[
  {
    "path": ".github/workflows/pkg-build.yaml",
    "content": "name: Packaging for Debian and Ubuntu\n\non:\n  push:\n    tags:\n      - '*'\n\njobs:\n  build:\n     runs-on: ubuntu-latest\n     container:\n       image: ${{ matrix.target }}\n     strategy:\n       fail-fast: false\n       matrix:\n         arch:\n           - amd64\n         target:\n           - \"debian:stretch\"\n           - \"debian:buster\"\n           - \"debian:bullseye\"\n           - \"ubuntu:xenial\"\n           - \"ubuntu:bionic\"\n           - \"ubuntu:focal\"\n\n     steps:\n      - name: Checkout repo\n        uses: actions/checkout@v2\n      - name: Install prereq packages\n        run: ./debpkg-setup.sh\n      - name: Build packages\n        run: ./debpkg-build.sh\n      - name: Store packages\n        run: |\n          export DIRNAME=`echo ${{ matrix.target }} | tr ':' '_'`\n          mkdir -p packages/${DIRNAME}\n          cp ../*.deb packages/${DIRNAME}/\n      - name: Publish packages to cloudsmith\n        uses: wanduow/action-cloudsmith-upload-packages@v1\n        with:\n          path: packages/\n          repo: ${{ secrets.CLOUDSMITH_OWNER }}/libprotoident\n          username: salcock\n          api_key: ${{ secrets.CLOUDSMITH_API_KEY }}\n\n"
  },
  {
    "path": ".github/workflows/rpm-build.yaml",
    "content": "name: Packaging for Centos and Fedora\n\non:\n  push:\n    tags:\n      - '*'\n\njobs:\n  build:\n    runs-on: ubuntu-latest\n    container:\n      image: ${{ matrix.target }}\n    strategy:\n      fail-fast: false\n      matrix:\n        arch:\n          - amd64\n        target:\n          - \"centos:7\"\n          - \"centos:8\"\n          - \"fedora:33\"\n          - \"fedora:32\"\n\n\n    steps:\n      - name: Checkout repo\n        uses: actions/checkout@v2\n      - name: Install prereq packages\n        run: ./rpmpkg-setup.sh ${{ matrix.target }}\n      - name: Build packages\n        run: ./rpmpkg-build.sh ${{ matrix.target }}\n      - name: Store packages\n        run: |\n          export DIRNAME=`echo ${{ matrix.target }} | tr ':' '_'`\n          mkdir -p packages/${DIRNAME}\n          cp ~/rpmbuild/RPMS/x86_64/*.rpm packages/${DIRNAME}/\n      - name: Publish packages to cloudsmith\n        uses: wanduow/action-cloudsmith-upload-packages@v1\n        with:\n          path: packages/\n          repo: ${{ secrets.CLOUDSMITH_OWNER }}/libprotoident\n          username: salcock\n          api_key: ${{ secrets.CLOUDSMITH_API_KEY }}\n\n\n"
  },
  {
    "path": ".gitignore",
    "content": "*.la\n*.o\n*.lo\n*Makefile.in\n*Makefile\n*.deps\n*.libs\n*.swp\nconfig\\.*\nconfigure\nautom4te.cache/\ndepcomp\ninstall-sh\naclocal.m4\nlibtool\nltmain.sh\nmissing\nstamp-h1\ntools/arff/lpi_arff\ntools/find_unknown/lpi_find_unknown\ntools/protoident/lpi_protoident\n"
  },
  {
    "path": ".gitmodules",
    "content": "[submodule \"libflowmanager\"]\n\tpath = libflowmanager\n\turl = https://github.com/wanduow/libflowmanager\n[submodule \"libtrace\"]\n\tpath = libtrace\n\turl = https://github.com/LibtraceTeam/libtrace\n"
  },
  {
    "path": "COPYING",
    "content": "                    GNU GENERAL PUBLIC LICENSE\n                       Version 3, 29 June 2007\n\n Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>\n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed.\n\n                            Preamble\n\n  The GNU General Public License is a free, copyleft license for\nsoftware and other kinds of works.\n\n  The licenses for most software and other practical works are designed\nto take away your freedom to share and change the works.  By contrast,\nthe GNU General Public License is intended to guarantee your freedom to\nshare and change all versions of a program--to make sure it remains free\nsoftware for all its users.  We, the Free Software Foundation, use the\nGNU General Public License for most of our software; it applies also to\nany other work released this way by its authors.  You can apply it to\nyour programs, too.\n\n  When we speak of free software, we are referring to freedom, not\nprice.  Our General Public Licenses are designed to make sure that you\nhave the freedom to distribute copies of free software (and charge for\nthem if you wish), that you receive source code or can get it if you\nwant it, that you can change the software or use pieces of it in new\nfree programs, and that you know you can do these things.\n\n  To protect your rights, we need to prevent others from denying you\nthese rights or asking you to surrender the rights.  Therefore, you have\ncertain responsibilities if you distribute copies of the software, or if\nyou modify it: responsibilities to respect the freedom of others.\n\n  For example, if you distribute copies of such a program, whether\ngratis or for a fee, you must pass on to the recipients the same\nfreedoms that you received.  You must make sure that they, too, receive\nor can get the source code.  
And you must show them these terms so they\nknow their rights.\n\n  Developers that use the GNU GPL protect your rights with two steps:\n(1) assert copyright on the software, and (2) offer you this License\ngiving you legal permission to copy, distribute and/or modify it.\n\n  For the developers' and authors' protection, the GPL clearly explains\nthat there is no warranty for this free software.  For both users' and\nauthors' sake, the GPL requires that modified versions be marked as\nchanged, so that their problems will not be attributed erroneously to\nauthors of previous versions.\n\n  Some devices are designed to deny users access to install or run\nmodified versions of the software inside them, although the manufacturer\ncan do so.  This is fundamentally incompatible with the aim of\nprotecting users' freedom to change the software.  The systematic\npattern of such abuse occurs in the area of products for individuals to\nuse, which is precisely where it is most unacceptable.  Therefore, we\nhave designed this version of the GPL to prohibit the practice for those\nproducts.  If such problems arise substantially in other domains, we\nstand ready to extend this provision to those domains in future versions\nof the GPL, as needed to protect the freedom of users.\n\n  Finally, every program is threatened constantly by software patents.\nStates should not allow patents to restrict development and use of\nsoftware on general-purpose computers, but in those that do, we wish to\navoid the special danger that patents applied to a free program could\nmake it effectively proprietary.  To prevent this, the GPL assures that\npatents cannot be used to render the program non-free.\n\n  The precise terms and conditions for copying, distribution and\nmodification follow.\n\n                       TERMS AND CONDITIONS\n\n  0. 
Definitions.\n\n  \"This License\" refers to version 3 of the GNU General Public License.\n\n  \"Copyright\" also means copyright-like laws that apply to other kinds of\nworks, such as semiconductor masks.\n\n  \"The Program\" refers to any copyrightable work licensed under this\nLicense.  Each licensee is addressed as \"you\".  \"Licensees\" and\n\"recipients\" may be individuals or organizations.\n\n  To \"modify\" a work means to copy from or adapt all or part of the work\nin a fashion requiring copyright permission, other than the making of an\nexact copy.  The resulting work is called a \"modified version\" of the\nearlier work or a work \"based on\" the earlier work.\n\n  A \"covered work\" means either the unmodified Program or a work based\non the Program.\n\n  To \"propagate\" a work means to do anything with it that, without\npermission, would make you directly or secondarily liable for\ninfringement under applicable copyright law, except executing it on a\ncomputer or modifying a private copy.  Propagation includes copying,\ndistribution (with or without modification), making available to the\npublic, and in some countries other activities as well.\n\n  To \"convey\" a work means any kind of propagation that enables other\nparties to make or receive copies.  Mere interaction with a user through\na computer network, with no transfer of a copy, is not conveying.\n\n  An interactive user interface displays \"Appropriate Legal Notices\"\nto the extent that it includes a convenient and prominently visible\nfeature that (1) displays an appropriate copyright notice, and (2)\ntells the user that there is no warranty for the work (except to the\nextent that warranties are provided), that licensees may convey the\nwork under this License, and how to view a copy of this License.  If\nthe interface presents a list of user commands or options, such as a\nmenu, a prominent item in the list meets this criterion.\n\n  1. 
Source Code.\n\n  The \"source code\" for a work means the preferred form of the work\nfor making modifications to it.  \"Object code\" means any non-source\nform of a work.\n\n  A \"Standard Interface\" means an interface that either is an official\nstandard defined by a recognized standards body, or, in the case of\ninterfaces specified for a particular programming language, one that\nis widely used among developers working in that language.\n\n  The \"System Libraries\" of an executable work include anything, other\nthan the work as a whole, that (a) is included in the normal form of\npackaging a Major Component, but which is not part of that Major\nComponent, and (b) serves only to enable use of the work with that\nMajor Component, or to implement a Standard Interface for which an\nimplementation is available to the public in source code form.  A\n\"Major Component\", in this context, means a major essential component\n(kernel, window system, and so on) of the specific operating system\n(if any) on which the executable work runs, or a compiler used to\nproduce the work, or an object code interpreter used to run it.\n\n  The \"Corresponding Source\" for a work in object code form means all\nthe source code needed to generate, install, and (for an executable\nwork) run the object code and to modify the work, including scripts to\ncontrol those activities.  However, it does not include the work's\nSystem Libraries, or general-purpose tools or generally available free\nprograms which are used unmodified in performing those activities but\nwhich are not part of the work.  
For example, Corresponding Source\nincludes interface definition files associated with source files for\nthe work, and the source code for shared libraries and dynamically\nlinked subprograms that the work is specifically designed to require,\nsuch as by intimate data communication or control flow between those\nsubprograms and other parts of the work.\n\n  The Corresponding Source need not include anything that users\ncan regenerate automatically from other parts of the Corresponding\nSource.\n\n  The Corresponding Source for a work in source code form is that\nsame work.\n\n  2. Basic Permissions.\n\n  All rights granted under this License are granted for the term of\ncopyright on the Program, and are irrevocable provided the stated\nconditions are met.  This License explicitly affirms your unlimited\npermission to run the unmodified Program.  The output from running a\ncovered work is covered by this License only if the output, given its\ncontent, constitutes a covered work.  This License acknowledges your\nrights of fair use or other equivalent, as provided by copyright law.\n\n  You may make, run and propagate covered works that you do not\nconvey, without conditions so long as your license otherwise remains\nin force.  You may convey covered works to others for the sole purpose\nof having them make modifications exclusively for you, or provide you\nwith facilities for running those works, provided that you comply with\nthe terms of this License in conveying all material for which you do\nnot control copyright.  Those thus making or running the covered works\nfor you must do so exclusively on your behalf, under your direction\nand control, on terms that prohibit them from making any copies of\nyour copyrighted material outside their relationship with you.\n\n  Conveying under any other circumstances is permitted solely under\nthe conditions stated below.  Sublicensing is not allowed; section 10\nmakes it unnecessary.\n\n  3. 
Protecting Users' Legal Rights From Anti-Circumvention Law.\n\n  No covered work shall be deemed part of an effective technological\nmeasure under any applicable law fulfilling obligations under article\n11 of the WIPO copyright treaty adopted on 20 December 1996, or\nsimilar laws prohibiting or restricting circumvention of such\nmeasures.\n\n  When you convey a covered work, you waive any legal power to forbid\ncircumvention of technological measures to the extent such circumvention\nis effected by exercising rights under this License with respect to\nthe covered work, and you disclaim any intention to limit operation or\nmodification of the work as a means of enforcing, against the work's\nusers, your or third parties' legal rights to forbid circumvention of\ntechnological measures.\n\n  4. Conveying Verbatim Copies.\n\n  You may convey verbatim copies of the Program's source code as you\nreceive it, in any medium, provided that you conspicuously and\nappropriately publish on each copy an appropriate copyright notice;\nkeep intact all notices stating that this License and any\nnon-permissive terms added in accord with section 7 apply to the code;\nkeep intact all notices of the absence of any warranty; and give all\nrecipients a copy of this License along with the Program.\n\n  You may charge any price or no price for each copy that you convey,\nand you may offer support or warranty protection for a fee.\n\n  5. Conveying Modified Source Versions.\n\n  You may convey a work based on the Program, or the modifications to\nproduce it from the Program, in the form of source code under the\nterms of section 4, provided that you also meet all of these conditions:\n\n    a) The work must carry prominent notices stating that you modified\n    it, and giving a relevant date.\n\n    b) The work must carry prominent notices stating that it is\n    released under this License and any conditions added under section\n    7.  
This requirement modifies the requirement in section 4 to\n    \"keep intact all notices\".\n\n    c) You must license the entire work, as a whole, under this\n    License to anyone who comes into possession of a copy.  This\n    License will therefore apply, along with any applicable section 7\n    additional terms, to the whole of the work, and all its parts,\n    regardless of how they are packaged.  This License gives no\n    permission to license the work in any other way, but it does not\n    invalidate such permission if you have separately received it.\n\n    d) If the work has interactive user interfaces, each must display\n    Appropriate Legal Notices; however, if the Program has interactive\n    interfaces that do not display Appropriate Legal Notices, your\n    work need not make them do so.\n\n  A compilation of a covered work with other separate and independent\nworks, which are not by their nature extensions of the covered work,\nand which are not combined with it such as to form a larger program,\nin or on a volume of a storage or distribution medium, is called an\n\"aggregate\" if the compilation and its resulting copyright are not\nused to limit the access or legal rights of the compilation's users\nbeyond what the individual works permit.  Inclusion of a covered work\nin an aggregate does not cause this License to apply to the other\nparts of the aggregate.\n\n  6. 
Conveying Non-Source Forms.\n\n  You may convey a covered work in object code form under the terms\nof sections 4 and 5, provided that you also convey the\nmachine-readable Corresponding Source under the terms of this License,\nin one of these ways:\n\n    a) Convey the object code in, or embodied in, a physical product\n    (including a physical distribution medium), accompanied by the\n    Corresponding Source fixed on a durable physical medium\n    customarily used for software interchange.\n\n    b) Convey the object code in, or embodied in, a physical product\n    (including a physical distribution medium), accompanied by a\n    written offer, valid for at least three years and valid for as\n    long as you offer spare parts or customer support for that product\n    model, to give anyone who possesses the object code either (1) a\n    copy of the Corresponding Source for all the software in the\n    product that is covered by this License, on a durable physical\n    medium customarily used for software interchange, for a price no\n    more than your reasonable cost of physically performing this\n    conveying of source, or (2) access to copy the\n    Corresponding Source from a network server at no charge.\n\n    c) Convey individual copies of the object code with a copy of the\n    written offer to provide the Corresponding Source.  This\n    alternative is allowed only occasionally and noncommercially, and\n    only if you received the object code with such an offer, in accord\n    with subsection 6b.\n\n    d) Convey the object code by offering access from a designated\n    place (gratis or for a charge), and offer equivalent access to the\n    Corresponding Source in the same way through the same place at no\n    further charge.  You need not require recipients to copy the\n    Corresponding Source along with the object code.  
If the place to\n    copy the object code is a network server, the Corresponding Source\n    may be on a different server (operated by you or a third party)\n    that supports equivalent copying facilities, provided you maintain\n    clear directions next to the object code saying where to find the\n    Corresponding Source.  Regardless of what server hosts the\n    Corresponding Source, you remain obligated to ensure that it is\n    available for as long as needed to satisfy these requirements.\n\n    e) Convey the object code using peer-to-peer transmission, provided\n    you inform other peers where the object code and Corresponding\n    Source of the work are being offered to the general public at no\n    charge under subsection 6d.\n\n  A separable portion of the object code, whose source code is excluded\nfrom the Corresponding Source as a System Library, need not be\nincluded in conveying the object code work.\n\n  A \"User Product\" is either (1) a \"consumer product\", which means any\ntangible personal property which is normally used for personal, family,\nor household purposes, or (2) anything designed or sold for incorporation\ninto a dwelling.  In determining whether a product is a consumer product,\ndoubtful cases shall be resolved in favor of coverage.  For a particular\nproduct received by a particular user, \"normally used\" refers to a\ntypical or common use of that class of product, regardless of the status\nof the particular user or of the way in which the particular user\nactually uses, or expects or is expected to use, the product.  
A product\nis a consumer product regardless of whether the product has substantial\ncommercial, industrial or non-consumer uses, unless such uses represent\nthe only significant mode of use of the product.\n\n  \"Installation Information\" for a User Product means any methods,\nprocedures, authorization keys, or other information required to install\nand execute modified versions of a covered work in that User Product from\na modified version of its Corresponding Source.  The information must\nsuffice to ensure that the continued functioning of the modified object\ncode is in no case prevented or interfered with solely because\nmodification has been made.\n\n  If you convey an object code work under this section in, or with, or\nspecifically for use in, a User Product, and the conveying occurs as\npart of a transaction in which the right of possession and use of the\nUser Product is transferred to the recipient in perpetuity or for a\nfixed term (regardless of how the transaction is characterized), the\nCorresponding Source conveyed under this section must be accompanied\nby the Installation Information.  But this requirement does not apply\nif neither you nor any third party retains the ability to install\nmodified object code on the User Product (for example, the work has\nbeen installed in ROM).\n\n  The requirement to provide Installation Information does not include a\nrequirement to continue to provide support service, warranty, or updates\nfor a work that has been modified or installed by the recipient, or for\nthe User Product in which it has been modified or installed.  
Access to a\nnetwork may be denied when the modification itself materially and\nadversely affects the operation of the network or violates the rules and\nprotocols for communication across the network.\n\n  Corresponding Source conveyed, and Installation Information provided,\nin accord with this section must be in a format that is publicly\ndocumented (and with an implementation available to the public in\nsource code form), and must require no special password or key for\nunpacking, reading or copying.\n\n  7. Additional Terms.\n\n  \"Additional permissions\" are terms that supplement the terms of this\nLicense by making exceptions from one or more of its conditions.\nAdditional permissions that are applicable to the entire Program shall\nbe treated as though they were included in this License, to the extent\nthat they are valid under applicable law.  If additional permissions\napply only to part of the Program, that part may be used separately\nunder those permissions, but the entire Program remains governed by\nthis License without regard to the additional permissions.\n\n  When you convey a copy of a covered work, you may at your option\nremove any additional permissions from that copy, or from any part of\nit.  (Additional permissions may be written to require their own\nremoval in certain cases when you modify the work.)  
You may place\nadditional permissions on material, added by you to a covered work,\nfor which you have or can give appropriate copyright permission.\n\n  Notwithstanding any other provision of this License, for material you\nadd to a covered work, you may (if authorized by the copyright holders of\nthat material) supplement the terms of this License with terms:\n\n    a) Disclaiming warranty or limiting liability differently from the\n    terms of sections 15 and 16 of this License; or\n\n    b) Requiring preservation of specified reasonable legal notices or\n    author attributions in that material or in the Appropriate Legal\n    Notices displayed by works containing it; or\n\n    c) Prohibiting misrepresentation of the origin of that material, or\n    requiring that modified versions of such material be marked in\n    reasonable ways as different from the original version; or\n\n    d) Limiting the use for publicity purposes of names of licensors or\n    authors of the material; or\n\n    e) Declining to grant rights under trademark law for use of some\n    trade names, trademarks, or service marks; or\n\n    f) Requiring indemnification of licensors and authors of that\n    material by anyone who conveys the material (or modified versions of\n    it) with contractual assumptions of liability to the recipient, for\n    any liability that these contractual assumptions directly impose on\n    those licensors and authors.\n\n  All other non-permissive additional terms are considered \"further\nrestrictions\" within the meaning of section 10.  If the Program as you\nreceived it, or any part of it, contains a notice stating that it is\ngoverned by this License along with a term that is a further\nrestriction, you may remove that term.  
If a license document contains\na further restriction but permits relicensing or conveying under this\nLicense, you may add to a covered work material governed by the terms\nof that license document, provided that the further restriction does\nnot survive such relicensing or conveying.\n\n  If you add terms to a covered work in accord with this section, you\nmust place, in the relevant source files, a statement of the\nadditional terms that apply to those files, or a notice indicating\nwhere to find the applicable terms.\n\n  Additional terms, permissive or non-permissive, may be stated in the\nform of a separately written license, or stated as exceptions;\nthe above requirements apply either way.\n\n  8. Termination.\n\n  You may not propagate or modify a covered work except as expressly\nprovided under this License.  Any attempt otherwise to propagate or\nmodify it is void, and will automatically terminate your rights under\nthis License (including any patent licenses granted under the third\nparagraph of section 11).\n\n  However, if you cease all violation of this License, then your\nlicense from a particular copyright holder is reinstated (a)\nprovisionally, unless and until the copyright holder explicitly and\nfinally terminates your license, and (b) permanently, if the copyright\nholder fails to notify you of the violation by some reasonable means\nprior to 60 days after the cessation.\n\n  Moreover, your license from a particular copyright holder is\nreinstated permanently if the copyright holder notifies you of the\nviolation by some reasonable means, this is the first time you have\nreceived notice of violation of this License (for any work) from that\ncopyright holder, and you cure the violation prior to 30 days after\nyour receipt of the notice.\n\n  Termination of your rights under this section does not terminate the\nlicenses of parties who have received copies or rights from you under\nthis License.  
If your rights have been terminated and not permanently\nreinstated, you do not qualify to receive new licenses for the same\nmaterial under section 10.\n\n  9. Acceptance Not Required for Having Copies.\n\n  You are not required to accept this License in order to receive or\nrun a copy of the Program.  Ancillary propagation of a covered work\noccurring solely as a consequence of using peer-to-peer transmission\nto receive a copy likewise does not require acceptance.  However,\nnothing other than this License grants you permission to propagate or\nmodify any covered work.  These actions infringe copyright if you do\nnot accept this License.  Therefore, by modifying or propagating a\ncovered work, you indicate your acceptance of this License to do so.\n\n  10. Automatic Licensing of Downstream Recipients.\n\n  Each time you convey a covered work, the recipient automatically\nreceives a license from the original licensors, to run, modify and\npropagate that work, subject to this License.  You are not responsible\nfor enforcing compliance by third parties with this License.\n\n  An \"entity transaction\" is a transaction transferring control of an\norganization, or substantially all assets of one, or subdividing an\norganization, or merging organizations.  If propagation of a covered\nwork results from an entity transaction, each party to that\ntransaction who receives a copy of the work also receives whatever\nlicenses to the work the party's predecessor in interest had or could\ngive under the previous paragraph, plus a right to possession of the\nCorresponding Source of the work from the predecessor in interest, if\nthe predecessor has it or can get it with reasonable efforts.\n\n  You may not impose any further restrictions on the exercise of the\nrights granted or affirmed under this License.  
For example, you may\nnot impose a license fee, royalty, or other charge for exercise of\nrights granted under this License, and you may not initiate litigation\n(including a cross-claim or counterclaim in a lawsuit) alleging that\nany patent claim is infringed by making, using, selling, offering for\nsale, or importing the Program or any portion of it.\n\n  11. Patents.\n\n  A \"contributor\" is a copyright holder who authorizes use under this\nLicense of the Program or a work on which the Program is based.  The\nwork thus licensed is called the contributor's \"contributor version\".\n\n  A contributor's \"essential patent claims\" are all patent claims\nowned or controlled by the contributor, whether already acquired or\nhereafter acquired, that would be infringed by some manner, permitted\nby this License, of making, using, or selling its contributor version,\nbut do not include claims that would be infringed only as a\nconsequence of further modification of the contributor version.  For\npurposes of this definition, \"control\" includes the right to grant\npatent sublicenses in a manner consistent with the requirements of\nthis License.\n\n  Each contributor grants you a non-exclusive, worldwide, royalty-free\npatent license under the contributor's essential patent claims, to\nmake, use, sell, offer for sale, import and otherwise run, modify and\npropagate the contents of its contributor version.\n\n  In the following three paragraphs, a \"patent license\" is any express\nagreement or commitment, however denominated, not to enforce a patent\n(such as an express permission to practice a patent or covenant not to\nsue for patent infringement).  
To \"grant\" such a patent license to a\nparty means to make such an agreement or commitment not to enforce a\npatent against the party.\n\n  If you convey a covered work, knowingly relying on a patent license,\nand the Corresponding Source of the work is not available for anyone\nto copy, free of charge and under the terms of this License, through a\npublicly available network server or other readily accessible means,\nthen you must either (1) cause the Corresponding Source to be so\navailable, or (2) arrange to deprive yourself of the benefit of the\npatent license for this particular work, or (3) arrange, in a manner\nconsistent with the requirements of this License, to extend the patent\nlicense to downstream recipients.  \"Knowingly relying\" means you have\nactual knowledge that, but for the patent license, your conveying the\ncovered work in a country, or your recipient's use of the covered work\nin a country, would infringe one or more identifiable patents in that\ncountry that you have reason to believe are valid.\n\n  If, pursuant to or in connection with a single transaction or\narrangement, you convey, or propagate by procuring conveyance of, a\ncovered work, and grant a patent license to some of the parties\nreceiving the covered work authorizing them to use, propagate, modify\nor convey a specific copy of the covered work, then the patent license\nyou grant is automatically extended to all recipients of the covered\nwork and works based on it.\n\n  A patent license is \"discriminatory\" if it does not include within\nthe scope of its coverage, prohibits the exercise of, or is\nconditioned on the non-exercise of one or more of the rights that are\nspecifically granted under this License.  
You may not convey a covered\nwork if you are a party to an arrangement with a third party that is\nin the business of distributing software, under which you make payment\nto the third party based on the extent of your activity of conveying\nthe work, and under which the third party grants, to any of the\nparties who would receive the covered work from you, a discriminatory\npatent license (a) in connection with copies of the covered work\nconveyed by you (or copies made from those copies), or (b) primarily\nfor and in connection with specific products or compilations that\ncontain the covered work, unless you entered into that arrangement,\nor that patent license was granted, prior to 28 March 2007.\n\n  Nothing in this License shall be construed as excluding or limiting\nany implied license or other defenses to infringement that may\notherwise be available to you under applicable patent law.\n\n  12. No Surrender of Others' Freedom.\n\n  If conditions are imposed on you (whether by court order, agreement or\notherwise) that contradict the conditions of this License, they do not\nexcuse you from the conditions of this License.  If you cannot convey a\ncovered work so as to satisfy simultaneously your obligations under this\nLicense and any other pertinent obligations, then as a consequence you may\nnot convey it at all.  For example, if you agree to terms that obligate you\nto collect a royalty for further conveying from those to whom you convey\nthe Program, the only way you could satisfy both those terms and this\nLicense would be to refrain entirely from conveying the Program.\n\n  13. Use with the GNU Affero General Public License.\n\n  Notwithstanding any other provision of this License, you have\npermission to link or combine any covered work with a work licensed\nunder version 3 of the GNU Affero General Public License into a single\ncombined work, and to convey the resulting work.  
The terms of this\nLicense will continue to apply to the part which is the covered work,\nbut the special requirements of the GNU Affero General Public License,\nsection 13, concerning interaction through a network will apply to the\ncombination as such.\n\n  14. Revised Versions of this License.\n\n  The Free Software Foundation may publish revised and/or new versions of\nthe GNU General Public License from time to time.  Such new versions will\nbe similar in spirit to the present version, but may differ in detail to\naddress new problems or concerns.\n\n  Each version is given a distinguishing version number.  If the\nProgram specifies that a certain numbered version of the GNU General\nPublic License \"or any later version\" applies to it, you have the\noption of following the terms and conditions either of that numbered\nversion or of any later version published by the Free Software\nFoundation.  If the Program does not specify a version number of the\nGNU General Public License, you may choose any version ever published\nby the Free Software Foundation.\n\n  If the Program specifies that a proxy can decide which future\nversions of the GNU General Public License can be used, that proxy's\npublic statement of acceptance of a version permanently authorizes you\nto choose that version for the Program.\n\n  Later license versions may give you additional or different\npermissions.  However, no additional obligations are imposed on any\nauthor or copyright holder as a result of your choosing to follow a\nlater version.\n\n  15. Disclaimer of Warranty.\n\n  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY\nAPPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT\nHOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM \"AS IS\" WITHOUT WARRANTY\nOF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,\nTHE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\nPURPOSE.  
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM\nIS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF\nALL NECESSARY SERVICING, REPAIR OR CORRECTION.\n\n  16. Limitation of Liability.\n\n  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING\nWILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS\nTHE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY\nGENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE\nUSE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF\nDATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD\nPARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),\nEVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF\nSUCH DAMAGES.\n\n  17. Interpretation of Sections 15 and 16.\n\n  If the disclaimer of warranty and limitation of liability provided\nabove cannot be given local legal effect according to their terms,\nreviewing courts shall apply local law that most closely approximates\nan absolute waiver of all civil liability in connection with the\nProgram, unless a warranty or assumption of liability accompanies a\ncopy of the Program in return for a fee.\n\n                     END OF TERMS AND CONDITIONS\n\n            How to Apply These Terms to Your New Programs\n\n  If you develop a new program, and you want it to be of the greatest\npossible use to the public, the best way to achieve this is to make it\nfree software which everyone can redistribute and change under these terms.\n\n  To do so, attach the following notices to the program.  
It is safest\nto attach them to the start of each source file to most effectively\nstate the exclusion of warranty; and each file should have at least\nthe \"copyright\" line and a pointer to where the full notice is found.\n\n    <one line to give the program's name and a brief idea of what it does.>\n    Copyright (C) <year>  <name of author>\n\n    This program is free software: you can redistribute it and/or modify\n    it under the terms of the GNU General Public License as published by\n    the Free Software Foundation, either version 3 of the License, or\n    (at your option) any later version.\n\n    This program is distributed in the hope that it will be useful,\n    but WITHOUT ANY WARRANTY; without even the implied warranty of\n    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n    GNU General Public License for more details.\n\n    You should have received a copy of the GNU General Public License\n    along with this program.  If not, see <http://www.gnu.org/licenses/>.\n\nAlso add information on how to contact you by electronic and paper mail.\n\n  If the program does terminal interaction, make it output a short\nnotice like this when it starts in an interactive mode:\n\n    <program>  Copyright (C) <year>  <name of author>\n    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.\n    This is free software, and you are welcome to redistribute it\n    under certain conditions; type `show c' for details.\n\nThe hypothetical commands `show w' and `show c' should show the appropriate\nparts of the General Public License.  
Of course, your program's commands\nmight be different; for a GUI interface, you would use an \"about box\".\n\n  You should also get your employer (if you work as a programmer) or school,\nif any, to sign a \"copyright disclaimer\" for the program, if necessary.\nFor more information on this, and how to apply and follow the GNU GPL, see\n<http://www.gnu.org/licenses/>.\n\n  The GNU General Public License does not permit incorporating your program\ninto proprietary programs.  If your program is a subroutine library, you\nmay consider it more useful to permit linking proprietary applications with\nthe library.  If this is what you want to do, use the GNU Lesser General\nPublic License instead of this License.  But first, please read\n<http://www.gnu.org/philosophy/why-not-lgpl.html>.\n\n"
  },
  {
    "path": "COPYING.LESSER",
    "content": "                   GNU LESSER GENERAL PUBLIC LICENSE\n                       Version 3, 29 June 2007\n\n Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>\n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed.\n\n\n  This version of the GNU Lesser General Public License incorporates\nthe terms and conditions of version 3 of the GNU General Public\nLicense, supplemented by the additional permissions listed below.\n\n  0. Additional Definitions.\n\n  As used herein, \"this License\" refers to version 3 of the GNU Lesser\nGeneral Public License, and the \"GNU GPL\" refers to version 3 of the GNU\nGeneral Public License.\n\n  \"The Library\" refers to a covered work governed by this License,\nother than an Application or a Combined Work as defined below.\n\n  An \"Application\" is any work that makes use of an interface provided\nby the Library, but which is not otherwise based on the Library.\nDefining a subclass of a class defined by the Library is deemed a mode\nof using an interface provided by the Library.\n\n  A \"Combined Work\" is a work produced by combining or linking an\nApplication with the Library.  The particular version of the Library\nwith which the Combined Work was made is also called the \"Linked\nVersion\".\n\n  The \"Minimal Corresponding Source\" for a Combined Work means the\nCorresponding Source for the Combined Work, excluding any source code\nfor portions of the Combined Work that, considered in isolation, are\nbased on the Application, and not on the Linked Version.\n\n  The \"Corresponding Application Code\" for a Combined Work means the\nobject code and/or source code for the Application, including any data\nand utility programs needed for reproducing the Combined Work from the\nApplication, but excluding the System Libraries of the Combined Work.\n\n  1. 
Exception to Section 3 of the GNU GPL.\n\n  You may convey a covered work under sections 3 and 4 of this License\nwithout being bound by section 3 of the GNU GPL.\n\n  2. Conveying Modified Versions.\n\n  If you modify a copy of the Library, and, in your modifications, a\nfacility refers to a function or data to be supplied by an Application\nthat uses the facility (other than as an argument passed when the\nfacility is invoked), then you may convey a copy of the modified\nversion:\n\n   a) under this License, provided that you make a good faith effort to\n   ensure that, in the event an Application does not supply the\n   function or data, the facility still operates, and performs\n   whatever part of its purpose remains meaningful, or\n\n   b) under the GNU GPL, with none of the additional permissions of\n   this License applicable to that copy.\n\n  3. Object Code Incorporating Material from Library Header Files.\n\n  The object code form of an Application may incorporate material from\na header file that is part of the Library.  You may convey such object\ncode under terms of your choice, provided that, if the incorporated\nmaterial is not limited to numerical parameters, data structure\nlayouts and accessors, or small macros, inline functions and templates\n(ten or fewer lines in length), you do both of the following:\n\n   a) Give prominent notice with each copy of the object code that the\n   Library is used in it and that the Library and its use are\n   covered by this License.\n\n   b) Accompany the object code with a copy of the GNU GPL and this license\n   document.\n\n  4. 
Combined Works.\n\n  You may convey a Combined Work under terms of your choice that,\ntaken together, effectively do not restrict modification of the\nportions of the Library contained in the Combined Work and reverse\nengineering for debugging such modifications, if you also do each of\nthe following:\n\n   a) Give prominent notice with each copy of the Combined Work that\n   the Library is used in it and that the Library and its use are\n   covered by this License.\n\n   b) Accompany the Combined Work with a copy of the GNU GPL and this license\n   document.\n\n   c) For a Combined Work that displays copyright notices during\n   execution, include the copyright notice for the Library among\n   these notices, as well as a reference directing the user to the\n   copies of the GNU GPL and this license document.\n\n   d) Do one of the following:\n\n       0) Convey the Minimal Corresponding Source under the terms of this\n       License, and the Corresponding Application Code in a form\n       suitable for, and under terms that permit, the user to\n       recombine or relink the Application with a modified version of\n       the Linked Version to produce a modified Combined Work, in the\n       manner specified by section 6 of the GNU GPL for conveying\n       Corresponding Source.\n\n       1) Use a suitable shared library mechanism for linking with the\n       Library.  
A suitable mechanism is one that (a) uses at run time\n       a copy of the Library already present on the user's computer\n       system, and (b) will operate properly with a modified version\n       of the Library that is interface-compatible with the Linked\n       Version.\n\n   e) Provide Installation Information, but only if you would otherwise\n   be required to provide such information under section 6 of the\n   GNU GPL, and only to the extent that such information is\n   necessary to install and execute a modified version of the\n   Combined Work produced by recombining or relinking the\n   Application with a modified version of the Linked Version. (If\n   you use option 4d0, the Installation Information must accompany\n   the Minimal Corresponding Source and Corresponding Application\n   Code. If you use option 4d1, you must provide the Installation\n   Information in the manner specified by section 6 of the GNU GPL\n   for conveying Corresponding Source.)\n\n  5. Combined Libraries.\n\n  You may place library facilities that are a work based on the\nLibrary side by side in a single library together with other library\nfacilities that are not Applications and are not covered by this\nLicense, and convey such a combined library under terms of your\nchoice, if you do both of the following:\n\n   a) Accompany the combined library with a copy of the same work based\n   on the Library, uncombined with any other library facilities,\n   conveyed under the terms of this License.\n\n   b) Give prominent notice with the combined library that part of it\n   is a work based on the Library, and explaining where to find the\n   accompanying uncombined form of the same work.\n\n  6. Revised Versions of the GNU Lesser General Public License.\n\n  The Free Software Foundation may publish revised and/or new versions\nof the GNU Lesser General Public License from time to time. 
Such new\nversions will be similar in spirit to the present version, but may\ndiffer in detail to address new problems or concerns.\n\n  Each version is given a distinguishing version number. If the\nLibrary as you received it specifies that a certain numbered version\nof the GNU Lesser General Public License \"or any later version\"\napplies to it, you have the option of following the terms and\nconditions either of that published version or of any later version\npublished by the Free Software Foundation. If the Library as you\nreceived it does not specify a version number of the GNU Lesser\nGeneral Public License, you may choose any version of the GNU Lesser\nGeneral Public License ever published by the Free Software Foundation.\n\n  If the Library as you received it specifies that a proxy can decide\nwhether future versions of the GNU Lesser General Public License shall\napply, that proxy's public statement of acceptance of any version is\npermanent authorization for you to choose that version for the\nLibrary.\n\n"
  },
  {
    "path": "ChangeLog",
    "content": "Full ChangeLog details can now be found at:\n        https://github.com/wanduow/libprotoident/wiki/ChangeLog\n\n"
  },
  {
    "path": "Makefile.am",
    "content": "SUBDIRS=lib \n\nif BUILD_LPI_TOOLS\nSUBDIRS+=tools\nendif\n\nAUTOMAKE_OPTIONS = foreign\n"
  },
  {
    "path": "README",
    "content": "libprotoident 2.0.15\n\n---------------------------------------------------------------------------\nCopyright (c) 2011-2020 The University of Waikato, Hamilton, New Zealand.\nAll rights reserved.\n\nThis code has been developed by the University of Waikato WAND\nresearch group. For further information please see http://www.wand.net.nz/.\n---------------------------------------------------------------------------\n\nSee the files COPYING and COPYING.LESSER for full licensing details for this\nsoftware.\n\nReport any bugs, questions or comments to contact@wand.net.nz\n\nNEW: You can now lodge bugs by filing an issue on the libprotoident github:\nhttps://github.com/wanduow/libprotoident\n\nAuthors:\n\tShane Alcock\n\nWith contributions from:\n    Donald Neal\n    Aaron Murrihy\n    Paweł Foremski <pjf@iitis.pl>\n    Fabian Weisshaar <elnappo@nerdpol.io>\n    Jeroen Roovers\n    Jiri Havranek\n    Romain Fontugne\n    Jacob van Walraven\n\nIntroduction\n============\nLibprotoident is a library designed to perform application protocol \nidentification using a very limited form of deep packet inspection, i.e. using\nthe first four bytes of application payload sent in each direction. 
The\nlibrary provides a simple API that will enable programmers to develop their own\ntools that utilise application protocol information and we have also included\nsome tools that can be used to perform simple analysis of traffic flows.\n\nRequired Libraries\n==================\nlibtrace 4.0.1 or later\n\t* available from https://github.com/LibtraceTeam/libtrace\n\t\nlibflowmanager 3.0.0 or later\n\t* optional, but required to build the tools\n\t* available from https://github.com/LibtraceTeam/libflowmanager\n\nInstallation\n============\nAfter having installed the required libraries, running the following series\nof commands should install libprotoident\n\n        ./bootstrap.sh (only if you've cloned the source from GitHub)\n        ./configure\n       \tmake\n\tmake install\n\nBy default, libprotoident installs to /usr/local - this can be changed by\nappending the --prefix=<new location> option to ./configure.\n\nThe libprotoident tools are built by default - this can be changed by using the\n--with-tools=no option with ./configure.\n\nProtocols Supported\n===================\nA full list of supported protocols can be found at \nhttps://github.com/wanduow/libprotoident/wiki/SupportedProtocols\n\nLibprotoident also currently has rules for several \"mystery\" protocols. These\nare patterns that commonly occur in our trace sets that we cannot tie to an\nactual protocol. It would be nice to know what these protocols actually are - \nif you have any suggestions please feel free to email us at contact@wand.net.nz.\n\nIn addition, a flow can be assigned into a \"category\" based on the protocol\ndetermined by libprotoident, enabling broader analysis. 
For example, \nBitTorrent, Gnutella and eMule all fall into the P2P category, whereas SMTP,\nPOP3 and IMAP are part of the Mail category.\n\nTools\n=====\nThere are three tools included with libprotoident.\n\n * lpi_protoident\n \n   Description:\t\n\t\n\tThis tool attempts to identify each individual flow within the provided\n\ttrace. Identification only occurs when the flow has concluded or \n\texpired, so it is not very effective for real-time applications. \n\n   Usage: \n\tlpi_protoident <input trace URI>\n\n\tThe input trace must be a valid libtrace URI.\n        See https://github.com/LibtraceTeam/libtrace/wiki/Supported-Trace-Formats\n        to learn more about libtrace URIs. Note that a URI may be a live\n        source, such as a network interface.\n\n   Output:\n   \tFor each flow in the input trace, a single line is printed to stdout\n\tdescribing the flow. The line contains the following fields separated\n\tby spaces (in order):\n\n\t * Application protocol (as reported by libprotoident)\n\t * IP address of the first endpoint\n\t * IP address of the second endpoint\n\t * Port used by the first endpoint\n\t * Port used by the second endpoint\n\t * Transport protocol (6 = TCP, 17 = UDP)\n\t * Unix timestamp when the flow began\n\t * Unix timestamp when the flow ended\n\t * Total bytes sent from first endpoint to second endpoint\n\t * Total bytes sent from second endpoint to first endpoint\n\t * First four bytes of payload sent from first endpoint (in hex)\n\t * First four bytes of payload sent from first endpoint (ASCII)\n\t * Size of first payload-bearing packet sent from first endpoint\n\t * First four bytes of payload sent from second endpoint (in hex)\n\t * First four bytes of payload sent from second endpoint (ASCII)\n\t * Size of first payload-bearing packet sent from second endpoint\n\t\t\n * lpi_find_unknown\n \n   Description:\t\n\t\n\tThis tool reports all the flows in a trace which libprotoident\n\twas unable to identify. 
Identification only occurs when the flow has\n\tconcluded or expired, so it is not very effective for real-time\n\tapplications. \n\n\tThis is mainly intended as a tool to aid development of new protocol\n\tidentifiers.\n\t\n   Usage: \n\tlpi_find_unknown <input trace URI>\n\n\tThe input trace must be a valid libtrace URI.\n        See https://github.com/LibtraceTeam/libtrace/wiki/Supported-Trace-Formats\n        to learn more about libtrace URIs. Note that a URI may be a live\n        source, such as a network interface.\n\n   Output:\n   \tFor each unknown flow in the input trace, a single line is printed to \n\tstdout describing the flow. The line contains the following fields \n\tseparated by spaces (in order):\n\n\t * IP address of the first endpoint\n\t * IP address of the second endpoint\n\t * Port used by the first endpoint\n\t * Port used by the second endpoint\n\t * Transport protocol (6 = TCP, 17 = UDP)\n\t * Unix timestamp when the flow began\n\t * Total bytes sent from first endpoint to second endpoint\n\t * Total bytes sent from second endpoint to first endpoint\n\t * First four bytes of payload sent from first endpoint (in hex)\n\t * First four bytes of payload sent from first endpoint (ASCII)\n\t * Size of first payload-bearing packet sent from first endpoint\n\t * First four bytes of payload sent from second endpoint (in hex)\n\t * First four bytes of payload sent from second endpoint (ASCII)\n\t * Size of first payload-bearing packet sent from second endpoint\n\n\n * lpi_arff\n\n   Description:\n        This tool is similar to lpi_protoident except that it writes its\n        output in the ARFF format so that it is compatible with the Weka\n        machine learning software (http://www.cs.waikato.ac.nz/ml/weka/).\n\n        This tool was contributed by Paweł Foremski <pjf@iitis.pl>.\n\n   Usage:\n        lpi_arff <input trace URI>\n\n\tThe input trace must be a valid libtrace URI.\n        See 
https://github.com/LibtraceTeam/libtrace/wiki/Supported-Trace-Formats\n        to learn more about libtrace URIs. Note that a URI may be a live\n        source, such as a network interface.\n\n   Output:\n        The output begins with a series of lines describing each feature that\n        will be used to describe each flow. Following that,\n   \tfor each flow in the input trace, a single line is printed to stdout\n\tdescribing the flow. The line contains the following fields separated\n\tby commas (in order):\n\n\t * Application protocol (as reported by libprotoident)\n\t * ID number for the application protocol\n\t * Total number of packets sent from first endpoint to second endpoint\n\t * Total number of bytes sent from first endpoint to second endpoint\n\t * Total number of packets sent from second endpoint to first endpoint\n\t * Total number of bytes sent from second endpoint to first endpoint\n         * Minimum payload size sent from first endpoint to second endpoint\n         * Mean payload size sent from first endpoint to second endpoint\n         * Maximum payload size sent from first endpoint to second endpoint\n         * Standard deviation of payload size sent from first endpoint to\n                second endpoint\n         * Minimum payload size sent from second endpoint to first endpoint\n         * Mean payload size sent from second endpoint to first endpoint\n         * Maximum payload size sent from second endpoint to first endpoint\n         * Standard deviation of payload size sent from second endpoint to\n                first endpoint\n         * Minimum packet interarrival time for packets sent from first\n                endpoint to second endpoint\n         * Mean packet interarrival time for packets sent from first\n                endpoint to second endpoint\n         * Maximum packet interarrival time for packets sent from first\n                endpoint to second endpoint\n         * Standard deviation of packet interarrival time for 
packets sent from\n                first endpoint to second endpoint\n         * Minimum packet interarrival time for packets sent from second\n                endpoint to first endpoint\n         * Mean packet interarrival time for packets sent from second\n                endpoint to first endpoint\n         * Maximum packet interarrival time for packets sent from second\n                endpoint to first endpoint\n         * Standard deviation of packet interarrival time for packets sent from\n                second endpoint to first endpoint\n         * Flow duration (in microseconds)\n         * Flow start time (as a Unix timestamp)\n\n\nAPI\n===\n\nIf you want to develop your own tools based on libprotoident, you'll need to\nuse the libprotoident API. The API is very simple and the best way to learn it\nis to examine how the existing tools work. The source for the tools is\nlocated in the tools/ directory.\n\nThe tools use libflowmanager to do the flow tracking, using an instance of a\nFlowManager class. You will probably want to incorporate this into your own\ntool. Usage of libprotoident itself is through functions beginning with 'lpi_'.\n\nThe libprotoident API functions themselves are documented in\nlib/libprotoident.h if you need further guidance.\n\nFurther documentation of the API can also be found at\nhttps://github.com/LibtraceTeam/libflowmanager\n\nIf all else fails, drop me a line at shane@alcock.co.nz\n\n"
  },
  {
    "path": "bootstrap.sh",
    "content": "#! /bin/sh\n\nset -x\n# Try aclocal-1.11 first, then aclocal-1.9, then the unversioned aclocal\naclocal-1.11  || aclocal-1.9 || aclocal \n\n# Darwin bizarrely uses glibtoolize\nlibtoolize --force --copy ||\n\tglibtoolize --force --copy\n\nautoheader2.50 || autoheader\n\n# Try automake-1.11 first, then 1.10 and 1.9, then the unversioned automake\nautomake-1.11 --add-missing --copy --foreign ||\n\tautomake-1.10 --add-missing --copy --foreign || \n\tautomake-1.9 --add-missing --copy --foreign || \n\tautomake --add-missing --copy --foreign\n\nautoconf2.50 || autoconf \n"
  },
  {
    "path": "configure.ac",
    "content": "AC_INIT(libprotoident, 2.0.15, contact@wand.net.nz)\n\nAM_INIT_AUTOMAKE\nAC_CONFIG_SRCDIR(lib/libprotoident.cc)\nAM_CONFIG_HEADER(config.h)\n\n# Make sure we use the relatively silent automake output\nm4_ifdef([AM_SILENT_RULES],[AM_SILENT_RULES([yes])])\n\nAC_PREFIX_DEFAULT(/usr/local/)\n\n# Function that checks if the C++ compiler actually works - there's a bit of\n# oversight in autoconf that will set the C++ compiler to g++ if no compiler\n# is found, even if g++ is not present! So we need an extra test to make sure\n# that the compiler works :(\n\nAC_DEFUN([rw_PROG_CXX_WORKS],\n[AC_REQUIRE([AC_PROG_CXX])dnl\nAC_CACHE_CHECK([whether the C++ compiler works],\n\t[rw_cv_prog_cxx_works],\n\t[AC_LANG_PUSH([C++])\n\tAC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],\n\t\t[rw_cv_prog_cxx_works=yes],\n\t\t[rw_cv_prog_cxx_works=no])\n\tAC_LANG_POP([C++])])\n])\n\n\n\nAC_PROG_CC\nAC_PROG_CXX\nrw_PROG_CXX_WORKS\nAC_PROG_INSTALL\n\nAC_LANG(C++)\nAC_PROG_LIBTOOL\n\nbuild_tools=yes\n\nAC_ARG_WITH(tools,\n\tAS_HELP_STRING(--with-tools, install libprotoident tools),[\n\t\tif test \"$withval\" = yes\n\t\tthen\n\t\t\tbuild_tools=yes\n\t\telse\n\t\t\tbuild_tools=no\n\t\tfi\n])\n\nAC_CHECK_LIB([trace], [trace_get_payload_length],,trace_found=0)\n\nif test \"$build_tools\" = yes; then\n\tAC_CHECK_LIB([flowmanager], [lfm_version_three],,lfm_found=0)\nfi\n\nAC_CHECK_HEADERS([arpa/inet.h fcntl.h inttypes.h netdb.h netinet/in.h stdint.h stdlib.h string.h sys/socket.h sys/time.h syslog.h unistd.h])\n\nAC_CONFIG_FILES([Makefile lib/Makefile tools/Makefile \n\t\ttools/find_unknown/Makefile tools/protoident/Makefile\n\t\ttools/arff/Makefile\n\t\tlib/udp/Makefile lib/tcp/Makefile])\n\nif test \"$trace_found\" = 0; then\n\tAC_MSG_ERROR(Required library libtrace 3.0.7 or later not found; use LDFLAGS to specify library location)\nfi\n\nif test \"$lfm_found\" = 0; then\n\tAC_MSG_ERROR(Required library libflowmanager not found; use LDFLAGS to specify library 
location)\nfi\n\nAM_CONDITIONAL([BUILD_LPI_TOOLS], [test \"$build_tools\" = yes])\n\nAC_SUBST([ADD_LIBS])\nAC_SUBST([ADD_LDFLAGS])\nAC_SUBST([ADD_INCLS])\nAC_SUBST([LTLIBOBJS])\n\nAC_OUTPUT\n\n\n"
  },
  {
    "path": "debian/changelog",
    "content": "libprotoident (2.0.15-2) unstable; urgency=low\n\n  * Rebuild package so tool binaries are compatible with latest libtrace.\n\n -- Shane Alcock <shane.alcock@waikato.ac.nz>  Mon, 29 Mar 2021 13:40:13 +1300\n\nlibprotoident (2.0.15-1) unstable; urgency=low\n\n  * New upstream release.\n  * Added new API methods: lpi_get_category_by_protocol() and\n    lpi_get_category_by_name().\n  * Improved rules for 6 protocols, including QUIC and Zoom\n  * Added 5 new protocols.\n\n -- Shane Alcock <shane.alcock@waikato.ac.nz>  Thu, 12 Nov 2019 12:00:00 +1300\n\nlibprotoident (2.0.14-1) unstable; urgency=low\n\n  * New upstream release.\n  * Added new API method: lpi_get_protocol_by_name().\n  * Fixed bug where lpi_print_category() would fail for the message\n    queuing category.\n  * Renamed \"Roblox\" to \"Raknet\" to better reflect the real underlying\n    protocol.\n  * Added new protocol category for educational applications.\n  * Added 17 new application protocols.\n  * Improved rules for a further 17 application protocols.\n\n -- Shane Alcock <shane.alcock@waikato.ac.nz>  Wed, 20 Nov 2019 14:11:21 +1300\n\nlibprotoident (2.0.13) unstable; urgency=low\n\n  * New upstream release\n  * Fixed bug where RST payload was used for classification purposes.\n  * Fixed errors in 4D, Heroes of the Storm and The Division rules.\n  * Added new protocol category for message queuing applications.\n  * Added 43 new application protocols.\n  * Improved rules for a further 35 application protocols.\n\n -- Shane Alcock <shane.alcock@waikato.ac.nz>  Tue, 09 Apr 2019 13:49:25 +1200\n"
  },
  {
    "path": "debian/compat",
    "content": "9\n"
  },
  {
    "path": "debian/control",
    "content": "Source: libprotoident\nPriority: optional\nMaintainer: Shane Alcock <shane.alcock@waikato.ac.nz>\nBuild-Depends: debhelper (>= 9), dh-autoreconf, libtrace4-dev,\n libflowmanager-dev\nStandards-Version: 4.1.3\nSection: libs\nHomepage: http://research.wand.net.nz/software/libprotoident.php\n\nPackage: libprotoident-dev\nSection: libdevel\nArchitecture: any\nDepends: libprotoident (= ${binary:Version}), ${misc:Depends}\nProvides: libprotoident-dev\nDescription: development headers for the libprotoident library\n This package contains development headers and other ancillary files for\n the libprotoident library.\n .\n libprotoident is a library that can perform traffic classification\n on each network flow observed via a packet capture process (including\n pcap trace files and many common live packet capture approaches).\n The classification is performed by examining the packet headers and\n first four bytes of application payload only, so can be used in\n environments where full payload capture is not possible.\n .\n libprotoident is developed by the WAND Network Research Group at Waikato\n University in New Zealand.\n\nPackage: libprotoident\nSection: libs\nArchitecture: any\nDepends: ${shlibs:Depends}, ${misc:Depends}\nProvides: libprotoident\nDescription: C++ library for network traffic classification.\n libprotoident is a library that can perform traffic classification\n on each network flow observed via a packet capture process (including\n pcap trace files and many common live packet capture approaches).\n The classification is performed by examining the packet headers and\n first four bytes of application payload only, so can be used in\n environments where full payload capture is not possible.\n .\n libprotoident is developed by the WAND Network Research Group at Waikato\n University in New Zealand.\n\nPackage: libprotoident-tools\nSection: net\nArchitecture: any\nDepends: ${shlibs:Depends}, ${misc:Depends}\nProvides: 
libprotoident-tools\nDescription: example utilities that make use of the libprotoident library\n libprotoident is a library that can perform network traffic classification\n using minimal application payload. These tools are provided as working\n demonstrations of libprotoident and can be used to perform simple analytic\n tasks (i.e. identify flows belonging to a specific application).\n .\n libprotoident is developed by the WAND Network Research Group at Waikato\n University in New Zealand.\n"
  },
  {
    "path": "debian/copyright",
    "content": "Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/\nUpstream-Name: Libprotoident\nSource: http://research.wand.net.nz/software/libprotoident.php\n\nFiles: *\nCopyright: 2019 The University of Waikato, Hamilton, New Zealand.\nLicense: LGPL-3\n This package is free software; you can redistribute it and/or\n modify it under the terms of the GNU Lesser General Public\n License as published by the Free Software Foundation; either\n version 3 of the License, or (at your option)\n any later version.\n .\n This package is distributed in the hope that it will be useful,\n but WITHOUT ANY WARRANTY; without even the implied warranty of\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n Lesser General Public License for more details.\n .\n You should have received a copy of the GNU Lesser General Public\n License along with this package; if not, write to the Free Software\n Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA\n .\n On Debian systems, the complete text of the GNU Lesser General\n Public License can be found in `/usr/share/common-licenses/LGPL-3'.\n"
  },
  {
    "path": "debian/libprotoident-dev.dirs",
    "content": "usr/lib\nusr/include\n"
  },
  {
    "path": "debian/libprotoident-dev.install",
    "content": "usr/include/libprotoident*.h\nusr/lib/libprotoident*.so\nusr/lib/libprotoident*.a\n"
  },
  {
    "path": "debian/libprotoident-tools.dirs",
    "content": "usr/bin\n"
  },
  {
    "path": "debian/libprotoident-tools.install",
    "content": "usr/bin/*\nusr/share/man/man1/*\n"
  },
  {
    "path": "debian/libprotoident.dirs",
    "content": "usr/lib\n"
  },
  {
    "path": "debian/libprotoident.install",
    "content": "usr/lib/libprotoident*.so.*\n"
  },
  {
    "path": "debian/rules",
    "content": "#!/usr/bin/make -f\n\n# Uncomment this to turn on verbose mode.\n#export DH_VERBOSE=1\n\n# Enable all hardening features, since traces are untrusted input.\nexport DEB_BUILD_MAINT_OPTIONS = hardening=+all\nDPKG_EXPORT_BUILDFLAGS = 1\ninclude /usr/share/dpkg/buildflags.mk\n\n# These are used for cross-compiling and for saving the configure script\n# from having to guess our platform (since we know it already)\nDEB_HOST_GNU_TYPE   ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)\nDEB_BUILD_GNU_TYPE  ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)\nCONFFLAGS =\nifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))\n\tCONFFLAGS += --build $(DEB_HOST_GNU_TYPE)\nelse\n\tCONFFLAGS += --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)\nendif\n\n\nconfigure:\n\nconfigure-stamp: configure\n\tdh_testdir\n\n\tdh_autoreconf\n\n\t./configure $(CONFFLAGS) \\\n\t\t   --prefix=/usr \\\n\t\t   --with-tools=yes \\\n\t\t   --mandir=\\$${prefix}/share/man \\\n\t\t   --infodir=\\$${prefix}/share/info\n\n\ttouch configure-stamp\n\nbuild: build-arch build-indep\nbuild-arch: build-stamp\nbuild-indep: build-stamp\nbuild-stamp: configure-stamp\n\tdh_testdir\n\n\t# Add here commands to compile the package.\n\t$(MAKE)\n\n\ttouch build-stamp\n\nclean:\n\tdh_testdir\n\tdh_testroot\n\trm -f build-stamp configure-stamp\n\n\t[ ! -f Makefile ] || $(MAKE) clean\n\t[ ! 
-f Makefile ] || $(MAKE) distclean\n\trm -rf docs/doxygen\n\n\tdh_autoreconf_clean\n\tdh_clean\n\ninstall: build\n\tdh_testdir\n\tdh_testroot\n\tdh_clean -k\n\tdh_installdirs\n\n\t# Add here commands to install the package into debian/tmp\n\t$(MAKE) install DESTDIR=$(CURDIR)/debian/tmp\n\n# Build architecture-independent files here.\nbinary-indep: build install\n# We have nothing to do by default.\n\n# Build architecture-dependent files here.\nbinary-arch: build install\n\tdh_testdir\n\tdh_testroot\n\t#dh_installchangelogs ChangeLog\n\tdh_installchangelogs\n\tdh_installdocs\n\tdh_installexamples\n\tdh_installman\n\tdh_install --sourcedir=debian/tmp\n\tdh_link\n\tdh_strip\n\tdh_compress\n\tdh_fixperms\n\tdh_makeshlibs\n\tdh_installdeb\n\tdh_shlibdeps\n\tdh_gencontrol\n\tdh_md5sums\n\tdh_builddeb -- -Zgzip\n\nbinary: binary-indep binary-arch\n.PHONY: build clean binary-indep binary-arch binary install\n\n"
  },
  {
    "path": "debian/source/format",
    "content": "3.0 (quilt)\n"
  },
  {
    "path": "debpkg-build.sh",
    "content": "#!/bin/bash\n\nset -x -e -o pipefail\n\nexport DEBEMAIL='packaging@wand.net.nz'\nexport DEBFULLNAME='WAND Packaging'\nexport DEBIAN_FRONTEND=noninteractive\n\nexport SOURCENAME=`echo ${GITHUB_REF##*/} | cut -d '-' -f 1`\n\nmk-build-deps -i -r -t 'apt-get -f -y --force-yes'\ndpkg-buildpackage -b -us -uc -rfakeroot -j4\n"
  },
  {
    "path": "debpkg-setup.sh",
    "content": "#!/bin/bash\n\nset -x -e -o pipefail\n\nexport DEBEMAIL='packaging@wand.net.nz'\nexport DEBFULLNAME='WAND Packaging'\nexport DEBIAN_FRONTEND=noninteractive\n\nexport SOURCENAME=`echo ${GITHUB_REF##*/} | cut -d '-' -f 1`\n\napt-get update\napt-get install -y equivs devscripts dpkg-dev quilt curl apt-transport-https \\\n    apt-utils ssl-cert ca-certificates gnupg lsb-release debhelper git \\\n    pkg-config\n\ncurl -1sLf 'https://dl.cloudsmith.io/public/wand/libwandio/cfg/setup/bash.deb.sh' | bash\ncurl -1sLf 'https://dl.cloudsmith.io/public/wand/libwandder/cfg/setup/bash.deb.sh' | bash\ncurl -1sLf 'https://dl.cloudsmith.io/public/wand/libtrace/cfg/setup/bash.deb.sh' | bash\ncurl -1sLf 'https://dl.cloudsmith.io/public/wand/libflowmanager/cfg/setup/bash.deb.sh' | bash\n\nDISTRO=$(lsb_release -sc)\n\ncase ${DISTRO} in\n        jessie | xenial | stretch )\n                curl -1sLf 'https://dl.cloudsmith.io/public/wand/dpdk-wand/cfg/setup/bash.deb.sh' | bash\n        ;;\nesac\n\napt-get update\napt-get upgrade -y\n"
  },
  {
    "path": "lib/Makefile.am",
    "content": "SUBDIRS=tcp udp\n\nlib_LTLIBRARIES=libprotoident.la\ninclude_HEADERS=libprotoident.h\n\nlibprotoident_la_SOURCES=libprotoident.h libprotoident.cc \\\n\tproto_common.cc proto_common.h \\\n\tproto_manager.cc proto_manager.h\n\nINCLUDES=@ADD_INCLS@\nlibprotoident_la_LIBADD = @ADD_LIBS@ tcp/libprotoident_tcp.la \\\n\tudp/libprotoident_udp.la\nlibprotoident_la_LDFLAGS = @ADD_LDFLAGS@ -version-info 4:0:2\nlibprotoident_la_CPPFLAGS = -Werror\n"
  },
  {
    "path": "lib/libprotoident.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#define __STDC_FORMAT_MACROS\n#define __STDC_LIMIT_MACROS\n\n#include <stdio.h>\n#include <assert.h>\n#include <libtrace.h>\n#include <inttypes.h>\n#include <sys/types.h>\n#include <stdint.h>\n#include <stdlib.h>\n#include <signal.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n\n\nbool init_called = false;\nLPIModuleMap TCP_protocols;\nLPIModuleMap UDP_protocols;\n\nlpi_module_t *lpi_icmp = NULL;\nlpi_module_t *lpi_unsupported = NULL;\nlpi_module_t *lpi_unknown_tcp = NULL;\nlpi_module_t *lpi_unknown_udp = NULL;\n\nstatic LPINameMap lpi_names;\nstatic LPIProtocolMap lpi_protocols;\nstatic LPICategoryMap lpi_categories;\nstatic LPICategoryProtocolMap lpi_category_protocols;\n\nstatic int seq_cmp (uint32_t seq_a, uint32_t seq_b) {\n\n        if (seq_a == seq_b) return 0;\n\n\n        if (seq_a > seq_b)\n                return (int)(seq_a - seq_b);\n        else\n                /* WRAPPING */\n                return (int)(UINT32_MAX - ((seq_b - 
seq_a) - 1));\n\n}\n\n\nint lpi_init_library() {\n\n\tif (init_called) {\n\t\tfprintf(stderr, \"WARNING: lpi_init_library has already been called\\n\");\n\t\treturn 0;\n\t}\n\t\n\tif (register_tcp_protocols(&TCP_protocols) == -1) \n\t\treturn -1;\n\t\n\tif (register_udp_protocols(&UDP_protocols) == -1) \n\t\treturn -1;\n\n\tinit_other_protocols(&lpi_names, &lpi_protocols, &lpi_category_protocols);\n\n\tregister_names(&TCP_protocols, &lpi_names, &lpi_protocols, &lpi_category_protocols);\n\tregister_names(&UDP_protocols, &lpi_names, &lpi_protocols, &lpi_category_protocols);\n\n\tregister_category_names(&lpi_categories);\n\n\tinit_called = true;\n\n\tif (TCP_protocols.empty() && UDP_protocols.empty()) {\n\t\tfprintf(stderr, \"WARNING: No protocol modules loaded\\n\");\n\t\treturn -1;\n\t}\n\n\n\treturn 0;\n\n}\n\nvoid lpi_free_library() {\n\n\tfree_protocols(&TCP_protocols);\n\tfree_protocols(&UDP_protocols);\n\n   if (lpi_icmp != NULL) {\n      delete lpi_icmp;\n      lpi_icmp = NULL;\n   }\n\n   if (lpi_unsupported != NULL) {\n      delete lpi_unsupported;\n      lpi_unsupported = NULL;\n   }\n\n   if (lpi_unknown_tcp != NULL) {\n      delete lpi_unknown_tcp;\n      lpi_unknown_tcp = NULL;\n   }\n\n   if (lpi_unknown_udp != NULL) {\n      delete lpi_unknown_udp;\n      lpi_unknown_udp = NULL;\n   }\n\n\tinit_called = false;\n}\n\nvoid lpi_init_data(lpi_data_t *data) {\n\n\tdata->payload[0] = 0;\n\tdata->payload[1] = 0;\n\tdata->seen_syn[0] = false;\n\tdata->seen_syn[1] = false;\n\tdata->seqno[0] = 0;\n\tdata->seqno[1] = 0;\n\tdata->observed[0] = 0;\n\tdata->observed[1] = 0;\n\tdata->server_port = 0;\n\tdata->client_port = 0;\n\tdata->trans_proto = 0;\n\tdata->payload_len[0] = 0;\n\tdata->payload_len[1] = 0;\n\tdata->ips[0] = 0;\n\tdata->ips[1] = 0;\n\n}\n\nstatic int update_tcp_flow(lpi_data_t *data, libtrace_tcp_t *tcp, uint8_t dir,\n\t\tuint32_t rem, uint32_t psize) {\n\tuint32_t seq = 0;\n\n\tif (rem < sizeof(libtrace_tcp_t))\n\t\treturn 0;\n\tif 
(tcp->rst)\n\t\treturn 0;\n\t\n\tif (data->server_port == 0) {\n\t\tdata->server_port = ntohs(tcp->dest);\n\t\tdata->client_port = ntohs(tcp->source);\n\t}\n\n\tseq = ntohl(tcp->seq);\n\n\tif (tcp->syn && data->payload_len[dir] == 0) {\n\t\tdata->seqno[dir] = seq + 1;\n\t\tdata->seen_syn[dir] = true;\n\t}\n\n\t/* Ok, we've got some payload but we never saw the SYN for this\n\t * direction. What do we do?\n\t *\n\t * Current idea: just assume this is the first payload bearing\n\t * packet. Better than running around with an uninitialised seqno */\n\tif (data->seen_syn[dir] == false && psize > 0) {\n\t\tdata->seqno[dir] = seq;\n\t\tdata->seen_syn[dir] = true;\n\t}\n\n\tif (seq_cmp(seq, data->seqno[dir]) != 0)\n\t\treturn 0;\n\t//data->seqno[dir] = seq;\n\n\treturn 1;\n}\n\nstatic int update_udp_flow(lpi_data_t *data, libtrace_udp_t *udp,\n\t\tuint32_t rem) {\n\n\tif (rem < sizeof(libtrace_udp_t))\n\t\treturn 0;\n\t\n\tif (data->server_port == 0) {\n\t\tdata->server_port = ntohs(udp->dest);\n\t\tdata->client_port = ntohs(udp->source);\n\t}\n\n\treturn 1;\n}\n\nint lpi_update_data(libtrace_packet_t *packet, lpi_data_t *data, uint8_t dir) {\n\n\tchar *payload = NULL;\n\tuint32_t psize = 0;\n\tuint32_t rem = 0;\n\tuint8_t proto = 0;\n\tvoid *transport;\n\tuint32_t four_bytes;\n\tlibtrace_ip_t *ip = NULL;\n\n\t//tcp = trace_get_tcp(packet);\n\tpsize = trace_get_payload_length(packet);\n\n\t/* Don't bother if we've observed 32k of data - the first packet must\n\t * surely been within that. 
This helps us avoid issues with sequence\n\t * number wrapping when doing the reordering check below */\n\tif (data->observed[dir] > 32 * 1024)\n\t\treturn 0;\n\t\n\tdata->observed[dir] += psize;\n\t\n\t/* If we're TCP, we have to wait to check that we haven't been\n\t * reordered */\n\tif (data->trans_proto != 6 && data->payload_len[dir] != 0)\n\t\treturn 0;\n\t\n\ttransport = trace_get_transport(packet, &proto, &rem);\n\tif (data->trans_proto == 0)\n\t\tdata->trans_proto = proto;\n\t\n\tif (transport == NULL || rem == 0)\n\t\treturn 0;\t\t\n\n\tif (proto == 6) {\n\t\tif (update_tcp_flow(data, (libtrace_tcp_t *)transport, dir, rem, psize) == 0) \n\t\t\treturn 0;\n\t\tpayload = (char *)trace_get_payload_from_tcp(\n\t\t\t\t(libtrace_tcp_t *)transport, &rem);\n\t} \n\n\tif (proto == 17) {\n\t\tif (update_udp_flow(data, (libtrace_udp_t *)transport, rem) == 0)\n\t\t\treturn 0;\n\t\tpayload = (char *)trace_get_payload_from_udp(\n\t\t\t\t(libtrace_udp_t *)transport, &rem);\n\t}\n\n\tip = trace_get_ip(packet);\n\t\n\tif (payload == NULL)\n\t\treturn 0;\n\tif (psize <= 0)\n\t\treturn 0;\n\n\tfour_bytes = (*(uint32_t *)payload);\n\t\n\tif (psize < 4) {\n\t\tfour_bytes = (ntohl(four_bytes)) >> (8 * (4 - psize));\t\t\n\t\tfour_bytes = htonl(four_bytes << (8 * (4 - psize)));\t\t\n\t}\n\n\tdata->payload[dir] = four_bytes;\n\tdata->payload_len[dir] = psize;\n\n\tif (ip != NULL && data->ips[0] == 0) {\n\t\tif (dir == 0) {\n\t\t\tdata->ips[0] = ip->ip_src.s_addr;\n\t\t\tdata->ips[1] = ip->ip_dst.s_addr;\n\t\t} else {\n\t\t\tdata->ips[1] = ip->ip_src.s_addr;\n\t\t\tdata->ips[0] = ip->ip_dst.s_addr;\n\t\t}\n\t}\n\n\treturn 1;\n\n}\n\nstatic lpi_module_t *test_protocol_list(LPIModuleList *ml, lpi_data_t *data) {\n\n\tLPIModuleList::iterator l_it;\n\t\n\t/* Turns out naively looping through the modules is quicker\n\t * than trying to do intelligent stuff with threads. 
Most\n\t * callbacks complete very quickly so threading overhead is a\n\t * major problem */\n\tfor (l_it = ml->begin(); l_it != ml->end(); l_it ++) {\n\t\tlpi_module_t *module = *l_it;\n\n\t\t/* To save time, I'm going to break on the first successful\n\t\t * match. A threaded version would wait for all the modules\n\t\t * to run, storing all successful results in a list of some\n\t\t * sort and selecting an appropriate result from there.\n\t\t */\n\n\t\tif (module->lpi_callback(data, module)) \n\t\t\treturn module;\n\t\t\n\t}\n\n\treturn NULL;\n}\nstatic lpi_module_t *guess_protocol(LPIModuleMap *modmap, lpi_data_t *data) {\n\n\tlpi_module_t *proto = NULL;\n\n\tLPIModuleMap::iterator m_it;\n\n\t/* Deal with each priority in turn - want to match higher priority\n\t * rules first. \n\t */\n\n\tfor (m_it = modmap->begin(); m_it != modmap->end(); m_it ++) {\n\t\tLPIModuleList *ml = m_it->second;\n\t\t\n\t\tproto = test_protocol_list(ml, data);\n\n\t\tif (proto != NULL)\n\t\t\tbreak;\n\t}\n\n\treturn proto;\n\n}\n\nlpi_module_t *lpi_guess_protocol(lpi_data_t *data) {\n\n\tlpi_module_t *p = NULL;\n\n\tif (!init_called) {\n\t\tfprintf(stderr, \"lpi_init_library was never called - cannot guess the protocol\\n\");\n\t\treturn NULL;\n\t}\n\n\tswitch(data->trans_proto) {\n\t\tcase TRACE_IPPROTO_ICMP:\n\t\t\treturn lpi_icmp;\n\t\tcase TRACE_IPPROTO_TCP:\n\t\t\tp = guess_protocol(&TCP_protocols, data);\n\t\t\tif (p == NULL)\n\t\t\t\tp = lpi_unknown_tcp;\n\t\t\treturn p;\n\n\t\tcase TRACE_IPPROTO_UDP:\n\t\t\tp = guess_protocol(&UDP_protocols, data);\n\t\t\tif (p == NULL)\n\t\t\t\tp = lpi_unknown_udp;\n\t\t\treturn p;\n\t\tdefault:\n\t\t\treturn lpi_unsupported;\n\t}\n\n\n\treturn p;\n}\n\t\nlpi_category_t lpi_categorise(lpi_module_t *module) {\n\n\tif (module == NULL)\n\t\treturn LPI_CATEGORY_NO_CATEGORY;\n\n\treturn module->category;\n\n}\n\nconst char *lpi_print_category(lpi_category_t category) {\n\n\tswitch(category) {\n\t\tcase LPI_CATEGORY_WEB:\n\t\t\treturn 
\"Web\";\n\t\tcase LPI_CATEGORY_MAIL:\n\t\t\treturn \"Mail\";\n\t\tcase LPI_CATEGORY_CHAT:\n\t\t\treturn \"Chat\";\n\t\tcase LPI_CATEGORY_P2P:\n\t\t\treturn \"P2P\";\n\t\tcase LPI_CATEGORY_P2P_STRUCTURE:\n\t\t\treturn \"P2P_Structure\";\n\t\tcase LPI_CATEGORY_KEY_EXCHANGE:\n\t\t\treturn \"Key_Exchange\";\n\t\tcase LPI_CATEGORY_ECOMMERCE:\n\t\t\treturn \"ECommerce\";\n\t\tcase LPI_CATEGORY_GAMING:\n\t\t\treturn \"Gaming\";\n\t\tcase LPI_CATEGORY_ENCRYPT:\n\t\t\treturn \"Encryption\";\n\t\tcase LPI_CATEGORY_MONITORING:\n\t\t\treturn \"Measurement\";\n\t\tcase LPI_CATEGORY_NEWS:\n\t\t\treturn \"News\";\n\t\tcase LPI_CATEGORY_MALWARE:\n\t\t\treturn \"Malware\";\n\t\tcase LPI_CATEGORY_SECURITY:\n\t\t\treturn \"Security\";\n\t\tcase LPI_CATEGORY_ANTISPAM:\n\t\t\treturn \"Antispam\";\n\t\tcase LPI_CATEGORY_VOIP:\n\t\t\treturn \"VOIP\";\n\t\tcase LPI_CATEGORY_TUNNELLING:\n\t\t\treturn \"Tunnelling\";\n\t\tcase LPI_CATEGORY_NAT:\n\t\t\treturn \"NAT_Traversal\";\n\t\tcase LPI_CATEGORY_STREAMING:\n\t\t\treturn \"Streaming\";\n\t\tcase LPI_CATEGORY_SERVICES:\n\t\t\treturn \"Services\";\n\t\tcase LPI_CATEGORY_DATABASES:\n\t\t\treturn \"Databases\";\n\t\tcase LPI_CATEGORY_FILES:\n\t\t\treturn \"File_Transfer\";\n\t\tcase LPI_CATEGORY_REMOTE:\n\t\t\treturn \"Remote_Access\";\n\t\tcase LPI_CATEGORY_TELCO:\n\t\t\treturn \"Telco_Services\";\n\t\tcase LPI_CATEGORY_P2PTV:\n\t\t\treturn \"P2PTV\";\n\t\tcase LPI_CATEGORY_RCS:\n\t\t\treturn \"Revision_Control\";\n\t\tcase LPI_CATEGORY_LOGGING:\n\t\t\treturn \"Logging\";\n\t\tcase LPI_CATEGORY_PRINTING:\n\t\t\treturn \"Printing\";\n\t\tcase LPI_CATEGORY_TRANSLATION:\n\t\t\treturn \"Translation\";\n\t\tcase LPI_CATEGORY_CDN:\n\t\t\treturn \"CDN\";\n\t\tcase LPI_CATEGORY_CLOUD:\n\t\t\treturn \"Cloud\";\n\t\tcase LPI_CATEGORY_NOTIFICATION:\n\t\t\treturn \"Notification\";\n\t\tcase LPI_CATEGORY_SERIALISATION:\n\t\t\treturn \"Serialisation\";\n\t\tcase LPI_CATEGORY_BROADCAST:\n\t\t\treturn \"Broadcast\";\n\t\tcase 
LPI_CATEGORY_LOCATION:\n\t\t\treturn \"Location\";\n\t\tcase LPI_CATEGORY_CACHING:\n\t\t\treturn \"Caching\";\n\t\tcase LPI_CATEGORY_ICS:\n\t\t\treturn \"ICS\";\n\t\tcase LPI_CATEGORY_MOBILE_APP:\n\t\t\treturn \"Mobile App\";\n\t\tcase LPI_CATEGORY_IPCAMERAS:\n\t\t\treturn \"IP Cameras\";\n\t\tcase LPI_CATEGORY_EDUCATIONAL:\n\t\t\treturn \"Educational\";\n                case LPI_CATEGORY_MESSAGE_QUEUE:\n                        return \"Message_Queuing\";\n\t\tcase LPI_CATEGORY_ICMP:\n\t\t\treturn \"ICMP\";\n\t\tcase LPI_CATEGORY_MIXED:\n\t\t\treturn \"Mixed\";\n\t\tcase LPI_CATEGORY_NOPAYLOAD:\n\t\t\treturn \"No_Payload\";\n\t\tcase LPI_CATEGORY_UNKNOWN:\n\t\t\treturn \"Unknown\";\n\t\tcase LPI_CATEGORY_UNSUPPORTED:\n\t\t\treturn \"Unsupported\";\n\t\tcase LPI_CATEGORY_NO_CATEGORY:\n\t\t\treturn \"Uncategorised\";\n\t\tcase LPI_CATEGORY_LAST:\n\t\t\treturn \"Invalid_Category\";\n\t}\n\n\treturn \"Invalid_Category\";\n\n}\n\t\t\t\nconst char *lpi_print(lpi_protocol_t proto) {\n\n\tLPINameMap::iterator it;\n\n\tit = lpi_names.find(proto);\n\n\tif (it == lpi_names.end()) {\n\t\treturn \"NULL\";\n\t}\t\n\treturn (it->second);\n\t\n}\n\nlpi_protocol_t lpi_get_protocol_by_name(char *name) {\n\n\tLPIProtocolMap::iterator it;\n\n\tit = lpi_protocols.find(name);\n\n\tif (it == lpi_protocols.end()) {\n\t\treturn LPI_PROTO_UNKNOWN;\n\t}\n\n\treturn (it->second);\n}\n\nlpi_category_t lpi_get_category_by_name(char *name) {\n\n\tLPICategoryMap::iterator it;\n\n\tit = lpi_categories.find(name);\n\n\tif (it == lpi_categories.end()) {\n\t\treturn LPI_CATEGORY_UNKNOWN;\n\t}\n\n\treturn (it->second);\n}\n\nlpi_category_t lpi_get_category_by_protocol(lpi_protocol_t protocol) {\n\n\tLPICategoryProtocolMap::iterator it;\n\n\tit = lpi_category_protocols.find(protocol);\n\n\tif (it == lpi_category_protocols.end()) {\n\t\treturn LPI_CATEGORY_UNKNOWN;\n\t}\n\n\treturn (it->second);\n}\n\nbool lpi_is_protocol_inactive(lpi_protocol_t proto) {\n\n\tLPINameMap::iterator it;\n\n\tit = 
lpi_names.find(proto);\n\n\tif (it == lpi_names.end()) {\n\t\treturn true;\n\t}\t\n\treturn false;\n\n}\n\n"
  },
  {
    "path": "lib/libprotoident.h",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n\n#ifndef LIBPROTOIDENT_H_\n#define LIBPROTOIDENT_H_\n\n#include <libtrace.h>\n#include <pthread.h>\n#include <list>\n\n#if __GNUC__ >= 3 \n#ifndef PRINTF\n#  define DEPRECATED __attribute__((deprecated))\n#  define SIMPLE_FUNCTION __attribute__((pure))\n#  define UNUSED __attribute__((unused))\n#  define PACKED __attribute__((packed))\n#  define PRINTF(formatpos,argpos) __attribute__((format(printf,formatpos,argpos)))\n#endif\n#else\n#ifndef PRINTF\n#  define DEPRECATED\n#  define SIMPLE_FUNCTION\n#  define UNUSED\n#  define PACKED \n#  define PRINTF(formatpos,argpos) \n#endif\n#endif\n\n#define DEFAULT_MAXTHREADS 10\n\n#ifdef __cplusplus \nextern \"C\" {\n#endif\n\n/* Protocol categories - most l7 protocols fall into a broader category that\n * describes what they are used for, e.g. 
P2P, Web, Mail etc.\n */\ntypedef enum {\n\tLPI_CATEGORY_WEB,\t\t/* HTTP-based protocols */\n\tLPI_CATEGORY_CHAT,\t\t/* Instant messaging and chatrooms */\n\tLPI_CATEGORY_MAIL,\t\t/* E-mail */\n\tLPI_CATEGORY_P2P,\t\t/* Peer-to-peer uploads and downloads */\n\tLPI_CATEGORY_P2P_STRUCTURE,\t/* Maintenance of P2P networks */\n\tLPI_CATEGORY_KEY_EXCHANGE,\t/* Protocols used to exchange and\n\t\t\t\t\t   manage cryptographic keys, e.g.\n\t\t\t\t\t   ISAKMP */\n\tLPI_CATEGORY_ECOMMERCE,\t\t/* Financial transaction protocols */\n\tLPI_CATEGORY_GAMING,\t\t/* Game protocols */\n\tLPI_CATEGORY_ENCRYPT,\t\t/* Encrypted traffic that is not\n\t\t\t\t\t   clearly part of another category */\n\tLPI_CATEGORY_MONITORING,\t/* Network measurement / monitoring */\n\tLPI_CATEGORY_NEWS,\t\t/* Newsgroup protocols, e.g. NNTP */\n\tLPI_CATEGORY_MALWARE,\t\t/* Viruses, trojans etc. */\n\tLPI_CATEGORY_SECURITY,\t\t/* Antivirus and firewall updates */\n\tLPI_CATEGORY_ANTISPAM,\t\t/* Anti-spam software update protocols\n\t\t\t\t\t */\n\tLPI_CATEGORY_VOIP,\t\t/* Voice chat and Internet telephony \n\t\t\t\t\t   protocols */\n\tLPI_CATEGORY_TUNNELLING,\t/* Tunnelling protocols */\n\tLPI_CATEGORY_NAT,\t\t/* NAT traversal protocols */\n\tLPI_CATEGORY_STREAMING,\t\t/* Streaming media protocols */\n\tLPI_CATEGORY_SERVICES,\t\t/* Basic services, e.g. DNS, NTP */\n\tLPI_CATEGORY_DATABASES,\t\t/* Database remote access protocols */\n\tLPI_CATEGORY_FILES,\t\t/* Non-P2P file transfer protocols */\n\tLPI_CATEGORY_REMOTE,\t\t/* Remote access, e.g. SSH, telnet */\n\tLPI_CATEGORY_TELCO,\t\t/* Telco services aside from VOIP, e.g\n\t\t\t\t\t   SMS protocols */\n\tLPI_CATEGORY_P2PTV,\t\t/* P2P TV, e.g. PPLive */\n\tLPI_CATEGORY_RCS,\t\t/* Revision Control */\n\tLPI_CATEGORY_LOGGING,\t\t/* Logging */\n\tLPI_CATEGORY_PRINTING,\t\t/* Network printing */\n\tLPI_CATEGORY_TRANSLATION,\t/* Language translation */\n\tLPI_CATEGORY_CDN,\t\t/* CDN protocols, e.g. 
Akamai */\n\tLPI_CATEGORY_CLOUD,\t\t/* Cloud computing/storage protocols */\n\tLPI_CATEGORY_NOTIFICATION,\t/* Notification / messaging protocols */\n\tLPI_CATEGORY_SERIALISATION,\t/* Transfer of programming \"objects\" */\n\tLPI_CATEGORY_BROADCAST,\t\t/* Protocols usually broadcast to the\n\t\t\t\t\t   local network */\n\tLPI_CATEGORY_LOCATION,\t\t/* Location-related services / GPS */\n\tLPI_CATEGORY_CACHING,\t\t/* Proxy cache protocols and similar */\n        LPI_CATEGORY_MOBILE_APP,        /* Mobile apps that don't fit any\n                                           other category */\n    LPI_CATEGORY_ICS,           /* Industrial control system protocols */\n        LPI_CATEGORY_IPCAMERAS,         /* IP Surveillance Camera protocols */\n        LPI_CATEGORY_MESSAGE_QUEUE,     /* Message queuing protocols */\n        LPI_CATEGORY_EDUCATIONAL,     /* Educational applications, e.g. virtual\n                                         classrooms */\n\tLPI_CATEGORY_ICMP,\t\t/* ICMP */\n\tLPI_CATEGORY_MIXED,\t\t/* Different protos in each direction */\n\tLPI_CATEGORY_NOPAYLOAD,\t\t/* No payload observed */\n\tLPI_CATEGORY_UNSUPPORTED,\t/* Transport protocol unsupported */\n\tLPI_CATEGORY_UNKNOWN,\t\t/* Protocol could not be identified */\n\tLPI_CATEGORY_NO_CATEGORY,\t/* Protocol has not been placed into a\n\t\t\t\t\t   category yet */\n\tLPI_CATEGORY_LAST\t\t/* Must always be last */\n} lpi_category_t;\n\n\ntypedef enum {\n        /* TCP Protocols */\n        LPI_PROTO_HTTP,\n        LPI_PROTO_SMTP,\n        LPI_PROTO_BITTORRENT,\n        LPI_PROTO_IRC,\n        LPI_PROTO_NCSOFT,      /* NCSoft proprietary protocol */\n        LPI_PROTO_DC,          /* DirectConnect */\n        LPI_PROTO_EMULE,\n        LPI_PROTO_GNUTELLA,\n        LPI_PROTO_SSH,\n        LPI_PROTO_HTTPS,\n        LPI_PROTO_RAZOR,       /* Razor database updates */\n        LPI_PROTO_POP3,\n        LPI_PROTO_SSL,         /* SSL that isn't HTTPS */\n        LPI_PROTO_MSN,\n        LPI_PROTO_DNS,\n        
LPI_PROTO_IMAP,\n        LPI_PROTO_RTSP,\n        LPI_PROTO_ID,          /* Identification protocol */\n        LPI_PROTO_YAHOO,\n        LPI_PROTO_ICQ,\n        LPI_PROTO_TELNET,\n        LPI_PROTO_RDP,         /* Windows remote desktop protocol */\n        LPI_PROTO_TDS,         /* MS SQL Server protocol */\n        LPI_PROTO_RPC_SCAN,    /* Port 135 exploit attempt */\n        LPI_PROTO_SMB,         /* Server Message Block protocol e.g. samba */\n        LPI_PROTO_WARCRAFT3,\n        LPI_PROTO_ETRUST,      /* Updates for the eTrust virus scanner */\n        LPI_PROTO_FTP_CONTROL, /* FTP control e.g. port 21 or 2121 */\n        LPI_PROTO_FTP_DATA,\n        LPI_PROTO_EYE,         /* Yahoo Game Server Browser */\n        LPI_PROTO_ARES,        /* Ares peer-to-peer protocol */\n        LPI_PROTO_NNTP,        /* Newsfeeds */\n        LPI_PROTO_NAPSTER,\n        LPI_PROTO_BNCS,        /* Battle.net Chat Server */\n        LPI_PROTO_RFB,         /* Remote Frame Buffer protocol */\n        LPI_PROTO_YAHOO_WEBCAM,/* Webcam over Yahoo Messenger */\n        LPI_PROTO_ICA,         /* Citrix ICA */\n        LPI_PROTO_NETBIOS,\n        LPI_PROTO_KMS,         /* Possibly a vista activation service */\n        LPI_PROTO_MS_DS,\n        LPI_PROTO_SIP,         /* Session Initiation Protocol*/\n        LPI_PROTO_MZINGA,\n        LPI_PROTO_GOKUCHAT,\n        LPI_PROTO_XUNLEI,\n        LPI_PROTO_DXP,\n        LPI_PROTO_HAMACHI,\n        LPI_PROTO_BLIZZARD,\n        LPI_PROTO_MSNV,        /* MSN Voice */\n        LPI_PROTO_BITEXT,      /* BitTorrent extensions */\n        LPI_PROTO_MITGLIEDER,  /* Mitglieder trojan */\n        LPI_PROTO_TOR,         /* TOR (The Onion Router) */\n        LPI_PROTO_MYSQL,\n        LPI_PROTO_HTTP_TUNNEL, /* Tunnelling via HTTP */\n        LPI_PROTO_RSYNC,\n        LPI_PROTO_NOTES_RPC,   /* Lotus Notes RPC (Domino) */\n        LPI_PROTO_AZUREUS,     /* Azureus Extension */\n\tLPI_PROTO_PANDO,\t/* Pando P2P protocol */\n\tLPI_PROTO_FLASH,\t/* Flash Player 
specific behaviour */\n\tLPI_PROTO_STEAM,\t/* Steam TCP download, i.e. downloading games */\n\tLPI_PROTO_TRACKMANIA, \t/* Trackmania control protocol */\n\tLPI_PROTO_CONQUER,\t/* Conquer Online game */\n\tLPI_PROTO_RTMP,\t\t/* Adobe RTMP */\n\tLPI_PROTO_TIP,\t\t/* Transaction Internet Protocol */\n\tLPI_PROTO_NONSTANDARD_HTTP, /* HTTP on unconventional port numbers */\n\tLPI_PROTO_HARVEYS,\t/* Photo transfers for Harveys Real Estate */\n\tLPI_PROTO_SHOUTCAST,\n\tLPI_PROTO_HTTP_BADPORT,\t/* HTTP over port 443, leading to failure */\n\tLPI_PROTO_POSTGRESQL,\t/* Postgresql protocol */\n\tLPI_PROTO_WOW,\t\t/* World of Warcraft */\n\tLPI_PROTO_M4U,\t\t/* Message4U (Aus SMS service) */\n\tLPI_PROTO_RBLS,\t\t/* Realtime Block List updates */\n\tLPI_PROTO_OPENVPN,\n\tLPI_PROTO_TELECOMKEY,\t/* Proto used to talk to telecomkey.com */\n\tLPI_PROTO_IMAPS,\t/* IMAP over SSL */\n\tLPI_PROTO_MSNC,\t\t/* MSN Client Protocol */\n\tLPI_PROTO_YAHOO_ERROR,\t/* Yahoo method of dealing with HTTP errors */\n\tLPI_PROTO_IMESH,\t/* iMesh */\n\tLPI_PROTO_PPTP,\t\t/* MS Tunnelling protocol */\n\tLPI_PROTO_AFP,\t\t/* Apple Filing Protocol */\n\tLPI_PROTO_PDBOX,\t/* Korean P2P TV protocol */\n\tLPI_PROTO_EA_GAMES,\t/* EA Games protocol */\n\tLPI_PROTO_ZYNGA,\t/* Protocol used by Zynga games */\n\tLPI_PROTO_CLUBBOX,\t/* Another Korean file sharing protocol */\n\tLPI_PROTO_WINMX,\t/* WinMX */\n\tLPI_PROTO_INVALID_BT,\t/* Bittorrent in one direction but not other */\n\tLPI_PROTO_WEBLOGIC,\t/* Weblogic server */\n\tLPI_PROTO_INVALID_HTTP,\t/* HTTP server sending raw HTML */\n\tLPI_PROTO_COD_WAW,\t/* Call of Duty: World at War TCP */\n\tLPI_PROTO_MP2P,\n\tLPI_PROTO_SVN,\n\tLPI_PROTO_SOCKS5,\n\tLPI_PROTO_SOCKS4,\n\tLPI_PROTO_INVALID_SMTP,\n\tLPI_PROTO_MMS,\t\t/* Microsoft Media Server */\n\tLPI_PROTO_CISCO_VPN,\t/* Cisco VPN protocol */\n\tLPI_PROTO_WEB_JUNK,\t/* Clients communicating with web servers\n\t\t\t\t   using non-HTTP */\n\tLPI_PROTO_CVS,\n\tLPI_PROTO_LDAP,\t\t/* LDAP 
*/\n\tLPI_PROTO_INVALID_POP3,\t/* POP commands send to an SMTP server */\n\tLPI_PROTO_TEAMVIEWER,\n\tLPI_PROTO_XMPP,\t\t/* a.k.a. Jabber */\n\tLPI_PROTO_SECONDLIFE,\t/* SecondLife over TCP */\n\tLPI_PROTO_KASEYA,\n\tLPI_PROTO_KASPERSKY,\n\tLPI_PROTO_JEDI,\t\t/* Citrix Jedi */\n\tLPI_PROTO_CGP,\t\t/* Citrix CGP */\n\tLPI_PROTO_YOUKU,\n\tLPI_PROTO_STUN,\n\tLPI_PROTO_XYMON,\n\tLPI_PROTO_MUNIN,\n\tLPI_PROTO_TROJAN_WIN32_GENERIC_SB,\n\tLPI_PROTO_PALTALK,\n\tLPI_PROTO_ZABBIX,\n\tLPI_PROTO_AKAMAI, \n\tLPI_PROTO_GAMESPY, \n\tLPI_PROTO_WUALA,\n\tLPI_PROTO_TROJAN_ZEROACCESS, \n\tLPI_PROTO_DVRNS,\n\tLPI_PROTO_CHATANGO, \n\tLPI_PROTO_OMEGLE,\n\tLPI_PROTO_TELNET_EXPLOIT, \n\tLPI_PROTO_POP3S,\t\t/* POP3 over TLS/SSL */ \n\tLPI_PROTO_PSN_STORE,\t\t\n\tLPI_PROTO_SKYPE_TCP,\t\t/* Skype TCP sessions */\t\t\n\tLPI_PROTO_APPLE_PUSH,\t\t/* Apple push notifications */ \n\tLPI_PROTO_XMPPS,\t\t/* XMPP over TLS/SSL */\n\tLPI_PROTO_SMTPS,\t\t/* Legacy Secure SMTP */ \n\tLPI_PROTO_NNTPS,\t\t/* NNTP over TLS/SSL */\t\t\n\tLPI_PROTO_JAVA,\t\t\t/* Serialised Java Objects */\n\tLPI_PROTO_IPOP,\t\t\t/* IP over P2P */\n\tLPI_PROTO_SPOTIFY,\n\tLPI_PROTO_RUNESCAPE,\t\n\tLPI_PROTO_WHOIS,\n\tLPI_PROTO_VIBER,\n\tLPI_PROTO_FRING,\n\tLPI_PROTO_PALRINGO,\n\tLPI_PROTO_CRYPTIC,\t\t/* Games by Cryptic */\n\tLPI_PROTO_SUPL,\n\tLPI_PROTO_MINECRAFT,\n\tLPI_PROTO_TPKT,\n        LPI_PROTO_QVOD,\n        LPI_PROTO_KIK,\n        LPI_PROTO_WHATSAPP,\n        LPI_PROTO_WECHAT,\n\tLPI_PROTO_FUNSHION,\n\tLPI_PROTO_BTSYNC,\n        LPI_PROTO_SPEEDTEST,\n        LPI_PROTO_GIT,\n        LPI_PROTO_DUELING_NETWORK,\n        LPI_PROTO_LINE,\n        LPI_PROTO_AMP,\n        LPI_PROTO_SPDY,\n        LPI_PROTO_YAHOO_GAMES,\n        LPI_PROTO_DELL_BACKUP,\n        LPI_PROTO_REVOLVER_NBLBT,\n        LPI_PROTO_CRASHPLAN,\n        LPI_PROTO_CLASH_OF_CLANS,\n        LPI_PROTO_TRION,\n        LPI_PROTO_MONGO,\n        LPI_PROTO_LLP2P,\n        LPI_PROTO_HEARTHSTONE,\n        LPI_PROTO_DIABLO3,\n        LPI_PROTO_CACAOWEB,\n        
LPI_PROTO_TAOBAO,       /* Custom protocol seen on Taobao CDN */\n        LPI_PROTO_TERA,\n        LPI_PROTO_SILKROADONLINE,       /* Korean MMO */\n        LPI_PROTO_GOOGLE_HANGOUTS,\n        LPI_PROTO_HOLA,\n        LPI_PROTO_GUILDWARS2,\n\tLPI_PROTO_QQ,\n\tLPI_PROTO_TETRISONLINE,\n\tLPI_PROTO_TWITCH_IRC,   /* IRC specific to twitch.tv */\n\tLPI_PROTO_QQLIVE,\n\tLPI_PROTO_TENCENT_GAMES,        /* Games operated by Tencent */\n\tLPI_PROTO_VODLOCKER,\n\tLPI_PROTO_TELEGRAM,\n\tLPI_PROTO_XUNLEI_ACCEL,\n\tLPI_PROTO_360SAFEGUARD,         /* Chinese anti-virus */\n\tLPI_PROTO_NORTON_BACKUP,\n\tLPI_PROTO_BADBAIDU,     /* Weird 1 byte flows from Baidu browser */\n\tLPI_PROTO_KAKAO,\n\tLPI_PROTO_WEIBO,\n\tLPI_PROTO_TENSAFE,\n        LPI_PROTO_KANKAN,\n        LPI_PROTO_AIRDROID,\n        LPI_PROTO_KUAIBO,\n        LPI_PROTO_DIANPING,\n        LPI_PROTO_XIAMI,\n        LPI_PROTO_QQDOWNLOAD,\n        LPI_PROTO_ZERO_FACEBOOK,\n        LPI_PROTO_FINALFANTASY_XIV,\n        LPI_PROTO_FACEBOOK_MESSENGER,\n        LPI_PROTO_YY,\n        LPI_PROTO_NETCAT_CCTV,\n        LPI_PROTO_ZOOM,\n        LPI_PROTO_S7COMM,\n        LPI_PROTO_MAXICLOUD,\n        LPI_PROTO_GLUPTEBA,\n        LPI_PROTO_WNS,\n        LPI_PROTO_PANDATV,\n        LPI_PROTO_FACEBOOK_TURN,\n        LPI_PROTO_DESTINY,\n        LPI_PROTO_QCLOUD_ILVB,\n        LPI_PROTO_BITCOIN,\n        LPI_PROTO_LIFEFORGE,\n        LPI_PROTO_ACESTREAM,\n        LPI_PROTO_MAPLESTORY_CHINA,\n        LPI_PROTO_NDT_TPUT,\n        LPI_PROTO_RELAY,\n        LPI_PROTO_DOUYU,\n        LPI_PROTO_IDRIVE_SYNC,\n        LPI_PROTO_TWITCASTING,\n        LPI_PROTO_THE_DIVISION,\n        LPI_PROTO_BLACKDESERT,\n        LPI_PROTO_REALVNC,\n        LPI_PROTO_DOGECOIN,\n        LPI_PROTO_FUCKCOIN,\n        LPI_PROTO_OURWORLD,\n        LPI_PROTO_GRAAL_ONLINE_ERA,\n        LPI_PROTO_APPEAR_IN,\n        LPI_PROTO_VAINGLORY,\n        LPI_PROTO_WEIQI,\n        LPI_PROTO_4D,\n        LPI_PROTO_TANKIX,\n        LPI_PROTO_IPSHARKK,\n        LPI_PROTO_NET_MFP,\n  
      LPI_PROTO_SPEEDIN,\n        LPI_PROTO_CROSSFIRE,\n        LPI_PROTO_DASH,\n        LPI_PROTO_AIRMEDIA,\n        LPI_PROTO_GIOP,\n        LPI_PROTO_VPN_UNLIMITED,\n        LPI_PROTO_TENFIVECOIN,\n        LPI_PROTO_BAOFENG,\n        LPI_PROTO_TALESRUNNER,\n        LPI_PROTO_ANTCOIN,\n        LPI_PROTO_FBCDN_SSL,\n        LPI_PROTO_SAPROUTER,\n        LPI_PROTO_FLIGGY,\n        LPI_PROTO_SMITE,\n        LPI_PROTO_VPNROBOT,\n        LPI_PROTO_VMWARE,\n        LPI_PROTO_DOUYU_CHAT,\n        LPI_PROTO_JX3ONLINE,\n        LPI_PROTO_LITECOIN,\n        LPI_PROTO_STRATUM,\n        LPI_PROTO_WIZARD101,\n        LPI_PROTO_KINGOFGLORY,\n        LPI_PROTO_SAS_ZOMBIE_ASSAULT_4,\n        LPI_PROTO_DNF,\n        LPI_PROTO_IHEXIN,\n        LPI_PROTO_NAVER_P2P,\n        LPI_PROTO_GCAFE_UPDATER,\n        LPI_PROTO_BWSYNC,\n        LPI_PROTO_TANKIONLINE,\n        LPI_PROTO_REALMOFTHEMADGOD,\n        LPI_PROTO_PATHOFEXILE,\n        LPI_PROTO_SSJJ,\n        LPI_PROTO_SPEEDIFY,\n        LPI_PROTO_NSQ,\n        LPI_PROTO_SKYFORGE,\n        LPI_PROTO_HOTS,\n        LPI_PROTO_NOMACHINE,\n        LPI_PROTO_QQSPEEDMOBILE,\n        LPI_PROTO_DAHUA,\n        LPI_PROTO_UTHERVERSE,\n        LPI_PROTO_300_HEROES,\n        LPI_PROTO_FILENORI,\n        LPI_PROTO_IPFS,\n        LPI_PROTO_REMOTE_MANIPULATOR,\n        LPI_PROTO_WEBEX_STUN,\n        LPI_PROTO_RRTV,\n        LPI_PROTO_RABBITMQ,\n        LPI_PROTO_ICEP,\n        LPI_PROTO_BEAM,\n        LPI_PROTO_VHDP2P,\n        LPI_PROTO_CLASSIN,\n        LPI_PROTO_TRANSOCKS,\n        LPI_PROTO_RAGNAROK_ONLINE,\n\tLPI_PROTO_ETHERNETIP,\n\n        /* UDP Protocols */\n        LPI_PROTO_UDP,\n        LPI_PROTO_UDP_SIP,\n        LPI_PROTO_UDP_BTDHT,\n        LPI_PROTO_UDP_GNUTELLA,\n        LPI_PROTO_UDP_DNS,\n        LPI_PROTO_UDP_DHCP,\n        LPI_PROTO_UDP_QUAKE,\n        LPI_PROTO_UDP_STEAM,\n        LPI_PROTO_UDP_STEAM_FRIENDS,\n        LPI_PROTO_UDP_STEAM_INHOMEBROADCAST,\n        LPI_PROTO_UDP_WIN_MESSAGE,\n        LPI_PROTO_UDP_GAMESPY,\n     
   LPI_PROTO_UDP_EMULE,\n        LPI_PROTO_UDP_EYE,\n        LPI_PROTO_UDP_RTP,\n        LPI_PROTO_UDP_ETHERNETIP,\n\tLPI_PROTO_UDP_CIP_IO, /* Common industrial protocol IO */\n        LPI_PROTO_UDP_MSN_VIDEO,\n        LPI_PROTO_UDP_COD,     /* Call of Duty game protocol */\n        LPI_PROTO_UDP_NTP,\n\tLPI_PROTO_UDP_MP2P,\t/* MP2P protocol (Piolet, Manolito etc.) */\n\tLPI_PROTO_UDP_SPAMFIGHTER,\t/* SpamFighter */\n\tLPI_PROTO_UDP_TRACEROUTE,\n\tLPI_PROTO_UDP_SECONDLIFE,\n\tLPI_PROTO_UDP_HL,\t/* Halflife, includes derivatives such as\n                                 * CounterStrike and Garry's Mod */\n\tLPI_PROTO_UDP_XLSP,\t/* XLSP - Xbox Live */\n\tLPI_PROTO_UDP_DEMONWARE,\t/* Company that does game networking */\n\tLPI_PROTO_UDP_IMESH,\t/* iMesh */\n\tLPI_PROTO_UDP_OPASERV,\t/* Opaserv worm */\n\tLPI_PROTO_UDP_STUN,\t/* STUN NAT traversal */\n\tLPI_PROTO_UDP_SQLEXP,\t/* MS SQL Server worm, called SQLExp */\n\tLPI_PROTO_UDP_MSN_CACHE, /* MSN cache callback protocol */\n\tLPI_PROTO_UDP_DIABLO2,\t/* Diablo 2 game protocol */\n\tLPI_PROTO_UDP_IPV6,\t/* IPv6 tunnelled directly over UDP */\n\tLPI_PROTO_UDP_ORBIT,\t/* Orbit downloader */\n\tLPI_PROTO_UDP_TEREDO,\n\tLPI_PROTO_UDP_KADEMLIA,\t/* Unknown flavour of kademlia */\n\tLPI_PROTO_UDP_PANDO,\t/* Pando DHT and Peer Exchange */\n\tLPI_PROTO_UDP_ESP,\t/* ESP/IPSec encapsulated in UDP */\n\tLPI_PROTO_UDP_PSN,\t/* Playstation Network */\n\tLPI_PROTO_UDP_REAL,\t/* RDT - the Real Data Transport protocol */\n\tLPI_PROTO_UDP_GNUTELLA2, /* Gnutella2 */\n\tLPI_PROTO_UDP_PYZOR,\t/* Python implementation of Razor */\n\tLPI_PROTO_UDP_SKYPE,\n\tLPI_PROTO_UDP_ISAKMP,\t/* ref: RFC 2408 */\n\tLPI_PROTO_UDP_SNMP,\n\tLPI_PROTO_UDP_BACKWEB,\t/* BackWeb Polite Protocol */\n\tLPI_PROTO_UDP_STARCRAFT,\n\tLPI_PROTO_UDP_XFIRE_P2P, /* Xfire P2P protocol */\n\tLPI_PROTO_UDP_THQ,\t/* Protocol used by THQ games */\n\tLPI_PROTO_UDP_NEWERTH,\t/* Heroes of Newerth */\n\tLPI_PROTO_UDP_LINKPROOF,\t/* Linkproof device packets 
*/\n\tLPI_PROTO_UDP_WORM_22105,\t/* Chinese worm that uses port 22105 */\n\tLPI_PROTO_UDP_QQ,\t\t/* Tencent QQ */\n\tLPI_PROTO_UDP_SLP,\t/* Service Location Protocol, RFC 2608 */\n\tLPI_PROTO_UDP_ESO,\t/* Games using Ensemble Studios Online */\n\tLPI_PROTO_UDP_SSDP,\n\tLPI_PROTO_UDP_NETBIOS,\t/* Netbios lookup */\n\tLPI_PROTO_UDP_CP_RDP,\t/* Checkpoint RDP */\n\tLPI_PROTO_UDP_VENTRILO,\t/* Ventrilo VoiceChat */\n\tLPI_PROTO_UDP_MTA,\t/* Multitheftauto */\n\tLPI_PROTO_UDP_PPLIVE,\n\tLPI_PROTO_UDP_JEDI_ACADEMY,\t/* Jedi Academy game */\n\tLPI_PROTO_UDP_MOH,\t/* Medal of Honor game */\n\tLPI_PROTO_UDP_TREMULOUS, /* Tremulous - free OSS FPS */\n\tLPI_PROTO_UDP_VIVOX,\t/* Vivox voice chat */\n\tLPI_PROTO_UDP_IPMSG,\t/* IPMsg messenger */\n\tLPI_PROTO_UDP_TEAMSPEAK,\n\tLPI_PROTO_UDP_DC,\t/* DirectConnect UDP commands */\n\tLPI_PROTO_UDP_FREECHAL,\t/* FreeChal P2P */\n\tLPI_PROTO_UDP_XUNLEI,\n\tLPI_PROTO_UDP_KAZAA,\n\tLPI_PROTO_UDP_NORTON,\t/* Norton Antivirus probe */\n\tLPI_PROTO_UDP_CISCO_VPN,\t/* Cisco VPN (port 10000) */\n\tLPI_PROTO_UDP_RTCP,\n\tLPI_PROTO_UDP_UNREAL,\t/* Unreal server query protocol */\n\tLPI_PROTO_UDP_TFTP,\n\tLPI_PROTO_UDP_GARENA,\t/* A gaming platform */\n\tLPI_PROTO_UDP_PPSTREAM,\t/* PPStream - Chinese P2PTV */\n\tLPI_PROTO_UDP_FORTINET,\t/* Fortinet update protocol */\n\tLPI_PROTO_UDP_TVANTS,\t/* TVants P2PTV - no longer active */\n\tLPI_PROTO_UDP_STORM_WORM,\n\tLPI_PROTO_UDP_BATTLEFIELD,\t/* Battlefield series of games */\n\tLPI_PROTO_UDP_SOPCAST,\n\tLPI_PROTO_UDP_SERIALNUMBERD,\n\tLPI_PROTO_UDP_LDAP_AD,\n\tLPI_PROTO_UDP_RTMFP,\n\tLPI_PROTO_UDP_L2TP,\n\tLPI_PROTO_UDP_SYSLOG,\n\tLPI_PROTO_UDP_AKAMAI,\n\tLPI_PROTO_UDP_RADIUS,\n\tLPI_PROTO_UDP_HAMACHI,\n\tLPI_PROTO_UDP_BJNP,\t/* Canon BJNP printing protocol */\n\tLPI_PROTO_UDP_KASPERSKY,\n\tLPI_PROTO_UDP_GSM,\n\tLPI_PROTO_UDP_JEDI,\t/* Citrix Jedi */\n\tLPI_PROTO_UDP_YOUKU,\n\tLPI_PROTO_UDP_YOUDAO_DICT,\n\tLPI_PROTO_UDP_DRIVESHARE,\n\tLPI_PROTO_UDP_CIRN,\t/* Carpathia Intelligent Routing Network 
*/\n\tLPI_PROTO_UDP_NEVERWINTER,\n\tLPI_PROTO_UDP_QQLIVE,\n\tLPI_PROTO_UDP_TEAMVIEWER,\n\tLPI_PROTO_UDP_ARES,\n\tLPI_PROTO_UDP_EPSON,\n\tLPI_PROTO_UDP_AKAMAI_TRANSFER,\n\tLPI_PROTO_UDP_DCC,\n\tLPI_PROTO_UDP_AMANDA,\n\tLPI_PROTO_UDP_NETFLOW,\n\tLPI_PROTO_UDP_ZEROACCESS,\n\tLPI_PROTO_UDP_VXWORKS_EXPLOIT,\n\tLPI_PROTO_UDP_APPLE_FACETIME_INIT,\n\tLPI_PROTO_UDP_STEAM_LOCALBROADCAST,\t\n\t/* ^Protocol used by Steam to discover clients on the local network */\n\tLPI_PROTO_UDP_LANSYNC,\t/* LANSync, used by DropBox */\n\tLPI_PROTO_UDP_BTSYNC,\n\tLPI_PROTO_UDP_MSOFFICE_MAC,\t/* MS Office for Mac anti-piracy */\n\tLPI_PROTO_UDP_SPOTIFY_BROADCAST,\n\tLPI_PROTO_UDP_MDNS,\t/* Multicast DNS */\n\tLPI_PROTO_UDP_FASP,\n\tLPI_PROTO_UDP_RAKNET,\n\tLPI_PROTO_UDP_OPENVPN,\n\tLPI_PROTO_UDP_NOE,\t/* Alcatel's New Office Environment */\n\tLPI_PROTO_UDP_VIBER,\n\tLPI_PROTO_UDP_DTLS,\n\tLPI_PROTO_UDP_ICP,\n\tLPI_PROTO_UDP_LOL,\t/* League of Legends */\n\tLPI_PROTO_UDP_SANANDREAS,\t/* San Andreas Multiplayer */\n\tLPI_PROTO_UDP_MFNP,\t/* Canon MFNP Printer protocol */\n\tLPI_PROTO_UDP_FUNSHION,\n\tLPI_PROTO_UDP_QUIC,\n\tLPI_PROTO_UDP_AVAST_DNS,\n\tLPI_PROTO_UDP_DB2,\n\tLPI_PROTO_UDP_NATPMP,\n\tLPI_PROTO_UDP_GPRS_TUNNEL,\n\tLPI_PROTO_UDP_WECHAT,\n\tLPI_PROTO_UDP_NOCTION,\n        LPI_PROTO_UDP_ARMA_SERVER,    /* Includes DayZ */\n        LPI_PROTO_UDP_PLANETSIDE2,\n        LPI_PROTO_UDP_RWTH_AACHEN,      /* RWTH-Aachen University research */\n        LPI_PROTO_UDP_BMDP,      /* Part of Microsoft ADS */\n        LPI_PROTO_UDP_DOTA2,      \n        LPI_PROTO_UDP_LINE, \n        LPI_PROTO_UDP_ZOOM,\n        LPI_PROTO_UDP_HEROES_GENERALS,  /* Heroes and Generals */ \n        LPI_PROTO_UDP_WARTHUNDER,\n        LPI_PROTO_UDP_H1Z1,\n        LPI_PROTO_UDP_CS_GLOBAL_OFFENSIVE,\n        LPI_PROTO_UDP_NTP_REFLECT,      /* NTP reflection attack */\n        LPI_PROTO_UDP_PUNKBUSTER,\n        LPI_PROTO_UDP_ROBOCRAFT,\n        LPI_PROTO_UDP_CISCO_SSLVPN,\n        LPI_PROTO_UDP_ACERCLOUD,\n        
LPI_PROTO_UDP_360CN,\n        LPI_PROTO_UDP_WOLF_ET,\n        LPI_PROTO_UDP_KUGOU,\n        LPI_PROTO_UDP_XUNLEI_JSQ,\n        LPI_PROTO_UDP_KANKAN,\n        LPI_PROTO_UDP_QQPCMGR,\n        LPI_PROTO_UDP_DIANPING,\n        LPI_PROTO_UDP_XUNYOU,\n        LPI_PROTO_UDP_FORTICLIENT_SSLVPN,\n        LPI_PROTO_UDP_DISCORD,\n        LPI_PROTO_UDP_NETCORE,\n        LPI_PROTO_UDP_ARMA3_SERVER,\n        LPI_PROTO_UDP_BAIDU_YUN_P2P,\n        LPI_PROTO_UDP_YY,\n        LPI_PROTO_UDP_OVERWATCH,\n        LPI_PROTO_UDP_BACNET,\n        LPI_PROTO_UDP_ARK_SURVIVAL,\n        LPI_PROTO_UDP_360P2P,\n        LPI_PROTO_UDP_PORTMAP_RPC,\n        LPI_PROTO_UDP_NINTENDO,\n        LPI_PROTO_UDP_CHIVALRY,\n        LPI_PROTO_UDP_DOYO,\n        LPI_PROTO_UDP_NETCAT_CCTV,\n        LPI_PROTO_UDP_N2PING,\n        LPI_PROTO_UDP_RAMSEY_DASH,\n        LPI_PROTO_UDP_UBISOFT_GAMES,\n        LPI_PROTO_UDP_THE_CREW,\n        LPI_PROTO_UDP_TURBOVPN,\n        LPI_PROTO_UDP_GEARSOFWAR,\n        LPI_PROTO_UDP_RDP,\n        LPI_PROTO_UDP_HOTS,\n        LPI_PROTO_UDP_VPNMASTER,\n        LPI_PROTO_UDP_DIANSHIJIA,\n        LPI_PROTO_UDP_PS4_REMOTEPLAY,\n        LPI_PROTO_UDP_STARCITIZEN,\n        LPI_PROTO_UDP_WEBEX,\n        LPI_PROTO_UDP_HALO_ONLINE,\n        LPI_PROTO_UDP_GOTOMEETING,\n        LPI_PROTO_UDP_CROSSOUT,\n        LPI_PROTO_UDP_UMEYE,\n        LPI_PROTO_UDP_RISING_STORM,\n        LPI_PROTO_UDP_CROSSFIRE,\n        LPI_PROTO_UDP_MERAKICLOUD,\n        LPI_PROTO_UDP_SNAPVPN,\n        LPI_PROTO_UDP_DAHUA,\n        LPI_PROTO_UDP_STARLEAF,\n        LPI_PROTO_UDP_FOSCAM,\n        LPI_PROTO_UDP_DESTINY,\n        LPI_PROTO_UDP_BAOFENG,\n        LPI_PROTO_UDP_TORCHLIGHT2,\n        LPI_PROTO_UDP_SMITE,\n        LPI_PROTO_UDP_COUNTERSTRIKE_16,\n        LPI_PROTO_UDP_VPNROBOT,\n        LPI_PROTO_UDP_TF2,\n        LPI_PROTO_UDP_GANGSOFSPACE,\n        LPI_PROTO_UDP_COMBATARMS,\n        LPI_PROTO_UDP_COMBATARMS_P2P,\n        LPI_PROTO_UDP_PANIPANI,\n        LPI_PROTO_UDP_FEITWO,\n        
LPI_PROTO_UDP_MOONHUNTERS,\n        LPI_PROTO_UDP_HELIBORNE,\n        LPI_PROTO_UDP_KINGOFGLORY,\n        LPI_PROTO_UDP_ASSETTO_CORSA,\n        LPI_PROTO_UDP_CACAOWEB,\n        LPI_PROTO_UDP_ZALO_CALL,\n        LPI_PROTO_UDP_PALADINS,\n        LPI_PROTO_UDP_CHARGEN_EXPLOIT,\n        LPI_PROTO_UDP_TOX,\n        LPI_PROTO_UDP_HOLLA,\n        LPI_PROTO_UDP_RRSHARE,\n        LPI_PROTO_UDP_QQSPEEDMOBILE,\n        LPI_PROTO_UDP_LOADOUT,\n        LPI_PROTO_UDP_GANGLIA,\n        LPI_PROTO_UDP_TALESRUNNER,\n        LPI_PROTO_UDP_FREEFIRE,\n        LPI_PROTO_UDP_HEROES_EVOLVED,\n        LPI_PROTO_UDP_RULES_OF_SURVIVAL,\n        LPI_PROTO_UDP_CONTRACT_WARS,\n        LPI_PROTO_UDP_ARD,\n        LPI_PROTO_UDP_QVOD,\n        LPI_PROTO_UDP_YUANFUDAO,\n        LPI_PROTO_UDP_ROCKET_LEAGUE,\n        LPI_PROTO_UDP_CLOUDFLARE_WARP,\n        LPI_PROTO_UDP_WIREGUARD,\n        LPI_PROTO_UDP_COD_MOBILE,\n        LPI_PROTO_UDP_NVIDIA_GAMESTREAM,\n        LPI_PROTO_UDP_CLASSIN,\n        LPI_PROTO_UDP_ARTCP,\n\n\t/* Patterns that we can match, but do not know the protocol */\n\tLPI_PROTO_REJECTION,\t/* All responses are 0x02 */\n\tLPI_PROTO_MYSTERY_9000,\t/* Occurs on tcp port 9000 */\n\tLPI_PROTO_MYSTERY_PSPR,\n\tLPI_PROTO_MYSTERY_8000,\n\tLPI_PROTO_MYSTERY_IG,\n\tLPI_PROTO_MYSTERY_CONN,\n\tLPI_PROTO_MYSTERY_SYMANTEC,\n\tLPI_PROTO_MYSTERY_RXXF,\n\t\n\tLPI_PROTO_UDP_MYSTERY_0D,\t\n\tLPI_PROTO_UDP_MYSTERY_99,\n\tLPI_PROTO_UDP_MYSTERY_8000,\n\tLPI_PROTO_UDP_MYSTERY_45,\n\tLPI_PROTO_UDP_MYSTERY_0660,\n\tLPI_PROTO_UDP_MYSTERY_E9,\n\tLPI_PROTO_UDP_MYSTERY_QQ,\n\tLPI_PROTO_UDP_MYSTERY_61_72,\n\tLPI_PROTO_UDP_MYSTERY_05,\n\n\tLPI_PROTO_ICMP,\n\n        LPI_PROTO_INVALID,     /* No single valid protocol */\n\tLPI_PROTO_NO_PAYLOAD,\n\tLPI_PROTO_NO_FIRSTPKT,\n\tLPI_PROTO_UNSUPPORTED,\n        LPI_PROTO_UNKNOWN,\n\tLPI_PROTO_LAST\t\t/** ALWAYS have this as the last value */\n} lpi_protocol_t;\n\n/* This structure stores all the data needed by libprotoident to identify the\n * application protocol for a 
flow. Do not change the contents of this struct\n * directly - lpi_update_data() will do that for you - but reading the values\n * should be ok. */\ntypedef struct lpi {\n\tuint32_t payload[2];\n\tbool seen_syn[2];\n\tuint32_t seqno[2];\n\tuint32_t observed[2];\n\tuint16_t server_port;\n\tuint16_t client_port;\n\tuint8_t trans_proto;\n\tuint32_t payload_len[2];\n\tuint32_t ips[2];\n} lpi_data_t;\n\ntypedef struct lpi_module lpi_module_t;\n\n/* This structure describes an individual LPI module - i.e. a protocol \n * supported by libprotoident */\nstruct lpi_module {\n        lpi_protocol_t protocol;\t/* The protocol ID */\n        lpi_category_t category;\t/* The category for this protocol */\n        const char *name;\t\t/* The protocol name, as a string */\n        uint8_t priority;\t\t/* The relative priority for matching\n\t\t\t\t\t   this protocol */\n\n\t/* The callback function for testing whether a given set of LPI\n\t * data matches the ruleset for this protocol */\n        bool (*lpi_callback) (lpi_data_t *proto_d, lpi_module_t *module);\n\n};\n\ntypedef std::list<lpi_module_t *> ProtoMatchList;\n\ntypedef struct lpi_thread {\n\tint index;\n\tlpi_module_t *module;\n\tlpi_data_t *data;\n\tbool result;\n} lpi_thread_t;\n\ntypedef std::list<pthread_t> ThreadList;\n\n/* Initialises the LPI library, by registering all the protocol modules.\n *\n * @return 0 if initialisation succeeded, -1 otherwise \n */\nint lpi_init_library(void);\n\n/* Shuts down the LPI library, by de-registering all the protocol modules */\nvoid lpi_free_library(void);\n\n/** Initialises an LPI data structure, setting all the members to appropriate\n *  starting values.\n *\n * @param data\tThe LPI data structure to be initialised.\n */\nvoid lpi_init_data(lpi_data_t *data);\n\n/** Updates the LPI data structure based on the contents of the packet\n *  provided.\n *\n *  @note The direction must be provided by the caller, as we cannot rely\n *  on trace_get_direction().\n *\n *  @param 
packet The packet to update the LPI data from.\n *  @param data\tThe LPI data structure to be updated.\n *  @param dir The direction of the packet - 0 is outgoing, 1 is incoming.\n *\n *  @return 0 if the packet was ignored, 1 if the LPI data was updated.\n */\nint lpi_update_data(libtrace_packet_t *packet, lpi_data_t *data, uint8_t dir);\n\n/** Returns a unique string describing the provided protocol.\n *\n * This is essentially a protocol-to-string conversion function.\n *\n * @param proto The protocol that a string representation is required for.\n *\n * @return A pointer to a statically allocated string describing the protocol.\n * This is allocated on the stack, so should be used or copied immediately.\n */\nconst char *lpi_print(lpi_protocol_t proto);\n\n/** Given a protocol, returns the category that it matches.\n *\n * @param proto The protocol that a category is required for.\n *\n * @return The category that the protocol belongs to.\n */\nlpi_category_t lpi_categorise(lpi_module_t *proto);\n\n/** Returns a unique string describing the provided category. \n *\n * This is essentially a category-to-string conversion function.\n *\n * @param category The category that a string representation is required for.\n *\n * @return A pointer to a statically allocated string describing the category.\n * This is allocated on the stack, so should be used or copied immediately.\n */\nconst char *lpi_print_category(lpi_category_t category);\n\n/** Using the provided data, attempts to determine the L7 protocol being used\n *  by that flow.\n *\n *  @param data\tThe LPI data to use when determining the protocol.\n *\n *  @return The LPI module for the protocol that matches the profile described\n *  by the given LPI data. 
If no protocol matches, the module for either\n *  LPI_UNKNOWN or LPI_UNKNOWN_UDP will be returned, depending on the transport\n *  protocol.\n */\nlpi_module_t *lpi_guess_protocol(lpi_data_t *data);\n\n/** Given the protocol name, returns the lpi protocol it matches.\n *\n * @param name The protocol name\n *\n * @returns The LPI protocol for the supplied name.\n *          LPI_PROTO_UNKNOWN if the name is not found.\n */\nlpi_protocol_t lpi_get_protocol_by_name(char *name);\n\n/* Given the category name, returns the lpi category it matches.\n *\n * @param name The category name\n *\n * @returns the LPI category for the supplied name on success.\n *          LPI_CATEGORY_UNKNOWN if the name is not found.\n */\nlpi_category_t lpi_get_category_by_name(char *name);\n\n/* Given the lpi protocol, returns the lpi category it matches.\n *\n * @param protocol The lpi protocol\n *\n * @returns the lpi category for the supplied lpi protocol.\n *          LPI_CATEGORY_UNKNOWN if the category is not found.\n */\nlpi_category_t lpi_get_category_by_protocol(lpi_protocol_t protocol);\n\n/** Determines whether the protocol matching a given protocol number is no\n *  longer supported by libprotoident.\n *\n *  @param proto The protocol to check\n *\n *  @return true if the protocol is no longer supported, false otherwise.\n *\n *  Some protocols are no longer supported by libprotoident, either because\n *  the rules were found to be producing too many false positives or the \n *  protocol has been merged with another existing protocol (especially in the\n *  case of mystery protocols). When these cases occur, we don't necessarily\n *  remove the protocol from the enumerated type list, just disable the module\n *  and set the name string for the protocol to \"NULL\".\n *\n *  This function allows the caller to check if a given protocol value has \n *  been disabled. 
This is often handy when reporting stats for all the \n *  protocol values (see lpi_live for an example), as ideally you would want\n *  to avoid reporting anything for the NULL protocols.\n */\nbool lpi_is_protocol_inactive(lpi_protocol_t proto);\n#ifdef __cplusplus \n}\n#endif\n#endif\n"
  },
  {
    "path": "lib/proto_common.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#ifdef __APPLE__\n#include <libkern/OSByteOrder.h>\n#define bswap32 OSSwapInt32\n#endif\n\n#ifdef __FreeBSD__\n#include <sys/endian.h>\n#endif\n\n#ifdef __linux__\n#include <byteswap.h>\n#define bswap32 __bswap_32\n#endif\n\n#include \"libprotoident.h\"\n#include \"proto_common.h\"\n\nbool match_str_either(lpi_data_t *data, const char *string) {\n\n        if (MATCHSTR(data->payload[0], string))\n                return true;\n        if (MATCHSTR(data->payload[1], string))\n                return true;\n        return false;\n}\n\nbool match_str_both(lpi_data_t *data, const char *string1,\n        const char *string2) {\n\n        if (MATCHSTR(data->payload[0], string1) &&\n                MATCHSTR(data->payload[1], string2))\n                return true;\n        if (MATCHSTR(data->payload[1], string1) &&\n                MATCHSTR(data->payload[0], string2))\n                return true;\n        return false;\n}\n\nbool 
match_chars_either(lpi_data_t *data, char a, char b, char c,\n        char d) {\n\n        if (MATCH(data->payload[0], a, b, c, d))\n                return true;\n        if (MATCH(data->payload[1], a, b, c, d))\n                return true;\n        return false;\n}\n\nbool match_payload_length(uint32_t payload, uint32_t payload_len) {\n\n        uint32_t header = 0;\n\n        header = ntohl(payload);\n\n        /* See if the length in the (presumed) header matches the\n         * length of the rest of the packet minus the header itself (4 bytes).\n         *\n         * Watch out for the case of a 4 byte packet containing just \n         * 00 00 00 00! */\n        if (payload_len > 4 && header == payload_len - 4)\n                return true;\n\n        return false;\n}\n\nbool match_ip_address_both(lpi_data_t *data) {\n\n\tuint8_t matches = 0;\n\n\tif (data->ips[0] == 0 || data->ips[0] == 0)\n\t\treturn false;\n\t\n\tif (data->payload_len[0] == 0)\n\t\tmatches += 1;\n\telse if (data->payload[0] == data->ips[0])\n\t\tmatches += 1;\n\telse if (data->payload[0] == data->ips[1])\n\t\tmatches += 1;\n\t\t\n\tif (data->payload_len[1] == 0)\n\t\tmatches += 1;\n\telse if (data->payload[1] == data->ips[0])\n\t\tmatches += 1;\n\telse if (data->payload[1] == data->ips[1])\n\t\tmatches += 1;\n\t \n\tif (matches == 2)\n\t\treturn true;\n\telse\n\t\treturn false;\n\t\n}\n\n/* Multiple protocols use HTTP-style requests */\nbool match_http_request(uint32_t payload, uint32_t len) {\n\n        /* HTTP requests - some of these are MS-specific extensions */\n        if (len == 0)\n                return true;\n\n        if (MATCHSTR(payload, \"GET \")) return true;\n        if (len == 1 && MATCH(payload, 'G', 0x00, 0x00, 0x00))\n                return true;\n        if (len == 2 && MATCH(payload, 'G', 'E', 0x00, 0x00))\n                return true;\n        if (len == 3 && MATCH(payload, 'G', 'E', 'T', 0x00))\n                return true;\n\n        if (MATCHSTR(payload, \"POST\")) 
return true;\n        if (MATCHSTR(payload, \"HEAD\")) return true;\n        if (MATCHSTR(payload, \"PUT \")) return true;\n        if (MATCHSTR(payload, \"DELE\")) return true;\n        if (MATCHSTR(payload, \"auth\")) return true;\n\n        /* SVN? */\n        if (MATCHSTR(payload, \"REPO\")) return true;\n\n        /* Webdav */\n        if (MATCHSTR(payload, \"LOCK\")) return true;\n        if (MATCHSTR(payload, \"UNLO\")) return true;\n        if (MATCHSTR(payload, \"OPTI\")) return true;\n        if (MATCHSTR(payload, \"PROP\")) return true;\n        if (MATCHSTR(payload, \"MKCO\")) return true;\n        if (MATCHSTR(payload, \"POLL\")) return true;\n        if (MATCHSTR(payload, \"SEAR\")) return true;\n\n        /* Ntrip - some differential GPS system using modified HTTP */\n        if (MATCHSTR(payload, \"SOUR\")) return true;\n\n\n        return false;\n\n}\n\n/* File headers are not specific to any particular protocol */\nbool match_file_header(uint32_t payload) {\n\n        /* RIFF is a meta-format for storing AVI and WAV files */\n        if (MATCHSTR(payload, \"RIFF\"))\n                return true;\n\n        /* MZ is a .exe file */\n        if (MATCH(payload, 'M', 'Z', ANY, 0x00))\n                return true;\n\n        /* Ogg files */\n        if (MATCHSTR(payload, \"OggS\"))\n                return true;\n\n        /* ZIP files */\n        if (MATCH(payload, 'P', 'K', 0x03, 0x04))\n                return true;\n\n        /* MPEG files */\n        if (MATCH(payload, 0x00, 0x00, 0x01, 0xba))\n                return true;\n\n        /* RAR files */\n        if (MATCHSTR(payload, \"Rar!\"))\n                return true;\n\n        /* EBML */\n        if (MATCH(payload, 0x1a, 0x45, 0xdf, 0xa3))\n                return true;\n\n        /* JPG */\n        if (MATCH(payload, 0xff, 0xd8, ANY, ANY))\n                return true;\n\n        /* GIF */\n        if (MATCHSTR(payload, \"GIF8\"))\n                return true;\n\n        /* I'm also going to 
include PHP scripts in here */\n        if (MATCH(payload, 0x3c, 0x3f, 0x70, 0x68))\n                return true;\n\n        /* Unix scripts */\n        if (MATCH(payload, 0x23, 0x21, 0x2f, 0x62))\n                return true;\n\n        /* PDFs */\n        if (MATCHSTR(payload, \"%PDF\"))\n                return true;\n\n        /* PNG */\n        if (MATCH(payload, 0x89, 'P', 'N', 'G'))\n                return true;\n\n        /* HTML */\n        if (MATCHSTR(payload, \"<htm\"))\n                return true;\n        if (MATCH(payload, 0x0a, '<', '!', 'D'))\n                return true;\n\n        /* 7zip */\n        if (MATCH(payload, 0x37, 0x7a, 0xbc, 0xaf))\n                return true;\n\n        /* gzip  - may need to replace last two bytes with ANY */\n        if (MATCH(payload, 0x1f, 0x8b, 0x08, ANY))\n                return true;\n\n        /* XML */\n        if (MATCHSTR(payload, \"<!DO\"))\n                return true;\n\n        /* FLAC */\n        if (MATCHSTR(payload, \"fLaC\"))\n                return true;\n\n        /* MP3 */\n        if (MATCH(payload, 'I', 'D', '3', 0x03))\n                return true;\n\tif (MATCHSTR(payload, \"\\xff\\xfb\\x90\\xc0\"))\n\t\treturn true;\n\n        /* RPM */\n        if (MATCH(payload, 0xed, 0xab, 0xee, 0xdb))\n                return true;\n\n        /* Wz Patch */\n        if (MATCHSTR(payload, \"WzPa\"))\n                return true;\n\n        /* Flash Video */\n        if (MATCH(payload, 'F', 'L', 'V', 0x01))\n                return true;\n\n        /* .BKF (Microsoft Tape Format) */\n        if (MATCHSTR(payload, \"TAPE\"))\n                return true;\n\n        /* MS Office Doc file - this is unpleasantly geeky */\n        if (MATCH(payload, 0xd0, 0xcf, 0x11, 0xe0))\n                return true;\n\n        /* ASP */\n        if (MATCH(payload, 0x3c, 0x25, 0x40, 0x20))\n                return true;\n\n        /* WMS file */\n        if (MATCH(payload, 0x3c, 0x21, 0x2d, 0x2d))\n                return 
true;\n\n\t/* ar archive, typically .deb files */\n\tif (MATCHSTR(payload, \"!<ar\"))\n\t\treturn true;\n\n\t/* Raw XML */\n\tif (MATCHSTR(payload, \"<?xm\"))\n\t\treturn true;\n\tif (MATCHSTR(payload, \"<iq \"))\n\t\treturn true;\n\n\t/* SPF */\n\tif (MATCHSTR(payload, \"SPFI\"))\n\t\treturn true;\n\n\t/* ABIF - Applied Biosystems */\n\tif (MATCHSTR(payload, \"ABIF\"))\n\t\treturn true;\n\n\t/* bzip2 - other digits are also possible instead of 9 */\n\tif (MATCH(payload, 'B', 'Z', 'h', '9'))\n\t\treturn true;\n\n        /* xz compression format */\n        if (MATCH(payload, 0xfd, '7', 'z', 'X'))\n                return true;\n\n        /* Microsoft Cabinet Files */\n        if (MATCH(payload, 'M', 'S', 'C', 'F'))\n                return true;\n\n        /* M4A -- be wary of false positives? */\n        if (MATCH(payload, 0x00, 0x00, 0x00, 0x20))\n                return true;\n\n        /* TIFF */\n        if (MATCH(payload, 0x49, 0x49, 0x2a, 0x00))\n                return true;\n\n        /* LZMA */\n        if (MATCH(payload, 0x5d, 0x00, 0x00, 0x80))\n                return true;\n\n        /* Source engine BSP file */\n        if (MATCH(payload, 'V', 'B', 'S', 'P'))\n                return true;\n\n        /* TTF */\n        if (MATCH(payload, 0x00, 0x01, 0x00, 0x00))\n                return true;\n        if (MATCH(payload, 'O', 'T', 'T', 'O'))\n                return true;\n\n        /* WOF2 TTCF */\n        if (MATCH(payload, 't', 't', 'c', 'f'))\n                return true;\n\n        /* RIR delegation files... */\n        if (MATCH(payload, '2', '.', '3', '|'))\n                return true;\n\n        /* REBASE -- restriction enzyme database\n         * A bit niche, but might be fairly common at universities? */\n        if (MATCH(payload, 0x20, 0x0a, 'R', 'E'))\n                return true;\n\n        /* Old coralreef trace files! 
*/\n        if (MATCHSTR(payload, \"\\xff\\xff\\x44\\x00\"))\n                return true;\n\n        /* I'm pretty sure the following are files of some type or another.\n         * They crop up pretty often in our test data sets, so I'm going to\n         * put them in here.\n         *\n         * Hopefully one day we will find out what they really are */\n\n        if (MATCH(payload, '<', 'c', 'f', ANY))\n                return true;\n        if (MATCH(payload, '<', 'C', 'F', ANY))\n                return true;\n        if (MATCHSTR(payload, \".tem\"))\n                return true;\n        if (MATCHSTR(payload, \".ite\"))\n                return true;\n        if (MATCHSTR(payload, \".lef\"))\n                return true;\n\n        return false;\n\n}\n\nbool valid_http_port(lpi_data_t *data) {\n        /* Must be on a known HTTP port - designed to filter \n         * out P2P protos that use HTTP.\n         *\n         * XXX If this doesn't work well, get rid of it!\n        */\n        if (data->server_port == 80 || data->client_port == 80)\n                return true;\n        if (data->server_port == 8080 || data->client_port == 8080)\n                return true;\n        if (data->server_port == 8081 || data->client_port == 8081)\n                return true;\n\n        /* If port 443 responds, we want it to be counted as genuine\n         * HTTP, rather than a bad port scenario */\n        if (data->server_port == 443 || data->client_port == 443) {\n                if (data->payload_len[0] > 0 && data->payload_len[1] > 0)\n                        return true;\n        }\n\n        return false;\n\n}\n\n/* 16 03 00 X is an SSLv3 handshake */\nstatic inline bool match_ssl3_handshake(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n        if (len == 1 && MATCH(payload, 0x16, 0x00, 0x00, 0x00))\n                return true;\n        if (MATCH(payload, 0x16, 0x03, 0x00, ANY))\n                return true;\n        
return false;\n}\n\n/* 16 03 01 X is an TLS handshake */\nstatic inline bool match_tls_handshake(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n        if (len == 1 && MATCH(payload, 0x16, 0x00, 0x00, 0x00))\n                return true;\n        if (MATCH(payload, 0x16, 0x03, 0x01, ANY))\n                return true;\n        if (MATCH(payload, 0x16, 0x03, 0x02, ANY))\n                return true;\n        if (MATCH(payload, 0x16, 0x03, 0x03, ANY))\n                return true;\n        return false;\n}\n\n/* SSLv2 handshake - the ANY byte in the 0x80 payload is actually the length \n * of the payload - 2. \n *\n * XXX This isn't always true - consecutive packets may be merged it seems :(\n */\nstatic inline bool match_ssl2_handshake(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x80, ANY, 0x01, 0x03))\n                return true;\n        if (MATCH(payload, 0x81, ANY, 0x01, 0x03))\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_tls_alert(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x15, 0x03, 0x01, ANY))\n                return true;\n        if (MATCH(payload, 0x15, 0x03, 0x02, ANY))\n                return true;\n        if (MATCH(payload, 0x15, 0x03, 0x03, ANY))\n                return true;\n\n\t/* Alerts are also possible under SSL 3.0 */\n        if (MATCH(payload, 0x15, 0x03, 0x00, ANY))\n                return true;\n        return false;\n}\n\nstatic inline bool match_tls_change(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x14, 0x03, 0x01, ANY))\n                return true;\n        if (MATCH(payload, 0x14, 0x03, 0x02, ANY))\n                return true;\n        if (MATCH(payload, 0x14, 0x03, 0x03, ANY))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_tls_content(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x17, 0x03, 0x01, ANY))\n                return true;\n    
    if (MATCH(payload, 0x17, 0x03, 0x02, ANY))\n                return true;\n        if (MATCH(payload, 0x17, 0x03, 0x03, ANY))\n                return true;\n        return false;\n}\n\nbool match_ssl(lpi_data_t *data) {\n\n\n        if (match_ssl3_handshake(data->payload[0], data->payload_len[0]) &&\n                        match_ssl3_handshake(data->payload[1], data->payload_len[1]))\n                return true;\n\n        if (match_tls_handshake(data->payload[0], data->payload_len[0]) &&\n                        match_tls_handshake(data->payload[1], data->payload_len[1]))\n                return true;\n\n        if (match_ssl3_handshake(data->payload[0], data->payload_len[0]) &&\n                        match_tls_handshake(data->payload[1], data->payload_len[1]))\n                return true;\n\n        if (match_tls_handshake(data->payload[0], data->payload_len[0]) &&\n                        match_ssl3_handshake(data->payload[1], data->payload_len[1]))\n                return true;\n        /* Seems we can sometimes skip the full handshake and start on the data\n         * right away (as indicated by 0x17) - for now, I've only done this for TLS */\n        if (match_tls_handshake(data->payload[0], data->payload_len[0]) &&\n                        match_tls_content(data->payload[1], data->payload_len[1]))\n                return true;\n        if (match_tls_handshake(data->payload[1], data->payload_len[1]) &&\n                        match_tls_content(data->payload[0], data->payload_len[0]))\n                return true;\n        /* Need to check for TLS alerts (errors) too */\n        if (match_tls_handshake(data->payload[0], data->payload_len[0]) &&\n                        match_tls_alert(data->payload[1], data->payload_len[1]))\n                return true;\n        if (match_tls_handshake(data->payload[1], data->payload_len[1]) &&\n                        match_tls_alert(data->payload[0], data->payload_len[0]))\n                return true;\n        if 
(match_ssl3_handshake(data->payload[0], data->payload_len[0]) &&\n                        match_tls_alert(data->payload[1], data->payload_len[1]))\n                return true;\n        if (match_ssl3_handshake(data->payload[1], data->payload_len[1]) &&\n                        match_tls_alert(data->payload[0], data->payload_len[0]))\n                return true;\n\n        /* Need to check for cipher changes too */\n        if (match_tls_handshake(data->payload[0], data->payload_len[0]) &&\n                        match_tls_change(data->payload[1], data->payload_len[1]))\n                return true;\n        if (match_tls_handshake(data->payload[1], data->payload_len[1]) &&\n                        match_tls_change(data->payload[0], data->payload_len[0]))\n                return true;\n\n\n        /* Some HTTPS servers respond with unencrypted content, presumably\n         * when somebody invalid attempts a connection */\n        if (match_tls_handshake(data->payload[0], data->payload_len[0]) &&\n                        MATCHSTR(data->payload[1], \"<!DO\") &&\n\t\t\tdata->payload_len[0] != 0)\n                return true;\n        if (match_tls_handshake(data->payload[1], data->payload_len[1]) &&\n                        MATCHSTR(data->payload[0], \"<!DO\") &&\n\t\t\tdata->payload_len[1] != 0)\n                return true;\n\n\n        /* Allow TLS content in both directions -- could be multi-path TCP?\n         * Or some form of picking up where a previous connection left off?\n         */\n        if (match_tls_content(data->payload[0], data->payload_len[0]) &&\n                        match_tls_content(data->payload[1], data->payload_len[1]))\n                return true;\n        if (match_tls_content(data->payload[1], data->payload_len[1]) &&\n                        match_tls_content(data->payload[0], data->payload_len[0]))\n                return true;\n        \n\n        if ((match_tls_handshake(data->payload[0], data->payload_len[0]) ||\n                
        match_ssl3_handshake(data->payload[0], data->payload_len[0])) &&\n                        match_ssl2_handshake(data->payload[1], data->payload_len[1]))\n                return true;\n\n        if ((match_tls_handshake(data->payload[1], data->payload_len[1]) ||\n                        match_ssl3_handshake(data->payload[1], data->payload_len[1])) &&\n                        match_ssl2_handshake(data->payload[0], data->payload_len[0]))\n                return true;\n\n        if (data->payload_len[0] == 0 && match_ssl2_handshake(data->payload[1], data->payload_len[1]))\n                return true;\n        if (data->payload_len[1] == 0 && match_ssl2_handshake(data->payload[0], data->payload_len[0]))\n                return true;\n\n        return false;\n}\n\nstatic bool dns_req(uint32_t payload) {\n\n        /* The flags / rcode on requests are usually all zero.\n         *\n         * Exceptions: CD and RD may be set \n         *\n         * Remember BYTE ORDER!\n         */\n\n\tpayload = htonl(payload);\n\n\tif ((payload & 0x0000ffff) == 0x00000000)\n\t\treturn true;\n\t/* Check for CD */\n\tif ((payload & 0x0000ffff) == 0x00000010)\n\t\treturn true;\n\t/* Check for RD */\n\tif ((payload & 0x0000ffff) == 0x00000100)\n\t\treturn true;\n\n\n        return false;\n\n}\n\nstatic bool dns_backscatter(uint32_t payload) {\n\n\t/* Let's see if we can identify unsolicited DNS responses */\n\n\t/* Last byte seems to be always 0x00 - third is either 0x84 or 0x85 */\n\n\tpayload = htonl(payload);\n\n\tif ((payload & 0x0000ffff) == 0x00008500)\n\t\treturn true;\n\tif ((payload & 0x0000ffff) == 0x00008580)\n\t\treturn true;\n\tif ((payload & 0x0000ffff) == 0x00008400)\n\t\treturn true;\n\tif ((payload & 0x0000ffff) == 0x00008480)\n\t\treturn true;\n\tif ((payload & 0x0000ffff) == 0x00008483)\n\t\treturn true;\n\tif ((payload & 0x0000ffff) == 0x00008403)\n\t\treturn true;\n\tif ((payload & 0x0000ffff) == 0x00008000)\n\t\treturn true;\n\n\treturn false;\n}\n\nbool 
match_dns(lpi_data_t *data) {\n\n        if (data->payload_len[0] == 0 || data->payload_len[1] == 0) {\n\n                /* No response, so we have a bit of a hard time - however,\n                 * most requests have a pretty standard set of flags.\n                 *\n                 * We'll also use the port here to help out */\n                if (data->server_port != 53 && data->client_port != 53)\n                        return false;\n                if (data->payload_len[0] > 12 && dns_req(data->payload[0]))\n                        return true;\n                if (data->payload_len[1] > 12 && dns_req(data->payload[1]))\n                        return true;\n                if (data->payload_len[0] > 12 && \n\t\t\t\tdns_backscatter(data->payload[0]))\n                        return true;\n                if (data->payload_len[1] > 12 && \n\t\t\t\tdns_backscatter(data->payload[1]))\n                        return true;\n\n                return false;\n        }\n\n        if (((htonl(data->payload[0])) & 0xffff7800) != \n\t\t\t((htonl(data->payload[1])) & 0xffff7800))\n                return false;\n\n        if ((htonl(data->payload[0]) & 0x00008000) == \n\t\t(htonl(data->payload[1]) & 0x00008000))\n                return false;\n\n        return true;\n\n}\n\nbool match_tds_request(uint32_t payload, uint32_t len) {\n\n        uint32_t stated_len = 0;\n\n        stated_len = (ntohl(payload) & 0xffff);\n        if (stated_len != len)\n                return false;\n\n        if (MATCH(payload, 0x12, 0x01, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0x10, 0x01, ANY, ANY))\n                return true;\n\n        return false;\n\n}\n\n\nbool match_8000_payload(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n\n        if (MATCH(payload, 0x3b, 0x00, 0x00, 0x00)) {\n                return true;\n        }\n        if (MATCH(payload, 0x3c, 0x00, 0x00, 0x00)) {\n                return true;\n   
     }\n        if (MATCH(payload, 0x3d, 0x00, 0x00, 0x00)) {\n                return true;\n        }\n        if (MATCH(payload, 0x3e, 0x00, 0x00, 0x00)) {\n                return true;\n        }\n\n        return false;\n}\n\nbool match_emule(lpi_data_t *data) {\n\n        /* Check that payload begins with e3 or c5 in both directions before \n         * classifying as eMule */\n        /* (I noticed that most emule(probably) flows began with \"e3 xx 00 00\" \n         * or \"c5 xx 00 00\", perhaps is worth looking into... Although I \n         * couldn't find anything about emule packets) */\n\n        if (data->payload_len[0] < 4 && data->payload_len[1] < 4)\n                return false;\n\n        if (MATCH(data->payload[0], 0xe3, ANY, 0x00, 0x00) &&\n            MATCH(data->payload[1], 0xe3, ANY, 0x00, 0x00))\n                return true;\n\n        if (MATCH(data->payload[0], 0xe3, ANY, 0x00, 0x00) &&\n            MATCH(data->payload[1], 0xc5, ANY, 0x00, 0x00))\n                return true;\n\n        /* XXX I haven't seen any obviously legit emule that starts with c5\n         * in both directions */\n        /*\n        if (MATCH(data->payload[0], 0xc5, ANY, ANY, ANY) &&\n            MATCH(data->payload[1], 0xc5, ANY, ANY, ANY))\n                return true;\n        */\n\n        if (MATCH(data->payload[0], 0xc5, ANY, 0x00, 0x00) &&\n            MATCH(data->payload[1], 0xe3, ANY, 0x00, 0x00))\n                return true;\n\n        if (MATCH(data->payload[0], 0xe3, ANY, 0x00, 0x00) &&\n                data->payload_len[1] == 0)\n                return true;\n\n        if (MATCH(data->payload[1], 0xe3, ANY, 0x00, 0x00) &&\n                data->payload_len[0] == 0)\n                return true;\n\n\n\n        return false;\n}\n\nstatic inline bool match_kaspersky_ke(uint32_t payload, uint32_t len) {\n        if (len == 0)\n                return true;\n        if (MATCH(payload, 'K', 'E', 0x00, 0x00))\n                return true;\n        if 
(MATCH(payload, 'K', 'E', 0x00, 0x02))\n                return true;\n        if (MATCH(payload, 'K', 'E', 0x00, 0x07))\n                return true;\n        return false;\n}\n\nstatic inline bool match_kaspersky_ks(uint32_t payload, uint32_t len) {\n        if (len == 0)\n                return true;\n        if (MATCH(payload, 'K', 'S', 0x00, 0x00))\n                return true;\n        return false;\n}\n\nbool match_kaspersky(lpi_data_t *data) {\n\n\t/* Traffic is either on TCP port 443 or UDP port 2001.\n\t *\n\t * One of the endpoints is always in either a Kaspersky range or\n\t * an old PSInet range */\n\n\tif (match_str_both(data, \"PI\\x00\\x00\", \"PI\\x00\\x00\")) {\n\t\tif (data->payload_len[0] == 2 && data->payload_len[1] == 2)\n\t\t\treturn true;\n\t}\n        if (match_kaspersky_ke(data->payload[0], data->payload_len[0])) {\n                if (match_kaspersky_ke(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n        if (match_kaspersky_ks(data->payload[0], data->payload_len[0])) {\n                if (match_kaspersky_ks(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\treturn false;\n}\n\nbool match_youku_payload(uint32_t pload, uint32_t len) {\n\n\tif (len == 0)\n                return true;\n        if (MATCH(pload, 0x4b, 0x55, 0x00, 0x01))\n                return true;\n        if (MATCH(pload, 0x4b, 0x55, 0x00, 0x02))\n                return true;\n        if (MATCH(pload, 0x4b, 0x55, 0x00, 0x03))\n                return true;\n        if (MATCH(pload, 0x4b, 0x55, 0x00, 0x04))\n                return true;\n        return false;\n\n}\n\nbool match_tpkt(uint32_t payload, uint32_t len) {\n        uint32_t stated_len = 0;\n\n        /*\n         * TPKT header is 03 00 + 2 bytes of length (including the TPKT header)\n         */\n\n        if (!MATCH(payload, 0x03, 0x00, ANY, ANY))\n                return false;\n\n        stated_len = ntohl(payload) & 0xffff;\n  
      if (stated_len != len)\n                return false;\n        return true;\n}\n\nbool match_qqlive_payload(uint32_t payload, uint32_t len) {\n\n        uint32_t swap;\n\n        /* This appears to have a 3 byte header. First byte is always 0xfe.\n         * Second and third bytes are the length (minus the 3 byte header).\n         */\n\n        if (len == 0)\n                return true;\n\n        swap = htonl(payload);\n        swap = (swap & 0xffff00) >> 8;\n\n        if (ntohs(swap) != len - 3)\n                return false;\n\n\t/* Interestingly, the third and fourth byte always match */\n        swap = htonl(payload);\n        if ((swap & 0xff) != ((swap & 0xff00) >> 8))\n                return false;\n\n        if (MATCH(payload, 0xfe, ANY, ANY, ANY))\n                return true;\n        return false;\n\n}\n\nbool match_yy_payload(uint32_t payload, uint32_t len) {\n\n        /* The first four bytes are a length field, but using the\n         * wrong byte order...\n         */\n\n        if (!MATCH(payload, ANY, ANY, 0x00, 0x00))\n                return false;\n\n#if BYTE_ORDER == BIG_ENDIAN\n        if (bswap32(payload) == len)\n                return true;\n#else\n        if (payload == len)\n                return true;\n#endif\n        return false;\n}\n\n\n/* Byte swapping functions for various inttypes */\nuint64_t byteswap64(uint64_t num)\n{\n        return (byteswap32((num&0xFFFFFFFF00000000ULL)>>32))\n              |((uint64_t)byteswap32(num&0x00000000FFFFFFFFULL)<<32);\n}\n\nuint32_t byteswap32(uint32_t num)\n{\n        return ((num&0x000000FFU)<<24)\n                | ((num&0x0000FF00U)<<8)\n                | ((num&0x00FF0000U)>>8)\n                | ((num&0xFF000000U)>>24);\n}\n\nuint16_t byteswap16(uint16_t num)\n{\n        return ((num<<8)&0xFF00)|((num>>8)&0x00FF);\n}\n\n"
  },
  {
    "path": "lib/proto_common.h",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n\n#ifndef PROTO_COMMON_H_\n#define PROTO_COMMON_H_\n\n#include \"libprotoident.h\"\n\n#ifndef __BYTE_ORDER\n#include <endian.h>\n#endif\n\n#define ANY -1\n\n#define MASKOCTET(x) \\\n        ((x) == ANY ? 
0U : 255U)\n\n#if __BYTE_ORDER == __BIG_ENDIAN\n#define FORMUP(a,b,c,d) \\\n        (unsigned)((((a)&0xFF)<<24)|(((b)&0xFF)<<16)|(((c)&0xFF)<<8)|((d)&0xFF))\n#else\n#define FORMUP(a,b,c,d) \\\n\t(unsigned)((((d)&0xFF)<<24)|(((c)&0xFF)<<16)|(((b)&0xFF)<<8)|((a)&0xFF))\n#endif\n\n\n#define FORMUPMASK(a,b,c,d) \\\n        FORMUP(MASKOCTET(a),MASKOCTET(b),MASKOCTET(c),MASKOCTET(d))\n#define MATCH(x,a,b,c,d) \\\n                ((x&FORMUPMASK(a,b,c,d))==(FORMUP(a,b,c,d)&FORMUPMASK(a,b,c,d)))\n\n#define MATCHSTR(x,st) \\\n        (memcmp(&(x),(st),sizeof(x))==0)\n\n\n/** Byteswaps a 64-bit value.\n *\n * @param num           The value to be byteswapped.\n * @return The byteswapped 64-bit number\n *\n */\nuint64_t byteswap64(uint64_t num);\n\n/** Byteswaps a 32-bit value.\n *\n * @param num           The value to be byteswapped.\n * @return The byteswapped 32-bit number\n *\n */\nuint32_t byteswap32(uint32_t num);\n\n/** Byteswaps a 16-bit value.\n *\n * @param num           The value to be byteswapped.\n * @return The byteswapped 16-bit number\n *\n */\nuint16_t byteswap16(uint16_t num);\n\n\n#if __BYTE_ORDER == __BIG_ENDIAN\n#define bswap_host_to_be64(num) ((uint64_t)(num))\n#define bswap_host_to_le64(num) byteswap64(num)\n#define bswap_host_to_be32(num) ((uint32_t)(num))\n#define bswap_host_to_le32(num) byteswap32(num)\n#define bswap_host_to_be16(num) ((uint16_t)(num))\n#define bswap_host_to_le16(num) byteswap16(num)\n\n#define bswap_be_to_host64(num) ((uint64_t)(num))\n#define bswap_le_to_host64(num) byteswap64(num)\n#define bswap_be_to_host32(num) ((uint32_t)(num))\n#define bswap_le_to_host32(num) byteswap32(num)\n#define bswap_be_to_host16(num) ((uint16_t)(num))\n#define bswap_le_to_host16(num) byteswap16(num)\n\n/* We use ntoh*() here, because the compiler may\n * attempt to optimise it\n  */\n#elif __BYTE_ORDER == __LITTLE_ENDIAN\n#define bswap_host_to_be64(num) (byteswap64(num))\n#define bswap_host_to_le64(num) ((uint64_t)(num))\n#define bswap_host_to_be32(num) 
(htonl(num))\n#define bswap_host_to_le32(num) ((uint32_t)(num))\n#define bswap_host_to_be16(num) (htons(num))\n#define bswap_host_to_le16(num) ((uint16_t)(num))\n\n#define bswap_be_to_host64(num) (byteswap64(num))\n#define bswap_le_to_host64(num) ((uint64_t)(num))\n#define bswap_be_to_host32(num) (ntohl(num))\n#define bswap_le_to_host32(num) ((uint32_t)(num))\n#define bswap_be_to_host16(num) (ntohs(num))\n#define bswap_le_to_host16(num) ((uint16_t)(num))\n\n#else\n#error \"Unknown byte order\"\n#endif\n\n\nbool match_str_either(lpi_data_t *data, const char *string);\nbool match_str_both(lpi_data_t *data, const char *string1,\n        const char *string2);\nbool match_chars_either(lpi_data_t *data, char a, char b, char c,\n        char d);\nbool match_payload_length(uint32_t payload, uint32_t payload_len);\nbool match_ip_address_both(lpi_data_t *data);\nbool match_file_header(uint32_t payload);\nbool match_http_request(uint32_t payload, uint32_t len);\nbool valid_http_port(lpi_data_t *data);\nbool match_ssl(lpi_data_t *data);\nbool match_dns(lpi_data_t *data);\nbool match_tds_request(uint32_t payload, uint32_t len);\nbool match_8000_payload(uint32_t payload, uint32_t len);\nbool match_youku_payload(uint32_t payload, uint32_t len);\nbool match_emule(lpi_data_t *data);\nbool match_kaspersky(lpi_data_t *data);\nbool match_tpkt(uint32_t payload, uint32_t len);\nbool match_qqlive_payload(uint32_t payload, uint32_t len);\nbool match_yy_payload(uint32_t payload, uint32_t len);\n#endif\n"
  },
  {
    "path": "lib/proto_manager.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include \"config.h\"\n\n#include <glob.h>\n#include <dlfcn.h>\n\n#include \"proto_manager.h\"\n#include \"tcp/tcp_protocols.h\"\n#include \"udp/udp_protocols.h\"\n\nvoid register_protocol(lpi_module_t *mod, LPIModuleMap *mod_map) {\n\tLPIModuleMap::iterator it;\n\tLPIModuleList *ml;\n\n\tit = mod_map->find(mod->priority); \n\n\tif (it == mod_map->end()) {\n\t\t(*mod_map)[mod->priority] = new LPIModuleList();\n\t\t\n\t\tit = mod_map->find(mod->priority);\n\t}\n\t\n\tml = it->second;\n\tml->push_back(mod);\n\n\n}\n\nvoid free_protocols(LPIModuleMap *mod_map) {\n\n\tLPIModuleMap::iterator it;\n\tLPIModuleList *ml;\n\n\tfor (it = mod_map->begin(); it != mod_map->end(); it ++) {\n\t\tml = it->second;\n\n\t\tml->clear();\n\t\tdelete(ml);\n\t}\n\tmod_map->clear();\n}\n\nint register_tcp_protocols(LPIModuleMap *mod_map) 
{\n\n\tregister_300heroes(mod_map);\n\tregister_360safeguard(mod_map);\n\tregister_4d(mod_map);\n\tregister_acestream(mod_map);\n\tregister_afp(mod_map);\n\tregister_airdroid(mod_map);\n\tregister_airmedia(mod_map);\n\tregister_akamai_tcp(mod_map);\n\tregister_amp(mod_map);\n\tregister_antcoin(mod_map);\n\tregister_appearin(mod_map);\n\tregister_apple_push(mod_map);\n\tregister_ares(mod_map);\n\tregister_badbaidu(mod_map);\n\tregister_baofeng_tcp(mod_map);\n\tregister_beam(mod_map);\n\tregister_bitcoin(mod_map);\n\tregister_bitextend(mod_map);\n\tregister_bittorrent(mod_map);\n\tregister_blackdesert(mod_map);\n\tregister_blizzard(mod_map);\n\tregister_btsync(mod_map);\n\tregister_bwsyncandshare(mod_map);\n\tregister_cacaoweb(mod_map);\n\tregister_cgp(mod_map);\n\tregister_chatango(mod_map);\n\tregister_cisco_vpn(mod_map);\n\tregister_clashofclans(mod_map);\n\tregister_classin_tcp(mod_map);\n\tregister_clubbox(mod_map);\n\tregister_cod_waw(mod_map);\n\tregister_conquer(mod_map);\n\tregister_crashplan(mod_map);\n\tregister_crossfire_tcp(mod_map);\n\tregister_cryptic(mod_map);\n\tregister_cvs(mod_map);\n\tregister_dahua_tcp(mod_map);\n\tregister_dash(mod_map);\n\tregister_dell_backup(mod_map);\n\tregister_destiny(mod_map);\n\tregister_diablo3(mod_map);\n\tregister_dianping_tcp(mod_map);\n\tregister_directconnect(mod_map);\n\tregister_dnf(mod_map);\n\tregister_dns_tcp(mod_map);\n\tregister_dogecoin(mod_map);\n\tregister_douyu(mod_map);\n\tregister_douyu_chat(mod_map);\n\tregister_duelingnetwork(mod_map);\n\tregister_dvrns(mod_map);\n\tregister_dxp(mod_map);\n\tregister_ea_games(mod_map);\n\tregister_emule(mod_map);\n\tregister_ethernetip(mod_map);\n\tregister_eye(mod_map);\n\tregister_facebook_turn(mod_map);\n\tregister_fb_message(mod_map);\n\tregister_fbcdn_ssl(mod_map);\n\tregister_ffxiv(mod_map);\n\tregister_filenori(mod_map);\n\tregister_flash(mod_map);\n\tregister_fliggy(mod_map);\n\tregister_fring(mod_map);\n\tregister_ftpcontrol(mod_map);\n\tregister_ftpdata(mod_
map);\n\tregister_fuckcoin(mod_map);\n\tregister_funshion_tcp(mod_map);\n\tregister_gamespy_tcp(mod_map);\n\tregister_gcafe_updater(mod_map);\n\tregister_giop(mod_map);\n\tregister_git(mod_map);\n\tregister_glupteba(mod_map);\n\tregister_gnutella(mod_map);\n\tregister_goku(mod_map);\n\tregister_googlehangouts(mod_map);\n\tregister_graalonlineera(mod_map);\n\tregister_guildwars2(mod_map);\n\tregister_hamachi(mod_map);\n\tregister_harveys(mod_map);\n\tregister_hearthstone(mod_map);\n\tregister_hola(mod_map);\n\tregister_hots_tcp(mod_map);\n\tregister_http_badport(mod_map);\n\tregister_http(mod_map);\n\tregister_http_nonstandard(mod_map);\n\tregister_https(mod_map);\n\tregister_http_tunnel(mod_map);\n\tregister_ica(mod_map);\n\tregister_icep(mod_map);\n\tregister_id(mod_map);\n\tregister_idrivesync(mod_map);\n\tregister_ihexin(mod_map);\n\tregister_imap(mod_map);\n\tregister_imaps(mod_map);\n\tregister_imesh(mod_map);\n\tregister_invalid(mod_map);\n\tregister_invalid_bittorrent(mod_map);\n\tregister_invalid_http(mod_map);\n\tregister_invalid_pop(mod_map);\n\tregister_invalid_smtp(mod_map);\n\tregister_ipfs(mod_map);\n\tregister_ipop(mod_map);\n\tregister_ipsharkk(mod_map);\n\tregister_irc(mod_map);\n\tregister_java(mod_map);\n\tregister_jedi(mod_map);\n\tregister_jx3online(mod_map);\n\tregister_kakao(mod_map);\n\tregister_kankan_tcp(mod_map);\n\tregister_kaseya(mod_map);\n\tregister_kaspersky(mod_map);\n\tregister_kik(mod_map);\n\tregister_kingofglory_tcp(mod_map);\n\tregister_kuaibo(mod_map);\n\tregister_ldap(mod_map);\n\tregister_lifeforge(mod_map);\n\tregister_line(mod_map);\n\tregister_litecoin(mod_map);\n\tregister_llp2p(mod_map);\n\tregister_maplestory_china(mod_map);\n\tregister_maxicloud(mod_map);\n\tregister_message4u(mod_map);\n\tregister_minecraft(mod_map);\n\t//register_mitglieder(mod_map);\n\tregister_mms(mod_map);\n\tregister_mongo(mod_map);\n\tregister_mp2p(mod_map);\n\tregister_msn(mod_map);\n\tregister_msnc(mod_map);\n\tregister_msnv(mod_map);\n\tregis
ter_munin(mod_map);\n\tregister_mysql(mod_map);\n\t//register_mystery_8000(mod_map);\n\t//register_mystery_9000(mod_map);\n\t//register_mystery_conn(mod_map);\n\t//register_mystery_iG(mod_map);\n\t//register_mystery_pspr(mod_map);\n\t//register_mystery_rxxf(mod_map);\n\t//register_mystery_symantec(mod_map);\n\tregister_mzinga(mod_map);\n\tregister_naverp2p(mod_map);\n\tregister_ncsoft(mod_map);\n\tregister_ndt_tput(mod_map);\n\tregister_netbios(mod_map);\n\tregister_netcat_cctv(mod_map);\n\tregister_netmfp(mod_map);\n\tregister_nntp(mod_map);\n\tregister_nntps(mod_map);\n\tregister_nomachine(mod_map);\n\tregister_norton_backup(mod_map);\n\tregister_notes_rpc(mod_map);\n\tregister_tcp_no_payload(mod_map);\n\tregister_tcp_no_firstpkt(mod_map);\n\tregister_nsq(mod_map);\n\tregister_omegle(mod_map);\n\tregister_openvpn(mod_map);\n\tregister_ourworld(mod_map);\n\tregister_palringo(mod_map);\n\tregister_paltalk(mod_map);\n\tregister_pandatv(mod_map);\n\tregister_pando(mod_map);\n\tregister_pathofexile(mod_map);\n\tregister_pdbox(mod_map);\n\tregister_pop3(mod_map);\n\tregister_pop3s(mod_map);\n\tregister_postgresql(mod_map);\n\tregister_pptp(mod_map);\n\tregister_psn_store(mod_map);\n\tregister_qcloud_ilvb(mod_map);\n\tregister_qq_tcp(mod_map);\n\tregister_qqdownload(mod_map);\n\tregister_qqlive_tcp(mod_map);\n\tregister_qqspeedmobile_tcp(mod_map);\n\tregister_qvod(mod_map);\n        register_rabbitmq(mod_map);\n        register_ragnarokonline(mod_map);\n        
register_razor(mod_map);\n\tregister_rbls(mod_map);\n\tregister_rdp(mod_map);\n\tregister_realmofthemadgod(mod_map);\n\tregister_realvnc(mod_map);\n\tregister_rejection(mod_map);\n\tregister_relay(mod_map);\n\tregister_remote_manipulator(mod_map);\n\tregister_revolver_nblbt(mod_map);\n\tregister_rfb(mod_map);\n\tregister_rpcscan(mod_map);\n\tregister_rrtv(mod_map);\n\tregister_rsync(mod_map);\n\tregister_rtmp(mod_map);\n\tregister_rtsp(mod_map);\n\tregister_runescape(mod_map);\n\tregister_s7comm(mod_map);\n\tregister_saprouter(mod_map);\n\tregister_saszombieassault4(mod_map);\n\tregister_second_life(mod_map);\n\tregister_shoutcast(mod_map);\n\tregister_silkroadonline(mod_map);\n\tregister_sip(mod_map);\n\tregister_skyforge(mod_map);\n\tregister_skype_tcp(mod_map);\n\tregister_smb(mod_map);\n        register_smite_tcp(mod_map);\n\tregister_smtp(mod_map);\n\tregister_smtps(mod_map);\n\tregister_socks4(mod_map);\n\tregister_socks5(mod_map);\n\tregister_spdy(mod_map);\n\tregister_speedify(mod_map);\n\tregister_speedin(mod_map);\n\tregister_speedtest(mod_map);\n\tregister_spotify(mod_map);\n\tregister_ssh(mod_map);\n\tregister_ssjj(mod_map);\n\tregister_ssl(mod_map);\n\tregister_steam(mod_map);\n\tregister_stratum(mod_map);\n\tregister_stun_tcp(mod_map);\n\tregister_supl(mod_map);\n\tregister_svn(mod_map);\n\tregister_talesrunner(mod_map);\n\tregister_tankionline(mod_map);\n\tregister_tankix(mod_map);\n\tregister_taobao(mod_map);\n\tregister_tds(mod_map);\n\tregister_teamviewer(mod_map);\n\tregister_telecomkey(mod_map);\n\tregister_telegram(mod_map);\n\tregister_telnet(mod_map);\n\tregister_telnet_exploit(mod_map);\n\tregister_tencent_games(mod_map);\n\tregister_tenfivecoin(mod_map);\n\tregister_tensafe(mod_map);\n\tregister_tera(mod_map);\n\tregister_tetrisonline(mod_map);\n\tregister_thedivision(mod_map);\n\tregister_tip(mod_map);\n\tregister_tor(mod_map);\n\tregister_tpkt_generic(mod_map);\n\tregister_trackmania(mod_map);\n\tregister_transocks(mod_map);\n\tregister_tr
ion(mod_map);\n\tregister_trojan_win32_generic_sb(mod_map);\n\tregister_trojan_zeroaccess(mod_map);\n\tregister_twitcasting(mod_map);\n\tregister_twitch_irc(mod_map);\n\tregister_utherverse(mod_map);\n\tregister_vainglory(mod_map);\n\tregister_vhdp2p(mod_map);\n\tregister_viber(mod_map);\n\tregister_vmware(mod_map);\n\tregister_vodlocker(mod_map);\n\tregister_vpnrobot_tcp(mod_map);\n\tregister_vpnunlimited_tcp(mod_map);\n\tregister_warcraft3(mod_map);\n\tregister_web_junk(mod_map);\n\tregister_webex_stun(mod_map);\n\tregister_weblogic(mod_map);\n\tregister_wechat(mod_map);\n\tregister_weibo(mod_map);\n\tregister_weiqi(mod_map);\n\tregister_whatsapp(mod_map);\n\tregister_whois(mod_map);\n\tregister_winmx(mod_map);\n\tregister_wizard101(mod_map);\n\tregister_wns(mod_map);\n\tregister_wow(mod_map);\n\tregister_wuala(mod_map);\n\tregister_xiami(mod_map);\n\tregister_xmpp(mod_map);\n\tregister_xmpps(mod_map);\n\tregister_xunlei(mod_map);\n\tregister_xunlei_accel(mod_map);\n\tregister_xymon(mod_map);\n\tregister_yahoo(mod_map);\n\tregister_yahoo_error(mod_map);\n\tregister_yahoo_games(mod_map);\n\tregister_yahoo_webcam(mod_map);\n\tregister_youku_tcp(mod_map);\n\tregister_yy_tcp(mod_map);\n\tregister_zabbix(mod_map);\n\tregister_zero_facebook(mod_map);\n\tregister_zoom_tcp(mod_map);\n\tregister_zynga(mod_map);\n\treturn 0;\n}\n\nint register_udp_protocols(LPIModuleMap *mod_map) 
{\n\n\tregister_360cn(mod_map);\n\tregister_360p2p(mod_map);\n\tregister_aachen_udp(mod_map);\n\tregister_acercloud(mod_map);\n\tregister_akamai(mod_map);\n\tregister_akamai_transfer(mod_map);\n\tregister_amanda(mod_map);\n\tregister_apple_facetime_init(mod_map);\n\tregister_ard(mod_map);\n\tregister_ares_udp(mod_map);\n\tregister_arksurvival(mod_map);\n\tregister_arma_server(mod_map);\n\tregister_arma3_server(mod_map);\n\tregister_artcp(mod_map);\n\tregister_assettocorsa(mod_map);\n\tregister_avast_secure_dns(mod_map);\n\tregister_bacnet(mod_map);\n\tregister_backweb(mod_map);\n\tregister_baiduyun_p2p(mod_map);\n\tregister_baofeng_udp(mod_map);\n\tregister_battlefield(mod_map);\n\tregister_bjnp(mod_map);\n\tregister_bmdp(mod_map);\n\tregister_btsync_udp(mod_map);\n\tregister_cacaoweb_udp(mod_map);\n\tregister_canon_mfnp(mod_map);\n\tregister_callofduty(mod_map);\n\tregister_chargen_exploit(mod_map);\n\tregister_checkpoint_rdp(mod_map);\n\tregister_chivalry(mod_map);\n        register_ethernetip_udp(mod_map);\n\tregister_cip_io(mod_map);\n\tregister_cirn(mod_map);\n\tregister_cisco_ipsec(mod_map);\n\tregister_cisco_sslvpn(mod_map);\n\tregister_classin_udp(mod_map);\n\tregister_cloudflare_warp(mod_map);\n\tregister_codmobile(mod_map);\n\tregister_combatarms(mod_map);\n\tregister_combatarms_p2p(mod_map);\n\tregister_contract_wars(mod_map);\n\tregister_crossfire(mod_map);\n\tregister_crossout(mod_map);\n\tregister_csgo(mod_map);\n\tregister_csoriginal(mod_map);\n\tregister_dahua(mod_map);\n\tregister_db2(mod_map);\n\tregister_dcc_udp(mod_map);\n\tregister_demonware(mod_map);\n\tregister_destiny_udp(mod_map);\n\tregister_dhcp(mod_map);\n\tregister_dht_dict(mod_map);\n\tregister_dht_other(mod_map);\n\tregister_diablo2(mod_map);\n\tregister_dianping_udp(mod_map);\n\tregister_dianshijia(mod_map);\n\tregister_directconnect_udp(mod_map);\n\tregister_discord(mod_map);\n\tregister_dns_udp(mod_map);\n\tregister_dota2(mod_map);\n\tregister_doyo(mod_map);\n\tregister_driveshare(m
od_map);\n\tregister_dtls(mod_map);\n\tregister_emule_udp(mod_map);\n\t//register_emule_weak_udp(mod_map);\n\tregister_epson(mod_map);\n\t//register_eso(mod_map);\n\tregister_esp_encap(mod_map);\n\tregister_eye_udp(mod_map);\n\tregister_fasp(mod_map);\n\tregister_feitwo(mod_map);\n\tregister_forticlient_sslvpn(mod_map);\n\tregister_fortinet(mod_map);\n\tregister_foscam(mod_map);\n\tregister_freechal(mod_map);\n\tregister_freefire(mod_map);\n\tregister_funshion_udp(mod_map);\n\tregister_gamespy(mod_map);\n\tregister_ganglia(mod_map);\n\tregister_gangsofspace(mod_map);\n\tregister_garena(mod_map);\n\tregister_gearsofwar(mod_map);\n\tregister_gnutella_udp(mod_map);\n\tregister_gnutella2_udp(mod_map);\n\tregister_gnutella_weak(mod_map);\n\tregister_gotomeeting(mod_map);\n\tregister_gprs_tunnel(mod_map);\n\tregister_gsm(mod_map);\n\tregister_h1z1(mod_map);\n\tregister_halflife(mod_map);\n\tregister_haloonline(mod_map);\n\tregister_hamachi_udp(mod_map);\n\tregister_heliborne(mod_map);\n\tregister_heroesevolved(mod_map);\n\tregister_heroes_generals(mod_map);\n\tregister_hollachat(mod_map);\n\tregister_hots(mod_map);\n\tregister_icp(mod_map);\n\tregister_imesh_udp(mod_map);\n\tregister_ipmsg(mod_map);\n\t//register_ipv6_udp(mod_map);\n\tregister_isakmp(mod_map);\n\tregister_jedi_academy(mod_map);\n\tregister_jedi_udp(mod_map);\n\tregister_kademlia(mod_map);\n\tregister_kankan(mod_map);\n\tregister_kaspersky_udp(mod_map);\n\tregister_kazaa(mod_map);\n\tregister_kingofglory_udp(mod_map);\n\tregister_kugou(mod_map);\n\tregister_l2tp(mod_map);\n\tregister_lansync_udp(mod_map);\n\tregister_ldap_ad(mod_map);\n\tregister_line_udp(mod_map);\n\tregister_linkproof(mod_map);\n\tregister_loadout(mod_map);\n\tregister_lol(mod_map);\n\tregister_mdns(mod_map);\n\tregister_merakicloud(mod_map);\n\tregister_moh(mod_map);\n\tregister_moonhunters(mod_map);\n\tregister_mp2p_udp(mod_map);\n\tregister_msn_cache(mod_map);\n\tregister_msn_video(mod_map);\n\tregister_msoffice_mac(mod_map);\n\tregis
ter_mta(mod_map);\n\t//register_mystery_05(mod_map);\n\t//register_mystery_0660(mod_map);\n\t//register_mystery_0d(mod_map);\n\t//register_mystery_45(mod_map);\n\t//register_mystery_61_72(mod_map);\n\t//register_mystery_8000_udp(mod_map);\n\t//register_mystery_99(mod_map);\n\t//register_mystery_e9(mod_map);\n\t//register_mystery_qq(mod_map);\n\tregister_n2ping(mod_map);\n\tregister_natpmp(mod_map);\n\tregister_netbios_udp(mod_map);\n\tregister_netcat_cctv_udp(mod_map);\n\tregister_netcore_scan(mod_map);\n\tregister_netflow(mod_map);\n\tregister_newerth(mod_map);\n\tregister_nintendo(mod_map);\n\tregister_noction(mod_map);\n\tregister_noe(mod_map);\n\tregister_norton(mod_map);\n\tregister_ntp(mod_map);\n\tregister_ntp_reflect(mod_map);\n\tregister_nwn(mod_map);\n\tregister_nvidia_gamestream(mod_map);\n\tregister_opaserv(mod_map);\n\tregister_openvpn_udp(mod_map);\n\tregister_orbit_udp(mod_map);\n\tregister_overwatch(mod_map);\n\tregister_paladins(mod_map);\n\tregister_pando_udp(mod_map);\n\tregister_panipani(mod_map);\n\tregister_planetside2(mod_map);\n\tregister_portmap_rpc(mod_map);\n\tregister_pplive(mod_map);\n\tregister_ppstream(mod_map);\n\t//register_probable_gnutella(mod_map);\n\tregister_ps4_remoteplay(mod_map);\n\tregister_psn(mod_map);\n\tregister_punkbuster(mod_map);\n\tregister_pyzor(mod_map);\n\tregister_qq(mod_map);\n\tregister_qqlive(mod_map);\n\tregister_qqpcmgr(mod_map);\n\tregister_qqspeedmobile_udp(mod_map);\n\tregister_quake(mod_map);\n\tregister_quic(mod_map);\n\tregister_qvod_udp(mod_map);\n\tregister_radius(mod_map);\n\tregister_ramsey_dash(mod_map);\n\tregister_rdp_udp(mod_map);\n\tregister_real(mod_map);\n\tregister_risingstorm(mod_map);\n\tregister_raknet(mod_map);\n\tregister_robocraft(mod_map);\n\tregister_rocket_league(mod_map);\n\tregister_rrshare(mod_map);\n\tregister_rtcp(mod_map);\n\tregister_rtmfp(mod_map);\n\tregister_rtp(mod_map);\n\tregister_rulesofsurvival(mod_map);\n\tregister_sanandreas_mp(mod_map);\n\tregister_second_life_udp
(mod_map);\n\tregister_serialnumberd(mod_map);\n\tregister_sip_udp(mod_map);\n\tregister_skype(mod_map);\n\tregister_slp(mod_map);\n        register_smite(mod_map);\n\tregister_snapvpn(mod_map);\n\tregister_snmp(mod_map);\n\tregister_sopcast(mod_map);\n\tregister_spamfighter(mod_map);\n\tregister_spotify_bcast(mod_map);\n\tregister_sql_worm(mod_map);\n\tregister_ssdp(mod_map);\n\tregister_starcitizen(mod_map);\n\tregister_starcraft(mod_map);\n\tregister_starleaf(mod_map);\n\tregister_steamfriends(mod_map);\n\tregister_steam_localbroadcast(mod_map);\n\tregister_steam_inhomebroadcast(mod_map);\n\tregister_steam_udp(mod_map);\n\tregister_storm_worm(mod_map);\n\tregister_stun(mod_map);\n\tregister_syslog(mod_map);\n\tregister_talesrunner_udp(mod_map);\n\tregister_teamspeak(mod_map);\n\tregister_teamviewer_udp(mod_map);\n\tregister_teredo(mod_map);\n\tregister_tf2(mod_map);\n\tregister_tftp(mod_map);\n\tregister_thecrew(mod_map);\n\tregister_thq(mod_map);\n\tregister_torchlight2(mod_map);\n\tregister_tox(mod_map);\n\tregister_traceroute(mod_map);\n\tregister_tremulous(mod_map);\n\tregister_turbovpn(mod_map);\n\tregister_tvants(mod_map);\n\tregister_ubisoft_games(mod_map);\n\tregister_udp_no_payload(mod_map);\n\tregister_umeye(mod_map);\n\tregister_unreal(mod_map);\n\tregister_ventrilo(mod_map);\n\tregister_viber_udp(mod_map);\n\tregister_vivox(mod_map);\n\tregister_vpnmaster(mod_map);\n\tregister_vpnrobot_udp(mod_map);\n\tregister_vxworks_exploit(mod_map);\n\tregister_warthunder(mod_map);\n\tregister_webex(mod_map);\n\tregister_wechat_udp(mod_map);\n\tregister_winmessage(mod_map);\n\tregister_wireguard(mod_map);\n\tregister_wolfet(mod_map);\n\tregister_worm_22105(mod_map);\n\tregister_xfire_p2p(mod_map);\n\tregister_xlsp(mod_map);\n\tregister_xunlei_jsq(mod_map);\n\tregister_xunlei_udp(mod_map);\n\tregister_xunyou(mod_map);\n\tregister_youdao_dict(mod_map);\n\tregister_youku_udp(mod_map);\n\tregister_yuanfudao(mod_map);\n\tregister_yy_udp(mod_map);\n\tregister_zalo_call(
mod_map);\n\tregister_zeroaccess_udp(mod_map);\n\tregister_zoom(mod_map);\n\treturn 0;\n}\n\nstatic void register_list_names(LPIModuleList *ml, LPINameMap *names, LPIProtocolMap *protos,\n\tLPICategoryProtocolMap *category_protocols) {\n\tLPIModuleList::iterator it; \n\n\tfor (it = ml->begin(); it != ml->end(); it ++) {\n\t\tlpi_module_t *mod = *it;\n\n\t\t(*names)[mod->protocol] = mod->name;\n                (*protos)[std::string(mod->name)] = mod->protocol;\n\t\t(*category_protocols)[mod->protocol] = mod->category;\n\t}\n\n}\n\nvoid register_names(LPIModuleMap *mods, LPINameMap *names, LPIProtocolMap *protocols,\n\tLPICategoryProtocolMap *category_protocols) {\n\n\tLPIModuleMap::iterator it;\n\n\tfor (it = mods->begin(); it != mods->end(); it ++) {\n\t\tregister_list_names(it->second, names, protocols, category_protocols);\n\t}\n\n}\n\nvoid register_category_names(LPICategoryMap *categories) {\n\n\tint i;\n\n\tfor (i = 0; i < LPI_CATEGORY_LAST; i++) {\n\t\t(*categories)[std::string(lpi_print_category((lpi_category_t)i))] = (lpi_category_t)i;\n\t}\n}\n\nvoid init_other_protocols(LPINameMap *name_map, LPIProtocolMap *proto_map,\n\tLPICategoryProtocolMap *category_protocols) {\n\n\tlpi_icmp = new lpi_module_t;\n\n\tlpi_icmp->protocol = LPI_PROTO_ICMP;\n\tlpi_icmp->category = LPI_CATEGORY_ICMP;\n\tlpi_icmp->name = \"ICMP\";\n\tlpi_icmp->priority = 255;\n\tlpi_icmp->lpi_callback = NULL;\n\t(*name_map)[lpi_icmp->protocol] = lpi_icmp->name;\n        (*proto_map)[std::string(lpi_icmp->name)] = lpi_icmp->protocol;\n\t(*category_protocols)[lpi_icmp->protocol] = lpi_icmp->category;\n\n\tlpi_unknown_tcp = new lpi_module_t;\n\n\tlpi_unknown_tcp->protocol = LPI_PROTO_UNKNOWN;\n\tlpi_unknown_tcp->category = LPI_CATEGORY_UNKNOWN;\n\tlpi_unknown_tcp->name = \"Unknown_TCP\";\n\tlpi_unknown_tcp->priority = 255;\n\tlpi_unknown_tcp->lpi_callback = NULL;\n\t(*name_map)[lpi_unknown_tcp->protocol] = lpi_unknown_tcp->name;\n\t(*proto_map)[std::string(lpi_unknown_tcp->name)] = 
lpi_unknown_tcp->protocol;\n\t(*category_protocols)[lpi_unknown_tcp->protocol] = lpi_unknown_tcp->category;\n\n\tlpi_unknown_udp = new lpi_module_t;\n\n\tlpi_unknown_udp->protocol = LPI_PROTO_UDP;\n\tlpi_unknown_udp->category = LPI_CATEGORY_UNKNOWN;\n\tlpi_unknown_udp->name = \"Unknown_UDP\";\n\tlpi_unknown_udp->priority = 255;\n\tlpi_unknown_udp->lpi_callback = NULL;\n\t(*name_map)[lpi_unknown_udp->protocol] = lpi_unknown_udp->name;\n        (*proto_map)[std::string(lpi_unknown_udp->name)] = lpi_unknown_udp->protocol;\n\t(*category_protocols)[lpi_unknown_udp->protocol] = lpi_unknown_udp->category;\n\n\tlpi_unsupported = new lpi_module_t;\n\n\tlpi_unsupported->protocol = LPI_PROTO_UNSUPPORTED;\n\tlpi_unsupported->category = LPI_CATEGORY_UNSUPPORTED;\n\tlpi_unsupported->name = \"Unsupported\";\n\tlpi_unsupported->priority = 255;\n\tlpi_unsupported->lpi_callback = NULL;\n\t(*name_map)[lpi_unsupported->protocol] = lpi_unsupported->name;\n        (*proto_map)[std::string(lpi_unsupported->name)] = lpi_unsupported->protocol;\n\t(*category_protocols)[lpi_unsupported->protocol] = lpi_unsupported->category;\n}\n\n"
  },
  {
    "path": "lib/proto_manager.h",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n\n#ifndef PROTO_MANAGER_H_\n#define PROTO_MANAGER_H_\n\n#include <list>\n#include <vector>\n#include <map>\n#include <string>\n\n#include \"libprotoident.h\"\n\ntypedef std::list<lpi_module_t *> LPIModuleList;\ntypedef std::map<uint8_t, LPIModuleList *> LPIModuleMap;\ntypedef std::map<lpi_protocol_t, const char *> LPINameMap;\ntypedef std::map<std::string, lpi_protocol_t> LPIProtocolMap;\ntypedef std::map<std::string, lpi_category_t> LPICategoryMap;\ntypedef std::map<lpi_protocol_t, lpi_category_t> LPICategoryProtocolMap;\n\nvoid register_protocol(lpi_module_t *mod, LPIModuleMap *mod_map);\nint register_tcp_protocols(LPIModuleMap *mod_map);\nint register_udp_protocols(LPIModuleMap *mod_map);\nvoid register_names(LPIModuleMap *mod_map, LPINameMap *name_map, LPIProtocolMap *proto_map,\n\tLPICategoryProtocolMap *category_protocols);\nvoid register_category_names(LPICategoryMap *categories);\nvoid init_other_protocols(LPINameMap *name_map, LPIProtocolMap 
*proto_map,\n\tLPICategoryProtocolMap *category_protocols);\nvoid free_protocols(LPIModuleMap *mod_map);\n\n\nextern lpi_module_t *lpi_icmp;\nextern lpi_module_t *lpi_unknown_tcp;\nextern lpi_module_t *lpi_unknown_udp;\nextern lpi_module_t *lpi_unsupported;\n\n#endif\n"
  },
  {
    "path": "lib/tcp/Makefile.am",
    "content": "noinst_LTLIBRARIES = libprotoident_tcp.la\nlibprotoident_tcp_la_SOURCES = \\\n\tlpi_300heroes.cc \\\n\tlpi_360safeguard.cc \\\n\tlpi_4d.cc \\\n\tlpi_acestream.cc \\\n\tlpi_afp.cc \\\n\tlpi_airdroid.cc \\\n\tlpi_airmedia.cc \\\n\tlpi_akamai.cc \\\n\tlpi_amp.cc \\\n\tlpi_antcoin.cc \\\n\tlpi_appearin.cc \\\n\tlpi_apple_push.cc \\\n\tlpi_ares.cc \\\n\tlpi_badbaidu.cc \\\n\tlpi_baofeng_tcp.cc \\\n\tlpi_beam.cc \\\n\tlpi_bitcoin.cc \\\n\tlpi_bitextend.cc \\\n\tlpi_bittorrent.cc \\\n\tlpi_blackdesert.cc \\\n\tlpi_blizzard.cc \\\n\tlpi_btsync.cc \\\n\tlpi_bwsyncandshare.cc \\\n\tlpi_cacaoweb.cc \\\n\tlpi_cgp.cc \\\n\tlpi_chatango.cc \\\n\tlpi_cisco_vpn.cc \\\n\tlpi_clashofclans.cc \\\n\tlpi_classin_tcp.cc \\\n\tlpi_clubbox.cc \\\n\tlpi_cod_waw.cc \\\n\tlpi_conquer.cc \\\n\tlpi_crashplan.cc \\\n\tlpi_crossfire_tcp.cc \\\n\tlpi_cryptic.cc \\\n\tlpi_cvs.cc \\\n\tlpi_dahua_tcp.cc \\\n\tlpi_dash.cc \\\n\tlpi_dell_backup.cc \\\n\tlpi_destiny.cc \\\n\tlpi_diablo3.cc \\\n\tlpi_dianping_tcp.cc \\\n\tlpi_directconnect.cc \\\n\tlpi_dnf.cc \\\n\tlpi_dns.cc \\\n\tlpi_dogecoin.cc \\\n\tlpi_douyu.cc \\\n\tlpi_douyu_chat.cc \\\n\tlpi_duelingnetwork.cc \\\n\tlpi_dvrns.cc \\\n\tlpi_dxp.cc \\\n\tlpi_ea_games.cc \\\n\tlpi_emule.cc \\\n\tlpi_ethernetip.cc \\\n\tlpi_eye.cc \\\n\tlpi_facebook_turn.cc \\\n\tlpi_fb_message.cc \\\n\tlpi_fbcdn_ssl.cc \\\n\tlpi_ffxiv.cc \\\n\tlpi_filenori.cc \\\n\tlpi_flash.cc \\\n\tlpi_fliggy.cc \\\n\tlpi_fring.cc \\\n\tlpi_ftpcontrol.cc \\\n\tlpi_ftpdata.cc \\\n\tlpi_fuckcoin.cc \\\n\tlpi_funshion.cc \\\n\tlpi_gamespy.cc \\\n\tlpi_gcafe_updater.cc \\\n\tlpi_giop.cc \\\n\tlpi_git.cc \\\n\tlpi_glupteba.cc \\\n\tlpi_gnutella.cc \\\n\tlpi_goku.cc \\\n\tlpi_googlehangouts.cc \\\n\tlpi_graalonlineera.cc \\\n\tlpi_guildwars2.cc \\\n\tlpi_hamachi.cc \\\n\tlpi_harveys.cc \\\n\tlpi_hearthstone.cc \\\n\tlpi_hola.cc \\\n\tlpi_hots_tcp.cc \\\n\tlpi_http_badport.cc \\\n\tlpi_http.cc \\\n\tlpi_http_nonstandard.cc \\\n\tlpi_https.cc \\\n\tlpi_http_tunnel.cc 
\\\n\tlpi_ica.cc \\\n\tlpi_icep.cc \\\n\tlpi_id.cc \\\n\tlpi_idrivesync.cc \\\n\tlpi_ihexin.cc \\\n\tlpi_imap.cc \\\n\tlpi_imaps.cc \\\n\tlpi_imesh.cc \\\n\tlpi_invalid.cc \\\n\tlpi_invalid_bittorrent.cc \\\n\tlpi_invalid_http.cc \\\n\tlpi_invalid_pop.cc \\\n\tlpi_invalid_smtp.cc \\\n\tlpi_ipfs.cc \\\n\tlpi_ipop.cc \\\n\tlpi_ipsharkk.cc \\\n\tlpi_irc.cc \\\n\tlpi_java.cc \\\n\tlpi_jedi.cc \\\n\tlpi_jx3online.cc \\\n\tlpi_kakao.cc \\\n\tlpi_kankan_tcp.cc \\\n\tlpi_kaseya.cc \\\n\tlpi_kaspersky.cc \\\n\tlpi_kik.cc \\\n\tlpi_kingofglory_tcp.cc \\\n\tlpi_kuaibo.cc \\\n\tlpi_ldap.cc \\\n\tlpi_lifeforge.cc \\\n\tlpi_line.cc \\\n\tlpi_litecoin.cc \\\n\tlpi_llp2p.cc \\\n\tlpi_maplestory_china.cc \\\n\tlpi_maxicloud.cc \\\n\tlpi_message4u.cc \\\n\tlpi_minecraft.cc \\\n\tlpi_mitglieder.cc \\\n\tlpi_mms.cc \\\n\tlpi_mongo.cc \\\n\tlpi_mp2p.cc \\\n\tlpi_msn.cc \\\n\tlpi_msnc.cc \\\n\tlpi_msnv.cc \\\n\tlpi_munin.cc \\\n\tlpi_mysql.cc \\\n\tlpi_mystery_8000.cc \\\n\tlpi_mystery_9000.cc \\\n\tlpi_mystery_conn.cc \\\n\tlpi_mystery_iG.cc \\\n\tlpi_mystery_pspr.cc \\\n\tlpi_mystery_rxxf.cc \\\n\tlpi_mystery_symantec.cc \\\n\tlpi_mzinga.cc \\\n\tlpi_naverp2p.cc \\\n\tlpi_ncsoft.cc \\\n\tlpi_ndt_tput.cc \\\n\tlpi_netbios.cc \\\n\tlpi_netcat_cctv.cc \\\n\tlpi_netmfp.cc \\\n\tlpi_nntp.cc \\\n\tlpi_nntps.cc \\\n\tlpi_nomachine.cc \\\n\tlpi_nopayload.cc \\\n\tlpi_nofirstpkt.cc \\\n\tlpi_norton_backup.cc \\\n\tlpi_notes_rpc.cc \\\n\tlpi_nsq.cc \\\n\tlpi_omegle.cc \\\n\tlpi_openvpn.cc \\\n\tlpi_ourworld.cc \\\n\tlpi_palringo.cc \\\n\tlpi_paltalk.cc \\\n\tlpi_pandatv.cc \\\n\tlpi_pando.cc \\\n\tlpi_pathofexile.cc \\\n\tlpi_pdbox.cc \\\n\tlpi_pop3.cc \\\n\tlpi_pop3s.cc \\\n\tlpi_postgresql.cc \\\n\tlpi_pptp.cc \\\n\tlpi_psn_store.cc \\\n\tlpi_qcloud_ilvb.cc \\\n\tlpi_qq_tcp.cc \\\n\tlpi_qqdownload.cc \\\n\tlpi_qqlive_tcp.cc \\\n\tlpi_qqspeedmobile_tcp.cc \\\n\tlpi_qvod.cc \\\n        lpi_rabbitmq.cc \\\n        lpi_ragnarokonline.cc \\\n        lpi_razor.cc \\\n\tlpi_rbls.cc \\\n\tlpi_rdp.cc 
\\\n\tlpi_realmofthemadgod.cc \\\n\tlpi_realvnc.cc \\\n\tlpi_rejection.cc \\\n\tlpi_relay.cc \\\n\tlpi_remote_manipulator.cc \\\n\tlpi_revolver_nblbt.cc \\\n\tlpi_rfb.cc \\\n\tlpi_rpcscan.cc \\\n\tlpi_rrtv.cc \\\n\tlpi_rsync.cc \\\n\tlpi_rtmp.cc \\\n\tlpi_rtsp.cc \\\n\tlpi_runescape.cc \\\n\tlpi_s7comm.cc \\\n\tlpi_saprouter.cc \\\n\tlpi_saszombieassault4.cc \\\n\tlpi_second_life.cc \\\n\tlpi_shoutcast.cc \\\n\tlpi_silkroadonline.cc \\\n\tlpi_sip.cc \\\n\tlpi_skyforge.cc \\\n\tlpi_skype_tcp.cc \\\n\tlpi_smb.cc \\\n\tlpi_smite_tcp.cc \\\n\tlpi_smtp.cc \\\n\tlpi_smtps.cc \\\n\tlpi_socks4.cc \\\n\tlpi_socks5.cc \\\n\tlpi_spdy.cc \\\n\tlpi_speedify.cc \\\n\tlpi_speedin.cc \\\n\tlpi_speedtest.cc \\\n\tlpi_spotify.cc \\\n\tlpi_ssh.cc \\\n\tlpi_ssjj.cc \\\n\tlpi_ssl.cc \\\n\tlpi_steam.cc \\\n\tlpi_stratum.cc \\\n\tlpi_stun.cc \\\n\tlpi_supl.cc \\\n\tlpi_svn.cc \\\n\tlpi_talesrunner.cc \\\n\tlpi_tankionline.cc \\\n\tlpi_tankix.cc \\\n\tlpi_taobao.cc \\\n\tlpi_tds.cc \\\n\tlpi_teamviewer.cc \\\n\tlpi_telecomkey.cc \\\n\tlpi_telegram.cc \\\n\tlpi_telnet.cc \\\n\tlpi_telnet_exploit.cc \\\n\tlpi_tencent_games.cc \\\n\tlpi_tenfivecoin.cc \\\n\tlpi_tensafe.cc \\\n\tlpi_tera.cc \\\n\tlpi_tetrisonline.cc \\\n\tlpi_thedivision.cc \\\n\tlpi_tip.cc \\\n\tlpi_tor.cc \\\n\tlpi_tpkt.cc \\\n\tlpi_trackmania.cc \\\n\tlpi_transocks.cc \\\n\tlpi_trion.cc \\\n\tlpi_trojan_win32_generic_sb.cc \\\n\tlpi_trojan_zeroaccess.cc \\\n\tlpi_twitcasting.cc \\\n\tlpi_twitch_irc.cc \\\n\tlpi_utherverse.cc \\\n\tlpi_vainglory.cc \\\n\tlpi_vhdp2p.cc \\\n\tlpi_viber.cc \\\n\tlpi_vmware.cc \\\n\tlpi_vodlocker.cc \\\n\tlpi_vpnrobot_tcp.cc \\\n\tlpi_vpnunlimited_tcp.cc \\\n\tlpi_warcraft3.cc \\\n\tlpi_web_junk.cc \\\n\tlpi_webex_stun.cc \\\n\tlpi_weblogic.cc \\\n\tlpi_wechat.cc \\\n\tlpi_weibo.cc \\\n\tlpi_weiqi.cc \\\n\tlpi_whatsapp.cc \\\n\tlpi_whois.cc \\\n\tlpi_winmx.cc \\\n\tlpi_wizard101.cc \\\n\tlpi_wns.cc \\\n\tlpi_wow.cc \\\n\tlpi_wuala.cc \\\n\tlpi_xiami.cc \\\n\tlpi_xmpp.cc \\\n\tlpi_xmpps.cc 
\\\n\tlpi_xunlei.cc \\\n\tlpi_xunlei_accel.cc \\\n\tlpi_xymon.cc \\\n\tlpi_yahoo.cc \\\n\tlpi_yahoo_error.cc \\\n\tlpi_yahoo_games.cc \\\n\tlpi_yahoo_webcam.cc \\\n\tlpi_youku.cc \\\n\tlpi_yy_tcp.cc \\\n\tlpi_zabbix.cc \\\n\tlpi_zero.cc \\\n\tlpi_zoom_tcp.cc \\\n\tlpi_zynga.cc \n\nEXTRA_DIST=tcp_protocols.h\n\nlibprotoident_tcp_la_CFLAGS=-I\"$(top_srcdir)/lib\"\nlibprotoident_tcp_la_CPPFLAGS=-I\"$(top_srcdir)/lib\"\nINCLUDES=@ADD_INCLS@\n\n"
  },
  {
    "path": "lib/tcp/lpi_300heroes.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Yet another Chinese LoL clone */\n\nstatic inline bool match_heroes_c1(uint32_t payload, uint32_t len) {\n        if (len == 12 && MATCH(payload, 0xc1, 0x0c, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_heroes_c2(uint32_t payload, uint32_t len) {\n        if (len == 15 && MATCH(payload, 0xc2, 0x0f, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_heroes_db(uint32_t payload, uint32_t len) {\n        if (len == 22 && MATCH(payload, 0xdb, 0x16, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_heroes_e7(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0xe7, 0x2a, 0x00, 0x00)) {\n                if (len >= 185 && len <= 200)\n                        return true;\n        }\n        return 
false;\n}\n\nstatic inline bool match_300heroes(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_heroes_c1(data->payload[0], data->payload_len[0])) {\n                if (match_heroes_c2(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_heroes_c1(data->payload[1], data->payload_len[1])) {\n                if (match_heroes_c2(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_heroes_db(data->payload[0], data->payload_len[0])) {\n                if (match_heroes_e7(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_heroes_db(data->payload[1], data->payload_len[1])) {\n                if (match_heroes_e7(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_300heroes = {\n\tLPI_PROTO_300_HEROES,\n\tLPI_CATEGORY_GAMING,\n\t\"300Heroes\",\n\t101,\n\tmatch_300heroes\n};\n\nvoid register_300heroes(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_300heroes, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_360safeguard.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_360_a1req(uint32_t payload, uint32_t len) {\n\n        if (len != 63)\n                return false;\n        if (MATCH(payload, 0xa1, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_360_a1resp(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0xa1, 0x82, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_360_03req(uint32_t payload, uint32_t len) {\n\n        uint32_t hdrlen = (ntohl(payload) & 0xffff);\n\n        if (!MATCH(payload, 0x00, 0x03, 0x00, ANY))\n                return false;\n        if (len - 8 == hdrlen)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_360_03resp(uint32_t payload, uint32_t len) {\n\n        if (len != 8)\n                return false;\n        
if (MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_360_p2pupdate(uint32_t payload, uint32_t len) {\n\n        if (len == 68 && MATCH(payload, 0x01, 0xaa, 0x4b, 0x79))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_360safeguard(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* These patterns have been regularly seen on a machine with 360\n         * safeguard (Chinese edition) installed. They seem to appear when \n         * starting up and running a scan, so are probably some form of update\n         * checking?\n         */\n\n        if (match_360_a1req(data->payload[0], data->payload_len[0])) {\n                if (match_360_a1resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n        \n        if (match_360_a1req(data->payload[1], data->payload_len[1])) {\n                if (match_360_a1resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_360_03req(data->payload[0], data->payload_len[0])) {\n                if (match_360_03resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_360_03req(data->payload[1], data->payload_len[1])) {\n                if (match_360_03resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        /* Have observed unencrypted traffic that appears to be downloading a\n         * .cab file to update 360 safeguard. 
*/\n        if (match_360_p2pupdate(data->payload[0], data->payload_len[0])) {\n                if (match_360_p2pupdate(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_360safeguard = {\n\tLPI_PROTO_360SAFEGUARD,\n\tLPI_CATEGORY_SECURITY,\n\t\"360Safeguard\",\n\t8,\n\tmatch_360safeguard\n};\n\nvoid register_360safeguard(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_360safeguard, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_4d.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_4d_5f(uint32_t payload, uint32_t len) {\n\n        if (len == 4 && MATCH(payload, 0x5f, 0x11, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_4d_other(uint32_t payload, uint32_t len) {\n\n        if (len == 4 && MATCH(payload, 0x60, 0x11, 0x00, 0x00))\n                return true;\n        if (len == 4 && MATCH(payload, 0x61, 0x11, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_4d_len72(uint32_t payload, uint32_t len) {\n        if (len == 72 && MATCH(payload, 0x00, 0x00, 0x00, 0x48))\n                return true;\n        return false;\n}\n\nstatic inline bool match_4d_len12(uint32_t payload, uint32_t len) {\n        if (len == 12 && MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        return 
false;\n}\n\nstatic inline bool match_4d(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_4d_5f(data->payload[0], data->payload_len[0])) {\n                if (match_4d_other(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_4d_5f(data->payload[1], data->payload_len[1])) {\n                if (match_4d_other(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_4d_len72(data->payload[0], data->payload_len[0])) {\n                if (match_4d_len12(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_4d_len72(data->payload[1], data->payload_len[1])) {\n                if (match_4d_len12(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_4d = {\n\tLPI_PROTO_4D,\n\tLPI_CATEGORY_DATABASES,\n\t\"4D\",\n\t75,\n\tmatch_4d\n};\n\nvoid register_4d(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_4d, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_acestream.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_ace_greet(uint32_t payload, uint32_t len) {\n\n        if (len == 46 && MATCH(payload, 0x11, 'A', 'c', 'e'))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_ace_66(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n        if (len == 66 && MATCH(payload, 0x11, 'A', 'c', 'e'))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_acestream(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_ace_greet(data->payload[0], data->payload_len[0])) {\n                if (match_ace_greet(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n                if (match_ace_66(data->payload[1], data->payload_len[1])) {\n                        return true;\n                
}\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_acestream = {\n\tLPI_PROTO_ACESTREAM,\n\tLPI_CATEGORY_P2P,\n\t\"AceStream\",\n\t6,\n\tmatch_acestream\n};\n\nvoid register_acestream(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_acestream, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_afp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_afp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Looking for a DSI header - command 4 is OpenSession */\n        if (match_str_both(data, \"\\x00\\x04\\x00\\x01\", \"\\x01\\x04\\x00\\x01\"))\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_afp = {\n\tLPI_PROTO_AFP,\n\tLPI_CATEGORY_FILES,\n\t\"AFP\",\n\t5,\n\tmatch_afp\n};\n\nvoid register_afp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_afp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_airdroid.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_airdroid_req(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x2a, 0x33, 0x0d, 0x0a)) {\n                if (len == 97)\n                        return true;\n        }\n\n        if (MATCH(payload, 0x2a, 0x35, 0x0d, 0x0a)) {\n                if (len == 118 || len == 119)\n                        return true;\n        }\n\n        return false;\n}\n\nstatic inline bool match_airdroid_resp(uint32_t payload, uint32_t len) {\n        if (len != 4)\n                return false;\n        if (MATCH(payload, 0x2b, 0x68, 0x0d, 0x0a))\n                return true;\n        return false;\n}\n\nstatic inline bool match_airdroid_get(uint32_t payload) {\n\n        if (MATCH(payload, 'G', 'E', 'T', 0x20))\n                return true;\n        return false;\n}\n\nstatic inline bool is_hexdigit(uint32_t byte) {\n\n        if 
(byte < 0x30)\n                return false;\n        if (byte > 0x39 && byte < 0x61)\n                return false;\n        if (byte > 0x66)\n                return false;\n        return true;\n}\n\nstatic inline bool match_airdroid_33(uint32_t payload, uint32_t len) {\n\n        uint32_t ordered = ntohl(payload);\n        uint32_t byte;\n\n        /* Needs some proper testing against real airdroid traffic */\n        if (len == 33) {\n                byte = (ordered & 0xff);\n                if (!is_hexdigit(byte))\n                        return false;\n\n                byte = ((ordered >> 8) & 0xff);\n                if (!is_hexdigit(byte))\n                        return false;\n\n                byte = ((ordered >> 16) & 0xff);\n                if (!is_hexdigit(byte))\n                        return false;\n\n                byte = ((ordered >> 24) & 0xff);\n                if (!is_hexdigit(byte))\n                        return false;\n\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_airdroid(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_airdroid_req(data->payload[0], data->payload_len[0])) {\n                if (match_airdroid_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_airdroid_req(data->payload[1], data->payload_len[1])) {\n                if (match_airdroid_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (data->server_port == 9991 || data->client_port == 9991) {\n                if (match_airdroid_33(data->payload[0], data->payload_len[0])) {\n                        if (match_airdroid_get(data->payload[1]))\n                                return true;\n                }\n                if (match_airdroid_33(data->payload[1], data->payload_len[1])) {\n                        if (match_airdroid_get(data->payload[0]))\n                                
return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_airdroid = {\n\tLPI_PROTO_AIRDROID,\n\tLPI_CATEGORY_CLOUD,\n\t\"AirDroid\",\n\t12,\n\tmatch_airdroid\n};\n\nvoid register_airdroid(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_airdroid, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_airmedia.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Crestron Airmedia -- more details at:\n * http://www.boredhackerblog.info/2016/02/extracting-images-from-crestron.html\n */\n\nstatic inline bool match_cam_wppi(uint32_t payload, uint32_t len) {\n        if (len == 12 && MATCHSTR(payload, \"wppi\"))\n                return true;\n        return false;\n}\n\nstatic inline bool match_cam_sender(uint32_t payload, uint32_t len) {\n        if (len == 32 && MATCHSTR(payload, \"Send\"))\n                return true;\n        return false;\n}\n\nstatic inline bool match_airmedia(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 515 */\n        if (match_cam_wppi(data->payload[0], data->payload_len[0])) {\n                if (match_cam_sender(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_cam_wppi(data->payload[1], 
data->payload_len[1])) {\n                if (match_cam_sender(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_airmedia = {\n\tLPI_PROTO_AIRMEDIA,\n\tLPI_CATEGORY_REMOTE,\n\t\"Airmedia\",\n\t5,\n\tmatch_airmedia\n};\n\nvoid register_airmedia(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_airmedia, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_akamai.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_akamai_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* TCP exchanges between Akamai nodes */\n\n\t/* Seems to always be over port 9050, so add a check if too many\n\t * false positives */\n\n\t/* Payload is 00000000 in both directions */\n\tif (data->payload[0] != 0 || data->payload[0] != 0)\n\t\treturn false;\n\tif (data->payload_len[0] == 163 && data->payload_len[1] == 149)\n\t\treturn true;\n\tif (data->payload_len[1] == 163 && data->payload_len[0] == 149)\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_akamai_tcp = {\n\tLPI_PROTO_AKAMAI,\n\tLPI_CATEGORY_CDN,\n\t\"AkamaiTCP\",\n\t9,\n\tmatch_akamai_tcp\n};\n\nvoid register_akamai_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_akamai_tcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_amp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_amp_throughput(lpi_data_t *data) {\n        /* AMP Throughput generally uses port 8826 or 8827 */\n        if (data->server_port != 8826 && data->client_port != 8826\n                        && data->server_port != 8827 &&\n                        data->client_port != 8827)\n                return false;\n\n        /* AMP Throughput tests are large one-way data transfers */\n        if (data->payload_len[0] != 0 && data->payload_len[1] != 0)\n                return false;\n\n        /* Packets are always going to be MSS-sized -- assume MTU is no\n         * smaller than 1280 bytes */\n        if (data->payload_len[0] < 1240 && data->payload_len[1] < 1240)\n                return false;\n\n        return true;\n\n}\n\nstatic inline bool match_amp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if 
(match_amp_throughput(data))\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_amp = {\n\tLPI_PROTO_AMP,\n\tLPI_CATEGORY_MONITORING,\n\t\"AMP\",\n\t240,    /* AMP is not something I'd expect to see outside of Waikato */\n\tmatch_amp\n};\n\nvoid register_amp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_amp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_antcoin.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_antcoin(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* port 10333 */\n\n        if (MATCH(data->payload[0], 'A', 'n', 't', 0x00)) {\n                if (MATCH(data->payload[1], 'A', 'n', 't', 0x00))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_antcoin = {\n\tLPI_PROTO_ANTCOIN,\n\tLPI_CATEGORY_ECOMMERCE,\n\t\"AntCoin\",\n\t5,\n\tmatch_antcoin\n};\n\nvoid register_antcoin(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_antcoin, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_appearin.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\n/* Signalling protocol (?) 
used by appear.in, a WebRTC based video\n * conferencing system.\n */\n\nstatic inline bool match_appear_req(uint32_t payload, uint32_t len) {\n\n        uint32_t hlen = ntohl(payload) & 0xffff;\n\n        /* Usually 28 bytes */\n        if (hlen == len - 20 && MATCH(payload, 0x00, 0x03, 0x00, ANY))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_appear_resp(uint32_t payload, uint32_t len) {\n\n        uint32_t hlen = ntohl(payload) & 0xffff;\n\n        /* Usually 92 bytes */\n        if (hlen == len - 20 && MATCH(payload, 0x01, 0x13, 0x00, ANY))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_appearin(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 443 && data->client_port != 443)\n                return false;\n\n        if (match_appear_req(data->payload[0], data->payload_len[0])) {\n                if (match_appear_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_appear_req(data->payload[1], data->payload_len[1])) {\n                if (match_appear_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_appearin = {\n\tLPI_PROTO_APPEAR_IN,\n\tLPI_CATEGORY_VOIP,\n\t\"Appear.in\",\n\t120,\n\tmatch_appearin\n};\n\nvoid register_appearin(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_appearin, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_apple_push.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_apple_push(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* This rule matches the push notifications sent to IOS devices */ \n\n\tif (!match_ssl(data))\n\t\treturn false;\n\t\n\t/* Port 5223 is used for the push notifications */\n\tif (data->server_port != 5223 && data->client_port != 5223)\n\t\treturn false;\n\n\t/* If payload is only one-way, fall back to SSL to avoid risking\n\t * a false positive for other port 5223 SSL apps, e.g. 
Kik */\n\tif (data->payload_len[0] == 0 || data->payload_len[1] == 0)\n\t\treturn false;\n\n\t/* Too much size variation to write a good set of rules based on\n\t * payload sizes, just use this as the fallback option for all\n\t * SSL traffic on 5223 that doesn't match something else, e.g.\n\t * PSN store */\n\n\treturn true;\n}\n\nstatic lpi_module_t lpi_apple_push = {\n\tLPI_PROTO_APPLE_PUSH,\n\tLPI_CATEGORY_NOTIFICATION,\n\t\"ApplePush\",\n\t8, /* Should be a higher priority than regular SSL, but lower than\n\t      anything else on port 5223  */\n\tmatch_apple_push\n};\n\nvoid register_apple_push(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_apple_push, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_ares.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_ares_client(uint32_t payload, uint32_t len) {\n\tif (len != 6)\n\t\treturn false;\n\t\n\tif (!MATCH(payload, 0x03, 0x00, 0x5a, 0x06))\n\t\treturn false;\n\n\treturn true;\n}\n\nstatic inline bool match_ares_peer(uint32_t payload, uint32_t len) {\n\n\tif (len != 138)\n\t\treturn false;\n\n\tif (MATCH(payload, 0x87, 0x00, 0x3c, ANY))\n\t\treturn true;\n\tif (MATCH(payload, 0x87, 0x00, 0x3b, ANY))\n\t\treturn true;\n\n\treturn false;\n\n}\n\nstatic inline bool match_ares(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Pretty sure this is the ARES p2p protocol */\n\tif (match_str_either(data, \"ARES\"))\n\t\treturn true;\n\n\tif (match_ares_client(data->payload[0], data->payload_len[0])) {\n\t\tif (match_ares_peer(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\t\n\tif (match_ares_client(data->payload[1], 
data->payload_len[1])) {\n\t\tif (match_ares_peer(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ares = {\n\tLPI_PROTO_ARES,\n\tLPI_CATEGORY_P2P,\n\t\"Ares\",\n\t8,\n\tmatch_ares\n};\n\nvoid register_ares(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ares, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_badbaidu.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Strange flows that seem to be related to users running the Baidu browser.\n * The flow will connect to a Baidu server on port 80, send no data, then\n * start sending FINs. After about 6 FINs, the client will then send a one\n * byte packet with a sequence number matching the original SYN (which is\n * of course completely invalid). 
At this point, the server usually terminates\n * the connection.\n *\n * Confirmed as being associated with Baidu browser after observing this\n * exact traffic after installing the browser.\n *\n * Not sure what the purpose of this is, or how the browser manages to send\n * invalid TCP traffic but it is the root cause behind a lot of non-HTTP\n * flows on TCP port 80.\n */\n\n\nstatic inline bool match_badbaidu(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Only seen on port 80 */\n        if (data->client_port != 80 && data->server_port != 80)\n                return false;\n\n        /* Packet is one byte; the byte itself is 0x00. The other end\n         * does not send any payload.\n         */\n        if (data->payload_len[0] == 0 && data->payload_len[1] == 1) {\n                if (MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x00))\n                        return true;\n        }\n\n        if (data->payload_len[1] == 0 && data->payload_len[0] == 1) {\n                if (MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x00))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_badbaidu = {\n\tLPI_PROTO_BADBAIDU,\n\tLPI_CATEGORY_MALWARE,\n\t\"BadBaidu\",\n\t100,\n\tmatch_badbaidu\n};\n\nvoid register_badbaidu(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_badbaidu, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_baofeng_tcp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_baofeng_52(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x52, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_baofeng_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port == 7909 || data->client_port == 7909) {\n\n                if (match_baofeng_52(data->payload[1], data->payload_len[1])) {\n                        if (match_baofeng_52(data->payload[0], data->payload_len[0]))\n                                return true;\n                }\n\n        }\n\n        if (data->server_port == 8189 || data->client_port == 8189) {\n                if (data->payload_len[0] == 63 && data->payload_len[1] == 152)\n                        return true;\n                if (data->payload_len[1] == 63 && data->payload_len[0] == 152)\n   
                     return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_baofeng_tcp = {\n\tLPI_PROTO_BAOFENG,\n\tLPI_CATEGORY_STREAMING,\n\t\"Baofeng\",\n\t105,\n\tmatch_baofeng_tcp\n};\n\nvoid register_baofeng_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_baofeng_tcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_beam.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_bm(uint32_t payload, uint32_t len) {\n        if (len == 40 && MATCH(payload, 'B', 'm', 0x0a, 0x04)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_beam(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 8100 && data->client_port != 8100) {\n                return false;\n        }\n\n        if (match_bm(data->payload[0], data->payload_len[0])) {\n                if (match_bm(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_beam = {\n\tLPI_PROTO_BEAM,\n\tLPI_CATEGORY_ECOMMERCE,\n\t\"Beam\",\n\t25,\n\tmatch_beam\n};\n\nvoid register_beam(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_beam, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_bitcoin.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_bc_version(uint32_t payload, uint32_t len) {\n\n        if (len >= 24 && MATCH(payload, 0xf9, 0xbe, 0xb4, 0xd9))\n                return true;\n        return false;\n}\n\nstatic inline bool match_bc_version_reply(uint32_t payload, uint32_t len) {\n\n        if (len >= 24 && MATCH(payload, 0xf9, 0xbe, 0xb4, 0xd9))\n                return true;\n        return false;\n}\n\nstatic inline bool match_bitcoin(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_bc_version(data->payload[0], data->payload_len[0])) {\n                if (match_bc_version_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_bc_version(data->payload[1], data->payload_len[1])) {\n                if (match_bc_version_reply(data->payload[0], data->payload_len[0]))\n              
          return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_bitcoin = {\n\tLPI_PROTO_BITCOIN,\n\tLPI_CATEGORY_ECOMMERCE,\n\t\"Bitcoin\",\n\t5,\n\tmatch_bitcoin\n};\n\nvoid register_bitcoin(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_bitcoin, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_bitextend.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Bittorrent extensions (?)\n *\n * TODO Find some good references for this\n */\n\nstatic inline bool match_bitextend(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_str_both(data, \"\\x0\\x0\\x0\\xd\", \"\\x0\\x0\\x0\\x1\"))\n                return true;\n        if (match_str_both(data, \"\\x0\\x0\\x0\\x3\", \"\\x0\\x0\\x0\\x38\"))\n                return true;\n        if (match_str_both(data, \"\\x0\\x0\\x0\\x3\", \"\\x0\\x0\\x0\\x39\"))\n                return true;\n        if (match_str_both(data, \"\\x0\\x0\\x0\\x3\", \"\\x0\\x0\\x0\\x3\"))\n                return true;\n\n        if (match_str_both(data, \"\\x0\\x0\\x0\\x4e\", \"\\x0\\x0\\x0\\xb2\"))\n                return true;\n        if (match_chars_either(data, 0x00, 0x00, 0x40, 0x09))\n                return true;\n\n        if (MATCH(data->payload[0], 0x00, 0x00, 
0x01, ANY) &&\n                MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x38))\n                return true;\n        if (MATCH(data->payload[1], 0x00, 0x00, 0x01, ANY) &&\n                MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x38))\n                return true;\n\n        if (MATCH(data->payload[0], 0x00, 0x00, 0x00, ANY) &&\n                MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x05))\n                return true;\n        if (MATCH(data->payload[1], 0x00, 0x00, 0x00, ANY) &&\n                MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x05))\n                return true;\n\n        if (MATCH(data->payload[0], 0x01, 0x00, ANY, 0x68) &&\n                MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x05))\n                return true;\n        if (MATCH(data->payload[1], 0x01, 0x00, ANY, 0x68) &&\n                MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x05))\n                return true;\n\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_bitextend = {\n\tLPI_PROTO_BITEXT,\n\tLPI_CATEGORY_P2P,\n\t\"Bittorrent_Extension\",\n\t5, /* This is probably fine, but I'd rather have this at 5 than 2 */\n\tmatch_bitextend\n};\n\nvoid register_bitextend(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_bitextend, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_bittorrent.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_bittorrent_header(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n\n        if (MATCH(payload, 0x13, 'B', 'i', 't'))\n                return true;\n\n        if (len == 3 && MATCH(payload, 0x13, 'B', 'i', 0x00))\n                return true;\n        if (len == 2 && MATCH(payload, 0x13, 'B', 0x00, 0x00))\n                return true;\n        if (len == 1 && MATCH(payload, 0x13, 0x00, 0x00, 0x00))\n                return true;\n\n        return false;\n\n}\n\n\nstatic inline bool match_ww_xx_header(uint32_t payload, uint32_t len) {\n        /* Fairly confident that this is related to Bittorrent, though I\n         * can't seem to find any source code or documentation that references\n         * it.\n         *\n         * The full string included in the header is:\n         * 0x13 
#WW-XX#@77\n         */\n       if (len == 0)\n               return true;\n       if (MATCH(payload, 0x13, 0x23, 0x57, 0x57))\n               return true;\n       return false;\n\n}\n\nstatic inline bool match_bittorrent(lpi_data_t *data, lpi_module_t *mod UNUSED) \n{\n        if (match_bittorrent_header(data->payload[0], data->payload_len[0])) {\n                if (match_bittorrent_header(data->payload[1], \n                                data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_ww_xx_header(data->payload[0], data->payload_len[0])) {\n                if (match_ww_xx_header(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        return false;\n}\n\nstatic lpi_module_t lpi_bittorrent = {\n\tLPI_PROTO_BITTORRENT,\n\tLPI_CATEGORY_P2P,\n\t\"BitTorrent\",\n\t2,\n\tmatch_bittorrent\n};\n\nvoid register_bittorrent(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_bittorrent, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_blackdesert.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* First two bytes definitely look like a little-endian length\n * field, so we could use that to match more reply types */\n\n/* Port 9991, 9992 and 9993 */\n\nstatic inline bool match_bdo_request(uint32_t payload, uint32_t len) {\n\n        if (len == 111 && MATCH(payload, 0x6f, 0x00, 0x01, 0x9d))\n                return true;\n        if (len == 111 && MATCH(payload, 0x6f, 0x00, 0x01, 0x46))\n                return true;\n        if (len == 277 && MATCH(payload, 0x15, 0x01, 0x01, ANY))\n                return true;\n        if (len == 433 && MATCH(payload, 0xb1, 0x01, 0x01, ANY))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_bdo_reply(uint32_t payload, uint32_t len) {\n\n        if (len == 112 && MATCH(payload, 0x70, 0x00, 0x01, ANY))\n                return true;\n        if (len == 113 && MATCH(payload, 
0x71, 0x00, 0x01, ANY))\n                return true;\n        if (len == 119 && MATCH(payload, 0x77, 0x00, 0x01, 0x46))\n                return true;\n\n        return false;\n\n}\n\nstatic inline bool match_blackdesert(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\n        if (match_bdo_request(data->payload[0], data->payload_len[0])) {\n                if (match_bdo_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\n        if (match_bdo_request(data->payload[1], data->payload_len[1])) {\n                if (match_bdo_reply(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_blackdesert = {\n\tLPI_PROTO_BLACKDESERT,\n\tLPI_CATEGORY_GAMING,\n\t\"BlackDesertOnline\",\n\t12,\n\tmatch_blackdesert\n};\n\nvoid register_blackdesert(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_blackdesert, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_blizzard.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_bnet_auth_req(uint32_t payload, uint32_t len) {\n\n        if (len >= 160 && len <= 170 && MATCH(payload, 0x00, 0x0a, 0x08, 0xfe))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_bnet_auth_resp(uint32_t payload, uint32_t len) {\n\n        if (len == 184 || len == 199) {\n                if (MATCH(payload, 0x00, 0x09, 0x08, 0x00))\n                        return true;\n        }\n        return false;\n}\n\nstatic inline bool match_blizzard(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_both(data, \"\\x10\\xdf\\x22\\x00\", \"\\x10\\x00\\x00\\x00\"))\n                return true;\n\n        if (MATCH(data->payload[0], 0x00, ANY, 0xed, 0x01) &&\n                MATCH(data->payload[1], 0x00, 0x06, 0xec, 0x01))\n                return true;\n        if (MATCH(data->payload[1], 
0x00, ANY, 0xed, 0x01) &&\n                MATCH(data->payload[0], 0x00, 0x06, 0xec, 0x01))\n                return true;\n\n\n        /* More up to date battle.net authentication protocol */\n        if (match_bnet_auth_req(data->payload[0], data->payload_len[0])) {\n                if (match_bnet_auth_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_bnet_auth_req(data->payload[1], data->payload_len[1])) {\n                if (match_bnet_auth_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_blizzard = {\n\tLPI_PROTO_BLIZZARD,\n\tLPI_CATEGORY_GAMING,\n\t\"Blizzard\",\n\t2,\n\tmatch_blizzard\n};\n\nvoid register_blizzard(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_blizzard, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_btsync.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_btsync(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"BSYN\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_btsync = {\n\tLPI_PROTO_BTSYNC,\n\tLPI_CATEGORY_FILES,\n\t\"BitTorrentSync\",\n\t8,\n\tmatch_btsync\n};\n\nvoid register_btsync(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_btsync, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_bwsyncandshare.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Have not tested against the application itself, as it is restricted\n * to certain German universities. 
There may be more variants of this\n * traffic.\n */\n\nstatic inline bool match_bws_951(uint32_t payload, uint32_t len) {\n        if (len == 4 && MATCH(payload, 0x00, 0x00, 0x09, 0x51))\n                return true;\n        return false;\n}\n\nstatic inline bool match_bws_other(uint32_t payload, uint32_t len) {\n\n        uint32_t lastbyte = ntohl(payload) & 0x000000ff;\n\n        if (len == 4 && MATCH(payload, 0x00, 0x00, 0x08, ANY)) {\n                /* Byte 4 is always 0xfX, where X can be just about\n                 * anything.\n                 */\n                if ((lastbyte & 0xf0) == 0xf0)\n                        return true;\n        }\n        return false;\n}\n\nstatic inline bool match_bwsyncandshare(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 60107? */\n        if (match_bws_951(data->payload[0], data->payload_len[0])) {\n                if (match_bws_other(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_bws_951(data->payload[1], data->payload_len[1])) {\n                if (match_bws_other(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_bwsyncandshare = {\n\tLPI_PROTO_BWSYNC,\n\tLPI_CATEGORY_CLOUD,\n\t\"BWSyncAndShare\",\n\t120,\n\tmatch_bwsyncandshare\n};\n\nvoid register_bwsyncandshare(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_bwsyncandshare, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_cacaoweb.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_cacaoweb_header(uint32_t payload, uint32_t len) {\n        if (!MATCH(payload, 0x84, 0x95, 0xa6, 0xbe))\n                return false;\n        if (len >= 51 && len <= 56)\n                return true;\n        if (len == 91)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_cacaoweb(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_cacaoweb_header(data->payload[0], data->payload_len[0])) {\n                if (match_cacaoweb_header(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_cacaoweb = {\n\tLPI_PROTO_CACAOWEB,\n\tLPI_CATEGORY_P2P,\n\t\"CacaoWeb\",\n\t5,\n\tmatch_cacaoweb\n};\n\nvoid register_cacaoweb(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_cacaoweb, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_cgp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_cgp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Citrix CGP is a special version of ICA that runs on TCP port\n\t * 2598 */\n\n\tif (match_str_both(data, \"\\x1a\"\"CGP\", \"\\x1a\"\"CGP\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_cgp = {\n\tLPI_PROTO_CGP,\n\tLPI_CATEGORY_REMOTE,\n\t\"CitrixCGP\",\n\t3,\n\tmatch_cgp\n};\n\nvoid register_cgp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_cgp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_chatango.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_chatango_in(uint32_t payload, uint32_t len) {\n\n\tif (len != 2)\n\t\treturn false;\n\tif (!MATCH(payload, 'v', 0x00, 0x00, 0x00))\n\t\treturn false;\n\n\treturn true;\n\n}\n\nstatic inline bool match_chatango_out(uint32_t payload, uint32_t len) {\n\n\tif (len != 10)\n\t\treturn false;\n\tif (MATCH(payload, 'v', ':', '1', '0'))\n\t\treturn true;\n\tif (MATCH(payload, 'v', ':', '1', '4'))\n\t\treturn true;\n\n\treturn false;\n\n}\n\nstatic inline bool match_chatango(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_chatango_out(data->payload[0], data->payload_len[0])) {\n\t\tif (match_chatango_in(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_chatango_in(data->payload[0], data->payload_len[0])) {\n\t\tif (match_chatango_out(data->payload[1], data->payload_len[1]))\n\t\t\treturn 
true;\n\t}\n\treturn false;\n}\n\nstatic lpi_module_t lpi_chatango = {\n\tLPI_PROTO_CHATANGO,\n\tLPI_CATEGORY_CHAT,\n\t\"Chatango\",\n\t3,\n\tmatch_chatango\n};\n\nvoid register_chatango(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_chatango, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_cisco_vpn.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_cisco_vpn_server(uint32_t payload, uint32_t len) {\n\tif (len == 0)\n\t\treturn true;\n\tif (MATCH(payload, 0x01, 0xf4, ANY, ANY))\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_cisco_vpn_client(uint32_t payload, uint32_t len) {\n\tif (len == 0)\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, 0x01, 0xf4))\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_cisco_vpn(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_cisco_vpn_server(data->payload[0], data->payload_len[0])) {\n\t\tif (match_cisco_vpn_client(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\t\n\tif (match_cisco_vpn_server(data->payload[1], data->payload_len[1])) {\n\t\tif (match_cisco_vpn_client(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n\n}\n\nstatic 
lpi_module_t lpi_cisco_vpn = {\n\tLPI_PROTO_CISCO_VPN,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"Cisco_VPN\",\n\t7,\n\tmatch_cisco_vpn\n};\n\nvoid register_cisco_vpn(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_cisco_vpn, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_clashofclans.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_coc_login(uint32_t payload, uint32_t len) {\n\n        /* First two bytes are 10101 (0x2775) or 10100 (0x2774)\n         * Next three bytes are a length field, usually 250-330 bytes */\n\n        if (MATCH(payload, 0x27, 0x75, 0x00, 0x01))\n                return true;\n        if (MATCH(payload, 0x27, 0x75, 0x00, 0x00))\n                return true;\n\n        if (MATCH(payload, 0x27, 0x74, 0x00, 0x01))\n                return true;\n        if (MATCH(payload, 0x27, 0x74, 0x00, 0x00))\n                return true;\n\n        return false;\n\n}\n\nstatic inline bool match_coc_encrypt(uint32_t payload, uint32_t len) {\n\n        /* First two bytes are 20000 (0x4e20) or 20100 (0x4e84)\n         * Next three bytes are a length field, always seems to be just\n         * under 256 bytes */\n\n        if (MATCH(payload, 0x4e, 0x20, 
0x00, 0x00))\n                return true;\n        if (MATCH(payload, 0x4e, 0x84, 0x00, 0x00))\n                return true;\n\n        return false;\n\n}\n\nstatic inline bool match_clashofclans(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Could limit this to port 9339, but the pattern is probably strong\n         * enough by itself */\n        /* Actually, port 1863 is also used... */\n\n        if (match_coc_login(data->payload[0], data->payload_len[0])) {\n                if (match_coc_encrypt(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n        \n        if (match_coc_login(data->payload[1], data->payload_len[1])) {\n                if (match_coc_encrypt(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_clashofclans = {\n\tLPI_PROTO_CLASH_OF_CLANS,\n\tLPI_CATEGORY_GAMING,\n\t\"ClashOfClans\",\n\t4,\n\tmatch_clashofclans\n};\n\nvoid register_clashofclans(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_clashofclans, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_classin_tcp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_classin_41(uint32_t payload, uint32_t len) {\n        if (len == 41 && MATCH(payload, 0x1a, 0x03, 0x00, 0x02)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_classin_52(uint32_t payload, uint32_t len) {\n        if (len == 52 && MATCH(payload, 0x1a, 0x03, 0x00, 0x02)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_classin_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_classin_41(data->payload[0], data->payload_len[0])) {\n                if (match_classin_52(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_classin_41(data->payload[1], data->payload_len[1])) {\n                if (match_classin_52(data->payload[0], 
data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_classin_tcp = {\n\tLPI_PROTO_CLASSIN,\n\tLPI_CATEGORY_EDUCATIONAL,\n\t\"ClassIn_TCP\",\n\t133,\n\tmatch_classin_tcp\n};\n\nvoid register_classin_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_classin_tcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_clubbox.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_clubbox(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (!match_str_both(data, \"\\x00\\x00\\x01\\x03\", \"\\x00\\x00\\x01\\x03\"))\n                return false;\n\n        if (data->payload_len[0] == 36 && data->payload_len[1] == 28)\n                return true;\n        if (data->payload_len[1] == 36 && data->payload_len[0] == 28)\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_clubbox = {\n\tLPI_PROTO_CLUBBOX,\n\tLPI_CATEGORY_P2P,\n\t\"Clubbox\",\n\t3,\n\tmatch_clubbox\n};\n\nvoid register_clubbox(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_clubbox, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_cod_waw.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_cod_waw(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Call of Duty: World at War uses TCP port 3074 - the protocol isn't\n         * well documented, but traffic matching this pattern goes to known\n         * CoD servers */\n\n        if (data->server_port != 3074 && data->client_port != 3074)\n                return false;\n\n        if (data->payload_len[0] != 4 || data->payload_len[1] != 4)\n                return false;\n\n        if (data->payload[0] != 0 || data->payload[1] != 0)\n                return false;\n\n        return true;\n\n}\n\nstatic lpi_module_t lpi_cod_waw = {\n\tLPI_PROTO_COD_WAW,\n\tLPI_CATEGORY_GAMING,\n\t\"Call_of_Duty_TCP\",\n\t10,\t/* Weak rule */\n\tmatch_cod_waw\n};\n\nvoid register_cod_waw(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_cod_waw, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_conquer.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_conquer(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->payload_len[0] == 5 && data->payload_len[1] == 4 &&\n                        MATCH(data->payload[0], 'R', 'E', 'A', 'D'))\n                return true;\n        if (data->payload_len[1] == 5 && data->payload_len[0] == 4 &&\n                        MATCH(data->payload[1], 'R', 'E', 'A', 'D'))\n                return true;\n\n        if (data->payload_len[0] == 4 && (MATCH(data->payload[0], '5', '0', ANY, ANY) ||\n                        MATCH(data->payload[0], '5', '1', ANY, ANY)) &&\n                        MATCH(data->payload[1], 'U', 'P', 'D', 'A'))\n                return true;\n\n        if (data->payload_len[1] == 4 && (MATCH(data->payload[1], '5', '0', ANY, ANY) ||\n                        MATCH(data->payload[1], '5', '1', ANY, ANY)) &&\n                 
       MATCH(data->payload[0], 'U', 'P', 'D', 'A'))\n                return true;\n\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_conquer = {\n\tLPI_PROTO_CONQUER,\n\tLPI_CATEGORY_GAMING,\n\t\"ConquerOnline\",\n\t3,\n\tmatch_conquer\n};\n\nvoid register_conquer(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_conquer, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_crashplan.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_crashplan_16(uint32_t payload, uint32_t len) {\n\n        if (len != 16)\n                return false;\n        return true;\n\n}\n\nstatic inline bool match_crashplan_6(uint32_t payload, uint32_t len) {\n\n        if (len != 6)\n                return false;\n        if (!MATCH(payload, 0x80, 0x63, 0x00, 0x00))\n                return false;\n        return true;\n\n}\n\nstatic inline bool match_crashplan(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_crashplan_16(data->payload[0], data->payload_len[0])) {\n                if (match_crashplan_6(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_crashplan_16(data->payload[1], data->payload_len[1])) {\n                if (match_crashplan_6(data->payload[0], data->payload_len[0]))\n                   
     return true;\n        }\n\treturn false;\n}\n\nstatic lpi_module_t lpi_crashplan = {\n\tLPI_PROTO_CRASHPLAN,\n\tLPI_CATEGORY_CLOUD,\n\t\"CrashPlan\",\n\t50,\n\tmatch_crashplan\n};\n\nvoid register_crashplan(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_crashplan, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_crossfire_tcp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_cf_05(uint32_t payload, uint32_t len) {\n        if (len == 65 && MATCH(payload, 0x05, 0x01, 0x99, 0x01))\n                return true;\n        return false;\n}\n\nstatic inline bool match_cf_tcp(uint32_t payload, uint32_t len) {\n\n        uint32_t hlen = bswap_le_to_host32(payload & 0xffff00) >> 8;\n\n        if (len < 1350 && hlen != len - 7)\n                return false;\n        if (MATCH(payload, 0xf1, ANY, ANY, 0x01))\n                return true;\n        if (MATCH(payload, 0xf1, ANY, ANY, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_crossfire_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_cf_tcp(data->payload[0], data->payload_len[0])) {\n                if (match_cf_tcp(data->payload[1], data->payload_len[1])) {\n                        return 
true;\n                }\n                if (match_cf_05(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_cf_05(data->payload[0], data->payload_len[0])) {\n                if (match_cf_tcp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_crossfire_tcp = {\n\tLPI_PROTO_CROSSFIRE,\n\tLPI_CATEGORY_GAMING,\n\t\"CrossfireTCP\",\n\t30,\n\tmatch_crossfire_tcp\n};\n\nvoid register_crossfire_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_crossfire_tcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_cryptic.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Cryptic are the company behind several popular MMOs, including\n * Champions Online and Star Trek Online */\n\nstatic inline bool match_cryptic(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_both(data, \"Cryp\", \"Cryp\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_cryptic = {\n\tLPI_PROTO_CRYPTIC,\n\tLPI_CATEGORY_GAMING,\n\t\"Cryptic\",\n\t2,\n\tmatch_cryptic\n};\n\nvoid register_cryptic(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_cryptic, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_cvs.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_cvs_request(uint32_t data, uint32_t len) {\n\n\tif (MATCHSTR(data, \"BEGI\"))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_cvs_response(uint32_t data, uint32_t len) {\n\n\tif (len == 0)\n\t\treturn true;\n\t\n\t/* \"I LOVE YOU\" = auth succeeded */\n\tif (MATCHSTR(data, \"I LO\"))\n\t\treturn true;\n\t\n\t/* \"I HATE YOU\" = auth failed */\n\tif (MATCHSTR(data, \"I HA\"))\n\t\treturn true;\n\n\t/* \"E <msg>\" = a message */\n\tif (MATCH(data, 'E', ' ', ANY, ANY))\n\t\treturn true;\n\n\t/* error = an error */\n\tif (MATCHSTR(data, \"erro\"))\n\t\treturn true;\n\t\n\treturn false;\n\n}\n\nstatic inline bool match_cvs(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_cvs_request(data->payload[0], data->payload_len[0]) &&\n\t\t\tmatch_cvs_response(data->payload[1], 
data->payload_len[1]))\n\t\treturn true;\n\t\n\tif (match_cvs_request(data->payload[1], data->payload_len[1]) &&\n\t\t\tmatch_cvs_response(data->payload[0], data->payload_len[0]))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_cvs = {\n\tLPI_PROTO_CVS,\n\tLPI_CATEGORY_RCS,\n\t\"CVS\",\n\t3,\n\tmatch_cvs\n};\n\nvoid register_cvs(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_cvs, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_dahua_tcp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Chinese IP surveillance Cameras */\n\nstatic inline bool match_dahua_ports(uint16_t sport, uint16_t cport) {\n        if (sport == 8888 || cport == 8888) {\n                return true;\n        }\n\n        if (sport == 37777 || cport == 37777) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_f4_186(uint32_t payload, uint32_t len) {\n        if (len == 186 && MATCH(payload, 0xf4, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_f4_208(uint32_t payload, uint32_t len) {\n        if (len >= 206 && len <= 208 && MATCH(payload, 0xf4, 0x00, 0x00, 0x58))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_dahua(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (!match_dahua_ports(data->server_port, 
data->client_port)) {\n                return false;\n        }\n\n        if (match_f4_186(data->payload[0], data->payload_len[0])) {\n                if (match_f4_208(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_f4_186(data->payload[1], data->payload_len[1])) {\n                if (match_f4_208(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_dahua_tcp = {\n\tLPI_PROTO_DAHUA,\n\tLPI_CATEGORY_IPCAMERAS,\n\t\"DahuaTCP\",\n\t13,\n\tmatch_dahua\n};\n\nvoid register_dahua_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_dahua_tcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_dash.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_dash_125(uint32_t payload, uint32_t len) {\n\n        if (len == 125 && MATCH(payload, 0xbf, 0x0c, 0x6b, 0xbd))\n                return true;\n        return false;\n}\n\nstatic inline bool match_dash_130(uint32_t payload, uint32_t len) {\n\n        if (len == 130 && MATCH(payload, 0xbf, 0x0c, 0x6b, 0xbd))\n                return true;\n        return false;\n}\n\nstatic inline bool match_dash(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 9999 */\n        if (match_dash_125(data->payload[0], data->payload_len[0])) {\n                if (match_dash_130(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_dash_125(data->payload[1], data->payload_len[1])) {\n                if (match_dash_130(data->payload[0], data->payload_len[0]))\n                      
  return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_dash = {\n\tLPI_PROTO_DASH,\n\tLPI_CATEGORY_ECOMMERCE,\n\t\"Dash\",\n\t5,\n\tmatch_dash\n};\n\nvoid register_dash(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_dash, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_dell_backup.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* This one is a bit tenuous but I'm reasonably confident that this is\n * something to do with the Dell backup and recovery service. 
All observed\n * traffic matching the rules described here goes to 66.151.242.0/24, which has\n * previously reversed to dellbackupandrecoverycloudstorage.com.\n */\n\nstatic inline bool match_dell_backup_req(uint32_t payload, uint32_t len) {\n        if (len != 12)\n                return false;\n        if (MATCH(payload, 0x08, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_dell_backup_resp(uint32_t payload, uint32_t len) {\n        if (len != 24)\n                return false;\n        if (MATCH(payload, 0x14, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_dell_backup(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n        if (data->server_port != 443 && data->client_port != 443)\n                return false;\n\n        if (match_dell_backup_req(data->payload[0], data->payload_len[0])) {\n                if (match_dell_backup_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_dell_backup_req(data->payload[1], data->payload_len[1])) {\n                if (match_dell_backup_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n        \n\treturn false;\n}\n\nstatic lpi_module_t lpi_dell_backup = {\n\tLPI_PROTO_DELL_BACKUP,\n\tLPI_CATEGORY_CLOUD,\n\t\"DellBackup\",\n\t100,\n\tmatch_dell_backup\n};\n\nvoid register_dell_backup(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_dell_backup, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_destiny.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Destiny -- multiplayer FPS by Bungie */\n\nstatic inline bool match_destiny_request(uint32_t payload, uint32_t len) {\n        if (len == 140 && MATCH(payload, 0x01, 0x02, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_destiny_reply(uint32_t payload, uint32_t len) {\n        if (len == 142 && MATCH(payload, 0x01, 0x02, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_destiny(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_destiny_request(data->payload[0], data->payload_len[0])) {\n                if (match_destiny_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\n        if (match_destiny_request(data->payload[1], data->payload_len[1])) {\n                if 
(match_destiny_reply(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_destiny = {\n\tLPI_PROTO_DESTINY,\n\tLPI_CATEGORY_GAMING,\n\t\"Destiny\",\n\t23,\n\tmatch_destiny\n};\n\nvoid register_destiny(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_destiny, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_diablo3.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_diablo_req(uint32_t payload, uint32_t len) {\n        if (len == 25 && MATCH(payload, 0x00, 0x00, 0x00, 0x19))\n                return true;\n        return false;\n}\n\nstatic inline bool match_diablo_resp(uint32_t payload, uint32_t len) {\n        if (len == 66 && MATCH(payload, 0x00, 0x00, 0x00, 0x42))\n                return true;\n        return false;\n}\n\nstatic inline bool match_diablo3(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\n        if (match_diablo_req(data->payload[0], data->payload_len[0])) {\n                if (match_diablo_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_diablo_req(data->payload[1], data->payload_len[1])) {\n                if (match_diablo_resp(data->payload[0], data->payload_len[0]))\n                        return 
true;\n        }\n\treturn false;\n}\n\nstatic lpi_module_t lpi_diablo3 = {\n\tLPI_PROTO_DIABLO3,\n\tLPI_CATEGORY_GAMING,\n\t\"Diablo3\",\n\t5,\n\tmatch_diablo3\n};\n\nvoid register_diablo3(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_diablo3, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_dianping_tcp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_dianping_query(uint32_t payload, uint32_t len) {\n        if (len != 1)\n                return false;\n        if (MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        if (MATCH(payload, 0x01, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_dianping_resp(uint32_t payload, uint32_t len) {\n        if (len != 1)\n                return false;\n        if (MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_dianping_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 80 && data->client_port != 80 && \n                        data->client_port != 443 && data->server_port != 443)\n                return false;\n\n        if 
(match_dianping_query(data->payload[0], data->payload_len[0])) {\n                if (match_dianping_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_dianping_query(data->payload[1], data->payload_len[1])) {\n                if (match_dianping_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_dianping_tcp = {\n\tLPI_PROTO_DIANPING,\n\tLPI_CATEGORY_MOBILE_APP,\n\t\"DianpingTCP\",\n\t210,\n\tmatch_dianping_tcp\n};\n\nvoid register_dianping_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_dianping_tcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_directconnect.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_dc(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* $MyN seemed best to check for - might have to check for $max and\n\t * $Sup as well */\n\t/* NOTE: Some people seem to use DC to connect to port 80 and get\n\t * HTTP responses. 
At this stage, I'd rather that fell under DC rather\n\t * than HTTP, so we need to check for this before we check for HTTP */\n\n\n\tif (match_str_either(data, \"$MyN\")) return true;\n\tif (match_str_either(data, \"$Sup\")) return true;\n\tif (match_str_either(data, \"$Loc\")) return true;\n\n\t/* Response is usually an HTTP response - we could check that if\n\t * needed */\n\t\n\treturn false;\n\n}\n\nstatic lpi_module_t lpi_directconnect = {\n\tLPI_PROTO_DC,\n\tLPI_CATEGORY_P2P,\n\t\"DirectConnect\",\n\t1, /* Need a higher priority than regular HTTP */\n\tmatch_dc\n};\n\nvoid register_directconnect(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_directconnect, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_dnf.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_dnf_90(uint32_t payload, uint32_t len) {\n        if (len == 90 && MATCH(payload, 0x01, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_dnf_258(uint32_t payload, uint32_t len) {\n        if (len == 258 && MATCH(payload, 0x01, 0x00, 0x00, 0x01))\n                return true;\n        return false;\n}\n\nstatic inline bool match_dnf(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 80 or 443 */\n\n        if (match_dnf_90(data->payload[0], data->payload_len[0])) {\n                if (match_dnf_258(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_dnf_90(data->payload[1], data->payload_len[1])) {\n                if (match_dnf_258(data->payload[0], data->payload_len[0]))\n                        
return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_dnf = {\n\tLPI_PROTO_DNF,\n\tLPI_CATEGORY_GAMING,\n\t\"DNF\",\n\t150,\n\tmatch_dnf\n};\n\nvoid register_dnf(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_dnf, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_dns.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic bool match_length_single(uint32_t payload, uint32_t len) {\n\n        uint32_t statedlen;\n\n        if (len == 2) {\n                return true;\n        }\n\n        statedlen = (ntohl(payload) >> 16);\n\n        if (statedlen < 1280) {\n                if (statedlen != len - 2)\n                        return false;\n        }\n\n        return true;\n}\n\nstatic bool match_dns_tcp_length(lpi_data_t *data) {\n\n        uint32_t id0, id1;\n\n        if (data->payload_len[0] == 0 || data->payload_len[1] == 0)\n                return false;\n\n        if (data->server_port != 53 && data->client_port != 53)\n                return false;\n\n        if (!match_length_single(data->payload[0], data->payload_len[0]))\n                return false;\n\n        if (!match_length_single(data->payload[1], data->payload_len[1]))\n                return 
false;\n\n        if (data->payload_len[0] > 2 && data->payload_len[1] > 2) {\n\n                id0 = (ntohl(data->payload[0]) & 0xffff);\n                id1 = (ntohl(data->payload[1]) & 0xffff);\n\n                if (id0 != id1)\n                        return false;\n        }\n\n\n        return true;\n}\n\n\nstatic bool match_tcp_dns(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_dns(data))\n\t\treturn true;\n\tif (match_dns_tcp_length(data))\n\t\treturn true;\n\t\n\treturn false;\n\n}\n\nstatic lpi_module_t lpi_dns = {\n\tLPI_PROTO_DNS,\n\tLPI_CATEGORY_SERVICES,\n\t\"DNS_TCP\",\n\t6, \t/* Not a high certainty */\n\tmatch_tcp_dns\n};\n\nvoid register_dns_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_dns, mod_map);\n}\n"
  },
  {
    "path": "lib/tcp/lpi_dogecoin.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_dc_magic(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0xc0, 0xc0, 0xc0, 0xc0)) {\n                if (len >= 125 && len <= 129) \n                        return true;\n                if (len == 142)\n                        return true;\n        }\n        return false;\n\n}\n\nstatic inline bool match_dogecoin(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port == 22556 */\n\n        if (match_dc_magic(data->payload[0], data->payload_len[0])) {\n                if (match_dc_magic(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_dogecoin = {\n\tLPI_PROTO_DOGECOIN,\n\tLPI_CATEGORY_ECOMMERCE,\n\t\"Dogecoin\",\n\t8,\n\tmatch_dogecoin\n};\n\nvoid register_dogecoin(LPIModuleMap *mod_map) 
{\n\tregister_protocol(&lpi_dogecoin, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_douyu.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* This is a classic 4-byte length protocol, but there is plenty of\n * scope for the packet sizes to vary a bit so we can't just look for\n * a specific combo of packet sizes */\n\nstatic inline bool match_douyu_req(uint32_t payload, uint32_t len) {\n\n        uint32_t plen = bswap_le_to_host32(payload);\n\n        /* Packet usually contains a username and a password so\n         * can probably vary quite a bit in size */\n        if (plen == len - 4) {\n                if (len <= 255)\n                        return true;\n        }\n\n        return false;\n}\n\nstatic inline bool match_douyu_reply(uint32_t payload, uint32_t len) {\n\n        uint32_t plen = bswap_le_to_host32(payload);\n\n        /* Response packets seem like they will vary a lot less in\n         * size -- could be wrong though */\n\n        if (plen == len - 4) {\n                
if (len >= 225 && len <= 255)\n                        return true;\n        }\n\n        return false;\n}\n\nstatic inline bool match_douyu_port(uint16_t port) {\n\n        /* Based purely on observed flows, rather than any docs */\n        if (port >= 8601 && port <= 8605)\n                return true;\n        if (port >= 12601 && port <= 12605)\n                return true;\n        return false;\n}\n\nstatic inline bool match_douyu(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Tends to use a couple of different port ranges */\n        if (!match_douyu_port(data->server_port) && \n                        !match_douyu_port(data->client_port)) {\n                return false;\n        }\n\n        if (match_douyu_req(data->payload[0], data->payload_len[0])) {\n                if (match_douyu_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_douyu_req(data->payload[1], data->payload_len[1])) {\n                if (match_douyu_reply(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_douyu = {\n\tLPI_PROTO_DOUYU,\n\tLPI_CATEGORY_STREAMING,\n\t\"Douyu\",\n\t249,\n\tmatch_douyu\n};\n\nvoid register_douyu(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_douyu, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_douyu_chat.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_douyu_ee(uint32_t payload, uint32_t len) {\n\n        if (len == 242 && MATCH(payload, 0xee, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_douyu_len(uint32_t payload, uint32_t len) {\n\n\n        if (bswap_host_to_le32(payload) == len - 4)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_douyu_chat(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 8601 && data->client_port != 8601 &&\n                        data->client_port != 8602 && data->server_port != 8602)\n        {\n                return false;\n        }\n\n        if (match_douyu_ee(data->payload[0], data->payload_len[0])) {\n                if (match_douyu_len(data->payload[1], data->payload_len[1]))\n                        return true;\n 
       }\n\n        if (match_douyu_ee(data->payload[1], data->payload_len[1])) {\n                if (match_douyu_len(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_douyu_chat = {\n\tLPI_PROTO_DOUYU_CHAT,\n\tLPI_CATEGORY_CHAT,\n\t\"DouyuChat\",\n\t133,\n\tmatch_douyu_chat\n};\n\nvoid register_douyu_chat(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_douyu_chat, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_duelingnetwork.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_duelingnetwork(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 1235 && data->client_port != 1235)\n                return false;\n\n        if (data->payload_len[0] == 40 && MATCHSTR(data->payload[0], \"Ritv\"))\n                return true;\n        if (data->payload_len[1] == 40 && MATCHSTR(data->payload[1], \"Ritv\"))\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_duelingnetwork = {\n\tLPI_PROTO_DUELING_NETWORK,\n\tLPI_CATEGORY_GAMING,\n\t\"DuelingNetwork\",\n\t4,\n\tmatch_duelingnetwork\n};\n\nvoid register_duelingnetwork(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_duelingnetwork, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_dvrns.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_dvrns_typea(uint32_t payload_a, uint32_t len_a,\n\t\tuint32_t payload_b, uint32_t len_b) {\n\n\tif (!MATCH(payload_a, 0x12, 0xa4, 0x00, 0x01))\n\t\treturn false;\n\tif (len_a != 188)\n\t\treturn false;\n\tif (len_b == 0)\n\t\treturn true;\n\tif (len_b != 20)\n\t\treturn false;\n\tif (!MATCH(payload_b, 0x12, 0xa4, 0x00, 0x01))\n\t\treturn false;\n\treturn true;\n\n}\n\nstatic inline bool match_dvrns_typeb(uint32_t payload_a, uint32_t len_a,\n\t\tuint32_t payload_b, uint32_t len_b) {\n\n\tif (!MATCH(payload_a, 0x12, 0xa4, 0x00, 0x01))\n\t\treturn false;\n\tif (len_a != 12)\n\t\treturn false;\n\tif (len_b == 0)\n\t\treturn true;\n\tif (len_b != 140)\n\t\treturn false;\n\tif (!MATCH(payload_b, 0x12, 0xa4, 0x00, 0x01))\n\t\treturn false;\n\treturn true;\n\n}\n\nstatic inline bool match_dvrns(lpi_data_t *data, lpi_module_t *mod 
UNUSED) {\n\n\t/* DVRNS is basically DNS for DVR surveillance systems */\n\n\t/* Not sure whether this is just the protocol used by dvrnames.net\n\t * or all DVRNS systems */\n\n\tif (match_dvrns_typea(data->payload[0], data->payload_len[0],\n\t\t\tdata->payload[1], data->payload_len[1]))\n\t\treturn true;\n\tif (match_dvrns_typea(data->payload[1], data->payload_len[1],\n\t\t\tdata->payload[0], data->payload_len[0]))\n\t\treturn true;\n\tif (match_dvrns_typeb(data->payload[0], data->payload_len[0],\n\t\t\tdata->payload[1], data->payload_len[1]))\n\t\treturn true;\n\tif (match_dvrns_typeb(data->payload[1], data->payload_len[1],\n\t\t\tdata->payload[0], data->payload_len[0]))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_dvrns = {\n\tLPI_PROTO_DVRNS,\n\tLPI_CATEGORY_SERVICES,\n\t\"DVRNS\",\n\t10,\n\tmatch_dvrns\n};\n\nvoid register_dvrns(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_dvrns, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_dxp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_dxp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_chars_either(data, 0xb0, 0x04, 0x15, 0x00))\n\t\treturn true;\n\treturn false;\n}\n\nstatic lpi_module_t lpi_dxp = {\n\tLPI_PROTO_DXP,\n\tLPI_CATEGORY_DATABASES,\n\t\"Silverplatter_DXP\",\n\t3,\n\tmatch_dxp\n};\n\nvoid register_dxp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_dxp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_ea_games.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_ea_games(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Not sure exactly what game this is, but the server matches the\n         * EA IP range and the default port is 9946 */\n\n        if (match_str_both(data, \"&lgr\", \"&lgr\"))\n                return true;\n\n        if (match_str_either(data, \"&lgr\")) {\n                if (data->payload_len[0] == 0)\n                        return true;\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ea_games = {\n\tLPI_PROTO_EA_GAMES,\n\tLPI_CATEGORY_GAMING,\n\t\"EA_Games\",\n\t4,\n\tmatch_ea_games\n};\n\nvoid register_ea_games(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ea_games, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_emule.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_emule_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_emule(data))\n\t\treturn true;\n\treturn false;\n}\n\nstatic lpi_module_t lpi_emule = {\n\tLPI_PROTO_EMULE,\n\tLPI_CATEGORY_P2P,\n\t\"EMule\",\n\t10,\t/* We've always had this at low priority */\n\tmatch_emule_tcp\n};\n\nvoid register_emule(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_emule, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_ethernetip.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_command(uint32_t payload) {\n\n\t// no op\n\tif (MATCH(payload, 0x00, 0x00, ANY, ANY))\n\t\treturn true;\n\t// list services\n\tif (MATCH(payload, 0x04, 0x00, ANY, ANY))\n\t\treturn true;\n\t// list identity\n\tif (MATCH(payload, 0x63, 0x00, ANY, ANY))\n\t\treturn true;\n\t// list interfaces\n\tif (MATCH(payload, 0x64, 0x00, ANY, ANY))\n\t\treturn true;\n\t// register session\n\tif (MATCH(payload, 0x65, 0x00, 0x04, 0x00))\n\t\treturn true;\n\t// un-register session\n\tif (MATCH(payload, 0x66, 0x00, ANY, ANY))\n\t\treturn true;\n\t// sendrrdata\n\tif (MATCH(payload, 0x6f, 0x00, ANY, ANY))\n\t\treturn true;\n\t// send unit data\n\tif (MATCH(payload, 0x70, 0x00, ANY, ANY))\n\t\treturn true;\n\t// indicate status\n\tif (MATCH(payload, 0x72, 0x00, ANY, ANY))\n\t\treturn true;\n\t// cancel\n\tif (MATCH(payload, 0x73, 0x00, ANY, 
ANY))\n\t\treturn true;\n\t// error\n\tif (MATCH(payload, 0xff, 0xff, ANY, ANY))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic inline bool match_ethernetip(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->payload_len[0] < 24 || data->payload_len[1] < 24)\n\t\treturn false;\n\n\tif (data->server_port != 44818 && data->client_port != 44818)\n\t\treturn false;\n\n\tif (match_command(data->payload[0]) && match_command(data->payload[1]))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ethernetip = {\n\tLPI_PROTO_ETHERNETIP,\n\tLPI_CATEGORY_ICS,\n\t\"EtherNet/IP\",\n\t100,\n\tmatch_ethernetip\n};\n\nvoid register_ethernetip(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ethernetip, mod_map);\n}\n"
  },
  {
    "path": "lib/tcp/lpi_eye.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* All-seeing Eye - Yahoo Games */\n\nstatic inline bool match_eye(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"EYE1\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_eye = {\n\tLPI_PROTO_EYE,\n\tLPI_CATEGORY_GAMING,\n\t\"AllSeeingEye\",\n\t3,\n\tmatch_eye\n}; \n\nvoid register_eye(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_eye, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_facebook_turn.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_fbturn_request(uint32_t payload, uint32_t len) {\n        /* 0x74 == len - 2, 0x0001 == binding request */\n\n        if (len == 118 && MATCH(payload, 0x00, 0x74, 0x00, 0x01))\n                return true;\n        if (len == 114 && MATCH(payload, 0x00, 0x70, 0x00, 0x01))\n                return true;\n        if (len == 110 && MATCH(payload, 0x00, 0x6c, 0x00, 0x01))\n                return true;\n        if (len == 122 && MATCH(payload, 0x00, 0x78, 0x00, 0x01))\n                return true;\n        if (len == 126 && MATCH(payload, 0x00, 0x7c, 0x00, 0x01))\n                return true;\n        return false;\n}\n\nstatic inline bool match_fbturn_reply(uint32_t payload, uint32_t len) {\n        /* 0x40 == len - 2, 0x0101 == binding accepted */\n\n        if (len == 66 && MATCH(payload, 0x00, 0x40, 0x01, 0x01))\n                
return true;\n        if (len == 82 && MATCH(payload, 0x00, 0x50, 0x01, 0x01))\n                return true;\n        return false;\n}\n\nstatic inline bool match_facebook_turn(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Seems to be a slightly custom version of TURN, as there is a two\n         * byte length field preceding the conventional STUN header. Can't\n         * find any explanation for this in RFC 5766, so maybe it is a Facebook\n         * addition?\n         */\n\n        if (data->server_port != 443 && data->client_port != 443)\n                return false;\n\n        if (match_fbturn_request(data->payload[0], data->payload_len[0])) {\n                if (match_fbturn_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_fbturn_request(data->payload[1], data->payload_len[1])) {\n                if (match_fbturn_reply(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_facebook_turn = {\n\tLPI_PROTO_FACEBOOK_TURN,\n\tLPI_CATEGORY_NAT,\n\t\"FacebookTURN\",\n\t55,\n\tmatch_facebook_turn\n};\n\nvoid register_facebook_turn(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_facebook_turn, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_fb_message.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Observed while using Facebook Messenger -- I used the unofficial desktop\n * version (https://messengerfordesktop.com/) to talk to another account\n * logged into a web browser. 
I suspect direct app->app voice/video calls\n * may use the protocol more heavily.\n */\n\nstatic inline bool match_fb_msg_104(uint32_t payload, uint32_t len) {\n        if (len == 104  && MATCH(payload, 0x01, 0x13, 0x00, 0x54))\n                return true;\n        if (len == 116  && MATCH(payload, 0x01, 0x13, 0x00, 0x60))\n                return true;\n        return false;\n}\n\nstatic inline bool match_fb_msg_28(uint32_t payload, uint32_t len) {\n        if (len == 28 && MATCH(payload, 0x00, 0x03, 0x00, 0x08))\n                return true;\n        if (len == 44 && MATCH(payload, 0x00, 0x03, 0x00, 0x18))\n                return true;\n        return false;\n}\n\nstatic inline bool match_fb_message(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 3478 && data->client_port != 3478 &&\n                        data->server_port != 443 && data->client_port != 443)\n                return false;\n\n        if (match_fb_msg_28(data->payload[0], data->payload_len[0])) {\n                if (match_fb_msg_104(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_fb_msg_28(data->payload[1], data->payload_len[1])) {\n                if (match_fb_msg_104(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_fb_message = {\n\tLPI_PROTO_FACEBOOK_MESSENGER,\n\tLPI_CATEGORY_CHAT,\n\t\"FacebookMessenger\",\n\t9,\n\tmatch_fb_message\n};\n\nvoid register_fb_message(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_fb_message, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_fbcdn_ssl.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Seems to be a custom version of SSL used by the FNA servers provided\n * by Facebook? 
*/\n\nstatic inline bool match_normal_req(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x16, 0x03, 0x01, ANY))\n                return true;\n        return false;\n}\n\nstatic inline bool match_odd_reply(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x63, 0x03, 0x01, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_fbcdn_ssl(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 443 -- note that no port check is applied in this function */\n\n        if (match_normal_req(data->payload[0], data->payload_len[0])) {\n                if (match_odd_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_normal_req(data->payload[1], data->payload_len[1])) {\n                if (match_odd_reply(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_fbcdn_ssl = {\n\tLPI_PROTO_FBCDN_SSL,\n\tLPI_CATEGORY_WEB,\n\t\"FacebookCDNSSL\",\n\t112,\n\tmatch_fbcdn_ssl\n};\n\nvoid register_fbcdn_ssl(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_fbcdn_ssl, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_ffxiv.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_ff_96(uint32_t payload, uint32_t len) {\n        /* Some flows also have a 672 byte packet */\n        if (len != 96 && len != 672)\n                return false;\n        if (MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_ff_other(uint32_t payload, uint32_t len) {\n        if (len == 0)\n                return false;\n        if (len == 64 || len == 63 || len == 153 || len == 154) {\n                if (MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                        return true;\n        }\n        return false;\n}\n\nstatic inline bool match_ffxiv(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_ff_96(data->payload[0], data->payload_len[0])) {\n                if (match_ff_other(data->payload[1], data->payload_len[1]))\n            
            return true;\n        }\n\n        if (match_ff_96(data->payload[1], data->payload_len[1])) {\n                if (match_ff_other(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ffxiv = {\n\tLPI_PROTO_FINALFANTASY_XIV,\n\tLPI_CATEGORY_GAMING,\n\t\"FinalFantasy14\",\n\t55,\n\tmatch_ffxiv\n};\n\nvoid register_ffxiv(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ffxiv, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_filenori.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Filenori is the most likely candidate for this -- hard to test because\n * you need to pay money to download anything and probably not a good look\n * for me to be paying money for this kind of service...\n */\n\nstatic inline bool match_100(uint32_t payload, uint32_t len) {\n\n\tif (len != 15)\n\t\treturn false;\n\tif (MATCHSTR(payload, \"100 \"))\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_command(uint32_t payload, uint32_t len) {\n\n\t/* Probably short for START */\n\tif ((len == 20 || len == 19) && MATCHSTR(payload, \"STAR\"))\n\t\treturn true;\n\n\t/* DOWNLOAD ? 
*/\n\tif (len == 39 && MATCHSTR(payload, \"DOWN\"))\n\t\treturn true;\n\n\treturn false;\n\n}\n\nstatic inline bool match_filenori(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_100(data->payload[0], data->payload_len[0])) {\n\t\tif (match_command(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\tif (match_100(data->payload[1], data->payload_len[1])) {\n\t\tif (match_command(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_filenori = {\n\tLPI_PROTO_FILENORI,\n\tLPI_CATEGORY_P2P,\n\t\"Filenori\",\n\t15,\n\tmatch_filenori\n};\n\nvoid register_filenori(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_filenori, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_flash.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_flash(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Flash player stuff - cross-domain policy etc. */\n\t\n\tif (match_str_either(data, \"<cro\")) {\n\t\tif (match_str_either(data, \"<msg\"))\n\t\t\treturn true;\n\t\tif (match_str_either(data, \"<pol\"))\n\t\t\treturn true;\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t\tif (data->payload_len[1] == 0)\n\t\t\treturn true;\n\t}\n\n\tif (match_str_either(data, \"<?xm\")) {\n\t\tif (match_str_either(data, \"<pol\"))\n\t\t\treturn true;\n\t\tif (match_str_either(data, \"<msg\"))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_flash = {\n\tLPI_PROTO_FLASH,\n\tLPI_CATEGORY_STREAMING,\n\t\"Flash_Player\",\n\t6,\n\tmatch_flash\n};\n\nvoid register_flash(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_flash, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_fliggy.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\n/* Bytes 3 and 4 are a length field */\nstatic inline bool match_fliggy_req(uint32_t payload, uint32_t len) {\n\n        uint32_t hlen = ntohl(payload) & 0xffff;\n\n        if (MATCH(payload, 0xd1, 0x00, ANY, ANY) ||\n                        MATCH(payload, 0xd5, 0x00, ANY, ANY)) {\n                if (hlen == len - 4)\n                        return true;\n                /* Try to account for messages that are longer than one MTU */\n                if (len >= 1300 && hlen > len)\n                        return true;\n        }\n\n        if (MATCH(payload, 0xd5, 0x00, 0x01, 0x16) && len >= 282) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_fliggy_resp(uint32_t payload, uint32_t len) {\n\n        /* Usually, but not always 174 bytes -- I'm guessing sometimes\n         * messages get merged?\n        
 */\n        if (MATCH(payload, 0xd3, 0x00, 0x00, 0xaa) && len >= 174)\n                return true;\n\n        /* Same for this one, usually 58 but not always */\n        if (MATCH(payload, 0xd3, 0x00, 0x00, 0x36) && len >= 58)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_fliggy(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Ports 80 and 443, typically */\n\n        if (match_fliggy_req(data->payload[0], data->payload_len[0])) {\n                if (match_fliggy_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_fliggy_req(data->payload[1], data->payload_len[1])) {\n                if (match_fliggy_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_fliggy = {\n\tLPI_PROTO_FLIGGY,\n\tLPI_CATEGORY_ECOMMERCE,\n\t\"Fliggy\",\n\t30,\n\tmatch_fliggy\n};\n\nvoid register_fliggy(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_fliggy, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_fring.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_fring(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_both(data, \"NOPC\", \"1234\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_fring = {\n\tLPI_PROTO_FRING,\n\tLPI_CATEGORY_VOIP,\n\t\"Fring\",\n\t2,\n\tmatch_fring\n};\n\nvoid register_fring(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_fring, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_ftpcontrol.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_ftp_reply_code(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n\n        if (MATCHSTR(payload, \"220 \"))\n                 return true;\n        if (MATCHSTR(payload, \"220-\"))\n                 return true;\n        return false;\n}\n\nstatic inline bool match_ftp_command(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n        /* There are lots of valid FTP commands, but let's just limit this\n         * to ones we've observed for now */\n\n        if (MATCHSTR(payload, \"USER\"))\n                return true;\n        if (MATCHSTR(payload, \"QUIT\"))\n                return true;\n        if (MATCHSTR(payload, \"FEAT\"))\n                return true;\n        if (MATCHSTR(payload, \"HELP\"))\n                return true;\n        if 
(MATCHSTR(payload, \"user\"))\n                return true;\n        if (MATCHSTR(payload, \"AUTH\"))\n                return true;\n\n        /* This is invalid syntax, but clients using HOST seem to revert to\n         * sane FTP commands once the server reports a syntax error */\n        if (MATCHSTR(payload, \"HOST\"))\n                return true;\n\n        return false;\n\n}\n\nstatic inline bool match_ftp_control(lpi_data_t *data, \n\t\tlpi_module_t *mod UNUSED) {\n\n\t/* Rule out SMTP which uses similar reply codes and commands */\n\tif (data->server_port == 25 || data->client_port == 25)\n                return false;\n\n        if (match_ftp_reply_code(data->payload[0], data->payload_len[0])) {\n                if (match_ftp_command(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_ftp_reply_code(data->payload[1], data->payload_len[1])) {\n                if (match_ftp_command(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ftpcontrol = {\n\tLPI_PROTO_FTP_CONTROL,\n\tLPI_CATEGORY_FILES,\n\t\"FTP_Control\",\n\t3,\n\tmatch_ftp_control\n};\n\nvoid register_ftpcontrol(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ftpcontrol, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_ftpdata.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_bulk_response(uint32_t payload, uint32_t len) {\n\n        /* Most FTP-style transactions result in no packets being sent back\n         * to server (aside from ACKs) */\n\n        if (len == 0)\n                return true;\n\n        /* However, there is at least one FTP client that sends some sort of\n         * sequence number back to the server - maybe allowing for resumption\n         * of paused transfers? \n         *\n         * XXX This seems to be related to completely failing to implement the\n         * FTP protocol correctly. There is usually a flow preceding these\n         * flows that sends commands like \"get\" and \"dir\" to the server, \n         * which are not actually part of the FTP protocol. 
Instead, these\n         * are often commands typed into FTP CLI clients that are converted\n         * into the appropriate FTP commands. No idea what software is doing\n         * this, but it is essentially emulating FTP so I'll keep it in here\n         * for now.\n         * */\n\n        if (len == 4 && MATCH(payload, 0x00, 0x00, ANY, ANY))\n                return true;\n\n\n        /* Another weird FTP client: sends the occasional one byte response */\n        if (len == 1 && MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\n\n/* Bulk download covers files being downloaded through a separate channel,\n * like FTP data. We identify these by observing file type identifiers at the\n * start of the packet. This is not a protocol in itself, but it's almost \n * certainly FTP.\n */\nstatic inline bool match_bulk_download(lpi_data_t *data) {\n\n        if (match_bulk_response(data->payload[1], data->payload_len[1]) &&\n                        match_file_header(data->payload[0]))\n                return true;\n        if (match_bulk_response(data->payload[0], data->payload_len[0]) &&\n                        match_file_header(data->payload[1]))\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_directory(lpi_data_t *data) {\n\n\t/* FTP Data can start with directory permissions */\n        if (    (MATCH(data->payload[0], '-', ANY, ANY, ANY) ||\n                MATCH(data->payload[0], 'd', ANY, ANY, ANY)) &&\n                (MATCH(data->payload[0], ANY, '-', ANY, ANY) ||\n                MATCH(data->payload[0], ANY, 'r', ANY, ANY)) &&\n                (MATCH(data->payload[0], ANY, ANY, '-', ANY) ||\n                MATCH(data->payload[0], ANY, ANY, 'w', ANY)) &&\n                (MATCH(data->payload[0], ANY, ANY, ANY, '-') ||\n                MATCH(data->payload[0], ANY, ANY, ANY, 'x')) )\n\n                return true;\n\n        if (    (MATCH(data->payload[1], '-', ANY, ANY, 
ANY) ||\n                MATCH(data->payload[1], 'd', ANY, ANY, ANY)) &&\n                (MATCH(data->payload[1], ANY, '-', ANY, ANY) ||\n                MATCH(data->payload[1], ANY, 'r', ANY, ANY)) &&\n                (MATCH(data->payload[1], ANY, ANY, '-', ANY) ||\n                MATCH(data->payload[1], ANY, ANY, 'w', ANY)) &&\n                (MATCH(data->payload[1], ANY, ANY, ANY, '-') ||\n                MATCH(data->payload[1], ANY, ANY, ANY, 'x')) )\n\n                return true;\n\treturn false;\n}\n\nstatic inline bool match_ftp_data(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_bulk_download(data))\n\t\treturn true;\n\t\n\t/* XXX All rules below this are for one-way exchanges only */\n\tif (data->payload_len[0] > 0 && data->payload_len[1] > 0)\n                return false;\n\t\n\tif (match_directory(data))\n\t\treturn true;\n\n\t/* Virus definition updates from CA are delivered via FTP */\n\tif (match_str_either(data, \"Viru\"))\n\t\treturn true;\n\n\t/* XXX - I hate having to look at port numbers but there are no\n         * useful headers in FTP data exchanges; all the FTP protocol stuff\n         * is done using the control channel */\n        if (data->client_port == 20 || data->server_port == 20)\n                return true;\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ftpdata = {\n\tLPI_PROTO_FTP_DATA,\n\tLPI_CATEGORY_FILES,\n\t\"FTP_Data\",\n\t7, /* Some of these rules rely on port numbers and one-way data, so\n\t    * should have a lower priority than more concrete rules */\n\tmatch_ftp_data\n};\n\nvoid register_ftpdata(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ftpdata, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_fuckcoin.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_fc_magic(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0xfb, 0xc0, 0xb6, 0xdb)) {\n                if (len == 126)\n                        return true;\n                if (len == 146)\n                        return true;\n        }\n        return false;\n\n}\n\nstatic inline bool match_fuckcoin(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port == 9333 */\n\n        if (match_fc_magic(data->payload[0], data->payload_len[0])) {\n                if (match_fc_magic(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_fuckcoin = {\n\tLPI_PROTO_FUCKCOIN,\n\tLPI_CATEGORY_ECOMMERCE,\n\t\"Dogecoin\",\n\t8,\n\tmatch_fuckcoin\n};\n\nvoid register_fuckcoin(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_fuckcoin, 
mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_funshion.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n#include <stdio.h>\n\n/* Funshion is a Chinese P2PTV application that seems to use a bunch\n * of different protocols / messages.\n */ \n\nstatic inline bool match_funshion_54(uint32_t payload, uint32_t len) {\n\n\tif (len != 54)\n\t\treturn false;\n\n\t/* Byte 4 is always 0x00.\n\t * Byte 3 is always 0x?1, where '?' 
can be any hex digit.\n\t */\n\tif ((payload & 0xff0f0000) == 0x00010000)\n\t\treturn true;\n\t\n\treturn false;\n\n}\n\nstatic inline bool match_funshion_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Only ever observed this traffic pattern on port 6601 */\n\tif (data->server_port == 6601 || data->client_port == 6601) {\n\t\tif (match_funshion_54(data->payload[0], data->payload_len[0])) {\n\t\t\tif (match_funshion_54(data->payload[1], data->payload_len[1]))\n\t\t\t\treturn true;\n\t\t}\n\t}\n\n        return false;\n\n}\n\nstatic lpi_module_t lpi_funshion_tcp = {\n\tLPI_PROTO_FUNSHION,\n\tLPI_CATEGORY_P2PTV,\n\t\"Funshion_TCP\",\n\t10,\n\tmatch_funshion_tcp\n};\n\nvoid register_funshion_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_funshion_tcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_gamespy.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_gamespy_bsr(uint32_t payload, uint32_t len) {\n\n\tif (len != 16)\n\t\treturn false;\n\tif (!MATCH(payload, 0x5c, 'b', 's', 'r'))\n\t\treturn false;\n\treturn true;\n\n}\n\nstatic inline bool match_gamespy_search(uint32_t payload, uint32_t len) {\n\n\tif (!MATCH(payload, 0x5c, 's', 'e', 'a'))\n\t\treturn false;\n\treturn true;\n\n}\n\nstatic inline bool match_gamespy_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_gamespy_bsr(data->payload[0], data->payload_len[0])) {\n\t\tif (match_gamespy_search(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\tif (match_gamespy_bsr(data->payload[1], data->payload_len[1])) {\n\t\tif (match_gamespy_search(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_gamespy_tcp = 
{\n\tLPI_PROTO_GAMESPY,\n\tLPI_CATEGORY_GAMING,\n\t\"Gamespy_TCP\",\n\t6,\n\tmatch_gamespy_tcp\n};\n\nvoid register_gamespy_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_gamespy_tcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_gcafe_updater.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_caf(uint32_t payload, uint32_t len) {\n        if (len == 53 && MATCH(payload, 0x0c, 'C', 'A', 'F'))\n                return true;\n        return false;\n}\n\nstatic inline bool match_gcafe_updater(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Seen on ports 16800 and 1839 */\n\n\n        if (match_caf(data->payload[0], data->payload_len[0])) {\n                if (match_caf(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_gcafe_updater = {\n\tLPI_PROTO_GCAFE_UPDATER,\n\tLPI_CATEGORY_P2P,\n\t\"G-CafeUpdater\",\n\t11,\n\tmatch_gcafe_updater\n};\n\nvoid register_gcafe_updater(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_gcafe_updater, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_giop.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_giop(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (MATCH(data->payload[0], 'G', 'I', 'O', 'P')) {\n                if (MATCH(data->payload[1], 'G', 'I', 'O', 'P'))\n                        return true;\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n        if (MATCH(data->payload[1], 'G', 'I', 'O', 'P')) {\n                if (data->payload_len[0] == 0)\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_giop = {\n\tLPI_PROTO_GIOP,\n\tLPI_CATEGORY_REMOTE,\n\t\"GIOP\",\n\t5,\n\tmatch_giop\n};\n\nvoid register_giop(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_giop, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_git.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n#include <stdlib.h>\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_git_header(uint32_t payload, uint32_t len) {\n        int i;\n        char headerstr[4];\n        uint8_t *pl = (uint8_t *)(&payload);\n\n        if (len == 0)\n                return true;\n\n        memset(headerstr, 0, 4);\n        for (i = 0; i < 4; i++) {\n                headerstr[i] = (char)(*pl);\n                pl++;\n        }\n\n        uint32_t replen = strtoul(headerstr, NULL, 16);\n\n        if (replen != len)\n                return false;\n\n        return true;\n}\n\nstatic inline bool match_git(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_git_header(data->payload[0], data->payload_len[0])) {\n                if (match_git_header(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_git_header(data->payload[1], 
data->payload_len[1])) {\n                if (match_git_header(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_git = {\n\tLPI_PROTO_GIT,\n\tLPI_CATEGORY_RCS,\n\t\"Git\",\n\t5,\n\tmatch_git\n};\n\nvoid register_git(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_git, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_glupteba.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_glupteba.yvg */\n\nstatic inline bool match_glup_hello(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 'H', 'E', 'L', 'L'))\n                return true;\n        return false;\n}\n\nstatic inline bool match_glup_id(uint32_t payload, uint32_t len) {\n\n        /* ID changes from infected host to infected host, but I'm\n         * going to assume the ID has a similar length.\n         */\n\n        if (len >= 18 && len <= 25) {\n                /* Always begins with @ */\n                if (MATCH(payload, '@', ANY, ANY, ANY))\n                        return true;\n        }\n        return false;\n\n}\n\nstatic inline bool match_glupteba(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_glup_hello(data->payload[0], data->payload_len[0])) {\n         
       if (match_glup_id(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n                if (match_glup_hello(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n        if (match_glup_hello(data->payload[1], data->payload_len[1])) {\n                if (match_glup_id(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n                if (match_glup_hello(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_glupteba = {\n\tLPI_PROTO_GLUPTEBA,\n\tLPI_CATEGORY_MALWARE,\n\t\"GluptebaBackdoor\",\n\t50,\n\tmatch_glupteba\n};\n\nvoid register_glupteba(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_glupteba, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_gnutella.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_gnutella(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"GNUT\"))\n\t\treturn true;\n\tif (match_str_either(data, \"GIV \"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_gnutella = {\n\tLPI_PROTO_GNUTELLA,\n\tLPI_CATEGORY_P2P,\n\t\"Gnutella\",\n\t1, /* Avoid matching HTTP which uses similar commands */\n\tmatch_gnutella\n};\n\nvoid register_gnutella(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_gnutella, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_goku.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_goku(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\tif (match_str_both(data, \"ok:g\", \"baut\"))\n\t\treturn true;\n\tif (match_str_both(data, \"ok:w\", \"baut\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_goku = {\n\tLPI_PROTO_GOKUCHAT,\n\tLPI_CATEGORY_CHAT,\n\t\"GokuChat\",\n\t3,\n\tmatch_goku\n};\n\nvoid register_goku(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_goku, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_googlehangouts.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_hangout_req(uint32_t payload, uint32_t len) {\n\n        if ((len % 114) == 0) {\n                if (MATCH(payload, 0x00, 0x70, 0x00, 0x01))\n                        return true;\n        }\n\n        if ((len % 122) == 0) {\n                if (MATCH(payload, 0x00, 0x78, 0x00, 0x01))\n                        return true;\n        }\n\n        if (len == 110 && MATCH(payload, 0x00, 0x6c, 0x00, 0x01))\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_hangout_resp(uint32_t payload, uint32_t len) {\n\n        if (len == 106) {\n                if (MATCH(payload, 0x00, 0x68, 0x01, 0x01))\n                        return true;\n        }\n\n        if (len == 118) {\n                if (MATCH(payload, 0x00, 0x74, 0x01, 0x01))\n                        return true;\n        }\n\n        if (len == 
94 && MATCH(payload, 0x00, 0x5c, 0x01, 0x01))\n                return true;\n\n        return false;\n}\n\n\nstatic inline bool match_googlehangouts(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Based on traffic seen on port 19305 to google addresses */\n\n        /* Limit this to port 19305 - 19309 */\n        if (data->server_port < 19305 || data->server_port > 19309) {\n                if (data->client_port < 19305 || data->client_port > 19309)\n                        return false;\n        }\n\n        if (match_hangout_req(data->payload[0], data->payload_len[0])) {\n                if (match_hangout_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_hangout_req(data->payload[1], data->payload_len[1])) {\n                if (match_hangout_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_googlehangouts = {\n\tLPI_PROTO_GOOGLE_HANGOUTS,\n\tLPI_CATEGORY_CHAT,\n\t\"GoogleHangouts\",\n\t12,\n\tmatch_googlehangouts\n};\n\nvoid register_googlehangouts(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_googlehangouts, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_graalonlineera.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_goe_gnp(uint32_t payload, uint32_t len) {\n        if (len == 8 && MATCH(payload, 'G', 'N', 'P', '1'))\n                return true;\n        return false;\n}\n\nstatic inline bool match_goe_binary(uint32_t payload, uint32_t len) {\n\n        if (len >= 275 && len <= 300) {\n                if (MATCH(payload, 0x01, 0x02, 0x00, 0x01))\n                        return true;\n                if (MATCH(payload, 0x01, 0x03, 0x00, 0x01))\n                        return true;\n\n        }\n        return false;\n\n}\n\n\nstatic inline bool match_graalonlineera(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 14900 */\n\n        if (match_goe_gnp(data->payload[0], data->payload_len[0])) {\n                if (match_goe_binary(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n    
    if (match_goe_gnp(data->payload[1], data->payload_len[1])) {\n                if (match_goe_binary(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_graalonlineera = {\n\tLPI_PROTO_GRAAL_ONLINE_ERA,\n\tLPI_CATEGORY_GAMING,\n\t\"GraalOnlineEra\",\n\t8,\n\tmatch_graalonlineera\n};\n\nvoid register_graalonlineera(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_graalonlineera, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_guildwars2.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_gw2_req(uint32_t payload, uint32_t len) {\n\n        if (len < 285 || len > 295)\n                return false;\n        if (MATCH(payload, 0x50, 0x20, 0x2f, 0x53))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_gw2_resp(uint32_t payload, uint32_t len) {\n\n        if (len != 35)\n                return false;\n        if (MATCH(payload, 0x53, 0x54, 0x53, 0x2f))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_guildwars2(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_gw2_req(data->payload[1], data->payload_len[1])) {\n                if (match_gw2_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_gw2_req(data->payload[0], data->payload_len[0])) {\n                if 
(match_gw2_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_guildwars2 = {\n\tLPI_PROTO_GUILDWARS2,\n\tLPI_CATEGORY_GAMING,\n\t\"GuildWars2\",\n\t5,\n\tmatch_guildwars2\n};\n\nvoid register_guildwars2(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_guildwars2, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_hamachi.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_hamachi(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* All Hamachi messages that I've seen begin with a 4 byte length\n         * field. Other protocols also do this, so I also check for the\n         * default Hamachi port (12975)\n         */\n        if (!match_payload_length(data->payload[0], data->payload_len[0]))\n                return false;\n\n        if (!match_payload_length(data->payload[1], data->payload_len[1]))\n                return false;\n\n        if (data->server_port == 12975 || data->client_port == 12975)\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_hamachi = {\n\tLPI_PROTO_HAMACHI,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"Hamachi\",\n\t4,\n\tmatch_hamachi\n};\n\nvoid register_hamachi(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_hamachi, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_harveys.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Harveys - a seemingly custom protocol used by Harveys Real\n * Estate to transfer photos. Common in ISP C traces */\n\nstatic inline bool match_harveys(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_both(data, \"77;T\", \"47;T\"))\n\t\treturn true;\n\n\tif (match_str_either(data, \"47;T\")) {\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t\tif (data->payload_len[1] == 0)\n\t\t\treturn true;\n\t}\n\tif (match_str_either(data, \"77;T\")) {\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t\tif (data->payload_len[1] == 0)\n\t\t\treturn true;\n\t}\n\treturn false;\n}\n\nstatic lpi_module_t lpi_harveys = {\n\tLPI_PROTO_HARVEYS,\n\tLPI_CATEGORY_FILES,\n\t\"Harveys\",\n\t10,\n\tmatch_harveys\n};\n\nvoid register_harveys(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_harveys, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_hearthstone.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_hearthstone_req(uint32_t payload, uint32_t len) {\n        if (len == 16 && MATCH(payload, 0x10, 0x00, 0x00, 0x00))\n                return true;\n        if (len == 22 && MATCH(payload, 0x10, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_hearthstone_reply(uint32_t payload) {\n        if (MATCH(payload, 0x0f, 0x00, 0x00, 0x00))\n                return true;\n        if (MATCH(payload, 0xa8, 0x00, 0x00, 0x00))\n                return true;\n\treturn false;\n}\n\n\nstatic inline bool match_hearthstone(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Consider enforcing port 1119 or 3724, if we get FPs */\n\n\n        if (match_hearthstone_req(data->payload[0], data->payload_len[0])) {\n                if (match_hearthstone_reply(data->payload[1]))\n                
        return true;\n        }\n\n        if (match_hearthstone_req(data->payload[1], data->payload_len[1])) {\n                if (match_hearthstone_reply(data->payload[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_hearthstone = {\n\tLPI_PROTO_HEARTHSTONE,\n\tLPI_CATEGORY_GAMING,\n\t\"Hearthstone\",\n\t5,\n\tmatch_hearthstone\n};\n\nvoid register_hearthstone(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_hearthstone, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_hola.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_hola(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (MATCH(data->payload[0], 0xac, 0x2e, 0xbf, 0x5c)) {\n                if (MATCH(data->payload[1], 0xac, 0x2e, 0xbf, 0x5c))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_hola = {\n\tLPI_PROTO_HOLA,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"HolaVPN\",\n\t4,\n\tmatch_hola\n};\n\nvoid register_hola(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_hola, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_hots_tcp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_bau(uint32_t payload, uint32_t len) {\n\n        if (len == 743 && MATCH(payload, 0x42, 0x10, 0x61, 0x75))\n                return true;\n        return false;\n}\n\nstatic inline bool match_hots_7f28(uint32_t payload, uint32_t len) {\n        uint32_t hlen;\n\n        hlen = (ntohl(payload) & 0xffff) * 2 + 5;\n        if (len == hlen && MATCH(payload, 0x7f, 0x28, ANY, ANY)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_hots_4a48(uint32_t payload, uint32_t len) {\n        if (len == 201 && MATCH(payload, 0x4a, 0x48, 0x0c, 0xae))\n                return true;\n        return false;\n}\n\nstatic inline bool match_hots_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 1119 && data->client_port != 1119) {\n                return false;\n        
}\n\n        if (match_bau(data->payload[0], data->payload_len[0])) {\n                if (match_hots_7f28(data->payload[1], data->payload_len[1]))\n                        return true;\n                if (match_hots_4a48(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_bau(data->payload[1], data->payload_len[1])) {\n                if (match_hots_7f28(data->payload[0], data->payload_len[0]))\n                        return true;\n                if (match_hots_4a48(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_hots_tcp = {\n\tLPI_PROTO_HOTS,\n\tLPI_CATEGORY_GAMING,\n\t\"HeroesOfTheStorm_TCP\",\n\t90,\n\tmatch_hots_tcp\n};\n\nvoid register_hots_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_hots_tcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_http.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_http_response(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n        if (len == 1 && MATCH(payload, 'H', 0x00, 0x00, 0x00))\n                return true;\n        if (MATCHSTR(payload, \"HTTP\")) {\n                return true;\n        }\n\n        /* UNKNOWN seems to be a valid response from some servers, e.g.\n         * mini_httpd */\n        if (MATCHSTR(payload, \"UNKN\")) {\n                return true;\n        }\n\n        return false;\n}\n\nstatic inline bool match_http(lpi_data_t *data, lpi_module_t *mod) {\n\n\n        /* Need to rule out protocols using HTTP-style commands to do \n         * exchanges. 
These protocols primarily use GET, rather than other\n         * HTTP requests */\n        if (!valid_http_port(data)) {\n                if (match_str_either(data, \"GET \"))\n                        return false;\n        }\n\n        if (match_http_request(data->payload[0], data->payload_len[0])) {\n                if (match_http_response(data->payload[1], data->payload_len[1]))\n                        return true;\n                if (match_http_request(data->payload[1], data->payload_len[1]))\n                        return true;\n                if (match_file_header(data->payload[1]) &&\n                                data->payload_len[0] != 0)\n                        return true;\n        }\n\n        if (match_http_request(data->payload[1], data->payload_len[1])) {\n                if (match_http_response(data->payload[0], data->payload_len[0]))\n                        return true;\n                if (match_file_header(data->payload[0]) &&\n                                data->payload_len[1] != 0)\n                        return true;\n        }\n\n        /* Allow responses in both directions, even if this doesn't entirely\n         * make sense :/ */\n        if (match_http_response(data->payload[0], data->payload_len[0])) {\n                if (match_http_response(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\n        return false;\n\n\n}\n\nstatic lpi_module_t lpi_http = {\n\tLPI_PROTO_HTTP,\n\tLPI_CATEGORY_WEB,\n\t\"HTTP\",\n\t2,\t\n\tmatch_http\n};\n\nvoid register_http(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_http, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_http_badport.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_http_badport(lpi_data_t *data, lpi_module_t *mod) {\n\n        /* For some reason, some clients send GET messages to servers on\n         * port 443, which unsurprisingly do not respond. 
I'm putting this\n         * in a separate category to avoid mixing it in with legitimate\n         * HTTP traffic */\n\n        if (data->payload_len[0] != 0 && data->payload_len[1] != 0)\n                return false;\n\n        if (!match_str_either(data, \"GET \"))\n                return false;\n\n        if (data->server_port == 443 || data->client_port == 443)\n                return true;\n\n        return false;\n\n}\n\nstatic lpi_module_t lpi_http_badport = {\n\tLPI_PROTO_HTTP_BADPORT,\n\tLPI_CATEGORY_WEB,\n\t\"HTTP_443\",\n\t2,\n\tmatch_http_badport\n};\n\nvoid register_http_badport(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_http_badport, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_http_nonstandard.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_nonstandard_http(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Must not be on a known HTTP port\n         * \n\t * This used to be HTTP_P2P, but we found that most of this stuff was\n\t * legit HTTP - just using really weird ports.\n\t *\n\t * We might miss some HTTP-based P2P now, but it's just too hard for\n\t * us to differentiate more than this.\n\t */\n        if (valid_http_port(data))\n                return false;\n\n        if (match_str_both(data, \"GET \", \"HTTP\"))\n                return true;\n\n        if (match_str_either(data, \"GET \")) {\n                if (data->payload_len[0] == 0 || data->payload_len[1] == 0)\n                        return true;\n        }\n\n        return false;\n}\n\nstatic lpi_module_t lpi_http_nonstandard = 
{\n\tLPI_PROTO_NONSTANDARD_HTTP,\n\tLPI_CATEGORY_WEB,\n\t\"HTTP_NonStandard\",\n\t100,\n\tmatch_nonstandard_http\n};\n\nvoid register_http_nonstandard(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_http_nonstandard, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_http_tunnel.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_http_tunnel(lpi_data_t *data, lpi_module_t *mod UNUSED)\n{\n\n\tif (match_str_both(data, \"CONN\", \"HTTP\")) return true;\n\n\tif (MATCHSTR(data->payload[0], \"CONN\") && data->payload_len[1] == 0)\n\t\treturn true;\n\n\tif (MATCHSTR(data->payload[1], \"CONN\") && data->payload_len[0] == 0)\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_http_tunnel = {\n\tLPI_PROTO_HTTP_TUNNEL,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"HTTP_Tunnel\",\n\t1, /* Make sure we are higher priority than HTTP */\n\tmatch_http_tunnel\n};\n\nvoid register_http_tunnel(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_http_tunnel, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_https.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_https(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (!match_ssl(data))\n\t\treturn false;\n\t\n\t/* Assume all SSL traffic on port 443 is HTTPS */\n\tif (data->server_port == 443 || data->client_port == 443)\n\t\treturn true;\n\t\n\t/* We'll do port 80 as well, just to be safe */\n\tif (data->server_port == 80 || data->client_port == 80)\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_https = {\n\tLPI_PROTO_HTTPS,\n\tLPI_CATEGORY_WEB,\n\t\"HTTPS\",\n\t2, /* Should be higher priority than regular SSL */\n\tmatch_https\n};\n\nvoid register_https(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_https, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_ica.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_ica(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Citrix ICA */\n\tif (match_chars_either(data, 0x7f, 0x7f, 0x49, 0x43))\n\t\treturn true;\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ica = {\n\tLPI_PROTO_ICA,\n\tLPI_CATEGORY_REMOTE,\n\t\"CitrixICA\",\n\t3,\n\tmatch_ica\n};\n\nvoid register_ica(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ica, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_icep.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Internet Communications Engine Protocol */\n\nstatic inline bool match_icep_validate(uint32_t payload, uint32_t len) {\n        if (len == 14 && MATCHSTR(payload, \"IceP\")) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_icep_req(uint32_t payload, uint32_t len) {\n        if (MATCHSTR(payload, \"IceP\") && len >= 30) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_icep(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_icep_validate(data->payload[0], data->payload_len[0])) {\n                if (match_icep_req(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_icep_validate(data->payload[1], data->payload_len[1])) {\n                if 
(match_icep_req(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_icep = {\n\tLPI_PROTO_ICEP,\n\tLPI_CATEGORY_NAT,     /* unsure about this one */\n\t\"IceP\",\n\t8,\n\tmatch_icep\n};\n\nvoid register_icep(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_icep, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_id.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_id(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* TODO: Starts with only digits - request matches the response  */\n\t\n\t/* 20 3a 20 55 is an ID protocol error, I think */\n\tif (match_str_either(data, \" : U\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_id = {\n\tLPI_PROTO_ID,\n\tLPI_CATEGORY_SERVICES,\n\t\"ID_Protocol\",\n\t3,\n\tmatch_id\n};\n\nvoid register_id(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_id, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_idrivesync.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_idrivesync_hello(uint32_t payload) {\n\n        if (MATCH(payload, '@', 'I', 'D', 'E'))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_idrivesync(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_idrivesync_hello(data->payload[0])) {\n                if (match_idrivesync_hello(data->payload[1]))\n                        return true;\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n        if (match_idrivesync_hello(data->payload[1])) {\n                if (data->payload_len[0] == 0)\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_idrivesync = {\n\tLPI_PROTO_IDRIVE_SYNC,\n\tLPI_CATEGORY_CLOUD,\n\t\"IDriveSync\",\n\t5,\n\tmatch_idrivesync\n};\n\nvoid 
register_idrivesync(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_idrivesync, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_ihexin.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Stock trading app by 10jqka.com.cn (aka Flush). */\n\nstatic inline bool match_ihex_magic(uint32_t payload) {\n        if (MATCH(payload, 0xfd, 0xfd, 0xfd, 0xfd))\n                return true;\n        return false;\n}\n\nstatic inline bool match_ihexin(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 9528 and 8887 */\n\n        if (match_ihex_magic(data->payload[0])) {\n                if (match_ihex_magic(data->payload[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ihexin = {\n\tLPI_PROTO_IHEXIN,\n\tLPI_CATEGORY_ECOMMERCE,\n\t\"IHexin\",\n\t89,\n\tmatch_ihexin\n};\n\nvoid register_ihexin(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ihexin, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_imap.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_imap(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\tif (match_str_either(data, \"* OK\")) \n\t\treturn true;\n\treturn false;\n\n}\n\nstatic lpi_module_t lpi_imap = {\n\tLPI_PROTO_IMAP,\n\tLPI_CATEGORY_MAIL,\n\t\"IMAP\",\n\t2,\n\tmatch_imap\n};\n\nvoid register_imap(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_imap, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_imaps.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_imaps(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (!match_ssl(data))\n\t\treturn false;\n\t\n\t/* Assume all SSL traffic on port 993 is IMAPS */\n\tif (data->server_port == 993 || data->client_port == 993)\n\t\treturn true;\n\t\n\treturn false;\n}\n\nstatic lpi_module_t lpi_imaps = {\n\tLPI_PROTO_IMAPS,\n\tLPI_CATEGORY_MAIL,\n\t\"IMAPS\",\n\t2, /* Should be a higher priority than regular SSL */\n\tmatch_imaps\n};\n\nvoid register_imaps(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_imaps, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_imesh.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_imesh_payload(uint32_t payload, uint32_t len) {\n        if (len == 0)\n                return true;\n\n        if (len == 2 && MATCH(payload, 0x06, 0x00, 0x00, 0x00))\n                return true;\n        if (len == 10 && MATCH(payload, 0x06, 0x00, 0x04, 0x00))\n                return true;\n        if (len == 6 && MATCH(payload, 0x06, 0x00, 0x04, 0x00))\n                return true;\n        if (len == 12 && MATCH(payload, 0x06, 0x00, 0x06, 0x00))\n                return true;\n        return false;\n\n}\n\n\nstatic inline bool match_imesh(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Credit for this rule goes to opendpi - so if they're wrong then\n         * we're wrong! 
*/\n\n        if (!match_imesh_payload(data->payload[0], data->payload_len[0]))\n                return false;\n        if (!match_imesh_payload(data->payload[1], data->payload_len[1]))\n                return false;\n        return true;\n\n}\n\nstatic lpi_module_t lpi_imesh = {\n\tLPI_PROTO_IMESH,\n\tLPI_CATEGORY_P2P,\n\t\"iMesh_TCP\",\n\t3,\n\tmatch_imesh\n};\n\nvoid register_imesh(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_imesh, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_invalid.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_invalid(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\t\n\t/* I'm using invalid as a category for flows where both halves of\n         * the connection are clearly speaking different protocols,\n         * e.g. 
trying to do HTTP tunnelling via an SMTP server\n         */\n\n        /* XXX Bittorrent-related stuff is covered in \n         * match_invalid_bittorrent() */\n\n        /* SOCKSv4 via FTP or SMTP \n         *\n         * The last two octets '\\x00\\x50' are the port number - in this case\n         * I've hard-coded it to be 80 */\n        if (match_str_both(data, \"220 \", \"\\x04\\x01\\x00\\x50\"))\n                return true;\n\n        /* SOCKSv5 via FTP or SMTP */\n        if (match_str_both(data, \"220 \", \"\\x05\\x01\\x00\\x00\"))\n                return true;\n\n        /* HTTP tunnelling via FTP or SMTP */\n        if (match_str_both(data, \"220 \", \"CONN\"))\n                return true;\n        if (match_str_both(data, \"450 \", \"CONN\"))\n                return true;\n\n        /* Trying to send HTTP commands to FTP or SMTP servers */\n        if (match_str_both(data, \"220 \", \"GET \"))\n                return true;\n        if (match_str_both(data, \"450 \", \"GET \"))\n                return true;\n\n        /* Trying to send HTTP commands to an SVN server */\n        if (match_str_both(data, \"( su\", \"GET \"))\n                return true;\n\n        /* People running an HTTP server on the MS SQL server port */\n        if (match_tds_request(data->payload[0], data->payload_len[0])) {\n                if (MATCHSTR(data->payload[1], \"HTTP\"))\n                        return true;\n        }\n        if (match_tds_request(data->payload[1], data->payload_len[1])) {\n                if (MATCHSTR(data->payload[0], \"HTTP\"))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_invalid = {\n\tLPI_PROTO_INVALID,\n\tLPI_CATEGORY_MIXED,\n\t\"Invalid\",\n\t200,\t/* Very low priority, but not as low as mystery protos */\n\tmatch_invalid\n};\n\nvoid register_invalid(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_invalid, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_invalid_bittorrent.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_invalid_bittorrent(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* This function will match anyone doing bittorrent in one\n         * direction and *something else* in the other.\n         *\n         * I've broken it down into several separate conditions, just in case\n         * we want to treat them as separate instances later on */\n\n\n\n        /* People trying to do Bittorrent to an actual HTTP server, rather than\n         * someone peering on port 80 */\n        if (match_str_either(data, \"HTTP\") &&\n                        match_chars_either(data, 0x13, 'B', 'i', 't'))\n                return true;\n\n        /* People sending GETs to a Bittorrent peer?? 
*/\n        if (match_str_either(data, \"GET \") &&\n                        match_chars_either(data, 0x13, 'B', 'i', 't'))\n                return true;\n\n        /* We also get a bunch of cases where one end is doing bittorrent\n         * and the other end is speaking a protocol that begins with a 4\n         * byte length field. */\n        if (match_chars_either(data, 0x13, 'B', 'i', 't')) {\n                if (match_payload_length(data->payload[0],data->payload_len[0]))\n                        return true;\n                if (match_payload_length(data->payload[1],data->payload_len[1]))\n                        return true;\n        }\n\n\n        /* This assumes we've checked for regular bittorrent prior to calling\n         * this function! */\n        if (match_chars_either(data, 0x13, 'B', 'i', 't'))\n                return true;\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_invalid_bittorrent = {\n\tLPI_PROTO_INVALID_BT,\n\tLPI_CATEGORY_MIXED,\n\t\"Invalid_Bittorrent\",\n\t200,\n\tmatch_invalid_bittorrent\n};\n\nvoid register_invalid_bittorrent(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_invalid_bittorrent, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_invalid_http.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_invalid_http(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* This function is for identifying web servers that are not \n         * following the HTTP spec properly.\n         *\n         * For flows where the client is not doing HTTP properly, see\n         * match_web_junk().\n         */\n\n        /* HTTP servers that appear to respond with raw HTML */\n        if (match_str_either(data, \"GET \")) {\n                if (match_chars_either(data, '<', 'H', 'T', 'M'))\n                        return true;\n                if (match_chars_either(data, '<', 'h', 't', 'm'))\n                        return true;\n                if (match_chars_either(data, '<', 'h', '1', '>'))\n                        return true;\n                if (match_chars_either(data, '<', 't', 'i', 't'))\n                        return true;\n     
   }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_invalid_http = {\n\tLPI_PROTO_INVALID_HTTP,\n\tLPI_CATEGORY_WEB,\n\t\"Invalid_HTTP\",\n\t200,\n\tmatch_invalid_http\n};\n\nvoid register_invalid_http(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_invalid_http, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_invalid_pop.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_invalid_pop(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* This basically covers cases where idiots run SMTP servers on the\n\t * POP port, so we get SMTP responses to valid POP commands */\n\tif (match_str_both(data, \"USER\", \"421 \"))\n\t\treturn true;\n\tif (match_str_both(data, \"QUIT\", \"421 \"))\n\t\treturn true;\n\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_invalid_pop = {\n\tLPI_PROTO_INVALID_POP3,\n\tLPI_CATEGORY_MAIL,\n\t\"Invalid_POP3\",\n\t200,\n\tmatch_invalid_pop\n};\n\nvoid register_invalid_pop(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_invalid_pop, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_invalid_smtp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_invalid_smtp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* SMTP flows that do not conform to the spec properly */\n\n        if (match_str_both(data, \"250-\", \"EHLO\"))\n                return true;\n\n        if (match_str_both(data, \"250 \", \"HELO\"))\n                return true;\n\n        if (match_str_both(data, \"220 \", \"MAIL\"))\n                return true;\n\n\tif (match_str_both(data, \"\\x00\\x00\\x00\\x00\", \"EHLO\"))\n\t\treturn true;\n\tif (match_str_both(data, \"\\x00\\x00\\x00\\x00\", \"HELO\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_invalid_smtp = {\n\tLPI_PROTO_INVALID_SMTP,\n\tLPI_CATEGORY_MAIL,\n\t\"Invalid_SMTP\",\n\t200,\n\tmatch_invalid_smtp\n};\n\nvoid register_invalid_smtp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_invalid_smtp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_ipfs.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* self-described \"P2P hypermedia protocol\" -- https://ipfs.io */\n\nstatic inline bool match_ipfs_mu(uint32_t payload, uint32_t len) {\n        if (len == 20 && MATCH(payload, 0x13, 0x2f, 'm', 'u')) {\n                return true;\n        }\n        if (len == 34 && MATCH(payload, 0x13, 0x2f, 'm', 'u')) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_ipfs_single(uint32_t payload, uint32_t len) {\n        if (len == 1 && MATCH(payload, 0x13, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_ipfs_length(uint32_t payload, uint32_t len) {\n        uint32_t plen = ntohl(payload);\n\n        /* Starting to see IPFS replies with a four byte length field */\n        if (plen + 4 == len) {\n                return true;\n        }\n        return 
false;\n}\n\nstatic inline bool match_ipfs(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 4001 by default, but probably changeable */\n        if (match_ipfs_mu(data->payload[0], data->payload_len[0])) {\n                if (match_ipfs_single(data->payload[1], data->payload_len[1]))\n                        return true;\n                if (match_ipfs_mu(data->payload[1], data->payload_len[1]))\n                        return true;\n                if (match_ipfs_length(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_ipfs_mu(data->payload[1], data->payload_len[1])) {\n                if (match_ipfs_single(data->payload[0], data->payload_len[0]))\n                        return true;\n                if (match_ipfs_length(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ipfs = {\n\tLPI_PROTO_IPFS,\n\tLPI_CATEGORY_P2P,\n\t\"IPFS\",\n\t10,\n\tmatch_ipfs\n};\n\nvoid register_ipfs(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ipfs, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_ipop.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_ipop_payload(uint32_t payload, uint32_t len) {\n\n\tuint16_t *len_ptr;\n\n\tif (!MATCH(payload, ANY, ANY, 0x72, 0x00))\n\t\treturn false;\n\t\n\tlen_ptr = (uint16_t *)(&payload);\n\n\tif (ntohs(*len_ptr) + 4 != len)\n\t\treturn false;\n\treturn true;\n\n}\n\nstatic inline bool match_ipop(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (!match_ipop_payload(data->payload[0], data->payload_len[0]))\n\t\treturn false;\n\tif (!match_ipop_payload(data->payload[1], data->payload_len[1]))\n\t\treturn false;\n\n\treturn true;\n}\n\nstatic lpi_module_t lpi_ipop = {\n\tLPI_PROTO_IPOP,\n\tLPI_CATEGORY_P2P,\n\t\"IPOP_TCP\",\n\t8,\n\tmatch_ipop\n};\n\nvoid register_ipop(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ipop, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_ipsharkk.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* IPSharkk P2P Proxy */\n\nstatic inline bool match_ipsharkk_ssl(uint32_t payload) {\n\n        if (MATCH(payload, 0x16, 0x03, 0x03, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_ipsharkk_4f(uint32_t payload) {\n\n        if (MATCH(payload, 0x4f, 0x1b, 0x4d, ANY))\n                return true;\n        return false;\n}\n\nstatic inline bool match_ipsharkk(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_ipsharkk_ssl(data->payload[0])) {\n                if (match_ipsharkk_4f(data->payload[1]))\n                        return true;\n        }\n\n        if (match_ipsharkk_ssl(data->payload[1])) {\n                if (match_ipsharkk_4f(data->payload[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ipsharkk = 
{\n\tLPI_PROTO_IPSHARKK,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"IPSharkk\",\n\t15,\n\tmatch_ipsharkk\n};\n\nvoid register_ipsharkk(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ipsharkk, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_irc.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_irc(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"PASS\"))\n\t\treturn true;\n\tif (match_str_either(data, \"NICK\"))\n\t\treturn true;\n\tif (MATCHSTR(data->payload[0], \"\\x0aNIC\"))\n\t\treturn true;\n\tif (MATCHSTR(data->payload[1], \"\\x0aNIC\"))\n\t\treturn true;\n\tif (match_str_both(data, \":irc\", \"USER\"))\n\t\treturn true;\n\tif (match_str_both(data, \":loc\", \"MODE\"))\n\t\treturn true;\n\n\n\t/* Trying to match on broken IRC implementations :) */\n\tif (data->server_port == 6667 || data->client_port == 6667) {\n\t\tif (match_str_either(data, \"ERRO\"))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_irc = {\n\tLPI_PROTO_IRC,\n\tLPI_CATEGORY_CHAT,\n\t\"IRC\",\n\t2,\n\tmatch_irc\n};\n\nvoid register_irc(LPIModuleMap *mod_map) 
{\n\tregister_protocol(&lpi_irc, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_java.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_java_serial(uint32_t payload, uint32_t len) {\n\n\tif (len == 0)\n\t\treturn true;\n\tif (len != 4)\n\t\treturn false;\n\tif (MATCH(payload, 0xac, 0xed, 0x00, 0x05))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_java(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (!match_java_serial(data->payload[0], data->payload_len[0]))\n\t\treturn false;\n\tif (!match_java_serial(data->payload[1], data->payload_len[1]))\n\t\treturn false;\n\n\treturn true;\n}\n\nstatic lpi_module_t lpi_java = {\n\tLPI_PROTO_JAVA,\n\tLPI_CATEGORY_SERIALISATION,\n\t\"JavaObjectSerialised\",\n\t5,\n\tmatch_java\n};\n\nvoid register_java(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_java, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_jedi.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_jedi(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Citrix have a protocol called JEDI which is used for streaming\n\t * in products like GoToMyPC */\n\n\tif (match_str_both(data, \"JEDI\", \"JEDI\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_jedi = {\n\tLPI_PROTO_JEDI,\n\tLPI_CATEGORY_REMOTE,\n\t\"Citrix_Jedi\",\n\t3,\n\tmatch_jedi\n};\n\nvoid register_jedi(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_jedi, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_jx3online.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_jx3_2c(uint32_t payload, uint32_t len) {\n\n        if (len == 44 && MATCH(payload, 0x2c, 0x00, 0x20, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_jx3_varying(uint32_t payload, uint32_t len) {\n\n        /* There appear to be lots of valid patterns here, but I'm\n         * just going to focus on the major ones for now */\n        if (len == 28 && MATCH(payload, 0x1c, 0x00, ANY, ANY))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_jx3online(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_jx3_2c(data->payload[0], data->payload_len[0])) {\n                if (match_jx3_varying(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_jx3_2c(data->payload[1], 
data->payload_len[1])) {\n                if (match_jx3_varying(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_jx3online = {\n\tLPI_PROTO_JX3ONLINE,\n\tLPI_CATEGORY_GAMING,\n\t\"JX3Online\",\n\t201,\n\tmatch_jx3online\n};\n\nvoid register_jx3online(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_jx3online, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_kakao.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_kakao_req(uint32_t payload, uint32_t len) {\n\n        if (len < 250)\n                return false;\n        if (MATCH(payload, 0x00, 0x01, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_kakao_resp(uint32_t payload, uint32_t len) {\n\n        if (payload + 4 == len)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_kakao(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_kakao_req(data->payload[0], data->payload_len[0])) {\n                if (match_kakao_resp(data->payload[1], \n                                data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_kakao_req(data->payload[1], data->payload_len[1])) {\n                if 
(match_kakao_resp(data->payload[0], \n                                data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_kakao = {\n\tLPI_PROTO_KAKAO,\n\tLPI_CATEGORY_CHAT,\n\t\"Kakao\",\n\t43,\n\tmatch_kakao\n};\n\nvoid register_kakao(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_kakao, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_kankan_tcp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_kankan_44(uint32_t payload, uint32_t len) {\n        if (len != 44)\n                return false;\n        if (MATCH(payload, 0x01, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_kankan_28(uint32_t payload, uint32_t len) {\n        if (len != 28)\n                return false;\n        if (MATCH(payload, 0x01, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_kankan_140(uint32_t payload, uint32_t len) {\n        if (len != 140)\n                return false;\n        if (MATCH(payload, 0x01, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_kankan_any(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x01, 0x00, 0x00, 0x00))\n                return 
true;\n        return false;\n}\n\nstatic inline bool match_xmp_04_req(uint32_t payload, uint32_t len) {\n        if (len < 92)\n                return false;\n        if (MATCH(payload, 0x04, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_xmp_04_resp(uint32_t payload, uint32_t len) {\n        if (len != 4)\n                return false;\n        if (MATCH(payload, 0x04, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_kankan(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->client_port != 80 && data->server_port != 80)\n                return false;\n\n        if (match_kankan_44(data->payload[0], data->payload_len[0])) {\n                if (match_kankan_28(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_kankan_44(data->payload[1], data->payload_len[1])) {\n                if (match_kankan_28(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_kankan_140(data->payload[0], data->payload_len[0])) {\n                if (match_kankan_any(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_kankan_140(data->payload[1], data->payload_len[1])) {\n                if (match_kankan_any(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_xmp_04_req(data->payload[0], data->payload_len[0])) {\n                if (match_xmp_04_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_xmp_04_req(data->payload[1], data->payload_len[1])) {\n                if (match_xmp_04_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_kankan = 
{\n\tLPI_PROTO_KANKAN,\n\tLPI_CATEGORY_STREAMING,\n\t\"KankanTCP\",\n\t70,\n\tmatch_kankan\n};\n\nvoid register_kankan_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_kankan, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_kaseya.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_kaseya_req(uint32_t payload, uint32_t len) {\n\n\t/* Seen quite a few flows where only the response is present */\n\tif (len == 0)\n\t\treturn true;\n\n\tif (!MATCH(payload, 0x4a, 0x5e, 0x7a, 0x04))\n\t\treturn false;\n\tif (len == 48)\n\t\treturn true;\n\tif (len == 52)\n\t\treturn true;\n\tif (len == 25)\n\t\treturn true;\n\treturn false;\t\t\n\n}\n\nstatic inline bool match_kaseya_resp(uint32_t payload, uint32_t len) {\n\n\tif (len == 0)\n\t\treturn true;\n\n\tif (!MATCH(payload, 0x4a, 0x5e, 0x7a, 0x04))\n\t\treturn false;\n\n\t/*\n\tif (len < 200)\n\t\treturn false;\n\t*/\n\t\n\treturn true;\n}\n\nstatic inline bool match_kaseya(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_kaseya_req(data->payload[0], data->payload_len[0])) {\n\t\tif (match_kaseya_resp(data->payload[1], data->payload_len[1]))\n\t\t\treturn 
true;\n\t}\n\t\n\tif (match_kaseya_req(data->payload[1], data->payload_len[1])) {\n\t\tif (match_kaseya_resp(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_kaseya = {\n\tLPI_PROTO_KASEYA,\n\tLPI_CATEGORY_REMOTE,\n\t\"Kaseya\",\n\t7,\n\tmatch_kaseya\n};\n\nvoid register_kaseya(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_kaseya, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_kaspersky.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_kaspersky_tcp(lpi_data_t *data, \n\t\tlpi_module_t *mod UNUSED) {\n\n\tif (data->server_port != 443 && data->client_port != 443)\n\t\treturn false;\n\n\treturn match_kaspersky(data);\n}\n\nstatic lpi_module_t lpi_kaspersky = {\n\tLPI_PROTO_KASPERSKY,\n\tLPI_CATEGORY_SECURITY,\n\t\"Kaspersky_TCP\",\n\t4,\n\tmatch_kaspersky_tcp\n};\n\nvoid register_kaspersky(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_kaspersky, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_kik.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_kik(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* This rule tries to match the traffic for Kik, a somewhat popular\n\t * IM app for mobile devices. \n\t *\n\t * The problem with Kik is that it uses port 5223 and SSL, so it is\n\t * very difficult to distinguish from ApplePush\n\t */ \n\n\tif (!match_ssl(data))\n\t\treturn false;\n\t\n\t/* Port 5223 is used */\n\tif (data->server_port != 5223 && data->client_port != 5223)\n\t\treturn false;\n\n\t/* The key to matching Kik is bytes 3 and 4 of the incoming SSL\n\t * handshake packet. 
They are slightly different to those seen\n\t * for ApplePush flows.\n\t */\n\t\n\tif (MATCH(data->payload[0], 0x16, 0x03, 0x01, 0x0c))\n\t\treturn true;\n\tif (MATCH(data->payload[1], 0x16, 0x03, 0x01, 0x0c))\n\t\treturn true;\n\tif (MATCH(data->payload[0], 0x16, 0x03, 0x03, 0x0e))\n\t\treturn true;\n\tif (MATCH(data->payload[1], 0x16, 0x03, 0x03, 0x0e))\n\t\treturn true;\n\tif (MATCH(data->payload[0], 0x16, 0x03, 0x01, 0x0e))\n\t\treturn true;\n\tif (MATCH(data->payload[1], 0x16, 0x03, 0x01, 0x0e))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_kik = {\n\tLPI_PROTO_KIK,\n\tLPI_CATEGORY_CHAT,\n\t\"Kik\",\n\t5, /* Should be a higher priority than ApplePush */\n\tmatch_kik\n};\n\nvoid register_kik(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_kik, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_kingofglory_tcp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* TODO make sure this is not a more generic tencent games protocol? 
*/\n\nstatic inline bool match_kog_64(uint32_t payload, uint32_t len) {\n        if (len == 64 && MATCH(payload, 0x33, 0x66, 0x00, 0x09))\n                return true;\n        return false;\n}\n\nstatic inline bool match_kog_other(uint32_t payload, uint32_t len) {\n        if (len < 100 && MATCH(payload, 0x33, 0x66, 0x00, 0x09))\n                return true;\n        return false;\n}\n\nstatic inline bool match_kingofglory_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_kog_64(data->payload[0], data->payload_len[0])) {\n                if (match_kog_other(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_kog_64(data->payload[1], data->payload_len[1])) {\n                if (match_kog_other(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_kingofglory_tcp = {\n\tLPI_PROTO_KINGOFGLORY,\n\tLPI_CATEGORY_GAMING,\n\t\"KingOfGlory_TCP\",\n\t99,\n\tmatch_kingofglory_tcp\n};\n\nvoid register_kingofglory_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_kingofglory_tcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_kuaibo.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* First two bytes are actually a length field, byte 3 is always 0x03,\n * byte 4 is probably a message type (must match both ways).\n *\n * However, since messages of a certain type always seem to have the same\n * length for the request and response, I prefer matching like this\n * where I can enforce the length requirement.\n */\n\nstatic inline bool match_1c_req(uint32_t payload, uint32_t len) {\n        if (len == 28 && MATCH(payload, 0x00, 0x1c, 0x03, 0x03))\n                return true;\n        return false;\n}\n\nstatic inline bool match_0c_resp(uint32_t payload, uint32_t len) {\n        if (len == 12 && MATCH(payload, 0x00, 0x0c, 0x03, 0x03))\n                return true;\n        return false;\n}\n\nstatic inline bool match_30_req(uint32_t payload, uint32_t len) {\n\n        if (len == 48 && MATCH(payload, 0x00, 0x30, 0x03, 0x06))\n          
      return true;\n        return false;\n\n}\n\nstatic inline bool match_20_resp(uint32_t payload, uint32_t len) {\n\n        if (len == 32 && MATCH(payload, 0x00, 0x20, 0x03, 0x06))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_24_req(uint32_t payload, uint32_t len) {\n\n        if (len == 36 && MATCH(payload, 0x00, 0x24, 0x03, 0x01))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_10_resp(uint32_t payload, uint32_t len) {\n\n        if (len == 16 && MATCH(payload, 0x00, 0x10, 0x03, 0x01))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_kuaibo(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_1c_req(data->payload[0], data->payload_len[0])) {\n                if (match_0c_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_1c_req(data->payload[1], data->payload_len[1])) {\n                if (match_0c_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_30_req(data->payload[0], data->payload_len[0])) {\n                if (match_20_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_30_req(data->payload[1], data->payload_len[1])) {\n                if (match_20_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_24_req(data->payload[0], data->payload_len[0])) {\n                if (match_10_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_24_req(data->payload[1], data->payload_len[1])) {\n                if (match_10_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_kuaibo = 
{\n\tLPI_PROTO_KUAIBO,\n\tLPI_CATEGORY_STREAMING,\n\t\"Kuaibo\",\n\t51,\n\tmatch_kuaibo\n};\n\nvoid register_kuaibo(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_kuaibo, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_ldap.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_ldap_payload(uint32_t payload, uint32_t len) {\n\t\n\tuint8_t *byte = ((uint8_t *)&payload);\n\tuint16_t struct_len = 0;\n\n\tif (len == 0)\n\t\treturn true;\n\n\tbyte ++;\n\t\n\tif (((*byte) & 0x80) == 0x80) {\n\t\tuint8_t bytes_required = ((*byte) & 0x7f);\n\t\tif (bytes_required > 2 || bytes_required == 0)\n\t\t\treturn false;\n\n\t\tif (bytes_required == 1) {\n\t\t\tif (len > 255)\n\t\t\t\treturn false;\n\t\t\tbyte ++;\n\t\t\tstruct_len = 3 + ((uint8_t)(*byte));\n\t\t\tif (!MATCH(payload, 0x30, ANY, ANY, 0x02))\n\t\t\t\treturn false;\n\t\t} else {\n\t\t\tstruct_len = 4 + ntohs(*((uint16_t *)(byte + 1)));\n\t\t\tif (!MATCH(payload, 0x30, ANY, ANY, ANY))\n\t\t\t\treturn false;\n\t\t}\n\t} else {\n\t\tif (!MATCH(payload, 0x30, ANY, 0x02, 0x01))\n\t\t\treturn false;\n\t\tif (len > 255)\n\t\t\treturn false;\n\t\tstruct_len = 
(*byte) + 2;\n\t}\n\t\t\t\n\tif (struct_len != len)\n\t\treturn false;\t\n\t\n\n\treturn true;\n\n}\n\nstatic inline bool match_ldap(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (!match_ldap_payload(data->payload[0], data->payload_len[0]))\n\t\treturn false;\n\tif (!match_ldap_payload(data->payload[1], data->payload_len[1]))\n\t\treturn false;\n\n\treturn true;\n}\n\nstatic lpi_module_t lpi_ldap = {\n\tLPI_PROTO_LDAP,\n\tLPI_CATEGORY_SERVICES,\n\t\"LDAP\",\n\t3,\n\tmatch_ldap\n};\n\nvoid register_ldap(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ldap, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_lifeforge.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_lifeforge_login(uint32_t payload, uint32_t len) {\n\n        uint32_t plen = bswap_le_to_host32(payload);\n\n        /* I've only seen 0x25 in here, but that may vary depending on\n         * username length? 
*/\n        if (MATCH(payload, ANY, 0x00, 0x00, 0x00)) {\n                if (len == plen + 4)\n                        return true;\n        }\n\n        return false;\n}\n\nstatic inline bool match_lifeforge_ping(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x0e, 0x00, 0x00, 0x00)) {\n                if (len == 18)\n                        return true;\n                if (len == 34)\n                        return true;\n        }\n\n        return false;\n\n}\n\nstatic inline bool match_lifeforge(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_lifeforge_login(data->payload[0], data->payload_len[0])) {\n                if (match_lifeforge_ping(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_lifeforge_login(data->payload[1], data->payload_len[1])) {\n                if (match_lifeforge_ping(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_lifeforge = {\n\tLPI_PROTO_LIFEFORGE,\n\tLPI_CATEGORY_GAMING,\n\t\"LifeForge\",\n\t150,\n\tmatch_lifeforge\n};\n\nvoid register_lifeforge(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_lifeforge, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_line.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_line_request(uint32_t payload, uint32_t len) {\n\n        /* This packet varies in length but is always ~680 bytes if we\n         * end up needing a stronger rule */\n        if (MATCH(payload, 0x80, 0x02, 0x00, 0x01))\n                return true;\n\n        if (len == 12 && MATCH(payload, 0x80, 0x02, 0x00, 0x06))\n                return true;\n\n        return false;\n\n}\n\nstatic inline bool match_line_response(uint32_t payload, uint32_t len) {\n\n        if (len == 60 && MATCH(payload, 0x80, 0x02, 0x00, 0x04))\n                return true;\n\n        return false;\n\n}\n\nstatic inline bool match_line(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Restrict to port 443 for now */\n        if (data->server_port != 443 && data->client_port != 443)\n                return false;\n\n        /* This looks a lot 
like an SSL 2.0 handshake */\n        if (match_line_request(data->payload[0], data->payload_len[0])) {\n                if (match_line_response(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_line_request(data->payload[1], data->payload_len[1])) {\n                if (match_line_response(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_line = {\n\tLPI_PROTO_LINE,\n\tLPI_CATEGORY_CHAT,\n\t\"Line\",\n\t12,\n\tmatch_line\n};\n\nvoid register_line(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_line, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_litecoin.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_lc_magic(uint32_t payload) {\n        if (MATCH(payload, 0xfb, 0xc0, 0xb6, 0xdb))\n                return true;\n        return false;\n}\n\nstatic inline bool match_litecoin(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 9333 */\n\n        if (match_lc_magic(data->payload[0]) && match_lc_magic(data->payload[1]))\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_litecoin = {\n\tLPI_PROTO_LITECOIN,\n\tLPI_CATEGORY_ECOMMERCE,\n\t\"Litecoin\",\n\t5,\n\tmatch_litecoin\n};\n\nvoid register_litecoin(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_litecoin, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_llp2p.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Low Latency P2P -- open-source Chinese P2P streaming software.\n * https://github.com/momomou/llp2p\n */\nstatic inline bool match_llp2p_get(uint32_t payload, uint32_t len) {\n        /* Outgoing request looks like an HTTP GET -- maybe aiming to fool\n         * DPI software? 
*/\n\n        /* Only seen len=133 so far but this seems like it could change */\n        if (MATCH(payload, 'G', 'E', 'T', 0x20))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_llp2p_update(uint32_t payload, uint32_t len) {\n\n        /* Not sure on the length requirement, but I've only seen 454\n         * bytes so far.\n         */\n        if (MATCH(payload, 0x13, 0x00, 0x01, 0x00) && len == 454)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_llp2p(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_llp2p_get(data->payload[0], data->payload_len[0])) {\n                if (match_llp2p_update(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n        \n        if (match_llp2p_get(data->payload[1], data->payload_len[1])) {\n                if (match_llp2p_update(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_llp2p = {\n\tLPI_PROTO_LLP2P,\n\tLPI_CATEGORY_P2PTV,\n\t\"LLP2P\",\n\t12,\n\tmatch_llp2p\n};\n\nvoid register_llp2p(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_llp2p, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_maplestory_china.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_cms_hello(uint32_t payload, uint32_t len) {\n\n        if (len == 16 || len == 536) {\n                if (MATCH(payload, 0x0e, 0x00, 0x8d, 0x00))\n                        return true;\n                if (MATCH(payload, 0x0e, 0x00, 0x8e, 0x00))\n                        return true;\n                if (MATCH(payload, 0x0e, 0x00, 0x8f, 0x00))\n                        return true;\n                if (MATCH(payload, 0x0e, 0x00, 0x90, 0x00))\n                        return true;\n                if (MATCH(payload, 0x0e, 0x00, 0x91, 0x00))\n                        return true;\n        }\n        return false;\n\n}\n\nstatic inline bool match_cms_alt(uint32_t payload, uint32_t len) {\n\n        if (len == 16) {\n                if (MATCH(payload, 0x0e, 0x00, 0xba, 0x00))\n                        return true;\n                if 
(MATCH(payload, 0x0e, 0x00, 0xbb, 0x00))\n                        return true;\n        }\n        return false;\n}\n\nstatic inline bool match_cms_51(uint32_t payload, uint32_t len) {\n        if (len == 16) {\n                if (MATCH(payload, 0x0e, 0x00, 0xc1, 0x00)) {\n                        return true;\n                }\n        }\n        return false;\n}\n\nstatic inline bool match_maplestory_china(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Can also restrict to ports 8585 and 8586 if required */\n\n        if (match_cms_hello(data->payload[0], data->payload_len[0])) {\n                if (data->payload_len[1] == 42)\n                        return true;\n        }\n\n        if (match_cms_hello(data->payload[1], data->payload_len[1])) {\n                if (data->payload_len[0] == 42)\n                        return true;\n        }\n\n        if (match_cms_alt(data->payload[0], data->payload_len[0])) {\n                if (data->payload_len[1] == 40)\n                        return true;\n        }\n\n        if (match_cms_alt(data->payload[1], data->payload_len[1])) {\n                if (data->payload_len[0] == 40)\n                        return true;\n        }\n\n        if (match_cms_51(data->payload[0], data->payload_len[0])) {\n                if (data->payload_len[1] == 51)\n                        return true;\n        }\n\n        if (match_cms_51(data->payload[1], data->payload_len[1])) {\n                if (data->payload_len[0] == 51)\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_maplestory_china = {\n\tLPI_PROTO_MAPLESTORY_CHINA,\n\tLPI_CATEGORY_GAMING,\n\t\"MaplestoryChina\",\n\t12,\n\tmatch_maplestory_china\n};\n\nvoid register_maplestory_china(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_maplestory_china, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_maxicloud.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_maxicloud(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* MaxiCloud actually uses HTTP, but there is some weird behaviour\n         * with some servers where we see a 1 byte response to the login\n         * POST prior to the actual HTTP response so we can distinguish these\n         * flows as MaxiCloud specifically.\n         */\n\n        if (MATCHSTR(data->payload[0], \"POST\") && MATCH(data->payload[1],\n                        0x00, 0x00, 0x00, 0x00) && data->payload_len[1] == 1)\n                return true;\n\n        if (MATCHSTR(data->payload[1], \"POST\") && MATCH(data->payload[0],\n                        0x00, 0x00, 0x00, 0x00) && data->payload_len[0] == 1)\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_maxicloud = 
{\n\tLPI_PROTO_MAXICLOUD,\n\tLPI_CATEGORY_CLOUD,\n\t\"MaxiCloud\",\n\t100,\n\tmatch_maxicloud\n};\n\nvoid register_maxicloud(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_maxicloud, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_message4u.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_message4u(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"m4ul\"))\n\t\treturn true;\n\treturn false;\n}\n\nstatic lpi_module_t lpi_message4u = {\n\tLPI_PROTO_M4U,\n\tLPI_CATEGORY_TELCO,\n\t\"Message4U\",\n\t3,\n\tmatch_message4u\n};\n\nvoid register_message4u(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_message4u, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_minecraft.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mc_server_ping(uint32_t payload, uint32_t len) {\n\n\t/* There are two variants of the server ping\n\t *\n\t * http://mc.kev009.com/Server_List_Ping\n\t */\n\n\tif (len == 1) {\n\t\tif (MATCH(payload, 0xfe, 0x00, 0x00, 0x00))\n\t\t\treturn true;\n\t}\n\n\tif (len == 2) {\n\t\tif (MATCH(payload, 0xf3, 0x01, 0x00, 0x00))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n\n}\n\nstatic inline bool match_mc_kick(uint32_t payload, uint32_t len) {\n\n\tuint32_t str_len;\n\n\tif (!MATCH(payload, 0xff, ANY, ANY, 0x00))\n\t\treturn false;\n\n\t/* Middle 2 bytes are the length of the string following the initial\n\t * header. 
Unfortunately there is more to the packet after the string,\n\t * so we just have to check that the length makes sense given the size\n\t * of the packet */\n\n\tstr_len = (ntohl(payload) >> 8) & 0xffff;\n\n\tif (str_len >= len)\n\t\treturn false;\n\treturn true;\n\n}\n\nstatic inline bool match_mc_handshake(uint32_t payload, uint32_t len) {\n        /* Ref: http://wiki.vg/Protocol */\n        uint32_t replen;\n\n        replen = ntohl(payload) >> 24;\n\n        if (replen == len - 1) {\n                if (MATCH(payload, ANY, 0x00, ANY, ANY) && len - 1 <= 255)\n                        return true;\n                if (MATCH(payload, ANY, 0x01, ANY, ANY) && len - 1 >= 256)\n                        return true;\n        }\n\n        /* Some handshakes seem to be undersized? */\n        if (len == 187 && MATCH(payload, 0xb9, 0x01, 0x01, 0x0e))\n                return true;\n        if (len == 188 && MATCH(payload, 0xba, 0x01, 0x01, 0x0f))\n                return true;\n        if (len == 189 && MATCH(payload, 0xbb, 0x01, 0x01, 0x10))\n                return true;\n        if (len == 190 && MATCH(payload, 0xbc, 0x01, 0x01, 0x11))\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_mc_v5_handshake(uint32_t payload, uint32_t len) {\n\n        uint32_t replen;\n        uint32_t serverlen;\n\n        replen = ntohl(payload) >> 24;\n        serverlen = ntohl(payload) & 0xff;\n\n        if (replen == len - 1 && len - 1 <= 255) {\n                if (!MATCH(payload, ANY, 0x00, 0x05, ANY))\n                        return false;\n                if (serverlen != replen - 6)\n                        return false;\n                return true;\n        }\n\n        return false;\n\n}\n\nstatic inline bool match_mc_handshake_reply(uint32_t payload, uint32_t len) {\n\n        /* Not technically a handshake reply, as the protocol spec doesn't\n         * have one. 
This pattern is what we see in the other direction\n         * after a handshake though.\n         */\n        if (len == 173) {\n                if (MATCH(payload, 0xab, 0x01, 0x01, 0x00))\n                        return true;\n        }\n\n        if (len == 174) {\n                if (MATCH(payload, 0xac, 0x01, 0x01, 0x00))\n                        return true;\n        }\n\n        if (len == 22 && MATCH(payload, 0x15, 0x00, 0xd4, 0x02))\n                return true;\n        if (len == 24 && MATCH(payload, 0x17, 0x00, 0xcf, 0x02))\n                return true;\n        if (len == 29 && MATCH(payload, 0x1c, 0x00, 0xd2, 0x01))\n                return true;\n        if (len == 30 && MATCH(payload, 0x1d, 0x00, 0xd4, 0x02))\n                return true;\n\n        if (len == 4) {\n                if (MATCH(payload, 0x03, 0x03, 0x80, 0x02))\n                        return true;\n        }\n\n        return false;\n\n}\n\nstatic inline bool match_minecraft(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_mc_server_ping(data->payload[0], data->payload_len[0])) {\n\t\tif (match_mc_kick(data->payload[1], data->payload_len[1])) {\n\t\t\treturn true;\n\t\t}\n\t}\n\n\tif (match_mc_server_ping(data->payload[1], data->payload_len[1])) {\n\t\tif (match_mc_kick(data->payload[0], data->payload_len[0])) {\n\t\t\treturn true;\n\t\t}\n\t}\n\n        if (match_mc_handshake(data->payload[0], data->payload_len[0])) {\n                if (match_mc_handshake_reply(data->payload[1],\n                                data->payload_len[1]))\n                        return true;\n                /* apparently we can have handshake reqs in both dirs? 
*/\n                if (match_mc_handshake(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_mc_handshake(data->payload[1], data->payload_len[1])) {\n                if (match_mc_handshake_reply(data->payload[0],\n                                data->payload_len[0]))\n                        return true;\n                /* apparently we can have handshake reqs in both dirs? */\n                if (match_mc_handshake(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n        /* Some servers running old versions of MC are annoying and send\n         * single byte packets */\n        if (match_mc_v5_handshake(data->payload[0], data->payload_len[0])) {\n                if (data->payload_len[1] == 1)\n                        return true;\n        }\n\n        if (match_mc_v5_handshake(data->payload[1], data->payload_len[1])) {\n                if (data->payload_len[0] == 1)\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_minecraft = {\n\tLPI_PROTO_MINECRAFT,\n\tLPI_CATEGORY_GAMING,\n\t\"Minecraft\",\n\t35,\n\tmatch_minecraft\n};\n\nvoid register_minecraft(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_minecraft, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_mitglieder.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mitglieder(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\tif (match_chars_either(data, 0x04, 0x01, 0x00, 0x19))\n\t\treturn true;\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mitglieder = {\n\tLPI_PROTO_MITGLIEDER,\n\tLPI_CATEGORY_MALWARE,\n\t\"Mitglieder_Trojan\",\n\t8,\n\tmatch_mitglieder\n};\n\nvoid register_mitglieder(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mitglieder, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_mms.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mms_server(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x01, 0x00, 0x00, ANY))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_mms_client(uint32_t payload, uint32_t len) {\n\n        if (len != 144)\n                return false;\n        if (MATCH(payload, 0x01, 0x00, 0x00, ANY))\n                return true;\n        return false;\n\n}\n\n\nstatic inline bool match_mms(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Microsoft Media Server protocol */\n\n        if (match_mms_server(data->payload[0], data->payload_len[0])) {\n                if (match_mms_client(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_mms_server(data->payload[1], data->payload_len[1])) {\n                if 
(match_mms_client(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mms = {\n\tLPI_PROTO_MMS,\n\tLPI_CATEGORY_STREAMING,\n\t\"MMS\",\n\t6,\n\tmatch_mms\n};\n\nvoid register_mms(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mms, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_mongo.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Mongo protocol uses the first four bytes as a length field */\nstatic inline bool match_mongo_req(uint32_t payload, uint32_t len) {\n\n        uint32_t mongolen = bswap_le_to_host32(payload);\n\n        /* Most requests are very small */\n        if (MATCH(payload, ANY, 0x00, 0x00, 0x00) ||\n                        MATCH(payload, ANY, 0x01, 0x00, 0x00)) {\n                /* Some mongo libraries manage to split requests across\n                 * multiple packets, so we can't do a direct length\n                 * match :(\n                 */\n                if (mongolen >= len)\n                        return true;\n        }\n\n        return false;\n\n}\n\nstatic inline bool match_mongo_reply(uint32_t payload, uint32_t len) {\n\n        uint32_t mongolen = bswap_le_to_host32(payload);\n\n        /* If reply is short, mongolen should match the 
packet length */\n        if (mongolen == len)\n                return true;\n\n        /* If mongolen is large, packet len should be MTU-sized. Here,\n         * we'll assume an MTU of at least 1400 (sorry, people with\n         * tons of encapsulation) */\n        if (mongolen > len) {\n                if (len >= 1400)\n                        return true;\n        }\n\n        return false;\n\n}\n\nstatic inline bool match_mongo(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Restrict to the default mongo port for now */\n        if (data->server_port != 27017 && data->client_port != 27017)\n                return false;\n\n        if (match_mongo_req(data->payload[0], data->payload_len[0])) {\n                if (match_mongo_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n        if (match_mongo_req(data->payload[1], data->payload_len[1])) {\n                if (match_mongo_reply(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mongo = {\n\tLPI_PROTO_MONGO,\n\tLPI_CATEGORY_DATABASES,\n\t\"MongoDB\",\n        88,\n\tmatch_mongo\n};\n\nvoid register_mongo(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mongo, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_mp2p.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mp2p(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Looking for STR, SIZ, MD5, GO!! */\n\n        if (match_str_both(data, \"STR \", \"SIZ \"))\n                return true;\n        if (MATCHSTR(data->payload[0], \"STR \")) {\n                if (data->payload_len[0] == 10 || data->payload_len[0] == 11)\n                        return true;\n        }\n        if (MATCHSTR(data->payload[1], \"STR \")) {\n                if (data->payload_len[1] == 10 || data->payload_len[1] == 11)\n                        return true;\n        }\n\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mp2p = {\n\tLPI_PROTO_MP2P,\n\tLPI_CATEGORY_P2P,\n\t\"MP2P_TCP\",\n\t2,\n\tmatch_mp2p\n};\n\nvoid register_mp2p(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mp2p, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_msn.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_msn(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"ANS \"))\n\t\treturn true;\n\tif (match_str_either(data, \"VER \"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_msn = {\n\tLPI_PROTO_MSN,\n\tLPI_CATEGORY_CHAT,\n\t\"MSN\",\n\t2,\n\tmatch_msn\n};\n\nvoid register_msn(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_msn, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_msnc.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_msnc(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* http://msnpiki.msnfanatic.com/index.php/MSNC:File_Transfer#Direct_connection:_Handshake */\n\n        /* MSNC sends the length as a separate packet before the data. To\n         * confirm MSNC, you have to look at the second packet sent by the\n         * connecting host. It should begin with 'foo'. 
*/\n\n        if (match_str_both(data, \"\\x30\\x00\\x00\\x00\", \"\\x04\\x00\\x00\\x00\")) {\n                if (data->payload_len[0] == 4 && data->payload_len[1] == 4)\n                        return true;\n        }\n        if (match_str_both(data, \"\\x10\\x00\\x00\\x00\", \"\\x04\\x00\\x00\\x00\")) {\n                if (MATCH(data->payload[0], 0x04, 0x00, 0x00, 0x00)) {\n                        if (data->payload_len[0] == 4)\n                                return true;\n                }\n                if (MATCH(data->payload[1], 0x04, 0x00, 0x00, 0x00)) {\n                        if (data->payload_len[1] == 4)\n                                return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_msnc = {\n\tLPI_PROTO_MSNC,\n\tLPI_CATEGORY_FILES,\n\t\"MSNC\",\n\t3,\n\tmatch_msnc\n};\n\nvoid register_msnc(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_msnc, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_msnv.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_msnv(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_both(data, \"\\x01\\x01\\x00\\x70\", \"\\x00\\x01\\x00\\x64\"))\n\t\treturn true;\n\treturn false;\n}\n\nstatic lpi_module_t lpi_msnv = {\n\tLPI_PROTO_MSNV,\n\tLPI_CATEGORY_CHAT,\n\t\"MSN_Voice\",\n\t3,\n\tmatch_msnv\n};\n\nvoid register_msnv(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_msnv, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_munin.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_munin(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Can also match on TCP port 4949 if we're having false positive\n\t * problems */\n\n\t/* Also, one common munin command (seen in the other direction) \n\t * is \"cap \" */\n\n\tif (match_str_either(data, \"# mu\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_munin = {\n\tLPI_PROTO_MUNIN,\n\tLPI_CATEGORY_MONITORING,\n\t\"Munin\",\n\t6,\n\tmatch_munin\n};\n\nvoid register_munin(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_munin, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_mysql.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mysql(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tuint32_t stated_len = 0;\n\n        if (data->payload_len[0] == 0 && data->payload_len[1] == 0)\n                return false;\n\n        /* Need to enforce some sort of port checking here */\n        if (data->server_port != 3306 && data->client_port != 3306)\n                return false;\n\n        stated_len = (data->payload[0] & 0xffffff);\n        if (data->payload_len[0] > 0 && stated_len != data->payload_len[0] - 4)\n                return false;\n\n        stated_len = (data->payload[1] & 0xffffff);\n        if (data->payload_len[1] > 0 && stated_len != data->payload_len[1] - 4)\n                return false;\n\n        if (MATCH(data->payload[0], ANY, ANY, ANY, 0x00) &&\n                        MATCH(data->payload[1], ANY, ANY, ANY, 0x01))\n                
return true;\n\n        if (MATCH(data->payload[1], ANY, ANY, ANY, 0x00) &&\n                        MATCH(data->payload[0], ANY, ANY, ANY, 0x01))\n                return true;\n\n\n        if (MATCH(data->payload[0], ANY, ANY, ANY, 0x00) &&\n                data->payload_len[1] == 0)\n                return true;\n\n        if (MATCH(data->payload[1], ANY, ANY, ANY, 0x00) &&\n                data->payload_len[0] == 0)\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mysql = {\n\tLPI_PROTO_MYSQL,\n\tLPI_CATEGORY_DATABASES,\n\t\"MySQL\",\n\t4,\n\tmatch_mysql\n};\n\nvoid register_mysql(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mysql, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_mystery_8000.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mystery_8000(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* These patterns typically appear on UDP port 8000 (and occasionally\n         * TCP port 80) */\n\n        if (!match_8000_payload(data->payload[0], data->payload_len[0]))\n                return false;\n        if (!match_8000_payload(data->payload[1], data->payload_len[1]))\n                return false;\n\n        return true;\n\n}\n\nstatic lpi_module_t lpi_mystery_8000 = {\n\tLPI_PROTO_MYSTERY_8000,\n\tLPI_CATEGORY_NO_CATEGORY,\n\t\"Mystery_8000\",\n\t250,\n\tmatch_mystery_8000\n};\n\nvoid register_mystery_8000(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mystery_8000, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_mystery_9000.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mystery_9000_payload(uint32_t payload, uint32_t len) {\n        if (len == 0)\n                return true;\n        if (len != 80)\n                return false;\n        if (MATCH(payload, 0x4c, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_mystery_9000(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Not entirely sure what this is - looks kinda like Samba that is\n         * occurring primarily on port 9000. 
Many storage solutions use\n         * port 9000 as a default port so this is a possibility, but the\n         * use of this protocol is rather spammy */\n\n        if (!match_mystery_9000_payload(data->payload[0], data->payload_len[0]))\n                return false;\n        if (!match_mystery_9000_payload(data->payload[1], data->payload_len[1]))\n                return false;\n\n        return true;\n\t\n}\n\nstatic lpi_module_t lpi_mystery_9000 = {\n\tLPI_PROTO_MYSTERY_9000,\n\tLPI_CATEGORY_NO_CATEGORY,\n\t\"Mystery_9000\",\n\t250,\t\n\tmatch_mystery_9000\n};\n\nvoid register_mystery_9000(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mystery_9000, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_mystery_conn.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mystery_conn(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\t/* Appears to be some sort of file transfer protocol, but\n         * trying to google for a protocol using words such as \"connect\"\n         * and \"receive\" is not very helpful */\n\n        if (match_str_both(data, \"conn\", \"reci\"))\n                return true;\n\n        if (match_str_either(data, \"reci\")) {\n                if (data->payload_len[1] == 0)\n                        return true;\n                if (data->payload_len[0] == 0)\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mystery_conn = {\n\tLPI_PROTO_MYSTERY_CONN,\n\tLPI_CATEGORY_NO_CATEGORY,\n\t\"Mystery_conn\",\n\t250,\n\tmatch_mystery_conn\n};\n\nvoid register_mystery_conn(LPIModuleMap *mod_map) 
{\n\tregister_protocol(&lpi_mystery_conn, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_mystery_iG.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mystery_iG(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Another mystery protocol - the payload pattern is the same in\n         * both directions. 
Have observed this on port 20005 and port 8080,\n         * but not obvious what exactly this is */\n\n        if (match_str_both(data, \"\\xd7\\x69\\x47\\x26\", \"\\xd7\\x69\\x47\\x26\"))\n                return true;\n        if (MATCH(data->payload[0], 0xd7, 0x69, 0x47, 0x26)) {\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n        if (MATCH(data->payload[1], 0xd7, 0x69, 0x47, 0x26)) {\n                if (data->payload_len[0] == 0)\n                        return true;\n        }\n\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mystery_iG = {\n\tLPI_PROTO_MYSTERY_IG,\n\tLPI_CATEGORY_NO_CATEGORY,\n\t\"Mystery_iG\",\n\t250,\n\tmatch_mystery_iG\n};\n\nvoid register_mystery_iG(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mystery_iG, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_mystery_pspr.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mystery_pspr(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_both(data, \"PSPr\", \"PSPr\"))\n                return true;\n        if (match_str_either(data, \"PSPr\")) {\n                if (data->payload_len[0] == 0)\n                        return true;\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mystery_pspr = {\n\tLPI_PROTO_MYSTERY_PSPR,\n\tLPI_CATEGORY_NO_CATEGORY,\n\t\"Mystery_PSPR\",\n\t250,\n\tmatch_mystery_pspr\n};\n\nvoid register_mystery_pspr(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mystery_pspr, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_mystery_rxxf.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mystery_rxxf(lpi_data_t *data, \n\t\tlpi_module_t *mod UNUSED) {\n\n\t/* Things we know about this protocol:\n\t *\n\t * One endpoint is always running on TCP port 3128 (squid).\n\t * The other end always seems to be in Chinese address space.\n\t * Bytes 5-8 are a length field.\n\t */\n\n\tif (match_str_either(data, \"RXXF\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mystery_rxxf = {\n\tLPI_PROTO_MYSTERY_RXXF,\n\tLPI_CATEGORY_NO_CATEGORY,\n\t\"Mystery_RXXF\",\n\t250,\n\tmatch_mystery_rxxf\n};\n\nvoid register_mystery_rxxf(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mystery_rxxf, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_mystery_symantec.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mystery_symantec(lpi_data_t *data, \n\t\tlpi_module_t *mod UNUSED) {\n\n\t/* This protocol definitely goes to hosts in the Symantec IP space,\n\t * but it is not exactly clear what the purpose of it is */\n\n\t/* Always on TCP port 80 */\n\tif (data->server_port != 80 && data->client_port != 80)\n\t\treturn false;\n\n\tif (data->payload_len[0] != 4 || data->payload_len[1] != 4)\n\t\treturn false;\n\n\tif (MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x00)) {\n\t\tif (MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x00))\n\t\t\treturn false;\n\t\tif (MATCH(data->payload[1], 0x58, 0x54, 0x7d, 0x01))\n\t\t\treturn true;\n\t\tif (MATCH(data->payload[1], ANY, ANY, ANY, 0x00))\n\t\t\treturn true;\n\t}\n\n\tif (MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x00)) {\n\t\tif (MATCH(data->payload[1], 0x58, 0x54, 0x7d, 0x01))\n\t\t\treturn 
true;\n\t\tif (MATCH(data->payload[0], ANY, ANY, ANY, 0x00))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mystery_symantec = {\n\tLPI_PROTO_MYSTERY_SYMANTEC,\n\tLPI_CATEGORY_NO_CATEGORY,\n\t\"Mystery_Symantec\",\n\t250,\n\tmatch_mystery_symantec\n};\n\nvoid register_mystery_symantec(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mystery_symantec, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_mzinga.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mzinga(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"PCHA\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mzinga = {\n\tLPI_PROTO_MZINGA,\n\tLPI_CATEGORY_CHAT,\n\t\"Mzinga\",\n\t3,\n\tmatch_mzinga\n};\n\nvoid register_mzinga(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mzinga, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_naverp2p.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_naver_magic(uint32_t payload) {\n        if (MATCH(payload, 0xcf, 0x10, 0x00, 0x1f))\n                return true;\n        return false;\n}\n\nstatic inline bool match_naverp2p(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_naver_magic(data->payload[0])) {\n                if (match_naver_magic(data->payload[1])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_naverp2p = {\n\tLPI_PROTO_NAVER_P2P,\n\tLPI_CATEGORY_P2P,\n\t\"NaverP2P\",\n\t29,\n\tmatch_naverp2p\n};\n\nvoid register_naverp2p(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_naverp2p, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_ncsoft.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_ncsoft(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_chars_either(data, 0x00, 0x05, 0x0c, 0x00))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ncsoft = {\n\tLPI_PROTO_NCSOFT,\n\tLPI_CATEGORY_GAMING,\n\t\"NCSoft\",\n\t4, /* Not the strongest rule, although this hasn't caused any problems\n\t    * in the past */\n\tmatch_ncsoft\n};\n\nvoid register_ncsoft(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ncsoft, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_ndt_tput.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_ndt_tput(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* One-way throughput test */\n        if (MATCH(data->payload[0], 0x20, 0x21, 0x22, 0x23) &&\n                       data->payload_len[1] == 0) {\n                return true;\n        }\n        if (MATCH(data->payload[1], 0x20, 0x21, 0x22, 0x23) &&\n                       data->payload_len[0] == 0) {\n                return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ndt_tput = {\n\tLPI_PROTO_NDT_TPUT,\n\tLPI_CATEGORY_MONITORING,\n\t\"NDTThroughput\",\n\t100,\n\tmatch_ndt_tput\n};\n\nvoid register_ndt_tput(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ndt_tput, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_netbios.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_netbios(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tuint32_t stated_len = 0;\n\n        if (MATCH(data->payload[0], 0x81, 0x00, ANY, ANY)) {\n                stated_len = ntohl(data->payload[0]) & 0xffff;\n                if (stated_len == data->payload_len[0] - 4)\n                        return true;\n        }\n\n        if (MATCH(data->payload[1], 0x81, 0x00, ANY, ANY)) {\n                stated_len = ntohl(data->payload[1]) & 0xffff;\n                if (stated_len == data->payload_len[1] - 4)\n                        return true;\n        }\n\n\treturn false;\n}\nstatic lpi_module_t lpi_netbios = {\n\tLPI_PROTO_NETBIOS,\n\tLPI_CATEGORY_SERVICES,\n\t\"NetBIOS\",\n\t2, \n\tmatch_netbios\n}; \n\nvoid register_netbios(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_netbios, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_netcat_cctv.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_netcat_ff00(uint32_t payload, uint32_t len) {\n        if (MATCHSTR(payload, \"\\xff\\x00\\x00\\x00\"))\n                return true;\n        return false;\n}\n\nstatic inline bool match_netcat_ff01(uint32_t payload, uint32_t len) {\n        if (MATCHSTR(payload, \"\\xff\\x01\\x00\\x00\"))\n                return true;\n        return false;\n}\n\nstatic inline bool match_netcat_cctv(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Protocol used by Netcat branded IP Cameras\n         * http://www.netcatcctv.com\n         */\n\n        if (match_netcat_ff00(data->payload[0], data->payload_len[0])) {\n                if (match_netcat_ff01(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_netcat_ff00(data->payload[1], data->payload_len[1])) {\n                
if (match_netcat_ff01(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_netcat_cctv = {\n\tLPI_PROTO_NETCAT_CCTV,\n\tLPI_CATEGORY_IPCAMERAS,\n\t\"NetcatCCTV\",\n\t20,\n\tmatch_netcat_cctv\n};\n\nvoid register_netcat_cctv(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_netcat_cctv, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_netmfp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* .NET Message Framing Protocol */\n\nstatic inline bool match_version_record(uint32_t payload, uint32_t len) {\n\n        /* Length will probably vary */\n        /* Version, mode and via records are often included in the same\n         * packet */\n\n        if (MATCH(payload, 0x00, 0x01, 0x00, 0x01))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_upgrade_resp(uint32_t payload, uint32_t len) {\n\n        if (len == 1 && MATCH(payload, 0x0a, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_netmfp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Limit to port 7150 for now -- this probably only corresponds to\n         * one MS service that uses this protocol, but I'm going to play\n         * it conservative.\n         */\n\n        if 
(data->server_port != 7150 && data->client_port != 7150)\n                return false;\n\n        if (match_version_record(data->payload[0], data->payload_len[0])) {\n                if (match_upgrade_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_netmfp = {\n\tLPI_PROTO_NET_MFP,\n\tLPI_CATEGORY_WEB,\n\t\"NET-MFP\",\n\t199,\n\tmatch_netmfp\n};\n\nvoid register_netmfp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_netmfp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_nntp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_nntp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"mode\")) return true;\n        if (match_str_either(data, \"MODE\")) return true;\n        if (match_str_either(data, \"GROU\")) return true;\n        if (match_str_either(data, \"grou\")) return true;\n\n        if (match_str_both(data, \"AUTH\", \"200 \")) return true;\n        if (match_str_both(data, \"AUTH\", \"201 \")) return true;\n        if (match_str_both(data, \"AUTH\", \"200-\")) return true;\n        if (match_str_both(data, \"AUTH\", \"201-\")) return true;\n        if (match_str_both(data, \"auth\", \"200 \")) return true;\n        if (match_str_both(data, \"auth\", \"201 \")) return true;\n        if (match_str_both(data, \"auth\", \"200-\")) return true;\n        if (match_str_both(data, \"auth\", \"201-\")) return 
true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_nntp = {\n\tLPI_PROTO_NNTP,\n\tLPI_CATEGORY_NEWS,\n\t\"NNTP\",\n\t4,\n\tmatch_nntp\n};\n\nvoid register_nntp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_nntp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_nntps.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_nntps(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* This rule matches NNTP over SSL/TLS */\n\n\tif (!match_ssl(data))\n\t\treturn false;\n\t\n\t/* NNTPS uses port 563 */\n\tif (data->server_port != 563 && data->client_port != 563)\n\t\treturn false;\n\n\treturn true;\n}\n\nstatic lpi_module_t lpi_nntps = {\n\tLPI_PROTO_NNTPS,\n\tLPI_CATEGORY_NEWS,\n\t\"NNTPS\",\n\t5, /* Should be a higher priority than regular SSL */\n\tmatch_nntps\n};\n\nvoid register_nntps(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_nntps, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_nofirstpkt.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nbool match_no_firstpkt(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n    if ( (data->observed[0] != 0 || data->observed[1] != 0) &&\n        (data->payload_len[0] == 0 && data->payload_len[1] == 0) )\n            return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_no_firstpkt = {\n\tLPI_PROTO_NO_FIRSTPKT,\n\tLPI_CATEGORY_NOPAYLOAD,\n\t\"No_FirstPkt\",\n\t0,\t/* Must supersede all other protocols */\n\tmatch_no_firstpkt\n};\n\nvoid register_tcp_no_firstpkt(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_no_firstpkt, mod_map);\n}\n"
  },
  {
    "path": "lib/tcp/lpi_nomachine.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_nxd(uint32_t payload, uint32_t len) {\n        if (len == 11 && MATCH(payload, 'N', 'X', 'D', '-'))\n                return true;\n        return false;\n}\n\nstatic inline bool match_nxup(uint32_t payload, uint32_t len) {\n        if (len < 20 && MATCH(payload, 'N', 'X', 'U', 'P'))\n                return true;\n        return false;\n}\n\nstatic inline bool match_nomachine(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 4000? 
*/\n\n        if (match_nxup(data->payload[0], data->payload_len[0])) {\n                if (match_nxd(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_nxd(data->payload[0], data->payload_len[0])) {\n                if (match_nxup(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_nomachine = {\n\tLPI_PROTO_NOMACHINE,\n\tLPI_CATEGORY_REMOTE,\n\t\"NoMachine\",\n\t19,\n\tmatch_nomachine\n};\n\nvoid register_nomachine(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_nomachine, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_nopayload.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nbool match_no_payload(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->observed[0] == 0 && data->observed[1] == 0)\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_no_payload = {\n\tLPI_PROTO_NO_PAYLOAD,\n\tLPI_CATEGORY_NOPAYLOAD,\n\t\"No_Payload\",\n\t0,\t/* Must supersede all other protocols */\n\tmatch_no_payload\n};\n\nvoid register_tcp_no_payload(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_no_payload, mod_map);\n}\n"
  },
  {
    "path": "lib/tcp/lpi_norton_backup.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_nobu_rand(uint32_t payload, uint32_t len) {\n\n        /* This seems to be a random host-specific ID? 
*/\n\n        /* Rule out 00000000, as that is unlikely to be this */\n        if (MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return false;\n\n        if (len == 4)\n                return true;\n        return false;\n}\n\nstatic inline bool match_nobu_zeroes(uint32_t payload, uint32_t len) {\n\n        if (len != 4)\n                return false;\n\n        if (MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        if (MATCH(payload, 0x01, 0x00, 0x00, 0x00))\n                return true;\n        if (MATCH(payload, 0x02, 0x00, 0x00, 0x00))\n                return true;\n        if (MATCH(payload, 0x03, 0x00, 0x00, 0x00))\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_norton_backup(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 80 && data->client_port != 80)\n                return false;\n\n        /* Some sort of keep-alive protocol? Appears regularly on machines with\n         * Norton backup active, but generally only sends 4 bytes each way.\n         */\n        if (match_nobu_rand(data->payload[0], data->payload_len[0])) {\n                if (match_nobu_zeroes(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_nobu_rand(data->payload[1], data->payload_len[1])) {\n                if (match_nobu_zeroes(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_norton_backup = {\n\tLPI_PROTO_NORTON_BACKUP,\n\tLPI_CATEGORY_CLOUD,\n\t\"NortonBackup\",\n\t25,\n\tmatch_norton_backup\n};\n\nvoid register_norton_backup(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_norton_backup, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_notes_rpc.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_notes_rpc(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Notes RPC is a proprietary protocol and I haven't been able to\n         * find anything to confirm or disprove any of this. \n         *\n         * As a result, this rule is pretty iffy as it is based on a bunch\n         * of flows observed going to 1 server using port 1352. 
There is\n         * no documented basis for this (unlike most other rules)\n         */\n\n        if (data->server_port != 1352 && data->client_port != 1352)\n                return false;\n\n        if (!match_str_either(data, \"\\x78\\x00\\x00\\x00\"))\n                return false;\n\n        if (MATCH(data->payload[0], ANY, ANY, 0x00, 0x00) &&\n                        MATCH(data->payload[1], ANY, ANY, 0x00, 0x00))\n                return true;\n\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_notes_rpc = {\n\tLPI_PROTO_NOTES_RPC,\n\tLPI_CATEGORY_REMOTE,\n\t\"Lotus_Notes_RPC\",\n\t200,\t/* Don't really trust this rule that much :/ */\n\tmatch_notes_rpc\n};\n\nvoid register_notes_rpc(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_notes_rpc, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_nsq.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_nsq_v2(uint32_t payload, uint32_t len) {\n        if (len == 4 && MATCH(payload, ' ', ' ', 'V', '2'))\n                return true;\n        return false;\n}\n\nstatic inline bool match_nsq_data(uint32_t payload, uint32_t len) {\n\n        uint32_t assize = ntohl(payload);\n\n        if (assize == len - 4) {\n                return true;\n        }\n\n        return false;\n}\n\nstatic inline bool match_nsq(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 4150? 
*/\n\n        if (match_nsq_v2(data->payload[0], data->payload_len[0])) {\n                if (match_nsq_data(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_nsq_v2(data->payload[1], data->payload_len[1])) {\n                if (match_nsq_data(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_nsq = {\n\tLPI_PROTO_NSQ,\n\tLPI_CATEGORY_MESSAGE_QUEUE,\n\t\"NSQ\",\n\t45,\n\tmatch_nsq\n};\n\nvoid register_nsq(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_nsq, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_omegle.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* http://pastebin.com/bGxqigRN */\n\nstatic inline bool match_omegle_client(uint32_t payload, uint32_t len) {\n\tif (len < 12)\n\t\treturn false;\n\tif (!MATCH(payload, 0x0b, 'o', 'm', 'e'))\n\t\treturn false;\n\treturn true;\n\n}\n\nstatic inline bool match_omegle_server(uint32_t payload, uint32_t len) {\n\n\tif (len == 4 && MATCH(payload, 0x01, 'w', 0x00, 0x00))\n\t\treturn true;\n\tif (len == 68 && MATCH(payload, 0x01, 0x63, 0x00, 0x40))\n\t\treturn true;\n\tif (MATCH(payload, 0x09, 'c', 'l', 'i'))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_omegle(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_omegle_client(data->payload[0], data->payload_len[0])) {\n\t\tif (match_omegle_server(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_omegle_client(data->payload[1], 
data->payload_len[1])) {\n\t\tif (match_omegle_server(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_omegle = {\n\tLPI_PROTO_OMEGLE,\n\tLPI_CATEGORY_CHAT,\n\t\"Omegle\",\n\t3,\n\tmatch_omegle\n};\n\nvoid register_omegle(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_omegle, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_openvpn.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_openvpn_handshake(uint32_t payload, uint32_t len) {\n\n        uint16_t pktlen = ntohs((uint16_t)payload);\n\n        /* First two bytes are the length of the packet (not including the\n         * length) */\n        if (pktlen + 2 != len)\n                return false;\n\n        /* Handshake packets have opcodes of either 7 or 8 and key IDs of \n         * zero, so the third byte is either 0x38 or 0x40 */\n\n        /* Ref: http://tinyurl.com/37tt3xe */\n\n        if (MATCH(payload, ANY, ANY, 0x38, ANY))\n                return true;\n        if (MATCH(payload, ANY, ANY, 0x40, ANY))\n                return true;\n\n\n        return false;\n\n}\n\n\nstatic inline bool match_openvpn(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (!match_openvpn_handshake(data->payload[0], data->payload_len[0]))\n                return 
false;\n        if (!match_openvpn_handshake(data->payload[1], data->payload_len[1]))\n                return false;\n\n\treturn true;\n}\n\nstatic lpi_module_t lpi_openvpn = {\n\tLPI_PROTO_OPENVPN,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"OpenVPN\",\n\t4,\t/* Most of this rule is based on a length field in the header */\n\tmatch_openvpn\n};\n\nvoid register_openvpn(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_openvpn, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_ourworld.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* ourworld.com -- Flash-based MMO / game site combo thing */\n\nstatic inline bool match_custom_flash_36(uint32_t payload, uint32_t len) {\n\n        if (len == 36 && MATCH(payload, '<', 'm', '>', 'A'))\n                return true;\n        return false;\n}\n\nstatic inline bool match_custom_flash_200(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, '<', 'm', '>', 'A')) {\n                if (len >= 200 && len <= 250)\n                        return true;\n        }\n        return false;\n}\n\nstatic inline bool match_ourworld(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 9310 */\n        if (match_custom_flash_36(data->payload[0], data->payload_len[0])) {\n                if (match_custom_flash_200(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if 
(match_custom_flash_36(data->payload[1], data->payload_len[1])) {\n                if (match_custom_flash_200(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ourworld = {\n\tLPI_PROTO_OURWORLD,\n\tLPI_CATEGORY_GAMING,\n\t\"OurWorld\",\n\t5,\n\tmatch_ourworld\n};\n\nvoid register_ourworld(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ourworld, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_palringo.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_palringo(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_both(data, \"AUTH\", \"LOGO\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_palringo = {\n\tLPI_PROTO_PALRINGO,\n\tLPI_CATEGORY_CHAT,\n\t\"Palringo\",\n\t4,\n\tmatch_palringo\n};\n\nvoid register_palringo(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_palringo, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_paltalk.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_pal_17f6(uint32_t payload, uint32_t len) {\n\n\tif (len != 8)\n\t\treturn false;\n\tif (MATCH(payload, 0x17, 0xf6, 0x00, 0x01))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_pal_24c2(uint32_t payload, uint32_t len) {\n\t\n\tif (len != 4)\n\t\treturn false;\n\tif (MATCH(payload, 0x00, 0x00, 0x24, 0xc2))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_pal_ff8b(uint32_t payload, uint32_t len) {\n\n\tif (len != 24)\n\t\treturn false;\n\tif (MATCHSTR(payload, \"\\xff\\x8b\\x00\\x0e\"))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_pal_fb(uint32_t payload, uint32_t len) {\n\n\tif (len != 6)\n\t\treturn false;\n\tif (MATCH(payload, 0xfb, ANY, 0x00, ANY))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_pal_1byte(uint32_t payload, uint32_t len) {\n\n\tif 
(len != 0 and len != 1)\n\t\treturn false;\n\tif (MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic inline bool match_pal_4byte(uint32_t payload, uint32_t len) {\n\n\tif (len != 4)\n\t\treturn false;\n\tif (payload == 0)\n\t\treturn false;\n\n\tif (MATCH(payload, 0x00, 0x00, ANY, ANY))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_paltalk(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Created all these rules based on a capture of actual Paltalk\n\t * traffic */\n\n\tif (match_pal_fb(data->payload[0], data->payload_len[0])) {\n\t\tif (match_pal_ff8b(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\t\n\tif (match_pal_fb(data->payload[1], data->payload_len[1])) {\n\t\tif (match_pal_ff8b(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\tif (match_pal_17f6(data->payload[0], data->payload_len[0])) {\n\t\tif (match_pal_24c2(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\t\n\tif (match_pal_17f6(data->payload[1], data->payload_len[1])) {\n\t\tif (match_pal_24c2(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\n\t/* These last two may be iffy, keep an eye out for false positives */\n\tif (match_pal_4byte(data->payload[0], data->payload_len[0])) {\n\t\tif (match_pal_1byte(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\t\n\tif (match_pal_4byte(data->payload[1], data->payload_len[1])) {\n\t\tif (match_pal_1byte(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_paltalk = {\n\tLPI_PROTO_PALTALK,\n\tLPI_CATEGORY_CHAT,\n\t\"Paltalk\",\n\t11,\n\tmatch_paltalk\n};\n\nvoid register_paltalk(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_paltalk, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_pandatv.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_panda_request(uint32_t payload, uint32_t len) {\n\n        /* Seen length 156 and 160 so far, so could be variable length */\n        if (MATCH(payload, 0x02, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_panda_reply(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x01, 0x00, 0x00, 0x00) && len == 36)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_pandatv(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 3105 && data->client_port != 3105)\n                return false;\n\n        if (match_panda_request(data->payload[0], data->payload_len[0])) {\n                if (match_panda_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        
if (match_panda_request(data->payload[1], data->payload_len[1])) {\n                if (match_panda_reply(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_pandatv = {\n\tLPI_PROTO_PANDATV,\n\tLPI_CATEGORY_STREAMING,\n\t\"Panda.tv\",\n\t140,\n\tmatch_pandatv\n};\n\nvoid register_pandatv(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_pandatv, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_pando.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_pando(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"\\x0ePan\"))\n\t\treturn true;\n\treturn false;\n}\n\nstatic lpi_module_t lpi_pando = {\n\tLPI_PROTO_PANDO,\n\tLPI_CATEGORY_P2P,\n\t\"Pando\",\n\t3,\n\tmatch_pando\n}; \n\nvoid register_pando(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_pando, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_pathofexile.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_poe_40(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x00, 0x03, 0x00, 0x00)) {\n                if (len == 40 || len == 54 || len == 20 || len == 66) {\n                        return true;\n                }\n        }\n        return false;\n}\n\nstatic inline bool match_poe_05(uint32_t payload, uint32_t len) {\n        if (len >= 200 && MATCH(payload, 0x00, 0x05, ANY, ANY))\n                return true;\n        return false;\n}\n\nstatic inline bool match_pathofexile(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 6112 */\n        if (match_poe_40(data->payload[0], data->payload_len[0])) {\n                if (match_poe_05(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_poe_40(data->payload[1], data->payload_len[1])) {\n         
       if (match_poe_05(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_pathofexile = {\n\tLPI_PROTO_PATHOFEXILE,\n\tLPI_CATEGORY_GAMING,\n\t\"PathOfExile\",\n\t49,\n\tmatch_pathofexile\n};\n\nvoid register_pathofexile(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_pathofexile, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_pdbox.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_pdbox(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_both(data, \"0127\", \"0326\"))\n\t\treturn true;\n\treturn false;\n}\n\nstatic lpi_module_t lpi_pdbox = {\n\tLPI_PROTO_PDBOX,\n\tLPI_CATEGORY_CLOUD,\n\t\"PDBOX\",\n\t3,\n\tmatch_pdbox\n};\n\nvoid register_pdbox(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_pdbox, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_pop3.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_pop3(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_chars_either(data, '+', 'O', 'K', ANY))\n\t\treturn true;\n\tif (match_chars_either(data, '-', 'E', 'R', 'R'))\n\t\treturn true;\n\n\tif (match_str_either(data, \"CAPA\")) {\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t\tif (data->payload_len[1] == 0)\n\t\t\treturn true;\n\t}\n\n\tif (match_str_either(data, \"AUTH\")) {\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t\tif (data->payload_len[1] == 0)\n\t\t\treturn true;\n\t}\n\treturn false;\n\n}\n\nstatic lpi_module_t lpi_pop3 = {\n\tLPI_PROTO_POP3,\n\tLPI_CATEGORY_MAIL,\n\t\"POP3\",\n\t2,\n\tmatch_pop3\n};\n\nvoid register_pop3(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_pop3, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_pop3s.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_pop3s(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (!match_ssl(data))\n\t\treturn false;\n\t\n\t/* Assume all SSL traffic on port 995 is POP3S */\n\tif (data->server_port == 995 || data->client_port == 995)\n\t\treturn true;\n\t\n\treturn false;\n}\n\nstatic lpi_module_t lpi_pop3s = {\n\tLPI_PROTO_POP3S,\n\tLPI_CATEGORY_MAIL,\n\t\"POP3S\",\n\t2, /* Should be a higher priority than regular SSL */\n\tmatch_pop3s\n};\n\nvoid register_pop3s(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_pop3s, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_postgresql.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_postgresql(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\t/* Client start up messages start with a 4 byte length */\n        /* Server auth requests start with 'R', followed by 4 bytes of length\n         *\n         * All auth requests tend to be quite small */\n\n        if (ntohl(data->payload[0]) == data->payload_len[0])\n        {\n                if (MATCH(data->payload[1], 0x52, 0x00, 0x00, 0x00))\n                        return true;\n        }\n\n        if (ntohl(data->payload[1]) == data->payload_len[1])\n        {\n                if (MATCH(data->payload[0], 0x52, 0x00, 0x00, 0x00))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_postgresql = {\n\tLPI_PROTO_POSTGRESQL,\n\tLPI_CATEGORY_DATABASES,\n\t\"Postgresql\",\n\t4,\n\tmatch_postgresql\n};\n\nvoid 
register_postgresql(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_postgresql, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_pptp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_pptp_payload(uint32_t payload, uint32_t len) {\n\n        if (len != 156)\n                return false;\n\n        if (!MATCH(payload, 0x00, 0x9c, 0x00, 0x01))\n                return false;\n\n        return true;\n\n}\n\n\nstatic inline bool match_pptp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (!match_pptp_payload(data->payload[0], data->payload_len[0]))\n\t\treturn false;\n\tif (!match_pptp_payload(data->payload[1], data->payload_len[1]))\n\t\treturn false;\n\treturn true;\n\n}\n\nstatic lpi_module_t lpi_pptp = {\n\tLPI_PROTO_PPTP,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"PPTP\",\n\t3,\n\tmatch_pptp\n};\n\nvoid register_pptp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_pptp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_psn_store.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_psn_store(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* This rule matches the SSL exchanges used by the Playstation\n\t * Store */\n\n\tif (!match_ssl(data))\n\t\treturn false;\n\t\n\t/* All PSN SSL traffic is on port 5223 */\n\tif (data->server_port != 5223 && data->client_port != 5223)\n\t\treturn false;\n\n\tif (data->payload_len[0] == 66 && data->payload_len[1] == 1085)\n\t\treturn true;\n\tif (data->payload_len[1] == 66 && data->payload_len[0] == 1085)\n\t\treturn true;\n\t\n\treturn false;\n}\n\nstatic lpi_module_t lpi_psn_store = {\n\tLPI_PROTO_PSN_STORE,\n\tLPI_CATEGORY_GAMING,\n\t\"PSNStore\",\n\t2, /* Should be a higher priority than regular SSL */\n\tmatch_psn_store\n};\n\nvoid register_psn_store(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_psn_store, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_qcloud_ilvb.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Interactive Live Video Broadcasting, a service offered by Tencent QCloud.\n *\n * Seems to be some sort of SDK for developing live streaming applications.\n */\n\nstatic inline bool match_qcloud_ilvb(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Packet sizes can vary -- 51,53,55,68 observed */\n        if (MATCH(data->payload[0], 0x28, 0x00, 0x00, 0x00)) {\n                if (MATCH(data->payload[1], 0x28, 0x00, 0x00, 0x00))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_qcloud_ilvb = {\n\tLPI_PROTO_QCLOUD_ILVB,\n\tLPI_CATEGORY_STREAMING,\n\t\"QCloud_ILVB\",\n\t199,\n\tmatch_qcloud_ilvb\n};\n\nvoid register_qcloud_ilvb(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_qcloud_ilvb, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_qq_tcp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool check_length(uint32_t payload, uint32_t len) {\n\tuint32_t swap;\n\t\n\tuint32_t length;\n\n\tif (!(MATCH(payload, ANY, ANY, 0x02, ANY) || \n\t\t\tMATCH(payload, ANY, ANY, 0x2d, ANY)))\n\t\treturn false;\n\t\n\tswap=ntohl(payload);\n\n\tlength = swap >> 16;\n\n\tif (length != len)\n\t\treturn false;\n\treturn true;\n\n}\n\nstatic inline bool match_qq_8080(uint32_t payload, uint32_t len) {\n        if (len == 0)\n                return false;\n\n        if (ntohl(payload) == len)\n                return true;\n        return false;\n}\n\nstatic inline bool match_qq_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port == 8080 || data->client_port == 8080) {\n                /* Typically traffic to msfwifi.3g.qq.com, only seen on\n                 * mobile QQ clients.\n                 */\n\n                
if (match_qq_8080(data->payload[0], data->payload_len[0])) {\n                        if (match_qq_8080(data->payload[1], data->payload_len[1]))\n                                return true;\n                }\n\n        }\n\n\n\tif (data->payload_len[0] == 0 || data->payload_len[1] == 0)\n\t\treturn false;\n\tif ((data->payload[0] & 0xffff0000) != (data->payload[1] & 0xffff0000))\n\t\treturn false;\n\t\n\tif ((data->payload[0] & 0xffff0000) ==  0x00000000)\n\t\treturn false;\n\tif ((data->payload[1] & 0xffff0000) ==  0x00000000)\n\t\treturn false;\n\t\n\tif (!check_length(data->payload[0], data->payload_len[0]))\n\t\treturn false;\n\n\tif (!check_length(data->payload[1], data->payload_len[1]))\n\t\treturn false;\n\t\n\n\treturn true;\n}\n\nstatic lpi_module_t lpi_qq_tcp = {\n\tLPI_PROTO_QQ,\n\tLPI_CATEGORY_CHAT,\n\t\"QQ\",\n\t20,\n\tmatch_qq_tcp\n};\n\nvoid register_qq_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_qq_tcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_qqdownload.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_qqd_req(uint32_t payload) {\n\n        if (!MATCH(payload, 0x02, 0x03, ANY, ANY))\n                return false;\n\n        if (MATCH(payload, 0x02, 0x03, 0x05, 0x00))\n                return true;\n        if (MATCH(payload, 0x02, 0x03, 0x05, 0x01))\n                return true;\n        if (MATCH(payload, 0x02, 0x03, 0x04, 0x00))\n                return true;\n        if (MATCH(payload, 0x02, 0x03, 0x04, 0x01))\n                return true;\n        if (MATCH(payload, 0x02, 0x03, 0x04, 0x03))\n                return true;\n        if (MATCH(payload, 0x02, 0x03, 0x04, 0x06))\n                return true;\n        return false;\n}\n\nstatic inline bool match_qqd_resp(uint32_t payload) {\n\n        if (MATCH(payload, 0x02, 0x03, 0x04, 0x00))\n                return true;\n        if (MATCH(payload, 0x02, 0x03, 0x04, 0x04))\n     
           return true;\n        if (MATCH(payload, 0x02, 0x03, 0x04, 0x05))\n                return true;\n        if (MATCH(payload, 0x02, 0x03, 0x04, 0x13))\n                return true;\n        if (MATCH(payload, 0x02, 0x03, 0x04, 0x17))\n                return true;\n        if (MATCH(payload, 0x02, 0x03, 0x05, 0x00))\n                return true;\n        if (MATCH(payload, 0x02, 0x03, 0x05, 0x01))\n                return true;\n        return false;\n}\n\nstatic inline bool match_qqdownload(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\n        if ((data->payload[0] & 0xffffff) != (data->payload[1] & 0xffffff))\n                return false;\n\n        if (match_qqd_req(data->payload[0])) {\n                if (match_qqd_resp(data->payload[1]))\n                        return true;\n        }\n\n        if (match_qqd_req(data->payload[1])) {\n                if (match_qqd_resp(data->payload[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_qqdownload = {\n\tLPI_PROTO_QQDOWNLOAD,\n\tLPI_CATEGORY_P2P,\n\t\"QQDownload\",\n\t14,\n\tmatch_qqdownload\n};\n\nvoid register_qqdownload(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_qqdownload, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_qqlive_tcp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n#include <stdio.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_qqlive_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->payload_len[0] == 0 || data->payload_len[1] == 0) {\n\t\tif (data->server_port == 53 || data->client_port == 53)\n\t\t\treturn false;\n\t}\n\n        if (!match_qqlive_payload(data->payload[0], data->payload_len[0]))\n                return false;\n        if (!match_qqlive_payload(data->payload[1], data->payload_len[1]))\n                return false;\n\n        return true;\n}\n\nstatic lpi_module_t lpi_qqlive_tcp = {\n\tLPI_PROTO_QQLIVE,\n\tLPI_CATEGORY_P2PTV,\n\t\"QQLive_TCP\",\n\t4,\n\tmatch_qqlive_tcp\n};\n\nvoid register_qqlive_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_qqlive_tcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_qqspeedmobile_tcp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_speedtcp_113(uint32_t payload, uint32_t len) {\n        if (len == 113 && MATCH(payload, 0x33, 0x66, 0x00, 0x08))\n                return true;\n        return false;\n}\n\nstatic inline bool match_speedtcp_212(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x33, 0x66, 0x00, 0x08)) {\n                if (len == 212 || len == 216)\n                        return true;\n        }\n        return false;\n}\n\nstatic inline bool match_qqspeedmobile_tcp(lpi_data_t *data,\n                lpi_module_t *mod UNUSED) {\n\n        if (match_speedtcp_113(data->payload[0], data->payload_len[0])) {\n                if (match_speedtcp_212(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_speedtcp_113(data->payload[1], data->payload_len[1])) {\n                if 
(match_speedtcp_212(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_qqspeedmobile_tcp = {\n\tLPI_PROTO_QQSPEEDMOBILE,\n\tLPI_CATEGORY_GAMING,\n\t\"QQSpeedMobile_TCP\",\n\t5,\n\tmatch_qqspeedmobile_tcp\n};\n\nvoid register_qqspeedmobile_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_qqspeedmobile_tcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_qvod.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Chinese variant of BitTorrent -- www.qvod.com */\n\nstatic inline bool match_qvod_message(uint32_t payload, uint32_t len) {\n\n        if (!MATCH(payload, 0x13, 'Q', 'V', 'O'))\n                return false;\n        return true;\n\n}\n\nstatic inline bool match_qvod(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_qvod_message(data->payload[0], data->payload_len[0])) {\n                if (match_qvod_message(data->payload[1], data->payload_len[1]))\n                        return true;\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n        if (match_qvod_message(data->payload[1], data->payload_len[1])) {\n                if (match_qvod_message(data->payload[0], data->payload_len[0]))\n                        return true;\n                if (data->payload_len[0] == 0)\n          
              return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_qvod = {\n\tLPI_PROTO_QVOD,\n\tLPI_CATEGORY_P2P,\n\t\"Qvod\",\n\t6,\n\tmatch_qvod\n};\n\nvoid register_qvod(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_qvod, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_rabbitmq.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_amqp_header(uint32_t payload, uint32_t len) {\n        if (len == 8 && MATCH(payload, 'A', 'M', 'Q', 'P')) {\n                return true;\n        }\n\n        return false;\n}\n\nstatic inline bool match_amqp_start(uint32_t payload) {\n        /* only seen length 498 so far, but surely this could vary more */\n        if (MATCH(payload, 0x01, 0x00, 0x00, 0x00)) {\n                return true;\n        }\n\n        return false;\n}\n\nstatic inline bool match_rabbitmq(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 5672 && data->client_port != 5672) {\n                return false;\n        }\n\n        if (match_amqp_header(data->payload[0], data->payload_len[0])) {\n                if (match_amqp_start(data->payload[1])) {\n                        return true;\n                }\n        
}\n\n        if (match_amqp_header(data->payload[1], data->payload_len[1])) {\n                if (match_amqp_start(data->payload[0])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_rabbitmq = {\n\tLPI_PROTO_RABBITMQ,\n\tLPI_CATEGORY_MESSAGE_QUEUE,\n\t\"RabbitMQ\",\n\t75,\n\tmatch_rabbitmq\n};\n\nvoid register_rabbitmq(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_rabbitmq, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_ragnarokonline.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_ro_0204(uint32_t payload, uint32_t len) {\n\n        if (len < 11) {\n                return false;\n        }\n\n        if (MATCH(payload, 0x02, 0x04, 0x00, 0x21)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_ro_reply(uint32_t payload, uint32_t len) {\n        if (len == 53 && MATCH(payload, 0x00, 0x32, 0x00, 0x01)) {\n                return true;\n        }\n        if (len == 57 && MATCH(payload, 0x00, 0x36, 0x00, 0x01)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_ragnarokonline(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 5222 && data->client_port != 5222) {\n                return false;\n        }\n\n        if (match_ro_0204(data->payload[0], data->payload_len[0])) {\n             
   if (match_ro_reply(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_ro_0204(data->payload[1], data->payload_len[1])) {\n                if (match_ro_reply(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ragnarokonline = {\n\tLPI_PROTO_RAGNAROK_ONLINE,\n\tLPI_CATEGORY_GAMING,\n\t\"RagnarokOnline\",\n\t80,\n\tmatch_ragnarokonline\n};\n\nvoid register_ragnarokonline(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ragnarokonline, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_razor.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Razor server contacts (ie SpamAssassin) */\n\nstatic inline bool match_razor(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_chars_either(data, 's', 'n', '=', ANY))\n\t\treturn true;\n\treturn false;\n}\nstatic lpi_module_t lpi_razor = {\n\tLPI_PROTO_RAZOR,\n\tLPI_CATEGORY_ANTISPAM,\n\t\"Razor\",\n\t2,\n\tmatch_razor\n};\n\nvoid register_razor(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_razor, mod_map);\n}\n"
  },
  {
    "path": "lib/tcp/lpi_rbls.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_rbls(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"rbls\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_rbls = {\n\tLPI_PROTO_RBLS,\n\tLPI_CATEGORY_ANTISPAM,\n\t\"RBL\",\n\t3,\n\tmatch_rbls\n};\n\nvoid register_rbls(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_rbls, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_rdp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_rdp_sizes(lpi_data_t *data) {\n\n\t/* This should match the common packet sizes we see for genuine\n\t * RDP traffic */\n\n\tif (data->payload_len[0] == 11 || data->payload_len[0] == 19) {\n\t\tif (data->payload_len[1] == 19)\n\t\t\treturn true;\n\t\tif (data->payload_len[1] >= 30 && data->payload_len[1] <= 47)\n\t\t\treturn true;\n\t}\n\n\tif (data->payload_len[1] == 11 || data->payload_len[1] == 19) {\n\t\tif (data->payload_len[0] == 19)\n\t\t\treturn true;\n\t\tif (data->payload_len[0] >= 30 && data->payload_len[0] <= 47)\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic inline bool match_rdp_port(lpi_data_t *data) {\n\n\t/* To try and avoid confusing RDP with other protocols that rely\n\t * on TPKT, most notably H.323, I've had to add a port requirement\n\t * here */\n\t \n\tif (data->server_port == 3389 || 
data->client_port == 3389)\n\t\treturn true;\n\treturn false;\n}\n\n\t\n\nstatic bool match_rdp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* RDP is transported via TPKT, so both directions must pass\n         * match_tpkt before anything else is considered. After that either\n         * check is sufficient on its own: port 3389 or the usual RDP\n         * payload sizes. */\n\tif (!match_tpkt(data->payload[0], data->payload_len[0]))\n\t\treturn false;\n\tif (!match_tpkt(data->payload[1], data->payload_len[1]))\n\t\treturn false;\n\t\n\tif (match_rdp_port(data))\n\t\treturn true;\n\tif (match_rdp_sizes(data))\n\t\treturn true;\n\t\n\n#if 0\n\tif (match_tpkt(data->payload[0], data->payload_len[0])) {\n\t\tif (match_tpkt(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t\t\n\t\t/* Some RDP responses seem to be encrypted - not sure if this\n\t\t * payload length is common to all flows */\n\t\tif (data->payload_len[1] == 309) \n\t\t\treturn true;\n\t}\n\tif (match_tpkt(data->payload[1], data->payload_len[1])) {\n\t\tif (data->payload_len[0] == 309) \n\t\t\treturn true;\n\t}\n#endif\n\treturn false;\n}\n\nstatic lpi_module_t lpi_rdp = {\n\tLPI_PROTO_RDP,\n\tLPI_CATEGORY_REMOTE,\n\t\"RDP\",\n\t4, /*  Moving this to 4 purely on gut feeling */\n\tmatch_rdp\n};\n\nvoid register_rdp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_rdp, mod_map);\n}\n"
  },
  {
    "path": "lib/tcp/lpi_realmofthemadgod.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_rotmg_small(uint32_t payload, uint32_t len) {\n        if (ntohl(payload) == len && len < 100)\n                return true;\n        return false;\n}\n\nstatic inline bool match_rotmg_big(uint32_t payload, uint32_t len) {\n        if (ntohl(payload) == len && len > 400 && len < 520)\n                return true;\n        return false;\n}\n\nstatic inline bool match_realmofthemadgod(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 2050 && data->client_port != 2050) {\n                return false;\n        }\n\n        if (match_rotmg_small(data->payload[0], data->payload_len[0])) {\n                if (match_rotmg_big(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_rotmg_small(data->payload[1], data->payload_len[1])) {\n             
   if (match_rotmg_big(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_realmofthemadgod = {\n\tLPI_PROTO_REALMOFTHEMADGOD,\n\tLPI_CATEGORY_GAMING,\n\t\"RealmOfTheMadGod\",\n\t239,\n\tmatch_realmofthemadgod\n};\n\nvoid register_realmofthemadgod(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_realmofthemadgod, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_realvnc.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_real(uint32_t payload) {\n        if (MATCH(payload, 'R', 'E', 'A', 'L'))\n                return true;\n        return false;\n}\n\nstatic inline bool match_real_resp(uint32_t payload, uint32_t len) {\n\n        /* Byte 3 could be a length field (len - 3). 
*/\n        if (MATCH(payload, 0x81, 0x00, 0x14, ANY) && len == 23)\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_realvnc(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\n        if (match_real(data->payload[0])) {\n                if (match_real_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_real(data->payload[1])) {\n                if (match_real_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_realvnc = {\n\tLPI_PROTO_REALVNC,\n\tLPI_CATEGORY_REMOTE,\n\t\"RealVNC\",\n\t10,\n\tmatch_realvnc\n};\n\nvoid register_realvnc(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_realvnc, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_rejection.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_rejection(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* This is an odd one - the server allows a TCP handshake to complete,\n         * but responds to any requests with a single 0x02 byte. 
Not sure\n         * whether this is some kind of honeypot or what.\n         *\n         * This behaviour has been seen on ports 445, 1433 and 80, so a port\n         * check could be added here if the rule needs to be stricter.\n         *\n         * Only the one-byte side is tested below; the payload in the other\n         * direction is not examined. */\n\n        if (MATCH(data->payload[0], 0x02, 0x00, 0x00, 0x00)) {\n                if (data->payload_len[0] == 1)\n                        return true;\n        }\n\n        if (MATCH(data->payload[1], 0x02, 0x00, 0x00, 0x00)) {\n                if (data->payload_len[1] == 1)\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_rejection = {\n\tLPI_PROTO_REJECTION,\n\tLPI_CATEGORY_NO_CATEGORY,\n\t\"Rejection\",\n\t255,\t/* This one must be dead last */\n\tmatch_rejection\n};\n\nvoid register_rejection(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_rejection, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_relay.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* https://docs.syncthing.net/specs/relay-v1.html */\n\nstatic inline bool match_relay_magic(uint32_t payload) {\n        if (MATCH(payload, 0x9e, 0x79, 0xbc, 0x40))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_relay(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_relay_magic(data->payload[0])) {\n                if (match_relay_magic(data->payload[1]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_relay = {\n\tLPI_PROTO_RELAY,\n\tLPI_CATEGORY_NAT,\n\t\"Relay\",\n\t5,\n\tmatch_relay\n};\n\nvoid register_relay(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_relay, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_remote_manipulator.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Remote Manipulator System a.k.a Remote Utilities\n *\n * Russian RDP-style software, sometimes used in malware for remote control.\n */\n\nstatic inline bool match_rms_9504(uint32_t payload, uint32_t len) {\n        if (len == 1338 && MATCH(payload, 0x95, 0x04, 0x00, 0x00)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_rms_d90d(uint32_t payload, uint32_t len) {\n        if (len == 8 && MATCH(payload, 0xd9, 0x0d, 0x00, 0x00)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_remote_manipulator(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 5655 && data->client_port != 5655)\n                return false;\n\n        if (match_rms_9504(data->payload[0], data->payload_len[0])) {\n                if 
(match_rms_d90d(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_rms_9504(data->payload[1], data->payload_len[1])) {\n                if (match_rms_d90d(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_remote_manipulator = {\n\tLPI_PROTO_REMOTE_MANIPULATOR,\n\tLPI_CATEGORY_REMOTE,\n\t\"RemoteManipulator\",\n\t100,\n\tmatch_remote_manipulator\n};\n\nvoid register_remote_manipulator(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_remote_manipulator, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_revolver_nblbt.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* This appears to be some sort of Chinese P2P game updating software from\n * Revolver Software (?).\n * \n * This is based on the appearance of the strings \"nblbt\" and \"nbmep\" in\n * the payload of the initial packets. NBLBT.rar and NBMEP.rar can be \n * downloaded from www.zy995.com which seems to host numerous offerings from\n * Revolver Software. 
\n *\n * Yet to fully confirm as a) I don't know enough Chinese to install and run\n * the software sensibly and b) I strongly suspect the software is bundled\n * with all sorts of malware so am reluctant to install it anywhere that isn't\n * a completely fenced-off sandbox.\n */\n\nstatic inline bool match_nblbt_ok(uint32_t payload, uint32_t len) {\n        if (len != 20)\n                return false;\n        if (!MATCH(payload, 'o', 'k', 0x00, 0x00))\n                return false;\n        return true;\n\n}\n\nstatic inline bool match_nblbt_reply(uint32_t payload, uint32_t len) {\n        if (len == 0)\n                return true;\n        if (len != 1024)\n                return false;\n        if (!MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return false;\n        return true;\n\n}\n\nstatic inline bool match_revolver_nblbt(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_nblbt_ok(data->payload[0], data->payload_len[0])) {\n                if (match_nblbt_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_nblbt_ok(data->payload[1], data->payload_len[1])) {\n                if (match_nblbt_reply(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_revolver_nblbt = {\n\tLPI_PROTO_REVOLVER_NBLBT,\n\tLPI_CATEGORY_P2P,\n\t\"RevolverNBLBT\",\n\t6,\n\tmatch_revolver_nblbt\n};\n\nvoid register_revolver_nblbt(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_revolver_nblbt, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_rfb.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_rfb(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"RFB \")) \n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_rfb = {\n\tLPI_PROTO_RFB,\n\tLPI_CATEGORY_REMOTE,\n\t\"RFB\",\n\t3,\n\tmatch_rfb\n};\n\nvoid register_rfb(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_rfb, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_rpcscan.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_rpcscan(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* RPC Exploit: 05 00 0b 03 is the start of a DCE/RPC bind request\n\t * (version 5.0, packet type 0x0b, first+last fragment flags), which\n\t * legitimate MSRPC clients also send, so a match is a hint rather\n\t * than proof of exploit traffic. */\n\tif (match_chars_either(data, 0x05, 0x00, 0x0b, 0x03))\n\t\treturn true;\n\treturn false;\n}\n\nstatic lpi_module_t lpi_rpcscan = {\n\tLPI_PROTO_RPC_SCAN,\n\tLPI_CATEGORY_MALWARE,\n\t\"RPC_Exploit\",\n\t8, /* Most malware can go to priority 8 - want to match legit protocols\n\t    * first */\n\tmatch_rpcscan\n};\n\nvoid register_rpcscan(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_rpcscan, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_rrtv.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* rr.tv -- P2P TV/video streaming from China */\n\n/* XXX mobile only, need to test the app properly but the initial\n * packets literally include URLs referring to rr.tv so I'm pretty\n * confident.\n */\n\nstatic inline bool match_rrtv_header(uint32_t payload, uint32_t len) {\n\n        /* broad estimate based on what I've seen so far */\n        if (len < 380 || len > 900) {\n                return false;\n        }\n\n        if ((ntohl(payload) & 0x0000ffff) != len - 4) {\n                return false;\n        }\n\n        if (MATCH(payload, 0x01, 0x10, ANY, ANY)) {\n                return true;\n        }\n\n        return false;\n}\n\nstatic inline bool match_rrtv(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_rrtv_header(data->payload[0], data->payload_len[0])) {\n                if (match_rrtv_header(data->payload[1], 
data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_rrtv = {\n\tLPI_PROTO_RRTV,\n\tLPI_CATEGORY_P2PTV,\n\t\"RR.tv\",\n\t120,\n\tmatch_rrtv\n};\n\nvoid register_rrtv(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_rrtv, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_rsync.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_rsync(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"@RSY\")) \n\t\treturn true;\n\treturn false;\n}\n\nstatic lpi_module_t lpi_rsync = {\n\tLPI_PROTO_RSYNC,\n\tLPI_CATEGORY_FILES,\n\t\"Rsync\",\n\t3,\n\tmatch_rsync\n};\n\nvoid register_rsync(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_rsync, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_rtmp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_rtmp_server_handshake(uint32_t payload, uint32_t len,\n                bool defaultport) {\n\n\tif (len < 4 && !defaultport)\n\t\treturn false;\n\n\t/* Standard RTMP handshake types */\t\n\tif (MATCH(payload, 0x03, ANY, ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, 0x06, ANY, ANY, ANY))\n\t\treturn true;\n\n\t/* Encrypted, but not RTMPE? 
*/\n\tif (MATCH(payload, 0x08, ANY, ANY, ANY))\n\t\treturn true;\n\n\n\t/* RTMPE handshake type */\n\tif (MATCH(payload, 0x09, ANY, ANY, ANY))\n\t\treturn true;\n\n\t/* New handshake type used by some YouTube videos */\n\tif (MATCH(payload, 0x0a, ANY, ANY, ANY))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic inline bool match_rtmp_client_handshake(uint32_t payload, uint32_t len) {\n\n\tif (len < 4)\n\t\treturn false;\n\n\t/* Standard RTMP handshake types */\t\n\tif (MATCH(payload, 0x03, ANY, ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, 0x06, ANY, ANY, ANY))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic inline bool match_rtmp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        bool defaultport = false;\n\n        if (data->server_port == 1935 || data->client_port == 1935)\n                defaultport = true;\n\n        /* Facebook live streaming wants to use port 80 sometimes and they\n         * love sending 1 byte handshakes :( */\n        if (data->server_port == 80 || data->client_port == 80)\n                defaultport = true;\n\n\tif (match_rtmp_client_handshake(data->payload[0], data->payload_len[0]))\n\t{\n\t\tif (match_rtmp_server_handshake(data->payload[1], \n\t\t\t\tdata->payload_len[1], defaultport)) {\n\t\t\treturn true;\n\t\t}\n\t}\n\n\tif (match_rtmp_client_handshake(data->payload[1], data->payload_len[1]))\n\t{\n\t\tif (match_rtmp_server_handshake(data->payload[0], \n\t\t\t\tdata->payload_len[0], defaultport)) {\n\t\t\treturn true;\n\t\t}\n\t}\n\treturn false;\n}\n\nstatic lpi_module_t lpi_rtmp = {\n\tLPI_PROTO_RTMP,\n\tLPI_CATEGORY_STREAMING,\n\t\"RTMP\",\n\t169,\t/* Not a strong rule */\n\tmatch_rtmp\n};\n\nvoid register_rtmp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_rtmp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_rtsp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_rtsp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"RTSP\"))\n\t\treturn true;\n\treturn false;\n}\n\nstatic lpi_module_t lpi_rtsp = {\n\tLPI_PROTO_RTSP,\n\tLPI_CATEGORY_STREAMING,\n\t\"RTSP\",\n\t2,\n\tmatch_rtsp\n};\n\nvoid register_rtsp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_rtsp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_runescape.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Protocol is not documented and goes through all sorts of revisions\n * (mainly to stop hax0rs, no doubt) - so this is mostly based on \n * observations of traffic to Jagex servers and messing around with the \n * game myself\n */\n\nstatic inline bool match_runescape_req(uint32_t payload, uint32_t len) {\n\n\tif (len == 1 || len == 105) {\n               \tif (MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n\t        \treturn true;\n        }\n\n        if (len == 9 && MATCH(payload, 0x00, ANY, ANY, ANY))\n                return true;\n\n        return false;\n\n}\n\nstatic inline bool match_runescape_resp(uint32_t payload, uint32_t len) {\n\n\t/* Don't allow empty responses, as the request rule is rather \n\t * non-specific */\n\n\t/* First byte appears to be a packet type\n\t * Second bytes is the packet length - 2\n\t *\n\t * It appears many types have 
a fixed size anyway, so no need to\n\t * get fancy :)\n\t */\n\n\tif (MATCH(payload, 0x0f, 0x29, 0x00, 0x00)) {\n\t\tif (len == 43)\n\t\t\treturn true;\n\t}\n\n\tif (MATCH(payload, 0x0f, 0x2a, 0x00, 0x00)) {\n\t\tif (len == 44)\n\t\t\treturn true;\n\t}\n\n\tif (MATCH(payload, 0x0e, 0x00, 0x00, 0x00)) {\n\t\tif (len == 1)\n\t\t\treturn true;\n\t}\n\tif (MATCH(payload, 0x0f, 0x00, 0x00, 0x00)) {\n\t\tif (len == 1)\n\t\t\treturn true;\n\t\tif (len == 5)\n\t\t\treturn true;\n\t}\n\treturn false;\n\n}\n\nstatic inline bool match_runescape(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_runescape_req(data->payload[0], data->payload_len[0])) {\n\t\tif (match_runescape_resp(data->payload[1], \n\t\t\t\tdata->payload_len[1])) {\n\t\t\treturn true;\n\t\t}\n\t}\n\tif (match_runescape_req(data->payload[1], data->payload_len[1])) {\n\t\tif (match_runescape_resp(data->payload[0], \n\t\t\t\tdata->payload_len[0])) {\n\t\t\treturn true;\n\t\t}\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_runescape = {\n\tLPI_PROTO_RUNESCAPE,\n\tLPI_CATEGORY_GAMING,\n\t\"Runescape\",\n\t9,\n\tmatch_runescape\n};\n\nvoid register_runescape(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_runescape, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_s7comm.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_s7comm_sizes(lpi_data_t *data) {\n\n    /* Based on observations, size of first package is equal\n     * in both directions.\n     */\n\n    if (data->payload_len[0] == data->payload_len[1]) {\n        return true;\n    }\n    return false;\n}\n\nstatic inline bool match_s7comm_port(lpi_data_t *data) {\n     \n    if (data->server_port == 102 || data->client_port == 102) {\n        return true;\n    }\n    return false;\n}\n\nstatic bool match_s7comm(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n    /* S7COMM uses port 102 */\n    if (!match_s7comm_port(data))\n        return false;\n\n    /* S7COMM is transported via TPKT */\n    if (!match_tpkt(data->payload[0], data->payload_len[0]))\n        return false;\n    if (!match_tpkt(data->payload[1], data->payload_len[1]))\n        return false;   \n    \n    if 
(match_s7comm_sizes(data))\n        return true;\n    \n    return false;\n}\n\nstatic lpi_module_t lpi_s7comm = {\n    LPI_PROTO_S7COMM,\n    LPI_CATEGORY_ICS,\n    \"S7COMM\",\n    7, /*  Must come before TPKT */\n    match_s7comm\n};\n\nvoid register_s7comm(LPIModuleMap *mod_map) {\n    register_protocol(&lpi_s7comm, mod_map);\n}\n"
  },
  {
    "path": "lib/tcp/lpi_saprouter.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_nipong(uint32_t payload, uint32_t len) {\n        /* A NI_PONG message should always have the same structure... 
*/\n        if (len == 12 && MATCH(payload, 0x00, 0x00, 0x00, 0x08))\n                return true;\n        return false;\n}\n\nstatic inline bool match_saprouter(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 3299 && data->client_port != 3299)\n                return false;\n\n        /* Not very distinctive, so we need the port restriction as well */\n        if (ntohl(data->payload[0]) == data->payload_len[0] - 4) {\n                if (match_nipong(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (ntohl(data->payload[1]) == data->payload_len[1] - 4) {\n                if (match_nipong(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_saprouter = {\n\tLPI_PROTO_SAPROUTER,\n\tLPI_CATEGORY_SERVICES,\n\t\"SAPRouter\",\n\t251,\n\tmatch_saprouter\n};\n\nvoid register_saprouter(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_saprouter, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_saszombieassault4.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_saszombieassault4(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 1445 -- noted for reference only; the port is not checked\n         * here, the rule relies on both directions starting with NKMl. */\n\n        if (MATCHSTR(data->payload[0], \"NKMl\")) {\n                if (MATCHSTR(data->payload[1], \"NKMl\"))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_saszombieassault4 = {\n\tLPI_PROTO_SAS_ZOMBIE_ASSAULT_4,\n\tLPI_CATEGORY_GAMING,\n\t\"SASZombieAssault4\",\n\t5,\n\tmatch_saszombieassault4\n};\n\nvoid register_saszombieassault4(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_saszombieassault4, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_second_life.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_second_life(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* SecondLife uses SSL over port 12043 and HTTP over port 12046 */\n\n\tif (data->server_port == 12043 || data->client_port == 12043) {\n\t\tif (match_ssl(data))\n\t\t\treturn true;\n\n\t}\n\t\n\tif (data->server_port == 12046 || data->client_port == 12046) {\n\t\tif (match_str_both(data, \"GET \", \"HTTP\"))\n\t\t\treturn true;\n\t\tif (match_str_either(data, \"GET \")) {\n\t\t\tif (data->payload_len[0] == 0)\n\t\t\t\treturn true;\n\t\t\tif (data->payload_len[1] == 0)\n\t\t\t\treturn true;\n\t\t}\n\t}\n\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_second_life = {\n\tLPI_PROTO_SECONDLIFE,\n\tLPI_CATEGORY_GAMING,\n\t\"SecondLife\",\n\t6,\n\tmatch_second_life\n};\n\nvoid register_second_life(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_second_life, 
mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_shoutcast.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_shoutcast(lpi_data_t *data, lpi_module_t *mod UNUSED) \n{\n\tif (match_str_both(data, \"GET \", \"ICY \"))\n\t\treturn true;\n\tif (match_chars_either(data, 'O', 'K', '2', 0x0d))\n\t\treturn true;\n\tif (match_chars_either(data, 'I', 'C', 'Y', ' ')) {\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t\tif (data->payload_len[1] == 0)\n\t\t\treturn true;\n\t}\n\treturn false;\n\n}\n\nstatic lpi_module_t lpi_shoutcast = {\n\tLPI_PROTO_SHOUTCAST,\n\tLPI_CATEGORY_STREAMING,\n\t\"Shoutcast\",\n\t1, /* Should be ahead of HTTP, due to \"GET\" */\n\tmatch_shoutcast\n};\n\nvoid register_shoutcast(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_shoutcast, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_silkroadonline.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_sro_req(uint32_t payload, uint32_t len) {\n        if (len != 18)\n                return false;\n        if (MATCH(payload, 0x0c, 0x00, 0x00, 0x50))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_sro_resp(uint32_t payload, uint32_t len) {\n        if (len != 43)\n                return false;\n        if (MATCH(payload, 0x25, 0x00, 0x00, 0x50))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_silkroadonline(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Uses ports 15884 and 15779, also server is located at\n         * hyperfilter.com.\n         */\n\n        if (match_sro_req(data->payload[0], data->payload_len[0])) {\n                if (match_sro_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        
}\n\n        if (match_sro_req(data->payload[1], data->payload_len[1])) {\n                if (match_sro_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_silkroadonline = {\n\tLPI_PROTO_SILKROADONLINE,\n\tLPI_CATEGORY_GAMING,\n\t\"SilkRoadOnline\",\n\t5,\n\tmatch_silkroadonline\n};\n\nvoid register_silkroadonline(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_silkroadonline, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_sip.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_sip(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_both(data, \"SIP/\", \"REGI\"))\n\t\treturn true;\n\t/* Non-RFC SIP added by Donald Neal, June 2008 */\n\tif (match_str_either(data, \"SIP-\")) {\n\t\tif (match_chars_either(data, 'R', ' ', ANY, ANY))\n\t\t\treturn true;\n\t}\n\n\tif (match_str_either(data, \"REGI\") && \n\t\t\t(data->payload_len[0] == 0 || \n\t\t\tdata->payload_len[1] == 0))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_sip = {\n\tLPI_PROTO_SIP,\n\tLPI_CATEGORY_VOIP,\n\t\"SIP\",\n\t2,\n\tmatch_sip\n};\n\nvoid register_sip(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_sip, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_skyforge.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_sf_req(uint32_t payload, uint32_t len) {\n\n        if (len == 168 && MATCH(payload, 0xa6, 0x00, 0xef, 0x03)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_sf_reply(uint32_t payload, uint32_t len) {\n\n        if (len == 10 && MATCH(payload, 0x08, 0x00, 0xef, 0x82)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_skyforge(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_sf_req(data->payload[0], data->payload_len[0])) {\n                if (match_sf_reply(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_sf_req(data->payload[1], data->payload_len[1])) {\n                if (match_sf_reply(data->payload[0], data->payload_len[0])) {\n 
                       return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_skyforge = {\n\tLPI_PROTO_SKYFORGE,\n\tLPI_CATEGORY_GAMING,\n\t\"Skyforge\",\n\t5,\n\tmatch_skyforge\n};\n\nvoid register_skyforge(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_skyforge, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_skype_tcp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_skype_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* This rule matches SSL traffic sent by Skype clients\n\t *\n\t * It isn't clear what the TCP session is used for, though... 
*/ \n\n\tif (!match_ssl(data))\n\t\treturn false;\n\t\n\t/* Ports 12350 and 13392 are used for these sessions */\n\tif (data->server_port != 12350 && data->client_port != 12350 && \n\t\t\tdata->server_port != 13392 &&\n\t\t\tdata->client_port != 13392)\n\t\treturn false;\n\n\t/* Other payload sizes are possible unfortunately, but rare */\n\n\tif (data->payload_len[0] == 5 ||\n\t\t\tdata->payload_len[0] == 92 ||\n\t\t\tdata->payload_len[0] == 89 ||\n\t\t\tdata->payload_len[0] == 90 ||\n\t\t\tdata->payload_len[0] == 33)\n\t\treturn true;\n\tif (data->payload_len[1] == 5 ||\n\t\t\tdata->payload_len[1] == 92 ||\n\t\t\tdata->payload_len[1] == 89 ||\n\t\t\tdata->payload_len[1] == 90 ||\n\t\t\tdata->payload_len[1] == 33)\n\t\treturn true;\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_skype_tcp = {\n\tLPI_PROTO_SKYPE_TCP,\n\tLPI_CATEGORY_VOIP,\n\t\"SkypeTCP\",\n\t20, /* Should be a higher priority than regular SSL */\n\tmatch_skype_tcp\n};\n\nvoid register_skype_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_skype_tcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_smb.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_smb_payload(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n\n        if (match_payload_length(payload, len))\n                return true;\n\n        /* Some stupid systems send the NetBIOS header separately, which\n         * makes this a lot harder to detect :( \n         *\n         * Instead, look for common payload sizes. 
*/\n\n        if (MATCH(payload, 0x00, 0x00, 0x00, 0x85))\n                return true;\n\n        /* Also, sometimes we just forget the NetBIOS header, or the \n         * connection fails before it is retransmitted */\n        if (MATCH(payload, 0xff, 'S', 'M', 'B'))\n                return true;\n\n        return false;\n\n}\n\n\nstatic inline bool match_smb(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* SMB is often prepended with a NetBIOS session service header.\n         * It's easiest for us to treat it as a four byte length field (it\n         * is actually a bit more complicated than that, but all other fields\n         * tend to be zero anyway)\n         *\n         * More details at http://lists.samba.org/archive/samba-technical/2003-January/026283.html\n         */\n\n\t/* Only match on port 445 to avoid clashing with other 4 byte length\n\t * fields */\n        if (data->server_port != 445 && data->client_port != 445)\n                return false;\n\n        if (!match_smb_payload(data->payload[0], data->payload_len[0]))\n                return false;\n\n        if (!match_smb_payload(data->payload[1], data->payload_len[1]))\n                return false;\n        return true;\n\n\n}\n\nstatic lpi_module_t lpi_smb = {\n\tLPI_PROTO_SMB,\n\tLPI_CATEGORY_FILES,\n\t\"SMB\",\n\t3,\n\tmatch_smb\n};\n\nvoid register_smb(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_smb, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_smite_tcp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_smite_magic(uint32_t payload, uint32_t len) {\n        if (len < 100 && MATCH(payload, 0x78, 0xdb, 0x39, 0x64))\n                return true;\n        return false;\n}\n\nstatic inline bool match_smite_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_smite_magic(data->payload[0], data->payload_len[0])) {\n                if (match_smite_magic(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_smite_tcp = {\n\tLPI_PROTO_SMITE,\n\tLPI_CATEGORY_GAMING,\n\t\"SmiteTCP\",\n\t55,\n\tmatch_smite_tcp\n};\n\nvoid register_smite_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_smite_tcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_smtp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_smtp_command(uint32_t payload, uint32_t len) {\n\n        if (MATCHSTR(payload, \"EHLO\"))\n                return true;\n        if (MATCHSTR(payload, \"ehlo\"))\n                return true;\n        if (MATCHSTR(payload, \"HELO\"))\n                return true;\n        if (MATCHSTR(payload, \"helo\"))\n                return true;\n        if (MATCHSTR(payload, \"NOOP\"))\n                return true;\n        if (MATCHSTR(payload, \"XXXX\"))\n                return true;\n        if (MATCHSTR(payload, \"HELP\"))\n                return true;\n        if (MATCHSTR(payload, \"EXPN\"))\n                return true;\n\n        /* Turns out there are idiots who send their ehlos one byte at a \n         * time :/ */\n        if (MATCH(payload, 'e', 0x00, 0x00, 0x00) && len == 1)\n                return true;\n        if 
(MATCH(payload, 'E', 0x00, 0x00, 0x00) && len == 1)\n                return true;\n        if (MATCH(payload, 'h', 0x00, 0x00, 0x00) && len == 1)\n                return true;\n        if (MATCH(payload, 'H', 0x00, 0x00, 0x00) && len == 1)\n                return true;\n\n        return false;\n\n}\n\nstatic inline bool match_smtp_banner(uint32_t payload, uint32_t len) {\n\n        /* Stupid servers that only send the banner one or two bytes at\n         * a time! */\n\n        if (len == 1) {\n                if (MATCH(payload, '2', 0x00, 0x00, 0x00))\n                        return true;\n                return false;\n        }\n        if (len == 2) {\n                if (MATCH(payload, '2', '2', 0x00, 0x00))\n                        return true;\n                return false;\n        }\n        if (len == 3) {\n                if (MATCH(payload, '2', '2', '0', 0x00))\n                        return true;\n                return false;\n        }\n\n        if (MATCH(payload, '2', '2', '0', ' '))\n                return true;\n\n        if (MATCH(payload, '2', '2', '0', '-'))\n                return true;\n\n        return false;\n}\n\n\nstatic inline bool match_smtp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\n        /* Match all the random error codes */\n        if (data->payload_len[0] == 0 || data->payload_len[1] == 0) {\n                if (match_str_either(data, \"220 \"))\n                        return true;\n                if (match_str_either(data, \"450 \"))\n                        return true;\n                if (match_str_either(data, \"550 \"))\n                        return true;\n                if (match_str_either(data, \"550-\"))\n                        return true;\n                if (match_str_either(data, \"421 \"))\n                        return true;\n                if (match_str_either(data, \"421-\"))\n                        return true;\n                if (match_str_either(data, \"451 \"))\n                        
return true;\n                if (match_str_either(data, \"451-\"))\n                        return true;\n                if (match_str_either(data, \"452 \"))\n                        return true;\n                if (match_str_either(data, \"420 \"))\n                        return true;\n                if (match_str_either(data, \"571 \"))\n                        return true;\n                if (match_str_either(data, \"553 \"))\n                        return true;\n                if (match_str_either(data, \"554 \"))\n                        return true;\n                if (match_str_either(data, \"554-\"))\n                        return true;\n                if (match_str_either(data, \"476 \"))\n                        return true;\n                if (match_str_either(data, \"475 \"))\n                        return true;\n        }\n\n        if (match_str_either(data, \"QUIT\") && (data->server_port == 25 ||\n                        data->client_port == 25))\n                return true;\n        if (match_str_either(data, \"quit\") && (data->server_port == 25 ||\n                        data->client_port == 25))\n                return true;\n        if (match_str_either(data, \"Quit\") && (data->server_port == 25 ||\n                        data->client_port == 25))\n                return true;\n        /* Match the server banner code */\n\n        if (match_smtp_banner(data->payload[0], data->payload_len[0])) {\n                if (match_smtp_command(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_smtp_banner(data->payload[1], data->payload_len[1])) {\n                if (match_smtp_command(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        return false;\n}\n\nstatic lpi_module_t lpi_smtp = {\n\tLPI_PROTO_SMTP,\n\tLPI_CATEGORY_MAIL,\n\t\"SMTP\",\n\t2,\n\tmatch_smtp\n};\n\nvoid register_smtp(LPIModuleMap *mod_map) 
{\n\tregister_protocol(&lpi_smtp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_smtps.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_smtps(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* This rule matches legacy secure SMTP - this stuff shouldn't\n\t * really exist anymore... */\n\n\tif (!match_ssl(data))\n\t\treturn false;\n\t\n\t/* Secure SMTP uses port 465 */\n\tif (data->server_port != 465 && data->client_port != 465)\n\t\treturn false;\n\n\treturn true;\n}\n\nstatic lpi_module_t lpi_smtps = {\n\tLPI_PROTO_SMTPS,\n\tLPI_CATEGORY_MAIL,\n\t\"SMTP_Secure\",\n\t5, /* Should be a higher priority than regular SSL */\n\tmatch_smtps\n};\n\nvoid register_smtps(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_smtps, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_socks4.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_socks4_req(uint32_t payload, uint32_t len) {\n\n        /* Assuming port 80 for now - will update if we see other ports\n         * used \n         *\n         * Octets 3 and 4 contain the port number */\n        if (!(MATCH(payload, 0x04, 0x01, 0x00, 0x50)))\n                return false;\n\t/* Port 25\n\t *\n\t * NOTE(review): this check and the port 80 check above each return\n\t * false on a mismatch, so a request has to pass both; the two patterns\n\t * differ in octet 4 (0x50 vs 0x19), so that looks impossible and this\n\t * function would never return true -- presumably either port was meant\n\t * to be accepted; confirm against the MATCH definition */\n        if (!(MATCH(payload, 0x04, 0x01, 0x00, 0x19)))\n                return false;\n\n        if (len != 9)\n                return false;\n\n        return true;\n\n}\n\nstatic inline bool match_socks4_resp(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n\n        /* Haven't seen any legit responses yet :/ */\n\n        return false;\n\n}\n\n\nstatic inline bool match_socks4(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_socks4_req(data->payload[0], 
data->payload_len[0])) {\n                if (match_socks4_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_socks4_req(data->payload[1], data->payload_len[1])) {\n                if (match_socks4_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_socks4 = {\n\tLPI_PROTO_SOCKS4,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"SOCKS4\",\n\t5,\n\tmatch_socks4\n};\n\nvoid register_socks4(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_socks4, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_socks5.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_socks5_req(uint32_t payload, uint32_t len) {\n\n        /* Just assume \"no auth\" method supported, for now */\n        if (!(MATCH(payload, 0x05, 0x01, 0x00, 0x00)))\n                return false;\n\n        if (len != 3)\n                return false;\n\n        return true;\n\n}\n\nstatic inline bool match_socks5_resp(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n\n        /* Just assume \"no auth\" method supported, for now */\n        if (!(MATCH(payload, 0x05, 0x00, 0x00, 0x00)))\n                return false;\n\n        if (len != 2)\n                return false;\n\n        return true;\n\n}\n\n\nstatic inline bool match_socks5(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_socks5_req(data->payload[0], data->payload_len[0])) {\n                if 
(match_socks5_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_socks5_req(data->payload[1], data->payload_len[1])) {\n                if (match_socks5_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_socks5 = {\n\tLPI_PROTO_SOCKS5,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"SOCKS5\",\n\t3,\n\tmatch_socks5\n};\n\nvoid register_socks5(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_socks5, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_spdy.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_spdy_syn(uint32_t payload) {\n\n        if (MATCH(payload, 0x80, 0x03, 0x00, 0x01))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_spdy_settings(uint32_t payload) {\n\n        if (MATCH(payload, 0x80, 0x03, 0x00, 0x04))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_spdy_syn_reply(uint32_t payload) {\n\n        if (MATCH(payload, 0x80, 0x03, 0x00, 0x02))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_spdy_ping(uint32_t payload, uint32_t len){\n\n  \tif (MATCH(payload, 0x80, 0x03, 0x00, 0x06) && len == 12)\n    \t\treturn true;\n  \treturn false;\n\n}\n\n\n\nstatic inline bool match_spdy(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_spdy_syn(data->payload[0])) {\n                if 
(match_spdy_settings(data->payload[1]))\n                        return true;\n                if (match_spdy_syn_reply(data->payload[1]))\n                        return true;\n        }\n\n        if (match_spdy_syn(data->payload[1])) {\n                if (match_spdy_settings(data->payload[0]))\n                        return true;\n                if (match_spdy_syn_reply(data->payload[0]))\n                        return true;\n        }\n\n\tif (match_spdy_settings(data->payload[0]) && data->payload_len[0] == 28){\n\t\tif (match_spdy_ping(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_spdy = {\n\tLPI_PROTO_SPDY,\n\tLPI_CATEGORY_WEB,\n\t\"SPDY\",\n\t10,\n\tmatch_spdy\n};\n\nvoid register_spdy(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_spdy, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_speedify.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\n/* Be super careful with this one -- looks a lot like Google Hangouts\n * and Facebook TURN :/\n */\n\nstatic inline bool match_speedify_header(uint32_t payload, uint32_t len) {\n\n        /* 2 byte length field */\n        if (len == 118 && MATCH(payload, 0x00, 0x74, 0x00, 0x01)) {\n                return true;\n        }\n\n        return false;\n}\n\nstatic inline bool match_speedify(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_speedify_header(data->payload[0], data->payload_len[0])) {\n                if (match_speedify_header(data->payload[1],\n                                data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_speedify = 
{\n\tLPI_PROTO_SPEEDIFY,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"SpeedifyVPN\",\n\t199,\n\tmatch_speedify\n};\n\nvoid register_speedify(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_speedify, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_speedin.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Speedin a.k.a. 
InVPN -- VPN for accessing Chinese content from outside\n * of China.\n */\nstatic inline bool match_speedin_3byte(uint32_t payload, uint32_t len) {\n\n        if (len == 3 && MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_speedin_other(uint32_t payload, uint32_t len) {\n        if (len <= 75 || len >= 137)\n                return false;\n\n        if (MATCH(payload, 0x23, 0x00, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0x03, 0x00, ANY, ANY))\n                return true;\n        return false;\n}\n\nstatic inline bool match_port(uint16_t server, uint16_t client) {\n        if (server == 12000 || client == 12000)\n                return true;\n\n        if (server == 11100 || client == 11100)\n                return true;\n        if (server == 11000 || client == 11000)\n                return true;\n\n        /* Starting to see this on port 443 now :( */\n        if (server == 443 || client == 443)\n                return true;\n\n        return false;\n}\n\n\nstatic inline bool match_speedin(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (!match_port(data->server_port, data->client_port))\n                return false;\n\n        if (match_speedin_3byte(data->payload[0], data->payload_len[0])) {\n                if (match_speedin_other(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_speedin_3byte(data->payload[1], data->payload_len[1])) {\n                if (match_speedin_other(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_speedin = {\n\tLPI_PROTO_SPEEDIN,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"Speedin\",\n\t22,\n\tmatch_speedin\n};\n\nvoid register_speedin(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_speedin, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_speedtest.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_speedtest_hi(uint32_t payload, uint32_t len) {\n\n        if (len != 3)\n                return false;\n        if (!MATCH(payload, 'H', 'I', 0x0a, 0x00))\n                return false;\n        return true;\n}\n\nstatic inline bool match_speedtest_bighi(uint32_t payload, uint32_t len) {\n\n        if (len == 40 && MATCH(payload, 'H', 'I', 0x20, ANY))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_speedtest_hello(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n        if (!MATCH(payload, 'H', 'E', 'L', 'L'))\n                return false;\n        return true;\n}\n\nstatic inline bool match_speedtest(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_speedtest_hi(data->payload[0], data->payload_len[0])) {\n                if 
(match_speedtest_hello(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_speedtest_hi(data->payload[1], data->payload_len[1])) {\n                if (match_speedtest_hello(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n        if (match_speedtest_bighi(data->payload[0], data->payload_len[0])) {\n                if (match_speedtest_hello(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_speedtest_bighi(data->payload[1], data->payload_len[1])) {\n                if (match_speedtest_hello(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_speedtest = {\n\tLPI_PROTO_SPEEDTEST,\n\tLPI_CATEGORY_MONITORING,\n\t\"Speedtest.net\",\n\t5,\n\tmatch_speedtest\n};\n\nvoid register_speedtest(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_speedtest, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_spotify.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_spotify_02_req(uint32_t payload, uint32_t len) {\n\tuint32_t len_field = 0;\n\n\t/* Type 0x02 has a 16 bit length field */\n\n\t/* The 0x01 is part of the length too... 
*/\n\tif (!MATCH(payload, 0x00, 0x02, 0x01, ANY))\n\t\treturn false;\n\t\n\t/* The last byte is the length of the packet - 256 */\n\tlen_field = (ntohl(payload)) & 0xff;\n\n\tif (len_field == len - 256)\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_spotify_04_req(uint32_t payload, uint32_t len) {\n\n\tif (!MATCH(payload, 0x00, 0x04, 0x00, 0x00))\n\t\treturn false;\n\n\treturn true;\n}\n\n\nstatic inline bool match_spotify_02_resp(uint32_t payload, uint32_t len) {\n\n\tif (len == 0)\n\t\treturn true;\n\tif (len < 512)\n\t\treturn false;\n\tif (!MATCH(payload, 0x00, ANY, ANY, ANY))\n\t\treturn false;\n\treturn true;\n}\n\nstatic inline bool match_spotify_04_resp(uint32_t payload, uint32_t len) {\n\n\tif (len == 0)\n\t\treturn true;\n\tif (ntohl(payload) != len)\n\t\treturn false;\n\treturn true;\n\n}\n\nstatic inline bool match_spotify_port(uint16_t port) {\n\n        if (port == 4070)\n                return true;\n        if (port == 80)\n                return true;\n        if (port == 443)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_spotify(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Make sure we're using the right port */\n        if (!match_spotify_port(data->server_port) && \n                        !match_spotify_port(data->client_port)) {\n                return false;\n        }\n\n\tif (match_spotify_02_req(data->payload[0], data->payload_len[0])) {\n\t\tif (match_spotify_02_resp(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_spotify_02_req(data->payload[1], data->payload_len[1])) {\n\t\tif (match_spotify_02_resp(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\t\n\tif (match_spotify_04_req(data->payload[0], data->payload_len[0])) {\n\t\tif (match_spotify_04_resp(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_spotify_04_req(data->payload[1], data->payload_len[1])) {\n\t\tif 
(match_spotify_04_resp(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\treturn false;\n}\n\nstatic lpi_module_t lpi_spotify = {\n\tLPI_PROTO_SPOTIFY,\n\tLPI_CATEGORY_STREAMING,\n\t\"Spotify\",\n\t7,\n\tmatch_spotify\n};\n\nvoid register_spotify(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_spotify, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_ssh.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_ssh2_payload(uint32_t payload, uint32_t len) {\n\n        /* SSH-2 begins with a four byte length field */\n\n\n        if (len == 0)\n                return true;\n        \n\t/* DON'T BYTESWAP!!! 
*/\n\tif (payload == len)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_ssh(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_str_either(data, \"SSH-\"))\n                return true;\n\n        /* Require port 22 for the following rules as they are not\n         * specific to SSH */\n        if (data->server_port != 22 && data->client_port != 22)\n                return false;\n        if (match_str_either(data, \"QUIT\"))\n                return true;\n\n\n       \tif (!match_ssh2_payload(data->payload[0], data->payload_len[0])) \n\t\treturn false;\n\n        if (!match_ssh2_payload(data->payload[1], data->payload_len[1])) \n              \treturn false;\n        \n\n        return true;\n\n}\n\nstatic lpi_module_t lpi_ssh = {\n\tLPI_PROTO_SSH,\n\tLPI_CATEGORY_REMOTE,\n\t\"SSH\",\n\t2,\n\tmatch_ssh\n};\n\nvoid register_ssh(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ssh, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_ssjj.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Some Chinese Flash-based FPS game */\n\nstatic inline bool match_ssjj_3611(uint32_t payload, uint32_t len) {\n\n        /* payload is a length field, but length exceeds typical MTU */\n        if (len > 1380 && MATCH(payload, 0x00, 0x00, 0x36, 0x11))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_ssjj_61(uint32_t payload, uint32_t len) {\n\n        /* payload is a length field */\n        if (len == 101 && MATCH(payload, 0x00, 0x00, 0x00, 0x61))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_ssjj(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_ssjj_3611(data->payload[0], data->payload_len[0])) {\n                if (match_ssjj_61(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if 
(match_ssjj_3611(data->payload[1], data->payload_len[1])) {\n                if (match_ssjj_61(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ssjj = {\n\tLPI_PROTO_SSJJ,\n\tLPI_CATEGORY_GAMING,\n\t\"SSJJ\",\n\t5,\n\tmatch_ssjj\n};\n\nvoid register_ssjj(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ssjj, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_ssl.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_other_ssl(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (!match_ssl(data))\n\t\treturn false;\n\t\n\t/* Ignore IMAPS and HTTPS, as these are separate protocols */\n\tif (data->server_port == 993 || data->client_port == 993)\n\t\treturn false;\n\tif (data->server_port == 443 || data->client_port == 443)\n\t\treturn false;\n\n\treturn true;\n}\n\nstatic lpi_module_t lpi_ssl = {\n\tLPI_PROTO_SSL,\n\tLPI_CATEGORY_ENCRYPT,\n\t\"SSL/TLS\",\n\t100, /* Make this lower priority than IMAPS and HTTPS, just in case */\n\tmatch_other_ssl\n};\n\nvoid register_ssl(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ssl, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_steam.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_old_steam(lpi_data_t *data) {\n\n\t/* Steam TCP Download */\n\n\tif (!match_str_either(data, \"\\x01\\x00\\x00\\x00\"))\n                return false;\n        if (!match_chars_either(data, 0x00, 0x00, 0x00, ANY))\n                return false;\n\n        if (data->payload_len[0] == 4 && data->payload_len[1] == 1) {\n                return true;\n        }\n        if (data->payload_len[0] == 4 && data->payload_len[1] == 5) {\n                return true;\n        }\n\n        if (data->payload_len[1] == 4 && data->payload_len[0] == 1) {\n                return true;\n        }\n        if (data->payload_len[1] == 4 && data->payload_len[0] == 5) {\n                return true;\n        }\n\t\n\n\treturn false;\n}\n\nstatic inline bool match_steam_len(uint32_t payload, uint32_t len) {\n\n        /* length is stored as a 
little-endian integer */\n#if BYTE_ORDER == BIG_ENDIAN\n        uint32_t plen = bswap32(payload);\n#else\n        uint32_t plen = payload;\n#endif\n\n        if (plen == len - 8) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_steam_vt01(lpi_data_t *data) {\n\n        /* I imagine other ports are possible? */\n\n        if (data->server_port != 27050 && data->client_port != 27050) {\n                return false;\n        }\n\n        /* Observed length pairs so far:\n         *   150, 76\n         */\n\n        if (match_steam_len(data->payload[0], data->payload_len[0])) {\n                if (match_steam_len(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        return false;\n}\n\nstatic inline bool match_steam(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_old_steam(data))\n                return true;\n        if (match_steam_vt01(data)) {\n                return true;\n        }\n        return false;\n}\n\n\nstatic lpi_module_t lpi_steam = {\n\tLPI_PROTO_STEAM,\n\tLPI_CATEGORY_GAMING,\n\t\"Steam_TCP\",\n\t104, /* Might not be as reliable as some other rules (?) */\n\tmatch_steam\n};\n\nvoid register_steam(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_steam, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_stratum.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool possible_port(uint16_t porta, uint16_t portb) {\n        /* Bit hax, but the payload alone doesn't exactly feel\n         * unique. 
*/\n        if (porta >= 3300 && porta < 3400)\n                return true;\n\n        if (portb >= 3300 && portb < 3400)\n                return true;\n        return false;\n}\n\n/* Protocol used for pooled bitcoin mining */\nstatic inline bool match_stratum(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port can vary but usually something around 3357; only ports\n         * 3300-3399 are accepted below, so Stratum on any other port is\n         * not matched by this rule. */\n\n        if (!possible_port(data->server_port, data->client_port))\n                return false;\n\n        if (MATCH(data->payload[0], '{', '\"', 'i', 'd')) {\n                if (MATCH(data->payload[1], '{', '\"', 'i', 'd'))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_stratum = {\n\tLPI_PROTO_STRATUM,\n\tLPI_CATEGORY_ECOMMERCE,\n\t\"Stratum\",\n\t200,\n\tmatch_stratum\n};\n\nvoid register_stratum(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_stratum, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_stun.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_stun_payload(uint32_t payload, uint32_t len) {\n        /* Bytes 3 and 4 are the Message Length - the STUN header */\n        if ((ntohl(payload) & 0x0000ffff) != len - 20)\n                return false;\n\n        if (MATCH(payload, 0x00, 0x01, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0x01, 0x01, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0x01, 0x11, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0x00, 0x03, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0x01, 0x03, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0x01, 0x13, ANY, ANY))\n                return true;\n\n        return false;\n\n}\n\n\nstatic inline bool match_stun_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Wouldn't have expected 
to see STUN over TCP, but sure we can \n\t * match that. */\n\n\tif (match_str_either(data, \"RSP/\"))\n\t\treturn true;\n\n        /* We can also see more conventional STUN payloads over TCP as well :/\n         */\n        if (data->server_port == 3478 || data->client_port == 3478) {\n                if (match_stun_payload(data->payload[0], data->payload_len[0]))\n                {\n                        if (match_stun_payload(data->payload[1],\n                                                data->payload_len[1])) {\n                                return true;\n                        }\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_stun_tcp = {\n\tLPI_PROTO_STUN,\n\tLPI_CATEGORY_NAT,\n\t\"STUN_TCP\",\n\t5,\n\tmatch_stun_tcp\n};\n\nvoid register_stun_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_stun_tcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_supl.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* SUPL - protocol to support location based services */\n\nstatic inline bool match_supl_out(uint32_t payload, uint32_t len) {\n\n\t/* First two bytes are a length field, followed by two bytes of version */\n\tif (len == 32 && MATCH(payload, 0x00, 0x20, 0x02, 0x00))\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_supl_in(uint32_t payload, uint32_t len) {\n\n\t/* First two bytes are a length field, followed by two bytes of version */\n\tif (len == 18 && MATCH(payload, 0x00, 0x12, 0x02, 0x00))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_supl(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->server_port != 7275 && data->client_port != 7275)\n\t\treturn false;\n\n\tif (match_supl_out(data->payload[0], data->payload_len[0])) {\n\t\tif (match_supl_in(data->payload[1], data->payload_len[1]))\n\t\t\treturn 
true;\n\t}\n\tif (match_supl_out(data->payload[1], data->payload_len[1])) {\n\t\tif (match_supl_in(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_supl = {\n\tLPI_PROTO_SUPL,\n\tLPI_CATEGORY_LOCATION,\n\t\"SUPL\",\n\t12,\n\tmatch_supl\n};\n\nvoid register_supl(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_supl, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_svn.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_svn_greet(uint32_t payload, uint32_t len) {\n\n        if (MATCHSTR(payload, \"( su\"))\n                return true;\n\n        return false;\n\n}\n\nstatic inline bool match_svn_resp(uint32_t payload, uint32_t len) {\n        if (len == 0)\n                return true;\n\n        if (MATCHSTR(payload, \"( 2 \"))\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_svn(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_svn_greet(data->payload[0], data->payload_len[0])) {\n                if (match_svn_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_svn_greet(data->payload[1], data->payload_len[1])) {\n                if (match_svn_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n    
    }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_svn = {\n\tLPI_PROTO_SVN,\n\tLPI_CATEGORY_RCS,\n\t\"SVN\",\n\t3,\n\tmatch_svn\n};\n\nvoid register_svn(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_svn, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_talesrunner.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* MMORPG from the people behind \"Funtown\" */\n\nstatic inline bool match_0e01(uint32_t payload, uint32_t len) {\n\n        if (len == 5 && MATCH(payload, 0x05, 0x00, 0x0e, 0x01))\n                return true;\n        return false;\n}\n\nstatic inline bool match_0f(uint32_t payload, uint32_t len) {\n\n        /* Bytes 1 and 2 are a length field, but length seems to\n         * correlate strongly with the value of byte 4 */\n\n        if (len == 64 && MATCH(payload, 0x40, 0x00, 0x0f, 0x0b))\n                return true;\n        if (len == 61 && MATCH(payload, 0x3d, 0x00, 0x0f, 0x08))\n                return true;\n        if (len == 60 && MATCH(payload, 0x3c, 0x00, 0x0f, 0x07))\n                return true;\n        return false;\n}\n\nstatic inline bool match_talesrunner(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* port 9153 */\n\n   
     if (match_0e01(data->payload[0], data->payload_len[0])) {\n                if (match_0f(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_0e01(data->payload[1], data->payload_len[1])) {\n                if (match_0f(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_talesrunner = {\n\tLPI_PROTO_TALESRUNNER,\n\tLPI_CATEGORY_GAMING,\n\t\"TalesRunner\",\n\t51,\n\tmatch_talesrunner\n};\n\nvoid register_talesrunner(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_talesrunner, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_tankionline.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* A Flash-based version of TankiX */\n\nstatic inline bool to_port(uint16_t porta, uint16_t portb) {\n        if (porta == 5190 || porta == 15050)\n                return true;\n        if (portb == 15050 || portb == 5190)\n                return true;\n        return false;\n}\n\nstatic inline bool match_to(uint32_t payload, uint32_t len) {\n\n        if (len == 44 && MATCH(payload, 0x00, 0x2a, 0x00, 0x03))\n                return true;\n        return false;\n}\n\nstatic inline bool match_tankionline(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (!to_port(data->server_port, data->client_port)) {\n                return false;\n        }\n\n        /* The other direction is random MTU-sized payload. Apologies to\n         * people with small MTUs. 
*/\n        if (match_to(data->payload[0], data->payload_len[0])) {\n                if (data->payload_len[1] >= 1300)\n                        return true;\n        }\n\n        if (match_to(data->payload[1], data->payload_len[1])) {\n                if (data->payload_len[0] >= 1300)\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_tankionline = {\n\tLPI_PROTO_TANKIONLINE,\n\tLPI_CATEGORY_GAMING,\n\t\"TankiOnline\",\n\t180,\n\tmatch_tankionline\n};\n\nvoid register_tankionline(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_tankionline, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_tankix.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_tankix_19(uint32_t payload, uint32_t len) {\n\n        if (MATCHSTR(payload, \"\\xff\\x00\\x00\\x00\") && len == 19)\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_tankix(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 5050 */\n        if (match_tankix_19(data->payload[0], data->payload_len[0])) {\n                if (MATCHSTR(data->payload[1], \"\\xff\\x00\\x00\\x00\"))\n                        return true;\n        }\n\n        if (match_tankix_19(data->payload[1], data->payload_len[1])) {\n                if (MATCHSTR(data->payload[0], \"\\xff\\x00\\x00\\x00\"))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_tankix = {\n\tLPI_PROTO_TANKIX,\n\tLPI_CATEGORY_GAMING,\n\t\"TankiX\",\n\t52,\n\tmatch_tankix\n};\n\nvoid 
register_tankix(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_tankix, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_taobao.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Not entirely sure what this protocol is. Observed flows involve Taobao\n * CDN hosts and TCP port 80, but it is clearly not HTTP. Users doing this\n * protocol also speak conventional HTTP and HTTPS to the same Taobao host\n * at the same time, so it isn't a substitute for HTTP. 
Possibly a streaming\n * media protocol?\n *\n * For now I'm just going to use the generic name 'Taobao' and hope that\n * we can figure this out some time in the future.\n */\n\nstatic inline bool match_taobao_req(uint32_t payload, uint32_t len) {\n        /* Byte 4 is a length field, == len - 4 */\n\n        uint32_t taolen = ntohl(payload) & 0xffff;\n\n        if (MATCH(payload, 0xf5, 0x00, ANY, ANY)) {\n                if (taolen == len - 4)\n                        return true;\n        }\n\n        if (MATCH(payload, 0xf1, 0x00, ANY, ANY)) {\n                if (taolen == len - 4)\n                        return true;\n        }\n        return false;\n\n}\n\nstatic inline bool match_taobao_resp(uint32_t payload, uint32_t len) {\n        /* Byte 4 is a length field, == len - 4 */\n\n        uint32_t taolen = ntohl(payload) & 0xffff;\n\n        if (MATCH(payload, 0xf3, 0x00, ANY, ANY)) {\n                if (taolen == len - 4)\n                        return true;\n        }\n        return false;\n\n}\n\n\n/* Taobao seem to bastardize SSL. 
The request looks like a standard\n * TLS handshake, but the response is definitely something custom.\n */\nstatic inline bool match_taobao_sslreq(uint32_t payload) {\n        if (MATCH(payload, 0x16, 0x03, 0x01, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_taobao_sslresp(uint32_t payload) {\n        if (MATCH(payload, 0x10, 0x3a, 0xf3, 0x00))\n                return true;\n        if (MATCH(payload, 0x10, 0xae, 0xf3, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_taobao(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_taobao_req(data->payload[0], data->payload_len[0])) {\n                if (match_taobao_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_taobao_req(data->payload[1], data->payload_len[1])) {\n                if (match_taobao_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n        if (match_taobao_sslreq(data->payload[0])) {\n                if (match_taobao_sslresp(data->payload[1]))\n                        return true;\n        }\n\n        if (match_taobao_sslreq(data->payload[1])) {\n                if (match_taobao_sslresp(data->payload[0]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_taobao = {\n\tLPI_PROTO_TAOBAO,\n\tLPI_CATEGORY_CDN,\n\t\"Taobao\",\n\t20,\n\tmatch_taobao\n};\n\nvoid register_taobao(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_taobao, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_tds.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_tds_response(uint32_t payload, uint32_t len) {\n\n        uint32_t stated_len = 0;\n\n        if (len == 0)\n                return true;\n\n        if (!MATCH(payload, 0x04, 0x01, ANY, ANY))\n                return false;\n        stated_len = (ntohl(payload) & 0xffff);\n        if (stated_len != len)\n                return false;\n\n        return true;\n\n\n}\n\n\nstatic inline bool match_tds(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_tds_request(data->payload[0], data->payload_len[0])) {\n                if (match_tds_response(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_tds_request(data->payload[1], data->payload_len[1])) {\n                if (match_tds_response(data->payload[0], data->payload_len[0]))\n                        return 
true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_tds = {\n\tLPI_PROTO_TDS,\n\tLPI_CATEGORY_DATABASES,\n\t\"TDS\",\n\t4,\n\tmatch_tds\n};\n\nvoid register_tds(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_tds, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_teamviewer.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_teamviewer_payload(uint32_t payload, uint32_t len) {\n\n\tif (len == 0)\n\t\treturn true;\n\tif (!MATCH(payload, 0x17, 0x24, ANY, ANY))\n\t\treturn false;\n\n\tif (len < 256 && (ntohl(payload) & 0xff) != len - 5)\n\t\treturn false;\n\t\n\treturn true;\n\t\n\n}\n\nstatic inline bool match_teamviewer_alt(uint32_t payload, uint32_t len) {\n        if (!MATCH(payload, 0x11, 0x30, 0x36, 0x00))\n                return false;\n        return true;\n}\n\nstatic inline bool match_teamviewer_37(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x11, 0x30, 0x37, 0x00 && len == 32))\n                return true;\n        return false;\n}\n\nstatic inline bool match_teamviewer_38(uint32_t payload) {\n        if (MATCH(payload, 0x11, 0x30, 0x38, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool 
match_teamviewer(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_teamviewer_payload(data->payload[0], data->payload_len[0])) {\n                if (match_teamviewer_payload(data->payload[1], data->payload_len[1]))\n                        return true;\n                if (match_teamviewer_alt(data->payload[1], data->payload_len[1]))\n                        return true;\n\n        }\n\n\tif (match_teamviewer_payload(data->payload[1], data->payload_len[1])) {\n                if (match_teamviewer_payload(data->payload[0], data->payload_len[0]))\n                        return true;\n                if (match_teamviewer_alt(data->payload[0], data->payload_len[0]))\n                        return true;\n\n        }\n\n        if (match_teamviewer_37(data->payload[0], data->payload_len[0])) {\n                if (match_teamviewer_38(data->payload[1]))\n                        return true;\n        }\n\n        if (match_teamviewer_37(data->payload[1], data->payload_len[1])) {\n                if (match_teamviewer_38(data->payload[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_teamviewer = {\n\tLPI_PROTO_TEAMVIEWER,\n\tLPI_CATEGORY_REMOTE,\n\t\"Teamviewer\",\n\t40,\n\tmatch_teamviewer\n};\n\nvoid register_teamviewer(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_teamviewer, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_telecomkey.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_telecomkey(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\t/* Custom protocol used in transactions to telecomkey.com\n         *\n         * No idea what it is, exactly.\n         */\n\n        if (MATCH(data->payload[0], 0x30, 0x30, 0x30, 0x30) &&\n                        data->payload_len[0] == 8)\n                return true;\n        if (MATCH(data->payload[1], 0x30, 0x30, 0x30, 0x30) &&\n                        data->payload_len[1] == 8)\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_telecomkey = {\n\tLPI_PROTO_TELECOMKEY,\n\tLPI_CATEGORY_TELCO,\n\t\"TelecomKey\",\n\t3,\n\tmatch_telecomkey\n};\n\nvoid register_telecomkey(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_telecomkey, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_telegram.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n#include <stdio.h>\n/* Protocol is documented at https://core.telegram.org/mtproto */\n\n\nstatic inline bool match_abridged_telegram_query(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0xef, ANY, ANY, ANY)) {\n        \n                /* Bottom 7 bits of byte 2 are a length field */\n                uint32_t lenfield = ((ntohl(payload) >> 16) & 0x7f);\n\n                if (len - 2 == lenfield * 4) {\n                        return true;\n                }\n\n                /* XXX Some clients appear to follow the query with some\n                 * other message which TCP will combine into the same\n                 * segment, so we can still fail the length check. 
Do\n                 * we want to consider removing the length check and just\n                 * rely on the 0x3f byte for matching this?\n                 */\n\n        }\n\n        /* All 1s in the length field means the next three bytes are a\n         * length field. In this case, the first packet will almost\n         * certainly be MSS sized.\n         */\n        if (MATCH(payload, 0xef, 0x7f, ANY, ANY)) {\n                if (len >= 1300)\n                        return true;\n        }\n\n        return false;\n}\n\nstatic inline bool match_telegram_query(uint32_t payload, uint32_t len) {\n\n        /* Random bytes but always 105 based on my observations */\n\n        if (len == 105)\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_abridged_telegram_resp(uint32_t payload, uint32_t len) {\n\n        /* Fast acknowledgement -- technically this should only match if\n         * top bit of the length field is set, but we're probably ok to not\n         * enforce that.\n         */\n        if (len == 4 && (payload & 0x00000080))\n                return true;\n\n        /* Look out for very large packets that won't fit in a single segment */\n        if (MATCH(payload, 0x7f, ANY, ANY, 0x00))\n                return true;\n\n        /* Otherwise, first byte is the length field */\n        uint32_t lenfield = ((ntohl(payload) >> 24));\n        \n        if (lenfield * 4 == len - 1)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_telegram_resp(uint32_t payload, uint32_t len) {\n\n        /* First four bytes are a length field */\n        uint32_t lenfield = ntohl(payload);\n        \n        if (lenfield * 4 == len - 1)\n                return true;\n        return false;\n\n}\n\n\nstatic inline bool match_telegram(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\n        if (match_abridged_telegram_query(data->payload[0], data->payload_len[0])) {\n                if 
(match_abridged_telegram_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_abridged_telegram_query(data->payload[1], data->payload_len[1])) {\n                if (match_abridged_telegram_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_telegram_query(data->payload[0], data->payload_len[0])) {\n                if (match_telegram_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_telegram_query(data->payload[1], data->payload_len[1])) {\n                if (match_telegram_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (data->payload_len[0] == 96 && data->payload_len[1] == 52) {\n                if (MATCH(data->payload[0], 0x60, 0x00, 0x00, 0x00) && \n                                MATCH(data->payload[1], 0x34, 0x00, 0x00, 0x00))\n                        return true;\n        }\n\n        if (data->payload_len[1] == 96 && data->payload_len[0] == 52) {\n                if (MATCH(data->payload[1], 0x60, 0x00, 0x00, 0x00) && \n                                MATCH(data->payload[0], 0x34, 0x00, 0x00, 0x00))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_telegram = {\n\tLPI_PROTO_TELEGRAM,\n\tLPI_CATEGORY_CHAT,\n\t\"TelegramMessenger\",\n\t10,\n\tmatch_telegram\n};\n\nvoid register_telegram(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_telegram, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_telnet.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Rules adapted from l7-filter */\nstatic inline bool match_telnet_pattern(uint32_t payload, uint32_t len) {\n\n        /* Sadly we cannot use a simple MATCH, because we're looking for\n         * two 0xff characters, which happens to be the same value as ANY.\n         */\n\n        if (len >= 4) {\n                if ((ntohl(payload) & 0xff0000ff) != (0xff0000ff))\n                        return false;\n        }\n        else if (len == 3) {\n                if ((ntohl(payload) & 0xff000000) != (0xff000000))\n                        return false;\n        }\n        else\n                return false;\n\n        if (MATCH(payload, ANY, 0xfb, ANY, ANY))\n                return true;\n        if (MATCH(payload, ANY, 0xfc, ANY, ANY))\n                return true;\n        if (MATCH(payload, ANY, 0xfd, ANY, ANY))\n                return true;\n        
if (MATCH(payload, ANY, 0xfe, ANY, ANY))\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_atos_telnet(uint32_t payload) {\n\n\t/* ATOS seems to be related to ADSL routers, which really shouldn't\n\t * be allowing telnet over the public internet */\n\n\tif (MATCH(payload, 0x1b, 0x5b, 0x32, 0x4a))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_telnet(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_telnet_pattern(data->payload[0], data->payload_len[0]))\n                return true;\n        if (match_telnet_pattern(data->payload[1], data->payload_len[1]))\n                return true;\n\n\tif (match_atos_telnet(data->payload[0]) && data->payload_len[1] == 0)\n\t\treturn true;\n\tif (match_atos_telnet(data->payload[1]) && data->payload_len[0] == 0)\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_telnet = {\n\tLPI_PROTO_TELNET,\n\tLPI_CATEGORY_REMOTE,\n\t\"Telnet\", \n\t2,\n\tmatch_telnet\n};\n\nvoid register_telnet(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_telnet, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_telnet_exploit.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_telnet_exploit(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Anyone firing up a telnet session and immediately sending 'root',\n\t * as opposed to the initial telnet commands, is probably up to no\n\t * good */\n\n\tif (data->server_port != 23 && data->client_port != 23)\n\t\treturn false;\n\n\tif (MATCH(data->payload[0], 'r', 'o', 'o', 't'))\n\t\treturn true;\n\tif (MATCH(data->payload[1], 'r', 'o', 'o', 't'))\n\t\treturn true;\n\n\t/* This is a common way for telnet servers to drop unwanted clients \n\t *\n\t * Full string is: \n\t *\n\t * %connection closed by remote host! 
*/\n\tif (MATCH(data->payload[0], 0x0d, 0x0a, '%', 'c') && \n\t\t\tdata->payload_len[1] == 0)\n\t\treturn true;\n\tif (MATCH(data->payload[1], 0x0d, 0x0a, '%', 'c') &&\n\t\t\tdata->payload_len[0] == 0)\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_telnet_exploit = {\n\tLPI_PROTO_TELNET_EXPLOIT,\n\tLPI_CATEGORY_MALWARE,\n\t\"TelnetExploit\",\n\t20,\n\tmatch_telnet_exploit\n};\n\nvoid register_telnet_exploit(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_telnet_exploit, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_tencent_games.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* This traffic has been observed with BNS China, an MMO operated by\n * Tencent. 
I can't be sure whether this is exclusive to BNS or is used\n * by all Tencent games yet, so I'll use the generic name \"TencentGames\"\n * rather than assuming it is only BNS.\n */\n\nstatic inline bool match_tcg_req(uint32_t payload, uint32_t len) {\n\n        uint32_t hdrlen = (ntohl(payload) & 0xffff);\n\n        if (hdrlen != len)\n                return false;\n\n        if (MATCH(payload, 0xd8, 0x5c, ANY, ANY))\n                return true;\n        return false;\n}\n\nstatic inline bool match_tcg_reply(uint32_t payload, uint32_t len) {\n\n        uint32_t hdrlen = (ntohl(payload) & 0xffff);\n\n        if (hdrlen != len)\n                return false;\n\n        if (MATCH(payload, 0xd8, 0x5d, ANY, ANY))\n                return true;\n        return false;\n}\n\nstatic inline bool match_tencent_games(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_tcg_req(data->payload[0], data->payload_len[0])) {\n                if (match_tcg_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_tcg_req(data->payload[1], data->payload_len[1])) {\n                if (match_tcg_reply(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_tencent_games = {\n\tLPI_PROTO_TENCENT_GAMES,\n\tLPI_CATEGORY_GAMING,\n\t\"TencentGames\",\n\t5,\n\tmatch_tencent_games\n};\n\nvoid register_tencent_games(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_tencent_games, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_tenfivecoin.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_tfc_magic(uint32_t payload, uint32_t len) {\n        if (len == 24 && MATCH(payload, 0xfa, 0xbf, 0xb5, 0xda))\n                return true;\n        return false;\n}\n\nstatic inline bool match_tenfivecoin(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_tfc_magic(data->payload[0], data->payload_len[0])) {\n                if (match_tfc_magic(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_tenfivecoin = {\n\tLPI_PROTO_TENFIVECOIN,\n\tLPI_CATEGORY_ECOMMERCE,\n\t\"TenFiveCoin\",\n\t12,\n\tmatch_tenfivecoin\n};\n\nvoid register_tenfivecoin(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_tenfivecoin, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_tensafe.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* TenSafe is an anti-cheat mechanism that is included with major\n * online games published by Tencent, e.g. 
Blade N Soul, DNF.\n */\n\nstatic inline bool match_tensafe_req(uint32_t payload, uint32_t len) {\n        if (len != 42)\n                return false;\n        if (MATCH(payload, 0x01, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_tensafe_resp(uint32_t payload, uint32_t len) {\n        if (len == 0)\n                return true;\n\n        if (len != 50)\n                return false;\n        if (MATCH(payload, 0x01, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool is_tensafe_port(uint16_t server, uint16_t client) {\n        if (server == 8080 || server == 80 || server == 443)\n                return true;\n        if (server == 10012)\n                return true;\n        if (client == 8080 || client == 80 || client == 443)\n                return true;\n        if (client == 10012)\n                return true;\n        return false;\n}\n\nstatic inline bool match_tensafe(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (!is_tensafe_port(data->server_port, data->client_port))\n                return false;\n\n        if (match_tensafe_req(data->payload[0], data->payload_len[0])) {\n                if (match_tensafe_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_tensafe_req(data->payload[1], data->payload_len[1])) {\n                if (match_tensafe_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_tensafe = {\n\tLPI_PROTO_TENSAFE,\n\tLPI_CATEGORY_GAMING,\n\t\"TenSafe\",\n\t70,\n\tmatch_tensafe\n};\n\nvoid register_tensafe(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_tensafe, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_tera.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_tera_resp(uint32_t payload, uint32_t len) {\n\n        if (len != 4)\n                return false;\n        if (MATCH(payload, 0x01, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_tera(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* XXX This traffic generally only appears on port 10001 */\n\n        /* First C->S packet is 128 bytes, but first bytes are random */\n\n        if (data->payload_len[1] == 128) {\n                if (match_tera_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (data->payload_len[0] == 128) {\n                if (match_tera_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_tera 
= {\n\tLPI_PROTO_TERA,\n\tLPI_CATEGORY_GAMING,\n\t\"Tera\",\n\t8,\n\tmatch_tera\n};\n\nvoid register_tera(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_tera, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_tetrisonline.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Only ever seen this on port 80 to hosts owned by Tetris Online. This\n * may not be exclusive to Tetris Online (i.e. 
it might be a generic flash\n * game protocol) but I can't be sure until I see it somewhere else.\n */\n\n\nstatic inline bool match_tetrisonline(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 80 && data->client_port != 80)\n                return false;\n\n        if (MATCH(data->payload[0], 'U', 'S', 'R', ' ')) {\n                if (MATCH(data->payload[1], 'U', 'S', 'R', ' '))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_tetrisonline = {\n\tLPI_PROTO_TETRISONLINE,\n\tLPI_CATEGORY_GAMING,\n\t\"TetrisOnline\",\n\t5,\n\tmatch_tetrisonline\n};\n\nvoid register_tetrisonline(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_tetrisonline, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_thedivision.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Tom Clancy's The Division -- Ubisoft game */\n\nstatic inline bool match_div_36(uint32_t payload, uint32_t len) {\n        if (len == 36 && MATCH(payload, 0x46, 0x01, 0x02, 0x20))\n                return true;\n        return false;\n}\n\nstatic inline bool match_div_8(uint32_t payload, uint32_t len) {\n        if (len == 8 && MATCH(payload, 0x0e, 0x01, 0x00, 0x04))\n                return true;\n        return false;\n}\n\nstatic inline bool match_thedivision(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 55000? 
*/\n\n        if (match_div_36(data->payload[0], data->payload_len[0])) {\n                if (match_div_8(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_div_36(data->payload[1], data->payload_len[1])) {\n                if (match_div_8(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_thedivision = {\n\tLPI_PROTO_THE_DIVISION,\n\tLPI_CATEGORY_GAMING,\n\t\"TheDivision\",\n\t5,\n\tmatch_thedivision\n};\n\nvoid register_thedivision(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_thedivision, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_tip.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_tip(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"PUSH\"))\n\t\treturn true;\n\treturn false;\n}\n\nstatic lpi_module_t lpi_tip = {\n\tLPI_PROTO_TIP,\n\tLPI_CATEGORY_ECOMMERCE,\n\t\"TIP\",\n\t5,\t/* Not a very strong rule */\n\tmatch_tip\n};\n\nvoid register_tip(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_tip, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_tor.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_tor(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* I *think* this is TOR but have not confirmed */\n\t\n\t/* Don't believe in this rule anymore :) */\n\t/*\n\tif (match_chars_either(data, 0x3d, 0x00, 0x00, 0x00) &&\n\t\t\t(data->payload_len[0] == 4 ||\n\t\t\tdata->payload_len[1] == 4))\n\t\treturn true;\n\t*/\n\n\t/* Lots of TOR is SSL over port 443, which we can't really distinguish\n\t * from HTTPS. 
However, we can match the stuff on port 9001 */\n\n\tif (!match_ssl(data))\n\t\treturn false;\n\n\tif (data->server_port == 9001 || data->client_port == 9001)\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_tor = {\n\tLPI_PROTO_TOR,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"TOR\",\n\t7, \t/* Not the strongest rule */\n\tmatch_tor\n};\n\nvoid register_tor(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_tor, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_tpkt.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* TPKT is a slightly annoying little protocol that is used by a variety of\n * applications. It is most notably used for RDP, but is also important for\n * anything based on the H.323 standard for multimedia conferencing (e.g.\n * Cisco CallManager).\n *\n * Basically, this module is going to be aimed at matching any generic\n * TPKT traffic that isn't something we can assign to a more specific\n * application, e.g. 
RDP\n */\n\nstatic inline bool match_tpkt_generic(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_tpkt(data->payload[0], data->payload_len[0])) {\n\t\tif (match_tpkt(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_tpkt_generic = {\n\tLPI_PROTO_TPKT,\n\tLPI_CATEGORY_VOIP, /* Most TPKT stuff is for VOIP, conferencing etc */\n\t\"TPKT\",\n\t8,\t/* Must come after RDP and S7COMM but before RTMP */\n\tmatch_tpkt_generic\n};\n\nvoid register_tpkt_generic(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_tpkt_generic, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_trackmania.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_trackmania_3450(lpi_data_t *data) {\n\n        /* Version of trackmania protocol usually seen on port 3450 */\n\n        if (data->server_port != 3450 && data->client_port != 3450)\n                return false;\n\n        if (match_str_both(data, \"\\x23\\x00\\x00\\x00\", \"\\x13\\x00\\x00\\x00\")) {\n\n                if (!match_payload_length(ntohl(data->payload[0]),\n                                data->payload_len[0]))\n                        return false;\n\n                if (!match_payload_length(ntohl(data->payload[1]),\n                                data->payload_len[1]))\n                        return false;\n                return true;\n        }\n\n        if (match_str_either(data, \"\\x23\\x00\\x00\\x00\")) {\n                if (data->payload_len[0] == 39 && data->payload_len[1] == 0)\n                    
    return true;\n                if (data->payload_len[1] == 39 && data->payload_len[0] == 0)\n                        return true;\n        }\n\n        return false;\n\n}\n\nstatic inline bool match_trackmania_2350(lpi_data_t *data) {\n\n        /* One version of the trackmania protocol, typically seen running\n         * on port 2350 */\n\n        if (!match_payload_length(ntohl(data->payload[0]),\n                        data->payload_len[0]))\n                return false;\n\n        if (!match_payload_length(ntohl(data->payload[1]),\n                        data->payload_len[1]))\n                return false;\n\n        if (!match_chars_either(data, 0x1c, 0x00, 0x00, 0x00))\n                return false;\n\n        return true;\n\n}\n\n\nstatic inline bool match_trackmania(lpi_data_t *data, lpi_module_t *mod UNUSED) \n{\n\tif (match_trackmania_3450(data))\n                return true;\n        if (match_trackmania_2350(data))\n                return true;\n\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_trackmania = {\n\tLPI_PROTO_TRACKMANIA,\n\tLPI_CATEGORY_GAMING,\n\t\"Trackmania\",\n\t3,\n\tmatch_trackmania\n};\n\nvoid register_trackmania(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_trackmania, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_transocks.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Chinese VPN for accessing mainland content */\n\nstatic inline bool match_ts_23(uint32_t payload, uint32_t len) {\n\n        if (len == 23 && MATCH(payload, 0x00, 0x00, 0x00, 0x00)) {\n                return true;\n        }\n\n        return false;\n}\n\nstatic inline bool match_ts_reply(uint32_t payload, uint32_t len) {\n\n        /* Payload is random, but we could add rules to return false\n         * if the payload is 00000000 or ffffffff (or any other clearly\n         * intentional pattern), if this is generating FPs.\n         */\n\n        /* Lower path MTUs would affect this number, but let's concentrate\n         * on getting the lowest hanging fruit for now.\n         */\n        if (len == 1460 || len == 1406 || len == 1356) {\n                return true;\n        }\n\n        /* 503 is also a common length? 
also seen 501 and 507 occasionally.. */\n        if (len == 503) {\n                return true;\n        }\n\n        /* Starting to see a bit of variation in reply sizes now :/ */\n        if (len >= 678 && len <= 688) {\n                return true;\n        }\n\n        return false;\n\n}\n\nstatic inline bool match_transocks(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* NOTE(review): the two checks below are identical (payload[0]\n         * as the 23-byte request, payload[1] as the reply), so the\n         * reverse direction is never tested -- confirm whether the\n         * second check was meant to swap the indices.\n         */\n        if (match_ts_23(data->payload[0], data->payload_len[0])) {\n                if (match_ts_reply(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_ts_23(data->payload[0], data->payload_len[0])) {\n                if (match_ts_reply(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_transocks = {\n\tLPI_PROTO_TRANSOCKS,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"Transocks\",\n\t240,\n\tmatch_transocks\n};\n\nvoid register_transocks(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_transocks, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_trion.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Trion - publisher of F2P online games e.g. 
Archeage, Trove, etc.\n * \n * For now, I'm just going to group all Trion's games into a single \"protocol\"\n * as I doubt there is much need to make a distinction.\n */\n\n/* This is probably a length field */\nstatic inline bool match_trion_29(uint32_t payload, uint32_t len) {\n        if (len != 29)\n                return false;\n        if (!MATCH(payload, 0x18, 0x00, 0x00, 0x00))\n                return false;\n        return true;\n\n}\n\n/* This is probably a length field */\nstatic inline bool match_trion_23(uint32_t payload, uint32_t len) {\n        if (len != 23)\n                return false;\n        if (!MATCH(payload, 0x12, 0x00, 0x00, 0x00))\n                return false;\n        return true;\n\n}\n\nstatic inline bool match_trion_37(uint32_t payload, uint32_t len) {\n\n        if (len == 37 && MATCH(payload, 0x20, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_trion_1c(uint32_t payload, uint32_t len) {\n        if (len == 263 && MATCH(payload, 0x1c, 0x80, 0x20, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_trion_2080(uint32_t payload, uint32_t len) {\n        if (len == 263 && MATCH(payload, 0x20, 0x80, 0x20, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_trion(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* We can also try to limit to port 6560 and 37000-37100, if\n         * necessary */\n\n        if (match_trion_29(data->payload[0], data->payload_len[0])) {\n                if (match_trion_23(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_trion_29(data->payload[1], data->payload_len[1])) {\n                if (match_trion_23(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        /* RIFT and Defiance require TCP port 6540 and 50000 and use a\n         * different payload pattern 
*/\n        if (match_trion_1c(data->payload[0], data->payload_len[0])) {\n                if (match_trion_2080(data->payload[1], data->payload_len[1])) \n                        return true;\n        }\n\n        if (match_trion_1c(data->payload[1], data->payload_len[1])) {\n                if (match_trion_2080(data->payload[0], data->payload_len[0])) \n                        return true;\n        }\n\n        if (match_trion_37(data->payload[0], data->payload_len[0])) {\n                if (match_trion_37(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_trion = {\n\tLPI_PROTO_TRION,\n\tLPI_CATEGORY_GAMING,\n\t\"TrionGames\",\n\t8,\n\tmatch_trion\n};\n\nvoid register_trion(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_trion, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_trojan_win32_generic_sb.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_socks_response(uint32_t payload, uint32_t len) {\n\n\tif (len == 3 && MATCH(payload, 0x05, 0x01, 0x00, 0x00))\n\t\treturn true;\n\tif (len == 9 && MATCH(payload, 0x04, 0x01, 0x00, 0x19))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_trojan_request(uint32_t payload, uint32_t len) {\n\n\t/* This is the typical request packet sent to the SOCKS server\n\t * that the infected machines connect to */\n\tif (len != 5)\n\t\treturn false;\n\tif (!MATCH(payload, ANY, ANY, 0x00, 0x00))\n\t\treturn false;\n\treturn true;\n}\n\nstatic inline bool match_trojan_other(uint32_t payload, uint32_t len) {\n\n\t/* Occasionally, the infected machine and the SOCKS server\n\t * exchange packets that have this payload */\n\tif (!MATCH(payload, 0x01, 0x38, 0x71, 0x74)) \n\t\treturn false;\n\n\treturn true;\n\n}\n\nstatic inline bool 
match_trojan_win32_generic_sb(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->server_port != 3000 && data->client_port != 3000)\n\t\treturn false;\n\n\tif (match_trojan_other(data->payload[0], data->payload_len[0])) {\n\t\tif (match_trojan_other(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_socks_response(data->payload[0], data->payload_len[0])) {\n\t\tif (match_trojan_request(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_socks_response(data->payload[1], data->payload_len[1])) {\n\t\tif (match_trojan_request(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\treturn false;\n}\n\nstatic lpi_module_t lpi_trojan_win32_generic_sb = {\n\tLPI_PROTO_TROJAN_WIN32_GENERIC_SB,\n\tLPI_CATEGORY_MALWARE,\n\t\"Trojan.Win32.Generic!SB\",\n\t10,\n\tmatch_trojan_win32_generic_sb\n};\n\nvoid register_trojan_win32_generic_sb(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_trojan_win32_generic_sb, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_trojan_zeroaccess.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_zeroaccess_in(uint32_t payload, uint32_t len) {\n\n\tif (len != 20)\n\t\treturn false;\n\tif (!MATCH(payload, 0xe5, 0xaa, 0xc0, 0x31))\n\t\treturn false;\n\treturn true;\n\n}\n\nstatic inline bool match_zeroaccess_out(uint32_t payload, uint32_t len) {\n\n\tif (len == 0)\n\t\treturn true;\n\tif (!MATCH(payload, 0xe5, 0xaa, 0xc0, 0x31))\n\t\treturn false;\n\treturn true;\n\n}\n\nstatic inline bool match_trojan_zeroaccess(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* More info on this trojan can be found at \n\t * http://www.antivirus365.org/PCAntivirus/43465.html */\n\n\tif (match_zeroaccess_in(data->payload[0], data->payload_len[0])) {\n\t\tif (match_zeroaccess_out(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\tif (match_zeroaccess_in(data->payload[1], data->payload_len[1])) {\n\t\tif 
(match_zeroaccess_out(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_trojan_zeroaccess = {\n\tLPI_PROTO_TROJAN_ZEROACCESS,\n\tLPI_CATEGORY_MALWARE,\n\t\"TrojanZeroAccess\",\n\t10,\n\tmatch_trojan_zeroaccess\n};\n\nvoid register_trojan_zeroaccess(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_trojan_zeroaccess, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_twitcasting.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Live self-streaming protocol, popular in Japan */\n\nstatic inline bool match_tc_get(uint32_t payload) {\n        /* Yes, they have managed to co-opt \"GET\" for this protocol */\n\n        if (MATCH(payload, 'G', 'E', 'T', 0x20))\n                return true;\n        return false;\n}\n\nstatic inline bool match_tc_reply(uint32_t payload, uint32_t len) {\n\n        /* Possible that bytes 3 and 4 are a length field? 
*/\n\n        if (len == 19 && MATCH(payload, 'T', 'C', 0x0c, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_twitcasting(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Can use port 8094 if we need to.\n         *\n         * NOTE(review): both checks below treat payload[0] as the GET and\n         * payload[1] as the reply, so the reverse direction is never\n         * tested -- confirm whether the second check was meant to swap\n         * the indices.\n         */\n\n        if (match_tc_get(data->payload[0])) {\n                if (match_tc_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_tc_get(data->payload[0])) {\n                if (match_tc_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_twitcasting = {\n\tLPI_PROTO_TWITCASTING,\n\tLPI_CATEGORY_STREAMING,\n\t\"TwitCasting\",\n\t25,             /* Should definitely be higher than HTTP */\n\tmatch_twitcasting\n};\n\nvoid register_twitcasting(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_twitcasting, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_twitch_irc.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Twitch IRC expects the use of a CAP command to check for membership lists.\n * The response will begin with :tmi.twitch.tv, regardless of what the\n * result of the CAP command is.\n */\n\nstatic inline bool match_twitch_cap(uint32_t payload) {\n        if (MATCH(payload, 'C', 'A', 'P', 0x20))\n                return true;\n        return false;\n}\n\nstatic inline bool match_twitch_tmi(uint32_t payload) {\n        if (MATCH(payload, ':', 't', 'm', 'i'))\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_twitch_irc(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_twitch_cap(data->payload[1])) {\n                if (match_twitch_tmi(data->payload[0])) {\n                        return true;\n                }\n        }\n\n        if (match_twitch_cap(data->payload[0])) {\n                if 
(match_twitch_tmi(data->payload[1])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_twitch_irc = {\n\tLPI_PROTO_TWITCH_IRC,\n\tLPI_CATEGORY_CHAT,\n\t\"TwitchIRC\",\n\t5,\n\tmatch_twitch_irc\n};\n\nvoid register_twitch_irc(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_twitch_irc, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_utherverse.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Virtual world a la Second Life, but even more targeted towards virtual sex */\n\nstatic inline bool match_uther_21(uint32_t payload, uint32_t len) {\n        if (len == 21 && MATCH(payload, 0x11, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_uther_other(uint32_t payload, uint32_t len) {\n\n        /* It's a length field, but in little endian */\n        /* Max length appears to be hard-coded to 1350 */\n\n        if (len > 1350) {\n                return false;\n        } else if (len == 1350) {\n                if (MATCH(payload, ANY, ANY, 0x00, 0x00)) {\n                        if (!MATCH(payload, ANY, 0x00, 0x00, 0x00))\n                                return true;\n                }\n        } else {\n                if (bswap_le_to_host32(payload) == len + 4) {\n                        
return true;\n                }\n        }\n\n        return false;\n}\n\nstatic inline bool match_utherverse(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 4991 && data->client_port != 4991) {\n                return false;\n        }\n\n        if (match_uther_21(data->payload[0], data->payload_len[0])) {\n                if (match_uther_other(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_uther_21(data->payload[1], data->payload_len[1])) {\n                if (match_uther_other(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_utherverse = {\n\tLPI_PROTO_UTHERVERSE,\n\tLPI_CATEGORY_GAMING,\n\t\"Utherverse\",\n\t200,\n\tmatch_utherverse\n};\n\nvoid register_utherverse(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_utherverse, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_vainglory.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Vainglory -- MOBA for touch screens */\n\nstatic inline bool match_vg_req(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x00, 0x86, 0x00, 0x05) && len == 136)\n                return true;\n        if (MATCH(payload, 0x00, 0x86, 0x00, 0x06) && len == 136)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_vg_resp(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x00, 0x03, 0x00, 0x07) && len == 5)\n                return true;\n        if (MATCH(payload, 0x00, 0x03, 0x00, 0x06) && len == 5)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_vainglory(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_vg_req(data->payload[0], data->payload_len[0])) {\n                if (match_vg_resp(data->payload[1], data->payload_len[1]))\n        
                return true;\n        }\n\n        if (match_vg_req(data->payload[1], data->payload_len[1])) {\n                if (match_vg_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_vainglory = {\n\tLPI_PROTO_VAINGLORY,\n\tLPI_CATEGORY_GAMING,\n\t\"Vainglory\",\n\t5,\n\tmatch_vainglory\n};\n\nvoid register_vainglory(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_vainglory, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_vhdp2p.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_vhd(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x13, 'v', 'h', 'd') && len < 150) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_vhdp2p(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_vhd(data->payload[0], data->payload_len[0])) {\n                if (match_vhd(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_vhdp2p = {\n\tLPI_PROTO_VHDP2P,\n\tLPI_CATEGORY_P2P,\n\t\"VHD_P2P\",\n\t7,\n\tmatch_vhdp2p\n};\n\nvoid register_vhdp2p(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_vhdp2p, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_viber.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* I'm fairly confident this is viber - uses port 5242, destination is an\n * Amazon AWS server. 
Hard to test because capturing mobile traffic is much\n * trickier than capturing a desktop app */\n\nstatic inline bool match_viber_in(uint32_t payload, uint32_t len) {\n\n\t/* First two bytes are length, but we only support one packet\n\t * type right now anyway */\n\n\tif (len != 24)\n\t\treturn false;\n\tif (MATCH(payload, 0x18, 0x00, 0x00, 0x00))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_viber_4244_req(uint32_t payload, uint32_t len) {\n\n        if (len == 96 && MATCH(payload, 0x60, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_viber_4244_resp(uint32_t payload, uint32_t len) {\n\n        if (len == 56 && MATCH(payload, 0x38, 0x00, ANY, 0x04))\n                return true;\n        if (len == 56 && MATCH(payload, 0x38, 0x00, ANY, 0x05))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_viber_out(uint32_t payload, uint32_t len) {\n\n\t/* Again, bytes 1 and 2 are the length */\n\tif (len != 154)\n\t\treturn false;\n\tif (MATCH(payload, 0x9a, 0x00, ANY, 0x00))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_viber(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Could enforce port 5242 if we're getting false positives */\n\n\tif (match_viber_in(data->payload[0], data->payload_len[0])) {\n\t\tif (match_viber_out(data->payload[1], data->payload_len[1])) {\n\t\t\treturn true;\n\t\t}\n\t\tif (data->payload_len[1] == 0) {\n\t\t\tif (data->server_port == 5242 || data->client_port == 5242)\n\t\t\t\treturn true;\n\t\t}\n\t}\n\n\tif (match_viber_in(data->payload[1], data->payload_len[1])) {\n\t\tif (match_viber_out(data->payload[0], data->payload_len[0])) {\n\t\t\treturn true;\n\t\t}\n\t\tif (data->payload_len[0] == 0) {\n\t\t\tif (data->server_port == 5242 || data->client_port == 5242)\n\t\t\t\treturn true;\n\t\t}\n\t}\n\n        /* Seen on port 4244 */\n\n        if (match_viber_4244_req(data->payload[0], data->payload_len[0])) 
{\n                if (match_viber_4244_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_viber_4244_req(data->payload[1], data->payload_len[1])) {\n                if (match_viber_4244_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\treturn false;\n}\n\nstatic lpi_module_t lpi_viber = {\n\tLPI_PROTO_VIBER,\n\tLPI_CATEGORY_VOIP,\n\t\"Viber\",\n\t9,\n\tmatch_viber\n};\n\nvoid register_viber(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_viber, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_vmware.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_vmware_banner(uint32_t payload) {\n        if (MATCH(payload, '2', '2', '0', 0x20))\n                return true;\n        return false;\n}\n\nstatic inline bool match_vmware_ssl(uint32_t payload) {\n        if (MATCH(payload, 0x16, 0x03, 0x01, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_vmware(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Require port 902 to avoid confusion with other SSL or \"220 \"\n         * protocols */\n        if (data->server_port != 902 && data->client_port != 902)\n                return false;\n\n        if (match_vmware_banner(data->payload[0])) {\n                if (match_vmware_ssl(data->payload[1]))\n                        return true;\n        }\n\n        if (match_vmware_banner(data->payload[1])) {\n                if 
(match_vmware_ssl(data->payload[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_vmware = {\n\tLPI_PROTO_VMWARE,\n\tLPI_CATEGORY_CLOUD,\n\t\"VMWare\",\n\t125,\n\tmatch_vmware\n};\n\nvoid register_vmware(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_vmware, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_vodlocker.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Vodlocker is basically HTTP, but it uses a non-standard port (8777) and\n * the capitalisation on the HTTP responses can be a bit inconsistent.\n * Rather than pollute HTTP with this crap, I think we can get away with\n * having a separate rule for it */\n\nstatic inline bool match_vodlocker(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 8777 && data->client_port != 8777)\n                return false;\n\n        if (MATCH(data->payload[0], 'G', 'E', 'T', 0x20)) {\n                if (MATCH(data->payload[1], 'H', 't', 'T', 'P'))\n                        return true;\n                if (MATCH(data->payload[1], 'H', 'T', 'T', 'P'))\n                        return true;\n        }\n\n        if (MATCH(data->payload[1], 'G', 'E', 'T', 0x20)) {\n                if (MATCH(data->payload[0], 'H', 't', 'T', 'P'))\n         
               return true;\n                if (MATCH(data->payload[0], 'H', 'T', 'T', 'P'))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_vodlocker = {\n\tLPI_PROTO_VODLOCKER,\n\tLPI_CATEGORY_WEB,\n\t\"Vodlocker\",\n\t100,\n\tmatch_vodlocker\n};\n\nvoid register_vodlocker(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_vodlocker, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_vpnrobot_tcp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_um(uint32_t payload, uint32_t len) {\n\n        /* First two bytes are a length field */\n        uint32_t hlen = ntohl(payload) >> 16;\n\n        if (hlen == len - 2) {\n                if (MATCH(payload, ANY, ANY, 'U', 'M'))\n                        return true;\n        }\n        return false;\n}\n\nstatic inline bool match_2byte_reply(uint32_t payload, uint32_t len) {\n\n        if (len == 2 && MATCH(payload, 0x00, 0x0e, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_vpnrobot_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Don't have any examples of a successful connection to a VPN\n         * server yet, which may look a little different */\n\n        /* Commonly seen on ports 66 and 119 */\n\n        if (match_um(data->payload[0], data->payload_len[0])) 
{\n                if (match_2byte_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_um(data->payload[1], data->payload_len[1])) {\n                if (match_2byte_reply(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_vpnrobot_tcp = {\n\tLPI_PROTO_VPNROBOT,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"VPNRobot\",\n\t55,\n\tmatch_vpnrobot_tcp\n};\n\nvoid register_vpnrobot_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_vpnrobot_tcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_vpnunlimited_tcp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Custom VPN protocol used by VPN Unlimited -- OpenVPN is the default, but\n * this is also offered for \"ultimate security\" (at some performance cost).\n */\n\n/* Looks like first 2 bytes are a length field */\n\nstatic inline bool match_vpn_req(uint32_t payload, uint32_t len) {\n        if (len == 44 && MATCH(payload, 0x00, 0x2a, 0x5e, 0x4d))\n                return true;\n        return false;\n}\n\nstatic inline bool match_vpn_resp(uint32_t payload, uint32_t len) {\n        if (len == 56 && MATCH(payload, 0x00, 0x36, 0x26, 0x51))\n                return true;\n        return false;\n}\n\nstatic inline bool match_vpnunlimited_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Always seen on port 443 */\n        if (match_vpn_req(data->payload[0], data->payload_len[0])) {\n                if (match_vpn_resp(data->payload[1], 
data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_vpn_req(data->payload[1], data->payload_len[1])) {\n                if (match_vpn_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_vpnunlimited_tcp = {\n\tLPI_PROTO_VPN_UNLIMITED,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"VPNUnlimitedTCP\",\n\t10,\n\tmatch_vpnunlimited_tcp\n};\n\nvoid register_vpnunlimited_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_vpnunlimited_tcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_warcraft3.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_warcraft3(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Warcraft 3 packets all begin with 0xf7 */\n\tif (!MATCH(data->payload[0], 0xf7, ANY, ANY, ANY) || \n\t\t\t!MATCH(data->payload[1], 0xf7, ANY, ANY, ANY))\n\t\treturn false;\n\n\tif (match_chars_either(data, 0xf7, 0x37, 0x12, 0x00))\n\t\treturn true;\n        /* Another Warcraft 3 example added by Donald Neal */\n        if (match_chars_either(data, 0xf7, 0x1e, ANY, 0x00))\n\t\treturn true;\n\n\n        /* XXX - I have my doubts about these rules */\n#if 0   \n        if (match_chars_either(proto_d, 0xf7, 0xf7, ANY, ANY)) \n                return LPI_PROTO_WARCRAFT3;\n#endif\n\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_warcraft3 = {\n\tLPI_PROTO_WARCRAFT3,\n\tLPI_CATEGORY_GAMING,\n\t\"Warcraft3\",\n\t5, /* I'm a bit dubious about the value of this rule 
*/\n\tmatch_warcraft3\n};\n\nvoid register_warcraft3(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_warcraft3, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_web_junk.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_web_junk(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Connections to web servers where the client clearly is not\n         * speaking HTTP.\n         *\n         * XXX Check flows matching this occasionally for new HTTP request\n         * types that we've missed :( \n         */\n        if (data->payload_len[0] == 0 || data->payload_len[1] == 0)\n                return false;\n\n        if (!match_http_request(data->payload[0], data->payload_len[0])) {\n                if (MATCHSTR(data->payload[1], \"HTTP\"))\n                        return true;\n        }\n\n        if (!match_http_request(data->payload[1], data->payload_len[1])) {\n                if (MATCHSTR(data->payload[0], \"HTTP\"))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_web_junk = 
{\n\tLPI_PROTO_WEB_JUNK,\n\tLPI_CATEGORY_MIXED,\n\t\"Web_Junk\",\n\t210,\n\tmatch_web_junk\n};\n\nvoid register_web_junk(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_web_junk, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_webex_stun.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Bastardization of the STUN protocol used by Cisco Webex */\n\nstatic inline bool match_webex_req(uint32_t payload, uint32_t len) {\n\n        if (len == 28 && MATCH(payload, 0x00, 0x03, 0x00, 0x08)) {\n                return true;\n        }\n\n        return false;\n}\n\nstatic inline bool match_webex_resp(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x01, 0x13, 0x00, ANY)) {\n                if ((ntohl(payload) & 0x0000ffff) == len - 20)\n                        return true;\n        }\n\n        return false;\n}\n\nstatic inline bool match_webex_stun(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 80 && data->client_port != 80) {\n                return false;\n        }\n\n        if (match_webex_req(data->payload[0], data->payload_len[0])) {\n                if 
(match_webex_resp(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_webex_req(data->payload[1], data->payload_len[1])) {\n                if (match_webex_resp(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_webex_stun = {\n\tLPI_PROTO_WEBEX_STUN,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"WebexSTUN\",\n\t140,\n\tmatch_webex_stun\n};\n\nvoid register_webex_stun(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_webex_stun, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_weblogic.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_weblogic(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\t\n\t/* T3 is the protocol used by Weblogic, a Java application server */\n\n        /* sa is the admin username for MSSQL databases */\n        if (MATCH(data->payload[1], 0x00, 0x02, 's', 'a')) {\n                if (match_payload_length(data->payload[0],\n                                data->payload_len[0]))\n                        return true;\n                if (data->client_port == 7001 || data->server_port == 7001)\n                        return true;\n        }\n\n        if (MATCH(data->payload[0], 0x00, 0x02, 's', 'a')) {\n                if (match_payload_length(data->payload[1],\n                                data->payload_len[1]))\n                        return true;\n                if (data->client_port == 7001 || data->server_port == 7001)\n         
               return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_weblogic = {\n\tLPI_PROTO_WEBLOGIC,\n\tLPI_CATEGORY_DATABASES,\n\t\"Weblogic\",\n\t8,\n\tmatch_weblogic\n};\n\nvoid register_weblogic(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_weblogic, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_wechat.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_wc_pair(uint32_t payloada, uint32_t lena,\n                uint32_t payloadb, uint32_t lenb) {\n\n        if (lena == 16 && MATCH(payloada, 0x00, 0x00, 0x00, 0x10)) {\n                if (lenb == 16 && MATCH(payloadb, 0x00, 0x00, 0x00, 0x10))\n                        return true;\n                if (lenb == 18 && MATCH(payloadb, 0x00, 0x00, 0x00, 0x12))\n                        return true;\n        }\n\n        if (lena == 21 && MATCH(payloada, 0x00, 0x00, 0x00, 0x15)) {\n                if (lenb == 25 && MATCH(payloadb, 0x00, 0x00, 0x00, 0x19))\n                        return true;\n                if (lenb == 21 && MATCH(payloadb, 0x00, 0x00, 0x00, 0x15))\n                        return true;\n        }\n\n        return false;\n\n\n}\n\nstatic inline bool match_wc_ab_request(uint32_t payload, uint32_t len) {\n        /* 
This is 0xab, followed by 4 bytes of length for the first\n         * packet.\n         */\n\n        if (len <= 255 && MATCH(payload, 0xab, 0x00, 0x00, 0x00))\n                return true;\n\n        if (MATCH(payload, 0xab, 0x00, 0x00, 0x01))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_wc_ab_big02(uint32_t payload, uint32_t len) {\n        /* again 0xab followed by length, except this time the length is\n         * for the entire flow.\n         */\n        if (len < 255)\n                return false;\n\n        /* Flows are unlikely to need a full 4 bytes for length so I'm\n         * going to stick 0x00 or 0x01 in the top byte for now */\n        if (MATCH(payload, 0xab, 0x00, ANY, ANY)) {\n                return true;\n        }\n        if (MATCH(payload, 0xab, 0x01, ANY, ANY)) {\n                return true;\n        }\n        return false;\n        \n}\n\nstatic inline bool match_wc_ab_big01(uint32_t payload, uint32_t len) {\n\n        if (len < 100)\n                return false;\n        if (len <= 255 && MATCH(payload, 0xab, 0x00, 0x00, 0x00))\n                return true;\n        if (len > 255 && len < 512 && MATCH(payload, 0xab, 0x00, 0x00, 0x01))\n                return true;\n        if (len >= 512 && len < 768 && MATCH(payload, 0xab, 0x00, 0x00, 0x02))\n                return true;\n        if (len >= 768 && len < 1024 && MATCH(payload, 0xab, 0x00, 0x00, 0x03))\n                return true;\n        return false;\n}\n\nstatic inline bool match_wc_ab_reply(uint32_t payload, uint32_t len) {\n        /* All replies appear to be 41 or 53 bytes */\n\n        if (len != 41 && len != 53)\n                return false;\n\n        if (MATCH(payload, 0xab, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\n/* This appears to be some sort of SSL ripoff */\nstatic inline bool match_wc_ssl_111(uint32_t payload, uint32_t len) {\n        if (len == 111 && MATCH(payload, 0x16, 0xf1, 0x03, 
0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_wc_ssl_166(uint32_t payload, uint32_t len) {\n        if (len == 166 && MATCH(payload, 0x16, 0xf1, 0x03, 0x00))\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_wechat(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\tbool valid_port = false;\n\n\t/* WeChat begins with a very simple 4 byte length field.\n\t * This is not unique to WeChat though, so we need to be careful.\n\t */\n\n\t/* Only observed on port 80, 443, 14000, 10001 or 8080. Because the payload\n\t * signature is not entirely unique to WeChat, let's restrict matches\n\t * to flows using those ports unless it shows up on other ports.\n\t */\n\tif (data->server_port == 80 || data->client_port == 80)\n\t\tvalid_port = true;\n\tif (data->server_port == 8080 || data->client_port == 8080)\n\t\tvalid_port = true;\n\tif (data->server_port == 443 || data->client_port == 443)\n\t\tvalid_port = true;\n\tif (data->server_port == 14000 || data->client_port == 14000)\n\t\tvalid_port = true;\n\tif (data->server_port == 10001 || data->client_port == 10001)\n\t\tvalid_port = true;\n\n\tif (!valid_port)\n\t\treturn false;\n\n\tif (match_wc_pair(data->payload[0], data->payload_len[0],\n                        data->payload[1], data->payload_len[1])) {\n\t\treturn true;\n\t}\n\t\n\tif (match_wc_pair(data->payload[1], data->payload_len[1],\n                        data->payload[0], data->payload_len[0])) {\n\t\treturn true;\n\t}\n\t\n        if (match_wc_ab_request(data->payload[0], data->payload_len[0])) {\n                if (match_wc_ab_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_wc_ab_request(data->payload[1], data->payload_len[1])) {\n                if (match_wc_ab_reply(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_wc_ab_big01(data->payload[0], 
data->payload_len[0])) {\n                if (match_wc_ab_big02(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_wc_ab_big01(data->payload[1], data->payload_len[1])) {\n                if (match_wc_ab_big02(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_wc_ssl_111(data->payload[0], data->payload_len[0])) {\n                if (match_wc_ssl_166(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_wc_ssl_111(data->payload[1], data->payload_len[1])) {\n                if (match_wc_ssl_166(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n\n}\n\nstatic lpi_module_t lpi_wechat = {\n\tLPI_PROTO_WECHAT,\n\tLPI_CATEGORY_CHAT,\n\t\"WeChat\",\n\t10, \n\tmatch_wechat\n};\n\nvoid register_wechat(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_wechat, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_weibo.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_weibo_req(uint32_t payload, uint32_t len) {\n\n        if (len < 230)\n                return false;\n\n        if (payload + 4 == len)\n                return true;\n        return false;\n\n}\n\n\nstatic inline bool match_weibo_resp(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n        if (len == 30 && MATCH(payload, 0x1a, 0x00, 0x00, 0x00))\n                return true;\n        if (len == 37 && MATCH(payload, 0x21, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_weibo(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 8080 && data->client_port != 8080)\n                return false;\n\n        if (match_weibo_req(data->payload[0], data->payload_len[0])) {\n                if 
(match_weibo_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_weibo_req(data->payload[1], data->payload_len[1])) {\n                if (match_weibo_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_weibo = {\n\tLPI_PROTO_WEIBO,\n\tLPI_CATEGORY_CHAT,\n\t\"Weibo\",\n\t15,\n\tmatch_weibo\n};\n\nvoid register_weibo(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_weibo, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_weiqi.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* AKA Fox Go -- Multiplayer Go client included with QQ Games */ \n\nstatic inline bool match_weiqi_tgw(uint32_t payload, uint32_t len) {\n        if (len == 43 && MATCH(payload, 't', 'g', 'w', '_'))\n                return true;\n        return false;\n}\n\nstatic inline bool match_weiqi_other(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x00, 0x0e, 0x0f, 0xa5))\n                return true;\n        return false;\n}\n\nstatic inline bool match_weiqi(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 8000 */\n\n        if (match_weiqi_tgw(data->payload[0], data->payload_len[0])) {\n                if (match_weiqi_other(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_weiqi_tgw(data->payload[1], data->payload_len[1])) {\n                if 
(match_weiqi_other(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_weiqi = {\n\tLPI_PROTO_WEIQI,\n\tLPI_CATEGORY_GAMING,\n\t\"WeiqiQQ\",\n\t20,\n\tmatch_weiqi\n};\n\nvoid register_weiqi(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_weiqi, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_whatsapp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_wa_first(uint32_t payload, uint32_t len) {\n\n\tif (MATCH(payload, 'W', 'A', 0x01, 0x02))\n\t\treturn true;\n\tif (MATCH(payload, 'W', 'A', 0x01, 0x05))\n\t\treturn true;\n\n        if (len == 1 && MATCH(payload, 'W', 0x00, 0x00, 0x00))\n                return true;\n\treturn false;\n\n}\n\nstatic inline bool match_wa_first_20(uint32_t payload, uint32_t len) {\n        /* New protocol version? 2.0? 
*/\n\tif (MATCH(payload, 'W', 'A', 0x02, 0x00))\n\t\treturn true;\n        if (len == 1 && MATCH(payload, 'W', 0x00, 0x00, 0x00))\n                return true;\n\treturn false;\n}\n\nstatic inline bool match_ed_first(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 'E', 'D', 0x00, 0x01))\n                return true;\n        if (len == 1 && MATCH(payload, 'E', 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_wa_second(uint32_t payload, uint32_t len) {\n\tif (len == 0)\n\t\treturn true;\n\t\n\tif (MATCH(payload, 0x00, 0x00, 0x05, 0xf8))\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_wa_second_20(uint32_t payload, uint32_t len) {\n\tuint32_t walen = ntohl(payload) >> 8;\n\n        if (len == 0)\n\t\treturn true;\n\n        if (walen == len - 3) {\n                if (MATCH(payload, ANY, ANY, ANY, 0x1a))\n                        return true;\n        }\n\t\n\treturn false;\n}\n\nstatic inline bool match_wa_fixed_second(uint32_t payload) {\n        if (MATCH(payload, 0x00, 0x00, 0x36, 0x1a)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_whatsapp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* WhatsApp uses a modified form of XMPP and typically runs on\n\t * either port 443 or 5222\n\t */\n\n\tif (match_wa_first(data->payload[0], data->payload_len[0])) {\n\t\tif (match_wa_second(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\t\n\tif (match_wa_first(data->payload[1], data->payload_len[1])) {\n\t\tif (match_wa_second(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\tif (match_wa_first_20(data->payload[0], data->payload_len[0])) {\n\t\tif (match_wa_second_20(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\t\n\tif (match_wa_first_20(data->payload[1], data->payload_len[1])) {\n\t\tif (match_wa_second_20(data->payload[0], data->payload_len[0]))\n\t\t\treturn 
true;\n\t}\n\n        if (match_ed_first(data->payload[0], data->payload_len[0])) {\n\t\tif (match_wa_second_20(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t\tif (match_wa_fixed_second(data->payload[1]))\n\t\t\treturn true;\n\t}\n\n        if (match_ed_first(data->payload[1], data->payload_len[1])) {\n\t\tif (match_wa_second_20(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t\tif (match_wa_fixed_second(data->payload[0]))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n\n}\n\nstatic lpi_module_t lpi_whatsapp = {\n\tLPI_PROTO_WHATSAPP,\n\tLPI_CATEGORY_CHAT,\n\t\"WhatsApp\",\n\t4, \n\tmatch_whatsapp\n};\n\nvoid register_whatsapp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_whatsapp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_whois.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_dot_second(uint32_t payload) {\n\tif (MATCH(payload, ANY, '.', ANY, ANY))\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_dot_third(uint32_t payload) {\n\tif (MATCH(payload, ANY, ANY, '.', ANY))\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_dot_last(uint32_t payload) {\n\tif (MATCH(payload, ANY, ANY, ANY, '.'))\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_digit_first(uint32_t payload) {\n\n\tif (MATCH(payload, '1', ANY, ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, '2', ANY, ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, '3', ANY, ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, '4', ANY, ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, '5', ANY, ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, '6', ANY, ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, 
'7', ANY, ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, '8', ANY, ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, '9', ANY, ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, '0', ANY, ANY, ANY))\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_digit_second(uint32_t payload) {\n\n\tif (MATCH(payload, ANY, '1', ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, ANY, '2', ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, ANY, '3', ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, ANY, '4', ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, ANY, '5', ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, ANY, '6', ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, ANY, '7', ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, ANY, '8', ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, ANY, '9', ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, ANY, '0', ANY, ANY))\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_digit_third(uint32_t payload) {\n\n\tif (MATCH(payload, ANY, ANY, '1', ANY))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, '2', ANY))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, '3', ANY))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, '4', ANY))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, '5', ANY))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, '6', ANY))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, '7', ANY))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, '8', ANY))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, '9', ANY))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, '0', ANY))\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_digit_last(uint32_t payload) {\n\n\tif (MATCH(payload, ANY, ANY, ANY, '1'))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, ANY, '2'))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, ANY, '3'))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, ANY, '4'))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, ANY, '5'))\n\t\treturn true;\n\tif 
(MATCH(payload, ANY, ANY, ANY, '6'))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, ANY, '7'))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, ANY, '8'))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, ANY, '9'))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, ANY, '0'))\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_ipv4_text(uint32_t payload) {\n\n\t/* Gotta start with a digit */\n\tif (!match_digit_first(payload))\n\t\treturn false;\n\n\t/* Matching the case 1.XX */\n\tif (match_dot_second(payload)) {\n\t\t/* Can't have two dots in a row */\n\t\tif (!match_digit_third(payload))\n\t\t\treturn false;\n\n\t\t/* We can have either two digits, e.g. 1.45 */\n\t\tif (match_digit_last(payload))\n\t\t\treturn true;\n\t\t/* Or another dot, e.g. 1.1. */\n\t\tif (match_dot_last(payload))\n\t\t\treturn true;\n\t\treturn false;\n\t} \n\t\n\t/* Not a dot so must be a digit, e.g. 11XX */\n\tif (!match_digit_second(payload)) {\n\t\treturn false;\n\t}\n\n\t/* If the third character is a dot, then we need a digit as the last\n\t * e.g. 10.4 */\n\tif (match_dot_third(payload)) {\n\t\tif (!match_digit_last(payload))\n\t\t\treturn false;\n\t\treturn true;\n\t} \n\n\t/* Third character must be a digit, then */\n\tif (!match_digit_third(payload))\n\t\treturn false;\n\n\t/* If we've got three digits, we must end on a dot - e.g. 192. 
*/\n\tif (match_dot_last(payload))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic inline bool match_md5_option(uint32_t payload) {\n\n\tif (MATCHSTR(payload, \"-V M\"))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_whois(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->server_port != 43 && data->client_port != 43)\n\t\treturn false;\n\n\tif (match_ipv4_text(data->payload[0])) {\n\t\tif (data->payload_len[0] >= 4)\n\t\t\treturn true;\n\t}\n\n\tif (match_md5_option(data->payload[0]))\n\t\treturn true;\n\n\tif (match_ipv4_text(data->payload[1])) {\n\t\tif (data->payload_len[1] >= 4)\n\t\t\treturn true;\n\t}\n\tif (match_md5_option(data->payload[1]))\n\t\treturn true;\n\treturn false;\n}\n\nstatic lpi_module_t lpi_whois = {\n\tLPI_PROTO_WHOIS,\n\tLPI_CATEGORY_SERVICES,\n\t\"Whois\",\n\t20,\n\tmatch_whois\n};\n\nvoid register_whois(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_whois, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_winmx.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_winmx(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"SEND\")) {\n                if (data->payload_len[0] == 1)\n                        return true;\n                if (data->payload_len[1] == 1)\n                        return true;\n        }\n        if (match_chars_either(data, 'G', 'E', 'T', ANY)) {\n                if (data->payload_len[0] == 1)\n                        return true;\n                if (data->payload_len[1] == 1)\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_winmx = {\n\tLPI_PROTO_WINMX,\n\tLPI_CATEGORY_P2P,\n\t\"WinMX\",\n\t4,\t/* Have this lower priority than HTTP - GET-based rule */\n\tmatch_winmx\n};\n\nvoid register_winmx(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_winmx, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_wizard101.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_wiz_23(uint32_t payload, uint32_t len) {\n\n        /* Bytes 3 and 4 are a length field */\n        if (len == 23 && MATCH(payload, 0x0d, 0xf0, 0x13, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_wiz_13(uint32_t payload, uint32_t len) {\n\n        /* Bytes 3 and 4 are a length field */\n        if (len == 13 && MATCH(payload, 0x0d, 0xf0, 0x09, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_wizard101(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_wiz_23(data->payload[0], data->payload_len[0])) {\n                if (match_wiz_13(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_wiz_23(data->payload[1], data->payload_len[1])) {\n                if 
(match_wiz_13(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_wizard101 = {\n\tLPI_PROTO_WIZARD101,\n\tLPI_CATEGORY_GAMING,\n\t\"Wizard101\",\n\t19,\n\tmatch_wizard101\n};\n\nvoid register_wizard101(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_wizard101, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_wns.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_wns(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (MATCH(data->payload[0], 'w', 'n', 's', 0x00)) {\n                if (MATCH(data->payload[1], 'w', 'n', 's', 0x00))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_wns = {\n\tLPI_PROTO_WNS,\n\tLPI_CATEGORY_CLOUD,\n\t\"TencentWNS\",\n\t8,\n\tmatch_wns\n};\n\nvoid register_wns(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_wns, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_wow.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_wow_request(uint32_t payload, uint32_t len) {\n\n        if (!MATCH(payload, 0x00, 0x08, ANY, 0x00))\n                return false;\n\n        payload = ntohl(payload);\n\n        /* 3rd and 4th bytes are the size of the packet, minus the four\n         * byte header */\n        if (htons(payload & 0xffff) == len - 4)\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_wow_response(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n\n        if (len != 119)\n                return false;\n\n        if (!MATCH(payload, 0x00, 0x00, 0x00, ANY))\n                return false;\n\n        return true;\n\n}\n\nstatic inline bool match_wow_s2c(uint32_t payload, uint32_t len) {\n\t/* WoW seems to have changed the server to client protocol recently,\n\t * possibly 
with the new expansion Cataclysm */\n\n\tif (len == 0)\n\t\treturn true;\n\tif (len != 50)\n\t\treturn false;\n\tif (MATCH(payload, 0x30, 0x00, 0x57, 0x4f))\n\t\treturn true;\n\treturn false;\n}\n\n\nstatic inline bool match_wow_2016(uint32_t payload, uint32_t len) {\n        if (len == 47 || len == 48 || len == 52) {\n                if (MATCHSTR(payload, \"WORL\"))\n                        return true;\n        }\n        return false;\n\n}\n\n\nstatic inline bool match_china_wow(uint32_t payload, uint32_t len) {\n        if (len == 57 || len == 59) {\n                if (MATCH(payload, 0x05, 0x01, 0x93, 0x01))\n                        return true;\n                if (MATCH(payload, 0x05, 0x01, 0x99, 0x01))\n                        return true;\n        }\n\n        /* New alternative -- clearly a length field, rest of packet\n         * is mostly JSON */\n        if (len == 112 && MATCH(payload, 0x00, 0x00, 0x00, 0x6c))\n                return true;\n        if (len == 113 && MATCH(payload, 0x00, 0x00, 0x00, 0x6d))\n                return true;\n        if (len == 114 && MATCH(payload, 0x00, 0x00, 0x00, 0x6e))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_china_wow512(uint32_t payload, uint32_t len) {\n        if (len == 512 && MATCH(payload, 0x00, 0x01, 0x00, 0x25))\n                return true;\n        return false;\n}\n\nstatic inline bool match_china_wow03(uint32_t payload, uint32_t len) {\n\n        uint32_t hdrlen;\n        uint32_t swapped;\n\n        if (!MATCH(payload, 0x03, 0x00, ANY, ANY)) {\n                return false;\n        }\n\n        /* bytes 3 and 4 are a length field, but in little endian */\n        hdrlen = ntohl(payload);\n        swapped = ((hdrlen & 0xff) << 8) + ((hdrlen & 0xff00) >> 8);\n\n        if (swapped == len) {\n                return true;\n        }\n\n        return false;\n}\n\nstatic inline bool chinese_wow_port(lpi_data_t *data) {\n        if (data->server_port >= 8000 && 
data->server_port <= 8002)\n                return true;\n        if (data->client_port >= 8000 && data->client_port <= 8002)\n                return true;\n        if (data->server_port == 443 || data->client_port == 443)\n                return true;\n        if (data->server_port == 2082 || data->client_port == 2082)\n                return true;\n        return false;\n}\n\nstatic inline bool match_wow(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t if (match_wow_request(data->payload[0], data->payload_len[0])) {\n                if (match_wow_response(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_wow_request(data->payload[1], data->payload_len[1])) {\n                if (match_wow_response(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\tif (match_wow_s2c(data->payload[0], data->payload_len[0])) {\n\t\tif (match_wow_s2c(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\t\n        if (data->server_port == 3724 || data->client_port == 3724) {\n                /* New initial exchange observed in packet traces from 2016 */\n                if (match_wow_2016(data->payload[0], data->payload_len[0]) &&\n                                match_wow_2016(data->payload[1],\n                                                data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        /* Chinese WOW is a little different */\n        if (chinese_wow_port(data)) {\n                if (match_wow_2016(data->payload[0], data->payload_len[0])) {\n                        if (match_wow_2016(data->payload[1], data->payload_len[1]))\n                                return true;\n\n                        if (match_china_wow(data->payload[1], data->payload_len[1]))\n                                return true;\n                }\n\n                if (match_wow_2016(data->payload[1], data->payload_len[1])) {\n     
                   if (match_china_wow(data->payload[0], data->payload_len[0]))\n                                return true;\n                }\n\n                if (match_china_wow(data->payload[0], data->payload_len[0])) {\n                        if (match_china_wow03(data->payload[1], data->payload_len[1]))\n                                return true;\n                        if (match_china_wow512(data->payload[1], data->payload_len[1]))\n                                return true;\n                }\n\n                if (match_china_wow(data->payload[1], data->payload_len[1])) {\n                        if (match_china_wow03(data->payload[0], data->payload_len[0]))\n                                return true;\n                        if (match_china_wow512(data->payload[0], data->payload_len[0]))\n                                return true;\n                }\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_wow = {\n\tLPI_PROTO_WOW,\n\tLPI_CATEGORY_GAMING,\n\t\"WorldOfWarcraft\",\n\t4,\t/* Not super-strong, especially for one-way */\n\tmatch_wow\n};\n\nvoid register_wow(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_wow, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_wuala.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_wuala_out(uint32_t payload, uint32_t len) {\n\n\tif (len != 18)\n\t\treturn false;\n\tif (!MATCH(payload, 0xfe, 0x08, 0x00, 0x00))\n\t\treturn false;\n\treturn true;\n\n}\n\nstatic inline bool match_wuala_in(uint32_t payload, uint32_t len) {\n\n\tif (len != 18)\n\t\treturn false;\n\tif (!MATCH(payload, 0xfe, 0x18, 0x00, 0x00))\n\t\treturn false;\n\treturn true;\n\n}\n\nstatic inline bool match_wuala(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_wuala_out(data->payload[0], data->payload_len[0])) {\n\t\tif (match_wuala_in(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_wuala_out(data->payload[1], data->payload_len[1])) {\n\t\tif (match_wuala_in(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\treturn false;\n}\n\nstatic lpi_module_t lpi_wuala = 
{\n\tLPI_PROTO_WUALA,\n\tLPI_CATEGORY_CLOUD,\n\t\"Wuala\",\n\t6,\n\tmatch_wuala\n};\n\nvoid register_wuala(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_wuala, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_xiami.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_xiami(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->payload_len[0] == 187 && data->payload_len[1] == 0) {\n                if (MATCH(data->payload[0], 0xbb, 0x00, 0x00, 0x00))\n                        return true;\n        }\n\n        if (data->payload_len[1] == 187 && data->payload_len[0] == 0) {\n                if (MATCH(data->payload[1], 0xbb, 0x00, 0x00, 0x00))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_xiami = {\n\tLPI_PROTO_XIAMI,\n\tLPI_CATEGORY_STREAMING,\n\t\"Xiami\",\n\t34,\n\tmatch_xiami\n};\n\nvoid register_xiami(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_xiami, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_xmpp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_xmpp_payload(uint32_t data, uint32_t len) {\n\n\tif (MATCHSTR(data, \"<?xm\"))\n\t\treturn true;\n\tif (MATCHSTR(data, \"<str\"))\n\t\treturn true;\n\tif (MATCHSTR(data, \"<pre\"))\n\t\treturn true;\n\n\tif (MATCH(data, 0x20, 0x20, 0x20, 0x20) && len == 147)\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_xmpp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* If this is overmatching, enforce TCP port 5222 */\n\n\tif (!match_xmpp_payload(data->payload[0], data->payload_len[0]))\n\t\treturn false;\n\tif (!match_xmpp_payload(data->payload[1], data->payload_len[1]))\n\t\treturn false;\n\t\n\n\treturn true;\n}\n\nstatic lpi_module_t lpi_xmpp = {\n\tLPI_PROTO_XMPP,\n\tLPI_CATEGORY_CHAT,\n\t\"XMPP\",\n\t4,\n\tmatch_xmpp\n};\n\nvoid register_xmpp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_xmpp, 
mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_xmpps.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_gtalk(lpi_data_t *data) {\n\n\t/* This rule matches the encrypted traffic sent to google talk\n\t * clients */ \n\n\tif (!match_ssl(data))\n\t\treturn false;\n\t\n\t/* Port 5228 is used for this */\n\tif (data->server_port != 5228 && data->client_port != 5228)\n\t\treturn false;\n\n\t/* Try and avoid false positives using payload size checks */\n\n\tif (data->payload_len[0] == 80 ||\n\t\t\tdata->payload_len[0] == 120 ||\n\t\t\tdata->payload_len[0] == 118 ||\n\t\t\tdata->payload_len[0] == 184)\n\t\treturn true;\n\t\n\tif (data->payload_len[1] == 80 ||\n\t\t\tdata->payload_len[1] == 120 ||\n\t\t\tdata->payload_len[1] == 118 ||\n\t\t\tdata->payload_len[1] == 184)\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic inline bool match_facebook_chat(lpi_data_t *data) {\n\n\t/* This rule matches the encrypted traffic sent to facebook 
chat\n\t * clients */ \n\n\tif (!match_ssl(data))\n\t\treturn false;\n\t\n\t/* Port 8883 is used for this */\n\tif (data->server_port != 8883 && data->client_port != 8883)\n\t\treturn false;\n\n\treturn true;\n}\n\nstatic inline bool match_xmpps(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_gtalk(data))\n\t\treturn true;\n\tif (match_facebook_chat(data))\n\t\treturn true;\n\n\treturn false;\n\n}\n\nstatic lpi_module_t lpi_xmpps = {\n\tLPI_PROTO_XMPPS,\n\tLPI_CATEGORY_CHAT,\n\t\"XMPPS\",\n\t10, \n\tmatch_xmpps\n};\n\nvoid register_xmpps(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_xmpps, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_xunlei.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_shuijing_44(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x44, 0x00, 0x00, 0x00))\n                return true;\n        if (MATCH(payload, 0x42, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_shuijing_3e(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x3e, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_shuijing_41(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x41, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_shuijing_46(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x46, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_shuijing_43(uint32_t 
payload, uint32_t len) {\n        if (len == 9 && MATCH(payload, 0x43, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_xunlei_3e(uint32_t payload, uint32_t len) {\n        if (len == 132 && MATCH(payload, 0x3e, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_xunlei_36(uint32_t payload, uint32_t len) {\n        if (len == 51 && MATCH(payload, 0x36, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_xunlei(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/*\n        if (match_str_both(data, \"\\x3c\\x00\\x00\\x00\", \"\\x3c\\x00\\x00\\x00\"))\n                return true;\n        if (match_str_both(data, \"\\x3d\\x00\\x00\\x00\", \"\\x39\\x00\\x00\\x00\"))\n                return true;\n        if (match_str_both(data, \"\\x3d\\x00\\x00\\x00\", \"\\x3a\\x00\\x00\\x00\"))\n                return true;\n        */\n\n        if (match_str_both(data, \"\\x29\\x00\\x00\\x00\", \"\\x29\\x00\\x00\\x00\"))\n                return true;\n        if (match_str_both(data, \"\\x36\\x00\\x00\\x00\", \"\\x33\\x00\\x00\\x00\"))\n                return true;\n        if (match_str_both(data, \"\\x36\\x00\\x00\\x00\", \"\\x36\\x00\\x00\\x00\"))\n                return true;\n        if (match_str_either(data, \"\\x33\\x00\\x00\\x00\")) {\n                if (data->payload_len[0] == 0 && data->payload_len[1] == 87)\n                        return true;\n                if (data->payload_len[1] == 0 && data->payload_len[0] == 87)\n                        return true;\n        }\n\n        if (match_str_either(data, \"\\x36\\x00\\x00\\x00\")) {\n                if (data->payload_len[0] == 0 && data->payload_len[1] == 71)\n                        return true;\n                if (data->payload_len[1] == 0 && data->payload_len[0] == 71)\n                        return true;\n        }\n\n        if (match_str_either(data, 
\"\\x29\\x00\\x00\\x00\")) {\n                if (data->payload_len[0] == 0)\n                        return true;\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n\n        /* Pretty sure this is \"Thunder Crystal\" (a.k.a. Xunlei Shuijing),\n         * a P2P approach to doing CDN. Uses TCP port 4593, usually.\n         * Ref: http://dl.acm.org/citation.cfm?id=2736085\n         *\n         * XXX Should this be a separate protocol?\n         */\n\n        if (match_shuijing_44(data->payload[0], data->payload_len[0])) {\n                if (match_shuijing_3e(data->payload[1], data->payload_len[1]))\n                        return true;\n                if (match_shuijing_46(data->payload[1], data->payload_len[1]))\n                        return true;\n                if (match_shuijing_44(data->payload[1], data->payload_len[1]))\n                        return true;\n                if (match_shuijing_43(data->payload[1], data->payload_len[1]))\n                        return true;\n                if (match_shuijing_41(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n        if (match_shuijing_44(data->payload[1], data->payload_len[1])) {\n                if (match_shuijing_3e(data->payload[0], data->payload_len[0]))\n                        return true;\n                if (match_shuijing_46(data->payload[0], data->payload_len[0]))\n                        return true;\n                if (match_shuijing_44(data->payload[0], data->payload_len[0]))\n                        return true;\n                if (match_shuijing_43(data->payload[0], data->payload_len[0]))\n                        return true;\n                if (match_shuijing_41(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        \n        /* Almost certainly Xunlei-related, appears on port 8080 to hosts\n         * that are in subnets used by Xunlei. 
Many IP ranges appear in\n         * http://ipfilter-emule.googlecode.com/svn/trunk/ipfilter-xl/.htaccess?id=htxl\n         * \n         * Update: the above URL no longer exists, but thankfully archive.org\n         * has saved a copy:\n         *   http://web.archive.org/web/20160410231755/http://ipfilter-emule.googlecode.com/svn/trunk/ipfilter-xl/.htaccess\n         */\n\n        if (match_xunlei_3e(data->payload[0], data->payload_len[0])) {\n                if (match_xunlei_36(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_xunlei_3e(data->payload[1], data->payload_len[1])) {\n                if (match_xunlei_36(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_xunlei = {\n\tLPI_PROTO_XUNLEI,\n\tLPI_CATEGORY_P2P,\n\t\"Xunlei\",\n\t3,\n\tmatch_xunlei\n};\n\nvoid register_xunlei(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_xunlei, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_xunlei_accel.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\n/* This protocol is definitely tied up with Xunlei. 
It appears to only be\n * used when using the \"accelerated\" download option in the Thunder client.\n * Basically, the download will be accelerated by pulling parts of the content\n * from servers owned by Xunlei in addition to the standard P2P downloading\n * from other Xunlei users.\n *\n * Not 100% sure this should be a separate protocol, but the distinction\n * compared with the other Xunlei stuff is possibly interesting.\n */\n\n/* NOTE: we see a lot of other xunlei traffic with a similar payload pattern\n * on other ports but the payload sizes don't match up so I suspect this is\n * 'other' thunder traffic of some sort.\n */\n\nstatic inline bool match_xaccel_req(uint32_t payload, uint32_t len) {\n\n        uint32_t byte4;\n        /* Byte 4 must be either 0x4X or 0x5X */\n        \n        byte4 = (ntohl(payload) & 0xff);\n\n        if (byte4 < 0x40 || byte4 > 0x5f)\n                return false;\n\n        /* Observed requests seem to fall in a very specific packet size\n         * range (at least the stuff on port 8080 does) \n         */\n        if (len >= 532 && len <= 542)\n                return true;\n        if (len >= 309 && len <= 312)\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_xaccel_resp(uint32_t payload, uint32_t len) {\n\n        uint32_t byte4;\n        /* Byte 4 must be either 0x4X or 0x5X */\n        \n        byte4 = (ntohl(payload) & 0xff);\n\n        if (byte4 < 0x40 || byte4 > 0x5f)\n                return false;\n\n        /* Observed requests seem to fall in a very specific packet size\n         * range (at least the stuff on port 8080 does) \n         */\n        if (len >= 104 && len <= 116)\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_xunlei_accel(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Tough to match reliably -- we don't have a lot to go on */\n\n        /* The Xunlei-controlled servers all seem to listen on port 8080 */\n      
  if (data->server_port != 8080 && data->client_port != 8080)\n                return false;\n\n        if (match_xaccel_req(data->payload[0], data->payload_len[0])) {\n                if (match_xaccel_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_xaccel_req(data->payload[1], data->payload_len[1])) {\n                if (match_xaccel_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_xunlei_accel = {\n\tLPI_PROTO_XUNLEI_ACCEL,\n\tLPI_CATEGORY_P2P,\n\t\"XunleiAccelerated\",\n\t240,\n\tmatch_xunlei_accel\n};\n\nvoid register_xunlei_accel(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_xunlei_accel, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_xymon.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_xymon(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Xymon aka \"Big Brother\" aka \"Hobbit\" */\n\n\t/* Runs over port 1984 - clever :) */\n\tif (data->server_port != 1984 && data->client_port != 1984)\n\t\treturn false;\n\n\tif (match_chars_either(data, 's', 't', 'a', 't'))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_xymon = {\n\tLPI_PROTO_XYMON,\n\tLPI_CATEGORY_MONITORING,\n\t\"Xymon\",\n\t6,\n\tmatch_xymon\n};\n\nvoid register_xymon(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_xymon, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_yahoo.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_yahoo(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\t/* Yahoo messenger starts with YMSG */\n        if (match_str_either(data, \"YMSG\")) return true;\n\n        /* Some flows start with YAHO - I'm going to go with my gut instinct */\n        if (match_str_either(data, \"YAHO\")) return true;\n\n        /* Some versions appear to use <Yms as the beginning */\n        if (match_str_either(data, \"<Yms\")) return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_yahoo = {\n\tLPI_PROTO_YAHOO,\n\tLPI_CATEGORY_CHAT,\n\t\"Yahoo\",\n\t3,\n\tmatch_yahoo\n};\n\nvoid register_yahoo(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_yahoo, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_yahoo_error.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_yahoo_error(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Yahoo seems to respond to HTTP errors in a really odd way - it\n         * opens up a new connection and just sends raw HTML with the\n         * error message in it. 
Not sure how they expect that to work, though.\n         */\n\n        if (data->payload_len[0] != 0 && data->payload_len[1] != 0)\n                return false;\n\n        /* The html isn't entirely valid either - they start with <HEAD>\n         * rather than <HTML>...\n         */\n        if (match_str_either(data, \"<HEA\"))\n                return true;\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_yahoo_error = {\n\tLPI_PROTO_YAHOO_ERROR,\n\tLPI_CATEGORY_CHAT,\n\t\"YahooError\",\n\t10,\t/* This rule is a bit odd */\n\tmatch_yahoo_error\n};\n\nvoid register_yahoo_error(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_yahoo_error, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_yahoo_games.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* This traffic all seems to go to games.X.yahoo.com, so I'm going to assume\n * that this is Yahoo Games */\n\nstatic inline bool match_yahoo_games_req(uint32_t payload, uint32_t len) {\n\n        if (len != 1)\n                return false;\n        if (!MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return false;\n        return true;\n\n}\n\nstatic inline bool match_yahoo_games_resp(uint32_t payload, uint32_t len) {\n\n        if (len != 22)\n                return false;\n        if (!MATCH(payload, 0x81, 0xd3, 0x70, 0x6c))\n                return false;\n        return true;\n\n}\n\nstatic inline bool match_yahoo_games(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_yahoo_games_req(data->payload[0], data->payload_len[0])) {\n                if (match_yahoo_games_resp(data->payload[1], data->payload_len[1])) {\n        
                return true;\n                }\n        }\n        if (match_yahoo_games_req(data->payload[1], data->payload_len[1])) {\n                if (match_yahoo_games_resp(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_yahoo_games = {\n\tLPI_PROTO_YAHOO_GAMES,\n\tLPI_CATEGORY_GAMING,\n\t\"YahooGames\",\n\t4,\n\tmatch_yahoo_games\n};\n\nvoid register_yahoo_games(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_yahoo_games, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_yahoo_webcam.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_yahoo_webcam(lpi_data_t *data, \n\t\tlpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"<SND\"))\n                return true;\n        if (match_str_either(data, \"<REQ\"))\n                return true;\n        if (match_chars_either(data, 0x0d, 0x00, 0x05, 0x00))\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_yahoo_webcam = {\n\tLPI_PROTO_YAHOO_WEBCAM,\n\tLPI_CATEGORY_CHAT,\n\t\"Yahoo_Webcam\",\n\t3, \n\tmatch_yahoo_webcam\n};\n\nvoid register_yahoo_webcam(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_yahoo_webcam, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_youku.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_youku_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* This took a lot of detective work and liberal use of Google\n\t * translate to figure out what protocol this pattern matched */\n\n\tif (match_youku_payload(data->payload[0], data->payload_len[0])) {\n\t\tif (match_youku_payload(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_youku = {\n\tLPI_PROTO_YOUKU,\n\tLPI_CATEGORY_STREAMING,\n\t\"Youku\",\n\t4,\n\tmatch_youku_tcp\n};\n\nvoid register_youku_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_youku, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_yy_tcp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\n/* YY Live Streaming from China */\n/* Unfortunately YY uses a 4 byte length field (albeit in little endian\n * byte order) so there's a good chance this rule will get a few FPs :/\n */\nstatic inline bool match_yy_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_yy_payload(data->payload[0], data->payload_len[0])) {\n                if (match_yy_payload(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_yy_tcp = {\n\tLPI_PROTO_YY,\n\tLPI_CATEGORY_STREAMING,\n\t\"YY_TCP\",\n\t200,\n\tmatch_yy_tcp\n};\n\nvoid register_yy_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_yy_tcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_zabbix.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_zabbix(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"ZBXD\"))\n\t\treturn true;\n\n        /* Everything below this line requires one of the ports to be the\n         * default zabbix port */\n        if (data->server_port != 10050 && data->client_port != 10050)\n                return false;\n\n        /* Zabbix Windows performance counters \n         * TODO capture some genuine responses and match on those too */\n        if (MATCH(data->payload[0], 'p', 'e', 'r', 'f'))\n                return true;\n        if (MATCH(data->payload[1], 'p', 'e', 'r', 'f'))\n                return true;\n\n        if (MATCH(data->payload[0], 's', 'y', 's', 't'))\n                return true;\n        if (MATCH(data->payload[1], 's', 'y', 's', 't'))\n                return true;\n\n\treturn false;\n}\n\nstatic 
lpi_module_t lpi_zabbix = {\n\tLPI_PROTO_ZABBIX,\n\tLPI_CATEGORY_MONITORING,\n\t\"Zabbix\",\n\t5,\n\tmatch_zabbix\n};\n\nvoid register_zabbix(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_zabbix, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_zero.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Zero: a modified version of QUIC crypto used by Facebook until TLS 1.3 is\n * available.\n * \n * See http://cryptologie.net/article/321/real-world-crypto-day-2/ for a bit\n * more detail.\n */\n\nstatic inline bool match_zero_fb_chlo(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, '1', 'Q', 'T', 'V'))\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_zero_fb_shlo(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n        if (MATCH(payload, '1', 'Q', 'T', 'V'))\n                return true;\n        if (MATCH(payload, 0x30, ANY, 0x0c, 0x00))\n                return true;\n        if (MATCH(payload, 0x30, ANY, 0x0d, 0x00))\n                return true;\n        if (MATCH(payload, 0x30, 0x11, 0x0f, 0x00))\n                return true;\n        if (MATCH(payload, 
0x30, 0x14, 0x05, 0x00))\n                return true;\n        if (MATCH(payload, 0x30, ANY, 0x00, 0x00))\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_zero_facebook(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 443 && data->client_port != 443)\n                return false;\n\n        if (match_zero_fb_chlo(data->payload[0], data->payload_len[0])) {\n                if (match_zero_fb_shlo(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_zero_fb_chlo(data->payload[1], data->payload_len[1])) {\n                if (match_zero_fb_shlo(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_zero_facebook = {\n\tLPI_PROTO_ZERO_FACEBOOK,\n\tLPI_CATEGORY_WEB,\n\t\"Zero_Facebook\",\n\t5,\n\tmatch_zero_facebook\n};\n\nvoid register_zero_facebook(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_zero_facebook, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_zoom_tcp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_zoom_01(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x01, 0x00, 0x6c, 0x00) && len == 111)\n                return true;\n        if (MATCH(payload, 0x01, 0x00, 0x6a, 0x00) && len == 109)\n                return true;\n        if (MATCH(payload, 0x01, 0x00, 0x83, 0x00) && len == 134)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_zoom_02(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x02, 0x00, 0x22, 0x00) && len == 37)\n                return true;\n        if (MATCH(payload, 0x02, 0x00, 0x24, 0x00) && len == 39)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_zoom_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 8801 && data->client_port != 8801) {\n                return 
false;\n        }\n\n        /* Byte 4 must match in both directions */\n        if ((data->payload[0] & 0xff000000) != (data->payload[1] & 0xff000000))\n                return false;\n\n        if (match_zoom_01(data->payload[0], data->payload_len[0])) {\n                if (match_zoom_02(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_zoom_01(data->payload[1], data->payload_len[1])) {\n                if (match_zoom_02(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_zoom_tcp = {\n\tLPI_PROTO_ZOOM,\n\tLPI_CATEGORY_VOIP,\n\t\"ZoomTCP\",\n\t5,\n\tmatch_zoom_tcp\n};\n\nvoid register_zoom_tcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_zoom_tcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/lpi_zynga.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_zynga(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_both(data, \"pres\", \"3 se\"))\n\t\treturn true;\n\tif (match_str_both(data, \"pres\", \"4 se\"))\n\t\treturn true;\n\tif (match_str_both(data, \"imsg\", \"4 se\"))\n\t\treturn true;\n\n\t/* Flash facebook games */\n\tif (match_str_both(data, \"<msg\", \"<?xm\")) {\n\t\tif (data->server_port == 9339 || data->client_port == 9339)\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_zynga = {\n\tLPI_PROTO_ZYNGA,\n\tLPI_CATEGORY_GAMING,\n\t\"Zynga\",\n\t3,\n\tmatch_zynga\n};\n\nvoid register_zynga(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_zynga, mod_map);\n}\n\n"
  },
  {
    "path": "lib/tcp/tcp_protocols.h",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n#ifndef TCP_PROTOCOLS_H_\n#define TCP_PROTOCOLS_H_\n\n#include \"proto_manager.h\"\n\nvoid register_300heroes(LPIModuleMap *mod_map);\nvoid register_360safeguard(LPIModuleMap *mod_map);\nvoid register_4d(LPIModuleMap *mod_map);\nvoid register_acestream(LPIModuleMap *mod_map);\nvoid register_afp(LPIModuleMap *mod_map);\nvoid register_airdroid(LPIModuleMap *mod_map);\nvoid register_airmedia(LPIModuleMap *mod_map);\nvoid register_akamai_tcp(LPIModuleMap *mod_map);\nvoid register_amp(LPIModuleMap *mod_map);\nvoid register_antcoin(LPIModuleMap *mod_map);\nvoid register_appearin(LPIModuleMap *mod_map);\nvoid register_apple_push(LPIModuleMap *mod_map);\nvoid register_ares(LPIModuleMap *mod_map);\nvoid register_badbaidu(LPIModuleMap *mod_map);\nvoid register_baofeng_tcp(LPIModuleMap *mod_map);\nvoid register_beam(LPIModuleMap *mod_map);\nvoid register_bitcoin(LPIModuleMap *mod_map);\nvoid register_bitextend(LPIModuleMap *mod_map);\nvoid register_bittorrent(LPIModuleMap 
*mod_map);\nvoid register_blackdesert(LPIModuleMap *mod_map);\nvoid register_blizzard(LPIModuleMap *mod_map);\nvoid register_btsync(LPIModuleMap *mod_map);\nvoid register_bwsyncandshare(LPIModuleMap *mod_map);\nvoid register_cacaoweb(LPIModuleMap *mod_map);\nvoid register_cgp(LPIModuleMap *mod_map);\nvoid register_chatango(LPIModuleMap *mod_map);\nvoid register_cisco_vpn(LPIModuleMap *mod_map);\nvoid register_clashofclans(LPIModuleMap *mod_map);\nvoid register_classin_tcp(LPIModuleMap *mod_map);\nvoid register_clubbox(LPIModuleMap *mod_map);\nvoid register_cod_waw(LPIModuleMap *mod_map);\nvoid register_conquer(LPIModuleMap *mod_map);\nvoid register_crashplan(LPIModuleMap *mod_map);\nvoid register_crossfire_tcp(LPIModuleMap *mod_map);\nvoid register_cryptic(LPIModuleMap *mod_map);\nvoid register_cvs(LPIModuleMap *mod_map);\nvoid register_dahua_tcp(LPIModuleMap *mod_map);\nvoid register_dash(LPIModuleMap *mod_map);\nvoid register_dell_backup(LPIModuleMap *mod_map);\nvoid register_destiny(LPIModuleMap *mod_map);\nvoid register_diablo3(LPIModuleMap *mod_map);\nvoid register_dianping_tcp(LPIModuleMap *mod_map);\nvoid register_directconnect(LPIModuleMap *mod_map);\nvoid register_dnf(LPIModuleMap *mod_map);\nvoid register_dns_tcp(LPIModuleMap *mod_map);\nvoid register_dogecoin(LPIModuleMap *mod_map);\nvoid register_douyu(LPIModuleMap *mod_map);\nvoid register_douyu_chat(LPIModuleMap *mod_map);\nvoid register_duelingnetwork(LPIModuleMap *mod_map);\nvoid register_dvrns(LPIModuleMap *mod_map);\nvoid register_dxp(LPIModuleMap *mod_map);\nvoid register_ea_games(LPIModuleMap *mod_map);\nvoid register_emule(LPIModuleMap *mod_map);\nvoid register_ethernetip(LPIModuleMap *mod_map);\nvoid register_eye(LPIModuleMap *mod_map);\nvoid register_facebook_turn(LPIModuleMap *mod_map);\nvoid register_fb_message(LPIModuleMap *mod_map);\nvoid register_fbcdn_ssl(LPIModuleMap *mod_map);\nvoid register_ffxiv(LPIModuleMap *mod_map);\nvoid register_filenori(LPIModuleMap *mod_map);\nvoid 
register_flash(LPIModuleMap *mod_map);\nvoid register_fliggy(LPIModuleMap *mod_map);\nvoid register_fring(LPIModuleMap *mod_map);\nvoid register_ftpcontrol(LPIModuleMap *mod_map);\nvoid register_ftpdata(LPIModuleMap *mod_map);\nvoid register_fuckcoin(LPIModuleMap *mod_map);\nvoid register_funshion_tcp(LPIModuleMap *mod_map);\nvoid register_gamespy_tcp(LPIModuleMap *mod_map);\nvoid register_gcafe_updater(LPIModuleMap *mod_map);\nvoid register_giop(LPIModuleMap *mod_map);\nvoid register_git(LPIModuleMap *mod_map);\nvoid register_glupteba(LPIModuleMap *mod_map);\nvoid register_gnutella(LPIModuleMap *mod_map);\nvoid register_goku(LPIModuleMap *mod_map);\nvoid register_googlehangouts(LPIModuleMap *mod_map);\nvoid register_graalonlineera(LPIModuleMap *mod_map);\nvoid register_guildwars2(LPIModuleMap *mod_map);\nvoid register_hamachi(LPIModuleMap *mod_map);\nvoid register_harveys(LPIModuleMap *mod_map);\nvoid register_hearthstone(LPIModuleMap *mod_map);\nvoid register_hola(LPIModuleMap *mod_map);\nvoid register_hots_tcp(LPIModuleMap *mod_map);\nvoid register_http_badport(LPIModuleMap *mod_map);\nvoid register_http(LPIModuleMap *mod_map);\nvoid register_http_nonstandard(LPIModuleMap *mod_map);\nvoid register_https(LPIModuleMap *mod_map);\nvoid register_http_tunnel(LPIModuleMap *mod_map);\nvoid register_ica(LPIModuleMap *mod_map);\nvoid register_icep(LPIModuleMap *mod_map);\nvoid register_id(LPIModuleMap *mod_map);\nvoid register_idrivesync(LPIModuleMap *mod_map);\nvoid register_ihexin(LPIModuleMap *mod_map);\nvoid register_imap(LPIModuleMap *mod_map);\nvoid register_imaps(LPIModuleMap *mod_map);\nvoid register_imesh(LPIModuleMap *mod_map);\nvoid register_invalid(LPIModuleMap *mod_map);\nvoid register_invalid_bittorrent(LPIModuleMap *mod_map);\nvoid register_invalid_http(LPIModuleMap *mod_map);\nvoid register_invalid_pop(LPIModuleMap *mod_map);\nvoid register_invalid_smtp(LPIModuleMap *mod_map);\nvoid register_ipfs(LPIModuleMap *mod_map);\nvoid register_ipop(LPIModuleMap 
*mod_map);\nvoid register_ipsharkk(LPIModuleMap *mod_map);\nvoid register_irc(LPIModuleMap *mod_map);\nvoid register_java(LPIModuleMap *mod_map);\nvoid register_jedi(LPIModuleMap *mod_map);\nvoid register_jx3online(LPIModuleMap *mod_map);\nvoid register_kakao(LPIModuleMap *mod_map);\nvoid register_kankan_tcp(LPIModuleMap *mod_map);\nvoid register_kaseya(LPIModuleMap *mod_map);\nvoid register_kaspersky(LPIModuleMap *mod_map);\nvoid register_kik(LPIModuleMap *mod_map);\nvoid register_kingofglory_tcp(LPIModuleMap *mod_map);\nvoid register_kuaibo(LPIModuleMap *mod_map);\nvoid register_ldap(LPIModuleMap *mod_map);\nvoid register_lifeforge(LPIModuleMap *mod_map);\nvoid register_line(LPIModuleMap *mod_map);\nvoid register_litecoin(LPIModuleMap *mod_map);\nvoid register_llp2p(LPIModuleMap *mod_map);\nvoid register_maplestory_china(LPIModuleMap *mod_map);\nvoid register_maxicloud(LPIModuleMap *mod_map);\nvoid register_message4u(LPIModuleMap *mod_map);\nvoid register_minecraft(LPIModuleMap *mod_map);\nvoid register_mitglieder(LPIModuleMap *mod_map);\nvoid register_mms(LPIModuleMap *mod_map);\nvoid register_mongo(LPIModuleMap *mod_map);\nvoid register_mp2p(LPIModuleMap *mod_map);\nvoid register_msn(LPIModuleMap *mod_map);\nvoid register_msnc(LPIModuleMap *mod_map);\nvoid register_msnv(LPIModuleMap *mod_map);\nvoid register_munin(LPIModuleMap *mod_map);\nvoid register_mysql(LPIModuleMap *mod_map);\nvoid register_mystery_8000(LPIModuleMap *mod_map);\nvoid register_mystery_9000(LPIModuleMap *mod_map);\nvoid register_mystery_conn(LPIModuleMap *mod_map);\nvoid register_mystery_iG(LPIModuleMap *mod_map);\nvoid register_mystery_pspr(LPIModuleMap *mod_map);\nvoid register_mystery_rxxf(LPIModuleMap *mod_map);\nvoid register_mystery_symantec(LPIModuleMap *mod_map);\nvoid register_mzinga(LPIModuleMap *mod_map);\nvoid register_naverp2p(LPIModuleMap *mod_map);\nvoid register_ncsoft(LPIModuleMap *mod_map);\nvoid register_ndt_tput(LPIModuleMap *mod_map);\nvoid register_netbios(LPIModuleMap 
*mod_map);\nvoid register_netcat_cctv(LPIModuleMap *mod_map);\nvoid register_netmfp(LPIModuleMap *mod_map);\nvoid register_nntp(LPIModuleMap *mod_map);\nvoid register_nntps(LPIModuleMap *mod_map);\nvoid register_nomachine(LPIModuleMap *mod_map);\nvoid register_norton_backup(LPIModuleMap *mod_map);\nvoid register_notes_rpc(LPIModuleMap *mod_map);\nvoid register_tcp_no_payload(LPIModuleMap *mod_map);\nvoid register_tcp_no_firstpkt(LPIModuleMap *mod_map);\nvoid register_nsq(LPIModuleMap *mod_map);\nvoid register_omegle(LPIModuleMap *mod_map);\nvoid register_openvpn(LPIModuleMap *mod_map);\nvoid register_ourworld(LPIModuleMap *mod_map);\nvoid register_palringo(LPIModuleMap *mod_map);\nvoid register_paltalk(LPIModuleMap *mod_map);\nvoid register_pandatv(LPIModuleMap *mod_map);\nvoid register_pando(LPIModuleMap *mod_map);\nvoid register_pathofexile(LPIModuleMap *mod_map);\nvoid register_pdbox(LPIModuleMap *mod_map);\nvoid register_pop3(LPIModuleMap *mod_map);\nvoid register_pop3s(LPIModuleMap *mod_map);\nvoid register_postgresql(LPIModuleMap *mod_map);\nvoid register_pptp(LPIModuleMap *mod_map);\nvoid register_psn_store(LPIModuleMap *mod_map);\nvoid register_qcloud_ilvb(LPIModuleMap *mod_map);\nvoid register_qq_tcp(LPIModuleMap *mod_map);\nvoid register_qqdownload(LPIModuleMap *mod_map);\nvoid register_qqlive_tcp(LPIModuleMap *mod_map);\nvoid register_qqspeedmobile_tcp(LPIModuleMap *mod_map);\nvoid register_qvod(LPIModuleMap *mod_map);\nvoid register_rabbitmq(LPIModuleMap *mod_map);\nvoid register_ragnarokonline(LPIModuleMap *mod_map);\nvoid register_razor(LPIModuleMap *mod_map);\nvoid register_rbls(LPIModuleMap *mod_map);\nvoid register_rdp(LPIModuleMap *mod_map);\nvoid register_realmofthemadgod(LPIModuleMap *mod_map);\nvoid register_realvnc(LPIModuleMap *mod_map);\nvoid register_rejection(LPIModuleMap *mod_map);\nvoid register_relay(LPIModuleMap *mod_map);\nvoid register_remote_manipulator(LPIModuleMap *mod_map);\nvoid register_revolver_nblbt(LPIModuleMap 
*mod_map);\nvoid register_rfb(LPIModuleMap *mod_map);\nvoid register_rpcscan(LPIModuleMap *mod_map);\nvoid register_rrtv(LPIModuleMap *mod_map);\nvoid register_rsync(LPIModuleMap *mod_map);\nvoid register_rtmp(LPIModuleMap *mod_map);\nvoid register_rtsp(LPIModuleMap *mod_map);\nvoid register_runescape(LPIModuleMap *mod_map);\nvoid register_s7comm(LPIModuleMap *mod_map);\nvoid register_saprouter(LPIModuleMap *mod_map);\nvoid register_saszombieassault4(LPIModuleMap *mod_map);\nvoid register_second_life(LPIModuleMap *mod_map);\nvoid register_shoutcast(LPIModuleMap *mod_map);\nvoid register_silkroadonline(LPIModuleMap *mod_map);\nvoid register_sip(LPIModuleMap *mod_map);\nvoid register_skyforge(LPIModuleMap *mod_map);\nvoid register_skype_tcp(LPIModuleMap *mod_map);\nvoid register_smb(LPIModuleMap *mod_map);\nvoid register_smite_tcp(LPIModuleMap *mod_map);\nvoid register_smtp(LPIModuleMap *mod_map);\nvoid register_smtps(LPIModuleMap *mod_map);\nvoid register_socks4(LPIModuleMap *mod_map);\nvoid register_socks5(LPIModuleMap *mod_map);\nvoid register_spdy(LPIModuleMap *mod_map);\nvoid register_speedify(LPIModuleMap *mod_map);\nvoid register_speedin(LPIModuleMap *mod_map);\nvoid register_speedtest(LPIModuleMap *mod_map);\nvoid register_spotify(LPIModuleMap *mod_map);\nvoid register_ssh(LPIModuleMap *mod_map);\nvoid register_ssjj(LPIModuleMap *mod_map);\nvoid register_ssl(LPIModuleMap *mod_map);\nvoid register_steam(LPIModuleMap *mod_map);\nvoid register_stratum(LPIModuleMap *mod_map);\nvoid register_stun_tcp(LPIModuleMap *mod_map);\nvoid register_supl(LPIModuleMap *mod_map);\nvoid register_svn(LPIModuleMap *mod_map);\nvoid register_talesrunner(LPIModuleMap *mod_map);\nvoid register_tankionline(LPIModuleMap *mod_map);\nvoid register_tankix(LPIModuleMap *mod_map);\nvoid register_taobao(LPIModuleMap *mod_map);\nvoid register_tds(LPIModuleMap *mod_map);\nvoid register_teamviewer(LPIModuleMap *mod_map);\nvoid register_telecomkey(LPIModuleMap *mod_map);\nvoid 
register_telegram(LPIModuleMap *mod_map);\nvoid register_telnet(LPIModuleMap *mod_map);\nvoid register_telnet_exploit(LPIModuleMap *mod_map);\nvoid register_tencent_games(LPIModuleMap *mod_map);\nvoid register_tenfivecoin(LPIModuleMap *mod_map);\nvoid register_tensafe(LPIModuleMap *mod_map);\nvoid register_tera(LPIModuleMap *mod_map);\nvoid register_tetrisonline(LPIModuleMap *mod_map);\nvoid register_thedivision(LPIModuleMap *mod_map);\nvoid register_tip(LPIModuleMap *mod_map);\nvoid register_tor(LPIModuleMap *mod_map);\nvoid register_tpkt_generic(LPIModuleMap *mod_map);\nvoid register_trackmania(LPIModuleMap *mod_map);\nvoid register_transocks(LPIModuleMap *mod_map);\nvoid register_trion(LPIModuleMap *mod_map);\nvoid register_trojan_win32_generic_sb(LPIModuleMap *mod_map);\nvoid register_trojan_zeroaccess(LPIModuleMap *mod_map);\nvoid register_twitcasting(LPIModuleMap *mod_map);\nvoid register_twitch_irc(LPIModuleMap *mod_map);\nvoid register_utherverse(LPIModuleMap *mod_map);\nvoid register_vainglory(LPIModuleMap *mod_map);\nvoid register_vhdp2p(LPIModuleMap *mod_map);\nvoid register_viber(LPIModuleMap *mod_map);\nvoid register_vmware(LPIModuleMap *mod_map);\nvoid register_vodlocker(LPIModuleMap *mod_map);\nvoid register_vpnrobot_tcp(LPIModuleMap *mod_map);\nvoid register_vpnunlimited_tcp(LPIModuleMap *mod_map);\nvoid register_warcraft3(LPIModuleMap *mod_map);\nvoid register_web_junk(LPIModuleMap *mod_map);\nvoid register_webex_stun(LPIModuleMap *mod_map);\nvoid register_weblogic(LPIModuleMap *mod_map);\nvoid register_wechat(LPIModuleMap *mod_map);\nvoid register_weibo(LPIModuleMap *mod_map);\nvoid register_weiqi(LPIModuleMap *mod_map);\nvoid register_whatsapp(LPIModuleMap *mod_map);\nvoid register_whois(LPIModuleMap *mod_map);\nvoid register_winmx(LPIModuleMap *mod_map);\nvoid register_wizard101(LPIModuleMap *mod_map);\nvoid register_wns(LPIModuleMap *mod_map);\nvoid register_wow(LPIModuleMap *mod_map);\nvoid register_wuala(LPIModuleMap *mod_map);\nvoid 
register_xiami(LPIModuleMap *mod_map);\nvoid register_xmpp(LPIModuleMap *mod_map);\nvoid register_xmpps(LPIModuleMap *mod_map);\nvoid register_xunlei(LPIModuleMap *mod_map);\nvoid register_xunlei_accel(LPIModuleMap *mod_map);\nvoid register_xymon(LPIModuleMap *mod_map);\nvoid register_yahoo(LPIModuleMap *mod_map);\nvoid register_yahoo_error(LPIModuleMap *mod_map);\nvoid register_yahoo_games(LPIModuleMap *mod_map);\nvoid register_yahoo_webcam(LPIModuleMap *mod_map);\nvoid register_youku_tcp(LPIModuleMap *mod_map);\nvoid register_yy_tcp(LPIModuleMap *mod_map);\nvoid register_zabbix(LPIModuleMap *mod_map);\nvoid register_zero_facebook(LPIModuleMap *mod_map);\nvoid register_zoom_tcp(LPIModuleMap *mod_map);\nvoid register_zynga(LPIModuleMap *mod_map);\n\n#endif\n"
  },
  {
    "path": "lib/udp/Makefile.am",
    "content": "noinst_LTLIBRARIES = libprotoident_udp.la\nlibprotoident_udp_la_SOURCES = \\\n\tlpi_360cn.cc \\\n\tlpi_360p2p.cc \\\n\tlpi_aachen_udp.cc \\\n\tlpi_acercloud.cc \\\n\tlpi_akamai.cc \\\n\tlpi_akamai_transfer.cc \\\n\tlpi_amanda.cc \\\n\tlpi_apple_facetime_init.cc \\\n\tlpi_ard.cc \\\n\tlpi_ares.cc \\\n\tlpi_ark.cc \\\n\tlpi_arma_server.cc \\\n\tlpi_arma3_server.cc \\\n\tlpi_artcp.cc \\\n\tlpi_assettocorsa.cc \\\n\tlpi_avast_secure_dns.cc \\\n        lpi_backweb.cc \\\n        lpi_bacnet.cc \\\n\tlpi_baiduyun_p2p.cc \\\n\tlpi_baofeng_udp.cc \\\n\tlpi_battlefield.cc \\\n\tlpi_bjnp.cc \\\n\tlpi_bmdp.cc \\\n\tlpi_btsync.cc \\\n\tlpi_cacaoweb_udp.cc \\\n\tlpi_canon_mfnp.cc \\\n\tlpi_chargen_exploit.cc \\\n\tlpi_checkpoint_rdp.cc \\\n\tlpi_chivalry.cc \\\n        lpi_ethernetip.cc \\\n\tlpi_cip_io.cc \\\n\tlpi_cirn.cc \\\n\tlpi_cisco_ipsec.cc \\\n\tlpi_cisco_sslvpn.cc \\\n\tlpi_classin_udp.cc \\\n\tlpi_cloudflare_warp.cc \\\n\tlpi_cod.cc \\\n\tlpi_codmobile.cc \\\n\tlpi_combatarms.cc \\\n\tlpi_combatarms_p2p.cc \\\n\tlpi_contract_wars.cc \\\n\tlpi_crossfire.cc \\\n\tlpi_crossout.cc \\\n\tlpi_csgo.cc \\\n\tlpi_csoriginal.cc \\\n\tlpi_dahua.cc \\\n\tlpi_db2.cc \\\n\tlpi_dcc.cc \\\n\tlpi_demonware.cc \\\n\tlpi_destiny_udp.cc \\\n\tlpi_dhcp.cc \\\n\tlpi_dht_dict.cc \\\n\tlpi_dht_other.cc \\\n\tlpi_diablo2.cc \\\n\tlpi_dianping_udp.cc \\\n\tlpi_dianshijia.cc \\\n\tlpi_directconnect.cc \\\n\tlpi_discord.cc \\\n\tlpi_dns.cc \\\n\tlpi_dota2.cc \\\n\tlpi_doyo.cc \\\n\tlpi_driveshare.cc \\\n\tlpi_dtls.cc \\\n\tlpi_emule.cc \\\n\tlpi_emule_weak.cc \\\n\tlpi_epson.cc \\\n\tlpi_eso.cc \\\n\tlpi_esp_encap.cc \\\n\tlpi_eye.cc \\\n\tlpi_fasp.cc \\\n\tlpi_feitwo.cc \\\n\tlpi_forticlient_sslvpn.cc \\\n\tlpi_fortinet.cc \\\n\tlpi_foscam.cc \\\n\tlpi_freechal.cc \\\n\tlpi_freefire.cc \\\n\tlpi_funshion.cc \\\n\tlpi_gamespy.cc \\\n\tlpi_ganglia.cc \\\n\tlpi_gangsofspace.cc \\\n\tlpi_garena.cc \\\n\tlpi_gearsofwar.cc \\\n\tlpi_gnutella.cc \\\n\tlpi_gnutella2.cc 
\\\n\tlpi_gnutella_weak.cc \\\n\tlpi_gotomeeting.cc \\\n\tlpi_gprs_tunnel.cc \\\n\tlpi_gsm.cc \\\n\tlpi_h1z1.cc \\\n\tlpi_halflife.cc \\\n\tlpi_haloonline.cc \\\n\tlpi_hamachi.cc \\\n\tlpi_heroesevolved.cc \\\n\tlpi_heroes_generals.cc \\\n\tlpi_heliborne.cc \\\n\tlpi_hollachat.cc \\\n\tlpi_hots.cc \\\n\tlpi_icp.cc \\\n\tlpi_imesh.cc \\\n\tlpi_ipmsg.cc \\\n\tlpi_ipv6.cc \\\n\tlpi_isakmp.cc \\\n\tlpi_jedi.cc \\\n\tlpi_jedi_academy.cc \\\n\tlpi_kademlia.cc \\\n\tlpi_kankan.cc \\\n\tlpi_kaspersky.cc \\\n\tlpi_kazaa.cc \\\n\tlpi_kingofglory_udp.cc \\\n\tlpi_kuguo.cc \\\n\tlpi_l2tp.cc \\\n\tlpi_lansync.cc \\\n\tlpi_ldap_ad.cc \\\n\tlpi_line_udp.cc \\\n\tlpi_linkproof.cc \\\n\tlpi_loadout.cc \\\n\tlpi_lol.cc \\\n\tlpi_mdns.cc \\\n\tlpi_merakicloud.cc \\\n\tlpi_moh.cc \\\n\tlpi_moonhunters.cc \\\n\tlpi_mp2p.cc \\\n\tlpi_msn_cache.cc \\\n\tlpi_msn_video.cc \\\n\tlpi_msoffice_mac.cc \\\n\tlpi_mta.cc \\\n\tlpi_mystery_05.cc \\\n\tlpi_mystery_0660.cc \\\n\tlpi_mystery_0d.cc \\\n\tlpi_mystery_45.cc \\\n\tlpi_mystery_61_72.cc \\\n\tlpi_mystery_8000.cc \\\n\tlpi_mystery_99.cc \\\n\tlpi_mystery_e9.cc \\\n\tlpi_mystery_qq.cc \\\n\tlpi_n2ping.cc \\\n\tlpi_natpmp.cc \\\n\tlpi_netbios.cc \\\n\tlpi_netcat_cctv_udp.cc \\\n\tlpi_netcore_scan.cc \\\n\tlpi_netflow.cc \\\n\tlpi_newerth.cc \\\n\tlpi_nintendo.cc \\\n\tlpi_noction.cc \\\n\tlpi_noe.cc \\\n\tlpi_nopayload.cc \\\n\tlpi_norton.cc \\\n\tlpi_ntp.cc \\\n\tlpi_ntp_reflect.cc \\\n\tlpi_nwn.cc \\\n\tlpi_nvidia_gamestream.cc \\\n\tlpi_opaserv.cc \\\n\tlpi_openvpn.cc \\\n\tlpi_orbit.cc \\\n\tlpi_overwatch.cc \\\n\tlpi_paladins.cc \\\n\tlpi_pando.cc \\\n\tlpi_panipani.cc \\\n\tlpi_planetside2.cc \\\n\tlpi_portmap_rpc.cc \\\n\tlpi_pplive.cc \\\n\tlpi_ppstream.cc \\\n\tlpi_probable_gnutella.cc \\\n\tlpi_ps4_remoteplay.cc \\\n\tlpi_psn.cc \\\n\tlpi_punkbuster.cc \\\n\tlpi_pyzor.cc \\\n\tlpi_qq.cc \\\n\tlpi_qqlive.cc \\\n\tlpi_qqpcmgr.cc \\\n\tlpi_qqspeedmobile_udp.cc \\\n\tlpi_quake.cc \\\n\tlpi_quic.cc \\\n\tlpi_qvod_udp.cc 
\\\n\tlpi_radius.cc \\\n\tlpi_ramseydash.cc \\\n\tlpi_rdp_udp.cc \\\n\tlpi_real.cc \\\n\tlpi_risingstorm.cc \\\n\tlpi_raknet.cc \\\n\tlpi_robocraft.cc \\\n\tlpi_rocket_league.cc \\\n\tlpi_rrshare.cc \\\n\tlpi_rtcp.cc \\\n\tlpi_rtmfp.cc \\\n\tlpi_rtp.cc \\\n\tlpi_rulesofsurvival.cc \\\n\tlpi_sanandreas_mp.cc \\\n\tlpi_second_life.cc \\\n\tlpi_serialnumberd.cc \\\n\tlpi_sip.cc \\\n\tlpi_skype.cc \\\n\tlpi_slp.cc \\\n\tlpi_smite.cc \\\n\tlpi_snapvpn.cc \\\n\tlpi_snmp.cc \\\n\tlpi_sopcast.cc \\\n\tlpi_spamfighter.cc \\\n\tlpi_spotify_bcast.cc \\\n\tlpi_sql_worm.cc \\\n\tlpi_ssdp.cc \\\n\tlpi_starcitizen.cc \\\n\tlpi_starcraft.cc \\\n\tlpi_starleaf.cc \\\n\tlpi_steam.cc \\\n\tlpi_steamfriends.cc \\\n\tlpi_steam_inhomebroadcast.cc \\\n\tlpi_steam_localbroadcast.cc \\\n\tlpi_storm_worm.cc \\\n\tlpi_stun.cc \\\n\tlpi_syslog.cc \\\n\tlpi_talesrunner_udp.cc \\\n\tlpi_teamspeak.cc \\\n\tlpi_teamviewer.cc \\\n\tlpi_teredo.cc \\\n\tlpi_tf2.cc \\\n\tlpi_tftp.cc \\\n\tlpi_thecrew.cc \\\n\tlpi_thq.cc \\\n\tlpi_torchlight2.cc \\\n\tlpi_tox.cc \\\n\tlpi_traceroute.cc \\\n\tlpi_tremulous.cc \\\n\tlpi_turbovpn.cc \\\n\tlpi_tvants.cc \\\n\tlpi_ubisoft_games.cc \\\n\tlpi_umeye.cc \\\n\tlpi_unreal.cc \\\n\tlpi_ventrilo.cc \\\n\tlpi_viber.cc \\\n\tlpi_vivox.cc \\\n\tlpi_vpnmaster.cc \\\n\tlpi_vpnrobot_udp.cc \\\n\tlpi_vxworks_exploit.cc \\\n\tlpi_warthunder.cc \\\n\tlpi_webex.cc \\\n\tlpi_wechat_udp.cc \\\n\tlpi_winmessage.cc \\\n\tlpi_wireguard.cc \\\n\tlpi_wolfet.cc \\\n\tlpi_worm_22105.cc \\\n\tlpi_xfire_p2p.cc \\\n\tlpi_xlsp.cc \\\n\tlpi_xunlei.cc \\\n\tlpi_xunlei_jsq.cc \\\n\tlpi_xunyou.cc \\\n\tlpi_youdao_dict.cc \\\n\tlpi_youku.cc \\\n\tlpi_yuanfudao.cc \\\n\tlpi_yy_udp.cc \\\n\tlpi_zalo_call.cc \\\n\tlpi_zeroaccess_udp.cc \\\n\tlpi_zoom.cc\n\nEXTRA_DIST=udp_protocols.h\n\nlibprotoident_udp_la_CFLAGS=-I\"$(top_srcdir)/lib\"\nlibprotoident_udp_la_CPPFLAGS=-I\"$(top_srcdir)/lib\"\nINCLUDES=@ADD_INCLS@\n\n"
  },
  {
    "path": "lib/udp/lpi_360cn.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Not 100% sure what this is but:\n *  - it's on port 53 but is definitely not DNS\n *  - involves servers owned by 360.cn, who 'supposedly' are antivirus experts\n *  - the protocol appears to be a custom encryption protocol\n */\n\n\nstatic inline bool match_360cn_0102(uint32_t a, uint32_t b) {\n\n\n        if (a != b)\n                return false;\n        if (MATCH(a, ANY, ANY, 0x01, 0x02))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_360cn_0a04(uint32_t pload, uint32_t len) {\n\n        uint32_t hdrlen = (ntohl(pload)) & 0xffff;\n\n        if (len == 0)\n                return true;\n\n        if (!MATCH(pload, 0x0a, 0x04, ANY, ANY))\n                return false;\n\n        if (hdrlen + 10 == len)\n                return true;\n\n        return false;\n\n\n}\n\nstatic inline bool match_360cn(lpi_data_t 
*data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 53 && data->client_port != 53)\n                return false;\n        \n        if (match_360cn_0102(data->payload[0], data->payload[1]))\n                return true;\n\n        if (match_360cn_0a04(data->payload[0], data->payload_len[0])) {\n                if (match_360cn_0a04(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_360cn = {\n\tLPI_PROTO_UDP_360CN,\n\tLPI_CATEGORY_SECURITY,\n\t\"360.cn\",\n\t50,\n\tmatch_360cn\n};\n\nvoid register_360cn(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_360cn, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_360p2p.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_360p2p_request(uint32_t payload, uint32_t len) {\n        if (len == 72 && MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        if (len == 40 && MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_360p2p_reply(uint32_t payload, uint32_t len) {\n        if (len == 40 && MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        if (len == 30 && MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        if (len == 50 && MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        if (len == 72 && MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_360p2p(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n    
    if (match_360p2p_request(data->payload[0], data->payload_len[0])) {\n                if (match_360p2p_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_360p2p_request(data->payload[1], data->payload_len[1])) {\n                if (match_360p2p_reply(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_360p2p = {\n\tLPI_PROTO_UDP_360P2P,\n\tLPI_CATEGORY_SECURITY,\n\t\"360Safeguard_P2P\",\n\t211,\n\tmatch_360p2p\n};\n\nvoid register_360p2p(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_360p2p, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_aachen_udp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_aachen_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Regular UDP port 80 and port 443 probes from RWTH-Aachen University\n         * for research purposes. 
See http://137.226.113.7/ for more details.\n         */\n\n        if (data->server_port == 80 || data->client_port == 80 ||\n                                data->server_port == 443 ||\n                                data->client_port == 443) {\n                if (data->payload_len[0] == 0) {\n                        if (data->payload_len[1] != 1055)\n                                return false;\n                        if (MATCH(data->payload[1], 0x0d, 'S', 'C', 'A'))\n                                return true;\n                }\n\n                if (data->payload_len[1] == 0) {\n                        if (data->payload_len[0] != 1055)\n                                return false;\n                        if (MATCH(data->payload[0], 0x0d, 'S', 'C', 'A'))\n                                return true;\n                }\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_aachen_udp = {\n\tLPI_PROTO_UDP_RWTH_AACHEN,\n\tLPI_CATEGORY_MONITORING,\n\t\"RWTHAachenScan\",\n\t100,\n\tmatch_aachen_udp\n};\n\nvoid register_aachen_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_aachen_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_acercloud.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_acer_ff99(uint32_t payload, uint32_t len) {\n\n    if (len == 102 && MATCHSTR(payload, \"\\xff\\xff\\xff\\x99\"))\n\treturn true;\n    return false;\n\n}\n\nstatic inline bool match_acercloud(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\n\tif (match_acer_ff99(data->payload[0], data->payload_len[0])) {\n\t\tif (match_acer_ff99(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_acercloud = {\n\tLPI_PROTO_UDP_ACERCLOUD,\n\tLPI_CATEGORY_CLOUD,\n\t\"AcerCloud\",\n\t6,\n\tmatch_acercloud\n};\n\nvoid register_acercloud(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_acercloud, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_akamai.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_akamai(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* This appears to be some sort of protocol used by Akamai nodes\n\t * to talk to one another - probably the monitoring for the Akamai\n\t * network */\n\n\t/* All messages begin with 8 bytes of zeroes */\n\tif (data->payload[0] != 0 || data->payload[1] != 0)\n\t\treturn false;\n\n\tif (data->payload_len[0] == 1080 && data->payload_len[1] == 0)\n\t\treturn true;\n\tif (data->payload_len[1] == 1080 && data->payload_len[0] == 0)\n\t\treturn true;\n\n\tif (data->payload_len[0] == 1032) {\n\t\tif (data->payload_len[1] == 0)\n\t\t\treturn true;\n\t\tif (data->payload_len[1] == 1032)\n\t\t\treturn true;\n\t}\n\n\tif (data->payload_len[1] == 1032) {\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t}\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_akamai = 
{\n\tLPI_PROTO_UDP_AKAMAI,\n\tLPI_CATEGORY_MONITORING,\n\t\"Akamai\",\n\t5,\n\tmatch_akamai\n};\n\nvoid register_akamai(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_akamai, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_akamai_transfer.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic bool match_akamai_out(uint32_t payload, uint32_t len) {\n\n\tif (len < 200)\n\t\treturn false;\n\n\tif (MATCH(payload, 0x02, 0x24, ANY, ANY))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_akamai_transfer(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* This protocol is used by Akamai boxes to transfer large quantities\n\t * of data back to the main Akamai network. 
This involves a one-way\n\t * UDP flow */\n\n\n\t/* Restrict based on port number, because this rule is a bit weak */\n\tif (data->server_port != 1485 && data->client_port != 1485)\n\t\treturn false;\n\n\tif (match_akamai_out(data->payload[0], data->payload_len[0])) {\n\t\tif (data->payload_len[1] == 0)\n\t\t\treturn true;\n\t}\n\t\n\tif (match_akamai_out(data->payload[1], data->payload_len[1])) {\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_akamai_transfer = {\n\tLPI_PROTO_UDP_AKAMAI_TRANSFER,\n\tLPI_CATEGORY_CDN,\n\t\"AkamaiTransfer\",\n\t15,\n\tmatch_akamai_transfer\n};\n\nvoid register_akamai_transfer(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_akamai_transfer, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_amanda.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_amanda(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"Aman\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_amanda = {\n\tLPI_PROTO_UDP_AMANDA,\n\tLPI_CATEGORY_FILES,\n\t\"AmandaUDP\",\n\t6,\n\tmatch_amanda\n};\n\nvoid register_amanda(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_amanda, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_apple_facetime_init.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Protocol used to talk to Apple servers when commencing a Facetime call.\n * iMessage may also use this protocol to determine whether iMessage is \n * available between two devices.\n * May also be used by Game Center (but this is not verified).\n *\n * NOTE: this protocol is not used for the actual Facetime call itself - that\n * is done via RTP, SIP and other standard protocols.\n */\n\nstatic inline bool match_afi_server_port(uint16_t port) {\n\n\tif (port < 16384)\n\t\treturn false;\n\tif (port > 16387)\n\t\treturn false;\n\treturn true;\n}\n\nstatic inline bool match_afi_client_port(uint16_t port) {\n\tif (port < 16402)\n\t\treturn false;\n\tif (port > 16410)\n\t\treturn false;\n\treturn true;\n}\n\nstatic inline bool match_facetime_req(uint32_t payload, uint32_t len) {\n\t\n\tif (len != 16)\n\t\treturn false;\n\tif (MATCH(payload, 0x00, 0x01, 
0x00, 0x02))\n\t\treturn true;\n\tif (MATCH(payload, 0x00, 0x00, 0x00, 0x02))\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_facetime_resp(uint32_t payload, uint32_t len) {\n\t\n\tif (len == 0)\n\t\treturn true;\n\tif (len != 16)\n\t\treturn false;\n\tif (MATCH(payload, 0x00, 0x01, 0x00, 0x01))\n\t\treturn true;\n\tif (MATCH(payload, 0x00, 0x00, 0x00, 0x01))\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_apple_facetime_init(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (!match_afi_server_port(data->server_port) && \n\t\t\t!match_afi_client_port(data->server_port)) {\n\t\treturn false;\n\t}\n\t\n\tif (!match_afi_server_port(data->client_port) && \n\t\t\t!match_afi_client_port(data->client_port)) {\n\t\treturn false;\n\t}\n\n\tif (match_facetime_req(data->payload[0], data->payload_len[0])) {\n\t\tif (match_facetime_resp(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_facetime_req(data->payload[1], data->payload_len[1])) {\n\t\tif (match_facetime_resp(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\treturn false;\n}\n\nstatic lpi_module_t lpi_apple_facetime_init = {\n\tLPI_PROTO_UDP_APPLE_FACETIME_INIT,\n\tLPI_CATEGORY_NAT,\t// Unsure about this one...\n\t\"AppleFacetimeInit\",\n\t16,\n\tmatch_apple_facetime_init\n};\n\nvoid register_apple_facetime_init(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_apple_facetime_init, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_ard.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Apple Remote Desktop protocol, generally used to remotely manage Macs.\n * Probably shouldn't be seen on the Internet, particularly with the patterns\n * presented here as this was almost certainly a case where a Mac with remote\n * management enabled was being abused into performing an amplification attack.\n *\n * Of course, being Apple, there is no public documentation of this protocol\n * anywhere so it's pretty hard to write rules that cover legitimate uses of\n * this protocol.\n */\n\nstatic inline bool match_ard_tiny_req(uint32_t payload, uint32_t len) {\n        if (len == 5 && MATCH(payload, 0x00, 0x14, 0x00, 0x01)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_ard_large_resp(uint32_t payload, uint32_t len) {\n\n        /* Match the case where the client doesn't reply (i.e. 
does not participate\n         * in the amplification attack).\n         */\n        if (len == 0) {\n                return true;\n        }\n\n        /* All my examples were 1006 bytes, but that's just from one\n         * specific machine */\n        if (len < 1000) {\n                return false;\n        }\n\n        if ((ntohl(payload) & 0x0000ffff) != len - 4) {\n                return false;\n        }\n\n        if (MATCH(payload, 0x00, 0x01, ANY, ANY)) {\n                return true;\n        }\n\n        return false;\n}\n\nstatic inline bool match_ard(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 3283 && data->client_port != 3283) {\n                return false;\n        }\n\n        if (match_ard_tiny_req(data->payload[0], data->payload_len[0])) {\n                if (match_ard_large_resp(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_ard_tiny_req(data->payload[1], data->payload_len[1])) {\n                if (match_ard_large_resp(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ard = {\n\tLPI_PROTO_UDP_ARD,\n\tLPI_CATEGORY_REMOTE,\n\t\"ARD\",\n\t20,\n\tmatch_ard\n};\n\nvoid register_ard(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ard, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_ares.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_ares_client(uint32_t payload, uint32_t len) {\n\n\tif (len != 3)\n\t\treturn false;\n\tif (!MATCH(payload, 0x00, ANY, ANY, 0x00))\n\t\treturn false;\n\treturn true;\n}\n\nstatic inline bool match_ares_peer(uint32_t payload, uint32_t len) {\n\n\tif (len != 3)\n\t\treturn false;\n\tif (!MATCH(payload, 0x01, ANY, ANY, 0x00))\n\t\treturn false;\n\treturn true;\n}\n\nstatic inline bool match_ares_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_ares_client(data->payload[0], data->payload_len[0])) {\n\t\tif (match_ares_peer(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_ares_client(data->payload[1], data->payload_len[1])) {\n\t\tif (match_ares_peer(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ares_udp = 
{\n\tLPI_PROTO_UDP_ARES,\n\tLPI_CATEGORY_P2P,\n\t\"Ares_UDP\",\n\t9,\n\tmatch_ares_udp\n};\n\nvoid register_ares_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ares_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_ark.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_ark_request(uint32_t payload, uint32_t len) {\n        if (len == 38 && MATCH(payload, 0x00, 0x80, 0x05, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_ark_response(uint32_t payload, uint32_t len) {\n        if (len == 26 && MATCH(payload, 0x00, 0x00, 0x01, 0x00))\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_arksurvival(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\n        if (match_ark_request(data->payload[0], data->payload_len[0])) {\n                if (match_ark_response(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_ark_request(data->payload[1], data->payload_len[1])) {\n                if (match_ark_response(data->payload[0], data->payload_len[0]))\n                   
     return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_arksurvival = {\n\tLPI_PROTO_UDP_ARK_SURVIVAL,\n\tLPI_CATEGORY_GAMING,\n\t\"ARKSurvivalEvolved\",\n\t20,\n\tmatch_arksurvival\n};\n\nvoid register_arksurvival(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_arksurvival, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_arma3_server.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_arma3_server_payload(uint32_t payload, uint32_t len) {\n\n        uint32_t replen;\n\n        if (len == 0)\n                return true;\n\n        replen = (payload & 0xffff);\n        if (replen != len)\n                return false;\n\n        if (MATCH(payload, ANY, ANY, 0xe2, 0x16))\n                return true;\n        if (MATCH(payload, ANY, ANY, 0x60, 0xcf))\n                return true;\n\n\n        return false;\n\n\n}\n\nstatic inline bool match_arma_port_range(lpi_data_t *data) {\n\n        if (data->server_port >= 2300 && data->server_port <= 2400)\n                return true;\n        if (data->client_port >= 2300 && data->client_port <= 2400)\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_arma3_server(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if 
(match_arma3_server_payload(data->payload[0], data->payload_len[0])) {\n                if (match_arma3_server_payload(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_arma3_server = {\n\tLPI_PROTO_UDP_ARMA3_SERVER,\n\tLPI_CATEGORY_GAMING,\n\t\"ARMA3Server\",\n\t4,\n\tmatch_arma3_server\n};\n\nvoid register_arma3_server(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_arma3_server, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_arma_server.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_arma_server_payload(uint32_t payload, uint32_t len) {\n\n        uint32_t replen;\n\n        if (len == 0)\n                return true;\n\n        if (!MATCH(payload, ANY, ANY, 0x01, 0x08))\n                return false;\n\n        replen = (payload & 0xffff);\n        if (replen != len)\n                return false;\n\n        return true;\n\n\n}\n\nstatic inline bool match_arma_nine(uint32_t payload, uint32_t len) {\n\n        /* The HalfLife protocol and its derivatives all use a similar\n         * type of packet -- probably a server ping probe? 
\n         * This is probably copied or heavily influenced by that.\n         */\n\n        if (len != 9)\n                return false;\n        if (MATCHSTR(payload, \"\\xff\\xff\\xff\\xff\"))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_arma_port_range(lpi_data_t *data) {\n\n        if (data->server_port >= 2300 && data->server_port <= 2400)\n                return true;\n        if (data->client_port >= 2300 && data->client_port <= 2400)\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_arma_server(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_arma_server_payload(data->payload[0], data->payload_len[0])) {\n                if (match_arma_server_payload(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        /* The next rule is prone to conflicts so restrict to flows that\n         * are using common ARMA ports */\n        if (!match_arma_port_range(data))\n                return false;\n\n        if (match_arma_nine(data->payload[0], data->payload_len[0])) {\n                if (match_arma_nine(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_arma_server = {\n\tLPI_PROTO_UDP_ARMA_SERVER,\n\tLPI_CATEGORY_GAMING,\n\t\"ARMA2Server\",\n\t4,\n\tmatch_arma_server\n};\n\nvoid register_arma_server(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_arma_server, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_artcp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Custom version of RTCP used by Alibaba cloud for streaming */\n\nstatic inline bool match_artcp_payload(uint32_t payload, uint32_t len) {\n        if (len == 0)\n                return true;\n        if (MATCH(payload, 0x83, 0xcc, 0x00, ANY))\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_artcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\n        if (data->server_port == 1106 || data->client_port == 1106) {\n\n        \tif (!match_artcp_payload(data->payload[0],\n                                data->payload_len[0]))\n                        return false;\n                if (!match_artcp_payload(data->payload[1],\n                                data->payload_len[1]))\n                        return false;\n                return true;\n        }\n        return false;\n\n}\n\nstatic lpi_module_t 
lpi_artcp = {\n\tLPI_PROTO_UDP_ARTCP,\n\tLPI_CATEGORY_STREAMING,\n\t\"ARTCP\",\n\t200,\n\tmatch_artcp\n};\n\nvoid register_artcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_artcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_assettocorsa.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* A multiplayer car racing sim -- costs $$ to play so unconfirmed but\n * supporting evidence is strong */\n\nstatic inline bool match_ac_two(uint32_t payload, uint32_t len) {\n\n        /* ANY is usually between 0x00 and 0x18 */\n        if (len == 2 && MATCH(payload, 0x4e, ANY, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_ac_one(uint32_t payload, uint32_t len) {\n\n        if (len == 1 && MATCH(payload, 0x4e, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_assettocorsa(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_ac_two(data->payload[0], data->payload_len[0])) {\n                if (match_ac_one(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if 
(match_ac_one(data->payload[0], data->payload_len[0])) {\n                if (match_ac_two(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_assettocorsa = {\n\tLPI_PROTO_UDP_ASSETTO_CORSA,\n\tLPI_CATEGORY_GAMING,\n\t\"AssettoCorsa\",\n\t200,\n\tmatch_assettocorsa\n};\n\nvoid register_assettocorsa(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_assettocorsa, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_avast_secure_dns.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_asd_reply(uint32_t payload) {\n        \n        if (MATCH(payload, 'r', '6', 'f', 'n'))\n                return true;\n        return false;\n}\n\nstatic inline bool match_asd_request(uint32_t payload) {\n        \n        if (MATCH(payload, '7', 'P', 'Y', 'q'))\n                return true;\n        return false;\n}\n\nstatic inline bool match_avast_secure_dns(lpi_data_t *data, \n                lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 53 && data->client_port != 53 && \n                        data->server_port != 443 && data->client_port != 443) {\n                return false;\n        }\n\n        if (match_asd_request(data->payload[0])) {\n                if (match_asd_reply(data->payload[1]))\n                        return true;\n        }\n        \n        if 
(match_asd_request(data->payload[1])) {\n                if (match_asd_reply(data->payload[0]))\n                        return true;\n        }\n\n        /* The requests have no obvious pattern, except being always 512\n         * bytes. */\n        if (match_asd_reply(data->payload[0]) && data->payload_len[1] == 512)\n                return true;\n        if (match_asd_reply(data->payload[1]) && data->payload_len[0] == 512)\n                return true;\n\n        if (data->server_port == 443 || data->client_port == 443) {\n                if (match_dns(data)) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_avast_secure_dns = {\n\tLPI_PROTO_UDP_AVAST_DNS,\n\tLPI_CATEGORY_SERVICES,\n\t\"AvastSecureDNS\",\n\t14,\n\tmatch_avast_secure_dns\n};\n\nvoid register_avast_secure_dns(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_avast_secure_dns, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_backweb.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_backweb(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->server_port != 370 && data->client_port != 370)\n                return false;\n\n        if (match_chars_either(data, 0x21, 0x24, 0x00, ANY))\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_backweb = {\n\tLPI_PROTO_UDP_BACKWEB,\n\tLPI_CATEGORY_SECURITY,\n\t\"BackWeb\",\n\t5,\n\tmatch_backweb\n};\n\nvoid register_backweb(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_backweb, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_bacnet.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_bacnet_request(uint32_t payload, uint32_t len) {\n\n        uint32_t baclen = (ntohl(payload) & 0xffff);\n\n        if (baclen == len && MATCH(payload, 0x81, 0x0a, ANY, ANY))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_bacnet(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 47808 && data->client_port != 47808)\n                return false;\n\n        /* I've only seen scans for this stuff, so don't know what a reply\n         * would look like */\n\n        if (match_bacnet_request(data->payload[0], data->payload_len[0])) {\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n        if (match_bacnet_request(data->payload[1], data->payload_len[1])) {\n                if (data->payload_len[0] == 0)\n       
                 return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_bacnet = {\n\tLPI_PROTO_UDP_BACNET,\n\tLPI_CATEGORY_REMOTE,    /* XXX Create a new category for building\n                                 * automation?? */\n\t\"BACnet\",\n\t23,\n\tmatch_bacnet\n};\n\nvoid register_bacnet(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_bacnet, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_baiduyun_p2p.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Protocol used by Baidu Yun for sharing files between friends. 
Not\n * 100% confirmed, but I've managed to observe other confirmed Baidu Yun\n * traffic for the same host / port prior to the suspected peer starting\n * flows matching this pattern.\n *\n * For some reason I was unable to make P2P transfers work when using Baidu\n * Yun myself (possibly because I was behind NAT?), which is why I haven't\n * been able to confirm.\n */\n\nstatic inline bool match_byun_p2p(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n\n        if (len == 64 || len == 32 || len == 50) {\n                if (MATCH(payload, 0x01, ANY, ANY, ANY))\n                        return true;\n        }\n        return false;\n\n}\n\nstatic inline bool match_baiduyun_p2p(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /*\n        if (data->server_port != 7273 && data->client_port != 7273 &&\n                        data->server_port != 7274 &&\n                        data->client_port != 7274)\n                return false;\n        */\n\n\n        if (match_byun_p2p(data->payload[0], data->payload_len[0])) {\n                if (match_byun_p2p(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_baiduyun_p2p = {\n\tLPI_PROTO_UDP_BAIDU_YUN_P2P,\n\tLPI_CATEGORY_P2P,\n\t\"BaiduYunP2P\",\n\t220,\n\tmatch_baiduyun_p2p\n};\n\nvoid register_baiduyun_p2p(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_baiduyun_p2p, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_baofeng_udp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_bao(uint32_t payload, uint32_t len) {\n        uint32_t first = ntohl(payload) >> 24;\n\n        if (len < 38 || len > 55)\n                return false;\n\n        /* First byte always begins with 0x2X or 0x3X */\n        if (first < 0x20 || first > 0x3f)\n                return false;\n\n        return true;\n}\n\nstatic inline bool match_baofeng_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 9909 && data->client_port != 9909)\n                return false;\n\n        if (match_bao(data->payload[0], data->payload_len[0])) {\n                if (match_bao(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_baofeng_udp = 
{\n\tLPI_PROTO_UDP_BAOFENG,\n\tLPI_CATEGORY_STREAMING,\n\t\"Baofeng\",\n\t105,\n\tmatch_baofeng_udp\n};\n\nvoid register_baofeng_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_baofeng_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_battlefield.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_battlefield(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Server browsing for battlefield 1942 */\n\n        if (match_str_both(data, \"ping\", \"Ping\"))\n                return true;\n\n        if (MATCHSTR(data->payload[0], \"ping\")) {\n                if (data->payload_len[0] != 5)\n                        return false;\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n        if (MATCHSTR(data->payload[1], \"ping\")) {\n                if (data->payload_len[1] != 5)\n                        return false;\n                if (data->payload_len[0] == 0)\n                        return true;\n        }\n\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_battlefield = 
{\n\tLPI_PROTO_UDP_BATTLEFIELD,\n\tLPI_CATEGORY_GAMING,\n\t\"Battlefield\",\n\t7,\n\tmatch_battlefield\n};\n\nvoid register_battlefield(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_battlefield, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_bjnp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_bjnp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Could strengthen this by requiring 16 byte packets too if needed */\n\n\tif (match_str_either(data, \"BJNP\"))\n\t\treturn true;\n\n\t/* Apparently, there are a few other combinations that we can see */\n\tif (match_str_either(data, \"BNJB\"))\n\t\treturn true;\n\tif (match_str_either(data, \"BJNB\"))\n\t\treturn true;\n\tif (match_str_either(data, \"PJNB\"))\n\t\treturn true;\n\tif (match_str_either(data, \"PNJB\"))\n\t\treturn true;\n\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_bjnp = {\n\tLPI_PROTO_UDP_BJNP,\n\tLPI_CATEGORY_PRINTING,\n\t\"Canon_BJNP\",\n\t3,\n\tmatch_bjnp\n};\n\nvoid register_bjnp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_bjnp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_bmdp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n#include <stdio.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* BMDP is a protocol used by Microsoft Automated Deployment Services, a\n * system for remotely installing, configuring and maintained Windows Servers.\n *\n * Unfortunately, there is no obvious BMDP spec out there so this is just\n * based on what we have seen in our traffic.\n */\n\nstatic inline bool match_bmdp_payload(uint32_t payload, uint32_t len) {\n        uint32_t byte3 = ntohl(payload) & 0xff00;\n        uint32_t byte4 = ntohl(payload) & 0x00ff;\n\n        if (len == 0)\n                return false;\n\n        /* Byte 3 is always Xd, where X >=0 and X < 8 */\n        if ((ntohl(payload) & 0x7d00) != byte3)\n                return false;\n\n        /* There seem to be a fixed set of values for byte 4 and these seem\n         * to also determine the length.\n         *\n         * So far I've limited this to byte4's that 
I've seen on multiple\n         * occasions.\n         */\n        if (byte4 == 0x2d && (len == 115 || len == 114))\n                return true;\n\n        if (byte4 == 0x42 && len == 116)\n                return true;\n\n        if (byte4 == 0x5c && len == 117)\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_bmdp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* XXX The typical port number is 8197, but usually you will see this\n         * on a port ranging from 8190 to 8210. We could consider limiting\n         * this rule to traffic matching those ports if we really wanted.\n         */\n\n        /* Traffic is always one-way only */\n        if (data->payload_len[0] != 0 && data->payload_len[1] != 0)\n                return false;\n\n        if (match_bmdp_payload(data->payload[0], data->payload_len[0]))\n                return true;\n\n        if (match_bmdp_payload(data->payload[1], data->payload_len[1]))\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_bmdp = {\n\tLPI_PROTO_UDP_BMDP,\n\tLPI_CATEGORY_FILES,\n\t\"BMDP\",\n\t70,\n\tmatch_bmdp\n};\n\nvoid register_bmdp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_bmdp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_btsync.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_btsync_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"BSYN\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_btsync_udp = {\n\tLPI_PROTO_UDP_BTSYNC,\n\tLPI_CATEGORY_FILES,\n\t\"BitTorrentSync_UDP\",\n\t8,\n\tmatch_btsync_udp\n};\n\nvoid register_btsync_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_btsync_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_cacaoweb_udp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_cacao_smalla(uint32_t payload, uint32_t len) {\n\n        if (len > 15)\n                return false;\n\n        if ((ntohl(payload) & 0xa0000000) == 0xa0000000)\n                return true;\n        return false;\n}\n\nstatic inline bool match_cacao_other(uint32_t payload, uint32_t opp) {\n\n        uint32_t firsta = ntohl(payload) >> 24;\n        uint32_t lastb = ntohl(opp) & 0xff;\n\n        if (firsta == lastb && firsta != 0)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_cacao_c0_12(uint32_t payload, uint32_t len) {\n        if (len == 12 && MATCH(payload, 0xc0, ANY, ANY, ANY))\n                return true;\n        return false;\n}\n\nstatic inline bool match_cacao_c0_14(uint32_t payload, uint32_t len) {\n        if (len == 14 && MATCH(payload, 0xc0, ANY, ANY, ANY))\n               
 return true;\n        return false;\n}\n\nstatic inline bool match_cacaoweb_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_cacao_smalla(data->payload[0], data->payload_len[0])) {\n                if (match_cacao_other(data->payload[1], data->payload[0])) {\n                        return true;\n                }\n        }\n\n        if (match_cacao_smalla(data->payload[1], data->payload_len[1])) {\n                if (match_cacao_other(data->payload[0], data->payload[1])) {\n                        return true;\n                }\n        }\n\n        if (match_cacao_c0_12(data->payload[0], data->payload_len[0])) {\n                if (match_cacao_c0_14(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_cacao_c0_12(data->payload[1], data->payload_len[1])) {\n                if (match_cacao_c0_14(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_cacaoweb_udp = {\n\tLPI_PROTO_UDP_CACAOWEB,\n\tLPI_CATEGORY_P2P,\n\t\"CacaowebUDP\",\n\t231,\n\tmatch_cacaoweb_udp\n};\n\nvoid register_cacaoweb_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_cacaoweb_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_canon_mfnp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_canon_mfnp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 8610 && data->client_port != 8610)\n                return false;\n\n        if (match_str_either(data, \"MFNP\"))\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_canon_mfnp = {\n\tLPI_PROTO_UDP_MFNP,\n\tLPI_CATEGORY_PRINTING,\n\t\"Canon_MFNP\",\n\t8,\n\tmatch_canon_mfnp\n};\n\nvoid register_canon_mfnp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_canon_mfnp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_chargen_exploit.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_chargen_exploit(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 19 && data->client_port != 19)\n                return false;\n\n        /* Matching chargen replies to spoofed sources */\n        if (data->payload_len[0] == 0 &&\n                        MATCH(data->payload[1], 0x20, 0x21, 0x22, 0x23))\n                return true;\n\n        if (data->payload_len[1] == 0 &&\n                        MATCH(data->payload[0], 0x20, 0x21, 0x22, 0x23))\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_chargen_exploit = {\n\tLPI_PROTO_UDP_CHARGEN_EXPLOIT,\n\tLPI_CATEGORY_MALWARE,\n\t\"ChargenExploit\",\n\t200,\n\tmatch_chargen_exploit\n};\n\nvoid register_chargen_exploit(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_chargen_exploit, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_checkpoint_rdp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_checkpoint_rdp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* We only see this on port 259, so I'm pretty sure that this is\n         * the Checkpoint proprietary RDP protocol (not to be confused with\n         * Remote Desktop Protocol or the RDP transport protocol).\n         *\n         * Begins with a four byte magic number */\n\n        if (match_str_both(data, \"\\xf0\\x01\\xcc\\xcc\", \"\\xf0\\x01\\xcc\\xcc\"))\n                return true;\n        if (match_str_either(data, \"\\xf0\\x01\\xcc\\xcc\")) {\n                if (data->payload_len[0] == 0)\n                        return true;\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_checkpoint_rdp = 
{\n\tLPI_PROTO_UDP_CP_RDP,\n\tLPI_CATEGORY_KEY_EXCHANGE,\n\t\"Checkpoint_RDP\",\n\t3,\n\tmatch_checkpoint_rdp\n};\n\nvoid register_checkpoint_rdp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_checkpoint_rdp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_chivalry.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Chivalry: Medieval Warfare -- a game */\n\nstatic inline bool match_chivalry(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x00) &&\n                        MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x00)) {\n                if (data->payload_len[0] == 12 && data->payload_len[1] == 15)\n                        return true;\n                if (data->payload_len[1] == 12 && data->payload_len[0] == 15)\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_chivalry = {\n\tLPI_PROTO_UDP_CHIVALRY,\n\tLPI_CATEGORY_GAMING,\n\t\"Chivalry\",\n\t200,\n\tmatch_chivalry\n};\n\nvoid register_chivalry(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_chivalry, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_cip_io.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n * 239.192.27.192 10.1.1.215 2222 2222 17 1599194119.713 1599194136.242 0 527360 00000000 .... 0 02000280 .... 80\n * 10.1.1.215 10.1.1.200 2222 2222 17 1599194119.716 1599194136.397 187488 0 02000280 .... 56 00000000 .... 
0\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_cip(lpi_data_t *data) {\n\n\tif (MATCH(data->payload[0], 0x02, 0x00, 0x02, 0x80) &&\n            MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x00))\n\t\treturn true;\n\n\tif (MATCH(data->payload[1], 0x02, 0x00, 0x02, 0x80) &&\n            MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x00))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic inline bool match_cip_io(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->server_port != 2222 || data->client_port != 2222)\n\t\treturn false;\n\n\tif (match_cip(data))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_cip_io = {\n\tLPI_PROTO_UDP_CIP_IO,\n\tLPI_CATEGORY_ICS,\n\t\"CIP_I/O\",\n\t100,\n\tmatch_cip_io\n};\n\nvoid register_cip_io(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_cip_io, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_cirn.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_cirn_probe(uint32_t payload, uint32_t len) {\n\tif (MATCH(payload, 'P', 'a', 't', 'h') && len == 10)\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_cirn_response(uint32_t payload, uint32_t len) {\n\tif (len == 0)\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_cirn(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_cirn_probe(data->payload[0], data->payload_len[0])) {\n\t\tif (match_cirn_response(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\t\n\tif (match_cirn_probe(data->payload[1], data->payload_len[1])) {\n\t\tif (match_cirn_response(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_cirn = {\n\tLPI_PROTO_UDP_CIRN,\n\tLPI_CATEGORY_MONITORING,\n\t\"CIRN_Probe\",\n\t8,\n\tmatch_cirn\n};\n\nvoid 
register_cirn(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_cirn, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_cisco_ipsec.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_cisco_ipsec_payload(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n        if (len == 109)\n                return true;\n        if (len == 93)\n                return true;\n        return false;\n\n}\n\n\nstatic inline bool match_cisco_ipsec(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\t/* Been seeing this on UDP port 10000, which I assume is the\n         * Cisco IPSec VPN */\n\n        if (data->server_port != 10000 && data->client_port != 10000)\n                return false;\n\n        if (!match_cisco_ipsec_payload(data->payload[0], data->payload_len[0]))\n                return false;\n        if (!match_cisco_ipsec_payload(data->payload[1], data->payload_len[1]))\n                return false;\n\n        return true;\n\n\n}\n\nstatic lpi_module_t lpi_cisco_ipsec = 
{\n\tLPI_PROTO_UDP_CISCO_VPN,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"Cisco_VPN_UDP\",\n\t8,\n\tmatch_cisco_ipsec\n};\n\nvoid register_cisco_ipsec(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_cisco_ipsec, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_cisco_sslvpn.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_sslvpn(uint32_t payload) {\n\n        /* Payload looks like SSL, except they've set the version field\n         * to 1.0 (which would be invalid in real SSL) -- oh, Cisco!\n         */\n        if (MATCH(payload, 0x16, 0x01, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_cisco_sslvpn(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_sslvpn(data->payload[0]) && match_sslvpn(data->payload[1]))\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_cisco_sslvpn = {\n\tLPI_PROTO_UDP_CISCO_SSLVPN,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"CiscoSSLVPN\",\n\t5,\n\tmatch_cisco_sslvpn\n};\n\nvoid register_cisco_sslvpn(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_cisco_sslvpn, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_classin_udp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_classin_41(uint32_t payload, uint32_t len) {\n        if (len == 41 && MATCH(payload, 0x1a, 0x03, 0x00, 0x02)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_classin_56(uint32_t payload, uint32_t len) {\n        if (len == 56 && MATCH(payload, 0x1a, 0x03, 0x00, 0x02)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_classin_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_classin_41(data->payload[0], data->payload_len[0])) {\n                if (match_classin_56(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_classin_41(data->payload[1], data->payload_len[1])) {\n                if (match_classin_56(data->payload[0], 
data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_classin_udp = {\n\tLPI_PROTO_UDP_CLASSIN,\n\tLPI_CATEGORY_EDUCATIONAL,\n\t\"ClassIn_UDP\",\n\t133,\n\tmatch_classin_udp\n};\n\nvoid register_classin_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_classin_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_cloudflare_warp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* 01 == handshake begin */\nstatic inline bool match_warp_01(uint32_t payload, uint32_t len) {\n\n        if (len != 148) {\n                return false;\n        }\n\n        if (MATCH(payload, 0x01, ANY, ANY, ANY)) {\n                if (MATCH(payload, 0x01, 0x00, 0x00, 0x00)) {\n                        return false;\n                }\n                return true;\n        }\n        return false;\n}\n\n/* 02 == handshake reply */\nstatic inline bool match_warp_02(uint32_t payload, uint32_t len) {\n\n        if (len != 92) {\n                return false;\n        }\n\n        if (MATCH(payload, 0x02, ANY, ANY, ANY)) {\n                return true;\n        }\n        return false;\n}\n\n/* 04 == data (for sessions where we missed part of the handshake) */\nstatic inline bool match_warp_04(uint32_t payload, uint32_t len) {\n\n        /* 100 is 
approximate, but 1312 seems to be an actual\n         * Max Datagram Size */\n        if (len < 100 || len > 1312) {\n                return false;\n        }\n\n        if (MATCH(payload, 0x04, ANY, ANY, ANY)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool is_cf_warp_port(lpi_data_t *data) {\n        if (data->server_port == 2408 || data->client_port == 2408) {\n                return true;\n        }\n        if (data->server_port == 1701 || data->client_port == 1701) {\n                return true;\n        }\n        if (data->server_port == 500 || data->client_port == 500) {\n                return true;\n        }\n        return false;\n}\n\n\nstatic inline bool match_cloudflare_warp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (!is_cf_warp_port(data)) {\n                return false;\n        }\n\n        if (match_warp_01(data->payload[0], data->payload_len[0])) {\n                if (match_warp_02(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n                if (match_warp_04(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_warp_01(data->payload[1], data->payload_len[1])) {\n                if (match_warp_02(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n                if (match_warp_04(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_cloudflare_warp = {\n\tLPI_PROTO_UDP_CLOUDFLARE_WARP,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"CloudflareWarp\",\n\t21,\n\tmatch_cloudflare_warp\n};\n\nvoid register_cloudflare_warp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_cloudflare_warp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_cod.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_cod_payload(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n        if (!MATCH(payload, 0xff, 0xff, 0xff, 0xff))\n                return false;\n        return true;\n\n}\n\n\nstatic inline bool match_callofduty(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (!match_cod_payload(data->payload[0], data->payload_len[0]))\n                return false;\n        if (!match_cod_payload(data->payload[1], data->payload_len[1]))\n                return false;\n\n        /* One packet is always 14 or 15 bytes, the other is usually much \n         * larger */\n        if (data->payload_len[0] == 14 || data->payload_len[0] == 15) {\n                if (data->payload_len[1] == 0)\n                        return true;\n                if (data->payload_len[1] > 100)\n                        
return true;\n        }\n\n        if (data->payload_len[1] == 14 || data->payload_len[1] == 15) {\n                if (data->payload_len[0] == 0)\n                        return true;\n                if (data->payload_len[0] > 100)\n                        return true;\n        }\n\n        /* 13 is also observed */\n        if (data->payload_len[0] == 13) {\n                if (data->payload_len[1] > 880)\n                        return true;\n                if (data->payload_len[1] >= 225 && data->payload_len[1] <= 250)\n                        return true;\n        }\n\n        /* Other packet size combos */\n\n        /* 74 seems to be common on port 20800 which is associated with\n         * COD:WaW\n         */\n        if (data->payload_len[0] == 74) {\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n        if (data->payload_len[1] == 74) {\n                if (data->payload_len[0] == 0)\n                        return true;\n        }\n\n        if (data->payload_len[0] == 45) {\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n        if (data->payload_len[1] == 45) {\n                if (data->payload_len[0] == 0)\n                        return true;\n        }\n\n        if (data->payload_len[0] == 53) {\n                if (data->payload_len[1] < 30)\n                        return false;\n                if (data->payload_len[1] > 33)\n                        return false;\n                return true;\n        }\n        if (data->payload_len[1] == 53) {\n                if (data->payload_len[0] < 30)\n                        return false;\n                if (data->payload_len[0] > 33)\n                        return false;\n                return true;\n        }\n\n        if (data->payload_len[0] == 16) {\n                if (data->payload_len[1] == 18)\n                        return true;\n                if (data->payload_len[1] == 16)\n    
                    return true;\n                if (data->payload_len[1] == 13)\n                        return true;\n                if (data->payload_len[1] == 0) {\n                \treturn true;\n\t\t}\n        }\n\n        if (data->payload_len[1] == 16) {\n                if (data->payload_len[0] == 18)\n                        return true;\n                if (data->payload_len[0] == 16)\n                        return true;\n                if (data->payload_len[0] == 13)\n                        return true;\n                if (data->payload_len[0] == 0) {\n                        return true;\n                }\n        }\n\n        if (data->payload_len[0] >= 16 && data->payload_len[0] <= 19) {\n                if (data->payload_len[1] < 40)\n                        return false;\n                if (data->payload_len[1] > 44)\n                        return false;\n                return true;\n        }\n\n        if (data->payload_len[1] >= 16 && data->payload_len[1] <= 19) {\n                if (data->payload_len[0] < 40)\n                        return false;\n                if (data->payload_len[0] > 44)\n                        return false;\n                return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_callofduty = {\n\tLPI_PROTO_UDP_COD,\n\tLPI_CATEGORY_GAMING,\n\t\"Call_of_Duty\",\n\t60,\t/* Must be lower priority than XLSP */\n\tmatch_callofduty\n};\n\nvoid register_callofduty(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_callofduty, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_codmobile.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_cod_mob84(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x43, 0x01, 0xc0, 0x12) && len == 84) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_cod_mob12(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x43, 0x02, 0xc0, 0x00) && len == 12) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_codmobile(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_cod_mob84(data->payload[0], data->payload_len[0])) {\n                if (match_cod_mob12(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_cod_mob84(data->payload[1], data->payload_len[1])) {\n                if (match_cod_mob12(data->payload[0], 
data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_codmobile = {\n\tLPI_PROTO_UDP_COD_MOBILE,\n\tLPI_CATEGORY_GAMING,\n\t\"CallOfDuty_Mobile\",\n\t15,\n\tmatch_codmobile\n};\n\nvoid register_codmobile(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_codmobile, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_combatarms.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_arms_5(uint32_t payload, uint32_t len) {\n        if (len == 5 && MATCH(payload, 0x00, 0xf1, 0x37, 0x13))\n                return true;\n        return false;\n}\n\nstatic inline bool match_arms_any(uint32_t payload, uint32_t len) {\n        if (len < 100 && MATCH(payload, 0x00, 0xf1, 0x37, 0x13))\n                return true;\n        return false;\n}\n\nstatic inline bool match_combatarms(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_arms_5(data->payload[0],data->payload_len[0])) {\n                if (match_arms_any(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_arms_5(data->payload[1],data->payload_len[1])) {\n                if (match_arms_any(data->payload[0], data->payload_len[0]))\n                        return true;\n        
}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_combatarms = {\n\tLPI_PROTO_UDP_COMBATARMS,\n\tLPI_CATEGORY_GAMING,\n\t\"CombatArms\",\n\t40,\n\tmatch_combatarms\n};\n\nvoid register_combatarms(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_combatarms, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_combatarms_p2p.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_arms_p2p_ping(uint32_t payload, uint32_t len) {\n        if (len == 28 && MATCH(payload, 0x00, 0x00, 0xc0, 0x00))\n                return true;\n        if (len == 28 && MATCH(payload, 0x00, 0x00, 0xc0, 0x01))\n                return true;\n        return false;\n}\n\nstatic inline bool match_arms_p2p_pong(uint32_t payload, uint32_t len) {\n        if (len == 28 && MATCH(payload, 0x00, 0x00, 0xc0, 0x00))\n                return true;\n        if (len == 28 && MATCH(payload, 0x00, 0x00, 0xc0, 0x01))\n                return true;\n        if (len == 0)\n                return true;\n        return false;\n}\n\nstatic inline bool match_combatarms_p2p(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Another protocol, probably used for direct player to\n         * player communication. 
*/\n\n        if (match_arms_p2p_ping(data->payload[0], data->payload_len[0])) {\n                if (match_arms_p2p_pong(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_arms_p2p_ping(data->payload[1], data->payload_len[1])) {\n                if (match_arms_p2p_pong(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_combatarms_p2p = {\n\tLPI_PROTO_UDP_COMBATARMS_P2P,\n\tLPI_CATEGORY_GAMING,\n\t\"CombatArms_P2P\",\n\t140,\n\tmatch_combatarms_p2p\n};\n\nvoid register_combatarms_p2p(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_combatarms_p2p, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_contract_wars.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_cw_09(uint32_t payload, uint32_t len) {\n\n        if (len < 1300) {\n                return false;\n        }\n\n        if (MATCH(payload, 0x09, 0x0b, 0x0d, 0xd0)) {\n                return true;\n        }\n        if (MATCH(payload, 0x09, 0x0b, 0x00, 0x80)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_cw_0a(uint32_t payload, uint32_t len) {\n\n        if (len < 1300) {\n                return false;\n        }\n\n        if (MATCHSTR(payload, \"\\x0a\\x00\\xff\\xff\")) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_contract_wars(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_cw_09(data->payload[0], data->payload_len[0])) {\n                if (match_cw_0a(data->payload[1], data->payload_len[1])) {\n    
                    return true;\n                }\n        }\n\n        if (match_cw_09(data->payload[1], data->payload_len[1])) {\n                if (match_cw_0a(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_contract_wars = {\n\tLPI_PROTO_UDP_CONTRACT_WARS,\n\tLPI_CATEGORY_GAMING,\n\t\"ContractWars\",\n\t50,\n\tmatch_contract_wars\n};\n\nvoid register_contract_wars(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_contract_wars, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_crossfire.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_cf_25(uint32_t payload, uint32_t len) {\n\n        if (len == 25 && MATCH(payload, 0xc7, 0xd9, 0x19, 0x99))\n                return true;\n        if (len == 35 && MATCH(payload, 0xc7, 0xd9, 0x19, 0x99))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_cf_5(uint32_t payload, uint32_t len) {\n\n        if (len == 5 && MATCH(payload, 0xc7, 0xd9, 0x19, 0x99))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_crossfire(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_cf_25(data->payload[0], data->payload_len[0])) {\n                if (match_cf_5(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_cf_25(data->payload[1], data->payload_len[1])) {\n                if 
(match_cf_5(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_crossfire = {\n\tLPI_PROTO_UDP_CROSSFIRE,\n\tLPI_CATEGORY_GAMING,\n\t\"CrossfireUDP\",\n\t10,\n\tmatch_crossfire\n};\n\nvoid register_crossfire(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_crossfire, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_crossout.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_co_05(uint32_t payload, uint32_t len) {\n\n        if (len == 1322 && MATCHSTR(payload, \"\\x05\\x00\\xff\\xff\"))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_co_06(uint32_t payload, uint32_t len) {\n\n        if (len == 1322 && MATCHSTR(payload, \"\\x06\\x00\\xff\\xff\"))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_crossout(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_co_05(data->payload[0], data->payload_len[0])) {\n                if (match_co_06(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_co_05(data->payload[1], data->payload_len[1])) {\n                if (match_co_06(data->payload[0], data->payload_len[0]))\n                        return true;\n       
 }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_crossout = {\n\tLPI_PROTO_UDP_CROSSOUT,\n\tLPI_CATEGORY_GAMING,\n\t\"Crossout\",\n\t11,\n\tmatch_crossout\n};\n\nvoid register_crossout(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_crossout, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_csgo.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Pretty sure this is Counterstrike: Global Offensive (saw references to the\n * map 'mg_de_dust' in other flows between the same endpoints).\n */\n\nstatic inline bool match_ff_csgo(lpi_data_t *data) {\n\n        if (!match_str_both(data, \"\\xff\\xff\\xff\\xff\", \"\\xff\\xff\\xff\\xff\"))\n                return false;\n\n        if (data->payload_len[0] == 33 && data->payload_len[1] == 18)\n                return true;\n        if (data->payload_len[1] == 33 && data->payload_len[0] == 18)\n                return true;\n\n        if (data->payload_len[0] == 23 && data->payload_len[1] >= 61 &&\n                        data->payload_len[1] <= 66)\n                return true;\n        if (data->payload_len[1] == 23 && data->payload_len[0] >= 61 &&\n                        data->payload_len[0] <= 66)\n                return true;\n\n\treturn 
false;\n}\n\nstatic inline bool match_sdping(uint32_t payload) {\n        if (MATCH(payload, 0x01, 0x00, 's', 'd'))\n                return true;\n        return false;\n}\n\nstatic inline bool match_sdpong(uint32_t payload) {\n        if (MATCH(payload, 0x02, 0x12, 'T', 'l'))\n                return true;\n        if (MATCH(payload, 0x02, 0x12, 'T', 'd'))\n                return true;\n        if (MATCH(payload, 0x02, 0x12, 'X', 'd'))\n                return true;\n        return false;\n}\n\nstatic inline bool match_csgo(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_ff_csgo(data)) {\n                return true;\n        }\n\n        if (match_sdping(data->payload[0])) {\n                if (match_sdpong(data->payload[1]))\n                        return true;\n        }\n\n        if (match_sdping(data->payload[1])) {\n                if (match_sdpong(data->payload[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_csgo = {\n\tLPI_PROTO_UDP_CS_GLOBAL_OFFENSIVE,\n\tLPI_CATEGORY_GAMING,\n\t\"CSGlobalOffensive\",\n\t18,\n\tmatch_csgo\n};\n\nvoid register_csgo(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_csgo, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_csoriginal.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_csorig_14(uint32_t payload, uint32_t len) {\n        if (len == 14 && MATCHSTR(payload, \"\\xff\\xff\\xff\\xff\"))\n                return true;\n        return false;\n}\n\nstatic inline bool match_csorig_big(uint32_t payload, uint32_t len) {\n\n        if (len >= 800 && len < 1000 && MATCHSTR(payload, \"\\xff\\xff\\xff\\xff\"))\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_csoriginal(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_csorig_14(data->payload[0], data->payload_len[0])) {\n                if (match_csorig_big(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_csorig_14(data->payload[1], data->payload_len[1])) {\n                if (match_csorig_big(data->payload[0], data->payload_len[0]))\n       
                 return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_csoriginal = {\n\tLPI_PROTO_UDP_COUNTERSTRIKE_16,\n\tLPI_CATEGORY_GAMING,\n\t\"Counterstrike1.6\",\n\t50,\n\tmatch_csoriginal\n};\n\nvoid register_csoriginal(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_csoriginal, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_dahua.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Chinese IP surveillance Cameras */\n\nstatic inline bool match_dahua_p2p(uint32_t payload, uint32_t len) {\n        if (len == 44 && MATCHSTR(payload, \"\\xff\\xfe\\xff\\xe7\"))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_dahua(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_dahua_p2p(data->payload[0], data->payload_len[0])) {\n                if (match_dahua_p2p(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_dahua = {\n\tLPI_PROTO_UDP_DAHUA,\n\tLPI_CATEGORY_IPCAMERAS,\n\t\"Dahua\",\n\t13,\n\tmatch_dahua\n};\n\nvoid register_dahua(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_dahua, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_db2.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_db2_query(uint32_t payload, uint32_t len) {\n\n        if (len != 20)\n                return false;\n\n        if (!MATCHSTR(payload, \"DB2G\"))\n                return false;\n        return true;\n\n}\n\nstatic inline bool match_db2_response(uint32_t payload, uint32_t len) {\n        if (len == 0)\n                return true;\n\n        return false;\n\n}\n\nstatic inline bool match_db2(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n        /* Only ever seen this as scan traffic so far, so no idea what the\n         * response should look like.\n         */\n\n        /* Assume port 523 for now */\n        if (data->server_port != 523 && data->client_port != 523)\n                return false;\n\n        if (match_db2_query(data->payload[0], data->payload_len[0])) {\n                if (match_db2_response(data->payload[1], 
data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_db2_query(data->payload[1], data->payload_len[1])) {\n                if (match_db2_response(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\treturn false;\n}\n\nstatic lpi_module_t lpi_db2 = {\n\tLPI_PROTO_UDP_DB2,\n\tLPI_CATEGORY_DATABASES,\n\t\"IBM-DB2\",\n\t6,\n\tmatch_db2\n};\n\nvoid register_db2(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_db2, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_dcc.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* DCC is the IRC-based file sharing protocol, not to be confused with\n * Direct Connect */\n\nstatic inline bool match_dcc_length(uint32_t payload, uint32_t len) {\n\n\tuint32_t hdr_len;\n\n\thdr_len = (ntohl(payload)) >> 16;\n\n\tif (hdr_len == len)\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_dcc_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (!match_dcc_length(data->payload[0], data->payload_len[0]))\n\t\treturn false;\n\tif (!match_dcc_length(data->payload[1], data->payload_len[1]))\n\t\treturn false;\n\n\t/* Byte 3 must match */\n\tif ((ntohl(data->payload[0]) & 0xff00) != (ntohl(data->payload[1]) & 0xff00))\n\t\treturn false;\n\n\tif (MATCH(data->payload[0], ANY, ANY, ANY, 0x01)) {\n\t\tif (MATCH(data->payload[1], ANY, ANY, ANY, 0x06))\n\t\t\treturn true;\n\t}\n\t\n\tif (MATCH(data->payload[1], ANY, ANY, ANY, 
0x01)) {\n\t\tif (MATCH(data->payload[0], ANY, ANY, ANY, 0x06))\n\t\t\treturn true;\n\t}\n\n\tif (MATCH(data->payload[0], ANY, ANY, ANY, 0x02)) {\n\t\tif (MATCH(data->payload[1], ANY, ANY, ANY, 0x04))\n\t\t\treturn true;\n\t}\n\t\n\tif (MATCH(data->payload[1], ANY, ANY, ANY, 0x02)) {\n\t\tif (MATCH(data->payload[0], ANY, ANY, ANY, 0x04))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_dcc_udp = {\n\tLPI_PROTO_UDP_DCC,\n\tLPI_CATEGORY_CHAT,\n\t\"DCC_UDP\",\n\t8,\n\tmatch_dcc_udp\n};\n\nvoid register_dcc_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_dcc_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_demonware.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_demonware(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* This is some sort of control channel for demonware? 
*/\n        if (data->payload_len[0] == 15 && data->payload_len[1] == 0) {\n                if (MATCH(data->payload[0], 0x15, 0x02, 0x00, ANY))\n                        return true;\n        }\n\n        if (data->payload_len[1] == 15 && data->payload_len[0] == 0) {\n                if (MATCH(data->payload[1], 0x15, 0x02, 0x00, ANY))\n                        return true;\n        }\n\n\n        /* Demonware bandwidth testing involves sending a series of 1024\n         * byte packets to a known server - each packet has an incrementing\n         * seqno, starting from zero */\n\n        if (!match_str_both(data, \"\\x00\\x00\\x00\\x00\", \"\\x00\\x00\\x00\\x00\"))\n                return false;\n\n        if (data->payload_len[0] == 1024) {\n                if (data->payload_len[1] == 0)\n                        return true;\n                if (data->payload_len[1] == 1024)\n                        return true;\n        }\n\n        if (data->payload_len[1] == 1024) {\n                if (data->payload_len[0] == 0)\n                        return true;\n        }\n\n        /* Sometimes 512 bytes are used as well, but only ever one-way */\n        if (data->payload_len[0] == 512) {\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n        if (data->payload_len[1] == 512) {\n                if (data->payload_len[0] == 0)\n                        return true;\n        }\n\n        /* Could also check for ports 3074 and 3075 if needed */\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_demonware = {\n\tLPI_PROTO_UDP_DEMONWARE,\n\tLPI_CATEGORY_GAMING,\n\t\"Demonware\",\n\t4,\n\tmatch_demonware\n};\n\nvoid register_demonware(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_demonware, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_destiny_udp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_destiny_299(uint32_t payload, uint32_t len) {\n        if (len == 299 && MATCH(payload, 0x00, 0x00, 0x00, 0x01))\n                return true;\n        return false;\n}\n\nstatic inline bool match_destiny_423(uint32_t payload, uint32_t len) {\n        if (len == 423 && MATCH(payload, 0x00, 0x00, 0x00, 0x01))\n                return true;\n        return false;\n}\n\nstatic inline bool match_destiny_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 3074 && data->client_port != 3074)\n                return false;\n\n        if (match_destiny_299(data->payload[0], data->payload_len[0])) {\n                if (match_destiny_423(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_destiny_299(data->payload[1], data->payload_len[1])) {\n    
            if (match_destiny_423(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_destiny_udp = {\n\tLPI_PROTO_UDP_DESTINY,\n\tLPI_CATEGORY_GAMING,\n\t\"DestinyUDP\",\n\t166,\n\tmatch_destiny_udp\n};\n\nvoid register_destiny_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_destiny_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_dhcp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_dhcp_v4(lpi_data_t *data) {\n\tif (match_chars_either(data, 0x01, 0x01, 0x06, 0x00))\n\t\treturn true;\n\tif (match_chars_either(data, 0x02, 0x01, 0x06, 0x00))\n\t\treturn true;\n\t\n\treturn false;\n}\n\nstatic inline bool match_dhcp_v6_ports(uint16_t porta, uint16_t portb) {\n\tif (porta == 547 && portb == 546)\n\t\treturn true;\n\tif (portb == 547 && porta == 546)\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_dhcp_v6_solicit(uint32_t payload, uint32_t len) {\n\n\tif (len < 52)\n\t\treturn false;\n\tif (!MATCH(payload, 0x01, ANY, ANY, ANY))\n\t\treturn false;\n\n\treturn true;\n\n}\n\nstatic inline bool match_dhcp_v6_advert(uint32_t payload, uint32_t len) {\n\n\tif (len == 0)\n\t\treturn true;\n\tif (MATCH(payload, 0x02, ANY, ANY, ANY))\n\t\treturn false;\n\t\n\treturn true;\n\n}\n\nstatic inline bool 
match_dhcp_v6(lpi_data_t *data) {\n\n\tif (!match_dhcp_v6_ports(data->server_port, data->client_port))\n\t\treturn false;\n\n\tif (match_dhcp_v6_solicit(data->payload[0], data->payload_len[0])) {\n\t\tif (match_dhcp_v6_advert(data->payload[1], \n\t\t\t\tdata->payload_len[1])) {\n\t\t\treturn true;\n\t\t}\n\t}\n\n\tif (match_dhcp_v6_solicit(data->payload[1], data->payload_len[1])) {\n\t\tif (match_dhcp_v6_advert(data->payload[0], \n\t\t\t\tdata->payload_len[0])) {\n\t\t\treturn true;\n\t\t}\n\t}\n\n\treturn false;\n}\n\nstatic inline bool match_dhcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\n\tif (match_dhcp_v4(data))\n\t\treturn true;\n\tif (match_dhcp_v6(data))\n\t\treturn true;\n\t\n\treturn false;\n\t\n}\n\n\nstatic lpi_module_t lpi_dhcp = {\n\tLPI_PROTO_UDP_DHCP,\n\tLPI_CATEGORY_SERVICES,\n\t\"DHCP\",\n\t8,\n\tmatch_dhcp\n};\n\nvoid register_dhcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_dhcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_dht_dict.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Separate modules for dictionary-style DHT (which has a much stronger rule)\n * and Vuze DHTs (which are not so strong) \n *\n * This source file also covers the uTP protocol, which typically shares the\n * same flow as the dictionary DHTs\n */\n\nstatic inline bool match_utp_query(uint32_t payload, uint32_t len) {\n\n\tif (MATCH(payload, 0x01, 0x00, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0x11, 0x00, ANY, ANY) && len == 20)\n                return true;\n\tif (MATCH(payload, 0x21, 0x02, ANY, ANY) && len == 30)\n                return true;\n        if (MATCH(payload, 0x21, 0x00, ANY, ANY) && len == 20)\n                return true;\n\tif (MATCH(payload, 0x31, 0x02, ANY, ANY) && len == 30)\n                return true;\n        if (MATCH(payload, 0x31, 0x00, ANY, ANY) && len == 20)\n                return true;\n\tif 
(MATCH(payload, 0x41, 0x02, ANY, ANY) && len == 30)\n                return true;\n        if (MATCH(payload, 0x41, 0x00, ANY, ANY) && len == 20)\n                return true;\n        return false;\t\n\n}\n\nstatic inline bool match_utp_reply(uint32_t payload, uint32_t len) {\n\n\tif (len == 0)\n\t\treturn true;\n        if (MATCH(payload, 0x11, 0x00, ANY, ANY) && len == 20)\n                return true;\n\tif (MATCH(payload, 0x21, 0x02, ANY, ANY) && (len == 30 || len == 33))\n                return true;\n        if (MATCH(payload, 0x21, 0x01, ANY, ANY) && (len == 26 || len == 23))\n                return true;\n        if (MATCH(payload, 0x21, 0x00, ANY, ANY) && len == 20)\n                return true;\n\tif (MATCH(payload, 0x31, 0x02, ANY, ANY) && len == 30)\n                return true;\n        if (MATCH(payload, 0x31, 0x00, ANY, ANY) && len == 20)\n                return true;\n        if (MATCH(payload, 0x41, 0x00, ANY, ANY) && len == 20)\n                return true;\n\tif (MATCH(payload, 0x41, 0x02, ANY, ANY) && (len == 33 || len == 30))\n                return true;\n\n\treturn false;\n}\n\nstatic inline bool match_opentracker_98(uint32_t payload, uint32_t len) {\n        if (len == 98 || len == 109)\n                return true;\n        return false;\n}\n\nstatic inline bool match_opentracker_X6(uint32_t payload, uint32_t len) {\n        if (len >= 36 && (len % 10) == 6)\n                return true;\n        return false;\n}\n\nstatic inline bool match_opentracker_01(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x00, 0x00, 0x00, 0x01))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_opentracker_02(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x00, 0x00, 0x00, 0x02))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_dict_query(uint32_t payload, uint32_t len) {\n\n\tif (MATCH(payload, 'd', '1', ':', 'a'))\n\t\treturn true;\n\tif 
(MATCH(payload, 'd', '1', ':', 'r'))\n\t\treturn true;\n\tif (MATCH(payload, 'd', '1', ':', 'e'))\n\t\treturn true;\n\tif (MATCH(payload, 'd', '1', ':', 'q'))\n\t\treturn true;\n\tif (MATCH(payload, 'd', '1', ':', 't'))\n\t\treturn true;\n\tif (MATCH(payload, 'd', '1', ANY, ':'))\n\t\treturn true;\n\t\n\treturn false;\n\n}\n\nstatic inline bool match_dict_reply(uint32_t payload, uint32_t len) {\n\n\tif (len == 0)\n\t\treturn true;\n\n\tif (MATCH(payload, 'd', '1', ':', 'a'))\n\t\treturn true;\n\tif (MATCH(payload, 'd', '1', ':', 'r'))\n\t\treturn true;\n\tif (MATCH(payload, 'd', '1', ':', 'e'))\n\t\treturn true;\n\tif (MATCH(payload, 'd', '1', ANY, ':'))\n\t\treturn true;\n\tif (MATCH(payload, 'd', '2', ':', 'i'))\n\t\treturn true;\n\t\n\t/* These are a bit iffy, but this seems to be what happens in\n\t * response to a lot of dict queries :/ */\n\tif (len == 23)\n\t\treturn true;\n\tif (len == 33)\n\t\treturn true;\n\n\n\treturn false;\n\n}\n\nstatic inline bool num_seq_match(uint32_t query, uint32_t resp) {\n\n\tuint32_t query_seq = (ntohl(query)) & 0x0000ffff;\n\tuint32_t resp_seq = (ntohl(resp)) & 0x0000ffff;\n\n\tif (query_seq == resp_seq)\n\t\treturn true;\n\n\t/* Allowed to be seq +/- 1 as well, apparently */\n\tif (query_seq == resp_seq + 1)\n\t\treturn true;\n\tif (query_seq == resp_seq - 1)\n\t\treturn true;\n\n\treturn false;\n\n}\n\nstatic inline bool match_bt_search(uint32_t payload, uint32_t len) {\n\n\t/* Matches the BT-SEARCH command, which we've seen while messing with\n\t * World of Warcraft */\n\tif (MATCHSTR(payload, \"BT-S\"))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_dht_dict(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_dict_query(data->payload[0], data->payload_len[0])) {\n\t\tif (match_dict_reply(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t\tif (match_utp_reply(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t\tif (match_utp_query(data->payload[1], 
data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\t\n\tif (match_dict_query(data->payload[1], data->payload_len[1])) {\n\t\tif (match_dict_reply(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t\tif (match_utp_reply(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t\tif (match_utp_query(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\tif (match_utp_query(data->payload[0], data->payload_len[0])) {\n\t\t\n\t\tif (MATCH(data->payload[0], 0x01, 0x00, ANY, ANY)) {\n\t\t\tif (!num_seq_match(data->payload[0], data->payload[1]))\n\t\t\t\treturn false;\n\t\t\t\n\t\t}\n\n\t\tif (match_utp_reply(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t\tif (match_dict_reply(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_utp_query(data->payload[1], data->payload_len[1])) {\n\t\tif (MATCH(data->payload[1], 0x01, 0x00, ANY, ANY)) {\n\t\t\tif (!num_seq_match(data->payload[1], data->payload[0]))\n\t\t\t\treturn false;\n\t\t}\n\t\tif (match_utp_reply(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t\tif (match_dict_reply(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\tif (match_bt_search(data->payload[0], data->payload_len[0])) {\n\t\tif (data->payload_len[1] == 0)\n\t\t\treturn true;\n\t}\n\tif (match_bt_search(data->payload[1], data->payload_len[1])) {\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t}\n\n\n        if (match_opentracker_X6(data->payload[0], data->payload_len[0])) {\n                if (match_opentracker_02(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n        \n        if (match_opentracker_X6(data->payload[1], data->payload_len[1])) {\n                if (match_opentracker_02(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n        \n        if (match_opentracker_98(data->payload[0], data->payload_len[0])) {\n                if 
(match_opentracker_01(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n        \n        if (match_opentracker_98(data->payload[1], data->payload_len[1])) {\n                if (match_opentracker_01(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\n\nstatic lpi_module_t lpi_dht_dict = {\n\tLPI_PROTO_UDP_BTDHT,\n\tLPI_CATEGORY_P2P,\n\t\"BitTorrent_UDP\",\n\t6,\n\tmatch_dht_dict\n};\n\nvoid register_dht_dict(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_dht_dict, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_dht_other.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* http://xbtt.sourceforge.net/udp_tracker_protocol.html */\nstatic inline bool match_xbt_tracker(lpi_data_t *data) {\n\n        if (data->payload_len[0] != 0 && data->payload_len[0] != 16)\n                return false;\n        if (data->payload_len[1] != 0 && data->payload_len[1] != 16)\n                return false;\n\n        if (!match_chars_either(data, 0x00, 0x00, 0x04, 0x17))\n                return false;\n\n        if (data->payload_len[0] == 0 || data->payload_len[1] == 0)\n                return true;\n\n        if (data->payload_len[0] == 16 && data->payload_len[1] == 16 &&\n                        match_chars_either(data, 0x00, 0x00, 0x00, 0x00))\n                return true;\n\n        return false;\n\n}\n\n\nstatic inline bool match_unknown_btudp(lpi_data_t *data) {\n\n        /* I have not been able to figure out exactly what this 
stuff\n         * is, but I'm pretty confident it is somehow related to a\n         * BitTorrent implementation or two */\n\n        /* The recipient does not reply */\n        if (data->payload_len[0] > 0 && data->payload_len[1] > 0)\n                return false;\n\n        if (!(match_str_both(data, \"\\x00\\x00\\x00\\x00\", \"\\x00\\x00\\x00\\x00\")))\n                return false;\n\n        if (data->payload_len[0] == 14 || data->payload_len[0] == 18)\n                return true;\n        if (data->payload_len[1] == 14 || data->payload_len[1] == 18)\n                return true;\n\n        return false;\n\n}\n\nstatic inline bool match_vuze_dht_request(uint32_t payload, uint32_t len,\n                bool check_msb) {\n\n\n        /* Some implementations don't choose an appropriate MSB or get the\n         * byte ordering wrong, so we only force an MSB check when we're\n         * examining requests that get no response.\n         */\n\n        if (len < 4)\n                return false;\n\n        if (check_msb) {\n\n                if ((ntohl(payload) & 0x80000000) != 0x80000000)\n                        return false;\n\n        } else {\n                /* Automatically return true if the MSB is set, regardless of\n                 * request size */\n\n                if ((ntohl(payload) & 0x80000000) == 0x80000000)\n                        return true;\n        }\n\n\n        if (len == 42 || len == 51) {\n                return true;\n        }\n\n        if (len == 63 || len == 65 || len == 71)\n                return true;\n\n        return false;\n\n}\n\nstatic inline bool match_vuze_dht_reply(uint32_t data, uint32_t len) {\n\n        /* Each reply action is an odd number */\n\n        if (MATCH(data, 0x00, 0x00, 0x04, 0x01))\n                return true;\n        if (MATCH(data, 0x00, 0x00, 0x04, 0x03))\n                return true;\n        if (MATCH(data, 0x00, 0x00, 0x04, 0x05))\n                return true;\n        if (MATCH(data, 0x00, 0x00, 
0x04, 0x07))\n                return true;\n\n        /* Except for this one, which is an error message */\n        if (MATCH(data, 0x00, 0x00, 0x04, 0x08))\n                return true;\n\n        return false;\n\n\n}\n\nstatic inline bool match_vuze_dht_alt(lpi_data_t *data) {\n\n        /* Flows matching this rule *appear* to be doing something related\n         * to the Vuze DHT system, but this behaviour is undocumented.\n         *\n         * I have observed flows that match the conventional Vuze DHT rule\n         * involving the same IP/port as flows that match this rule, so\n         * that does suggest it is related to Vuze somehow. */\n\n        if (data->payload_len[0] != 0 &&\n                        (ntohl(data->payload[0]) & 0x80000000) != 0x80000000)\n                return false;\n        if (data->payload_len[1] != 0 &&\n                        (ntohl(data->payload[1]) & 0x80000000) != 0x80000000)\n                return false;\n\n        if (data->payload_len[0] == 90 && data->payload_len[1] == 79)\n                return true;\n        if (data->payload_len[1] == 90 && data->payload_len[0] == 79)\n                return true;\n        if (data->payload_len[0] == 90 && data->payload_len[1] == 0)\n                return true;\n        if (data->payload_len[1] == 90 && data->payload_len[0] == 0)\n                return true;\n\n        return false;\n}\n\n\nstatic inline bool match_vuze_dht(lpi_data_t *data) {\n\n        /* OK, gotta rework this one as this protocol is a bit messed up in \n         * the implementation.\n         *\n         * Normally, we have a request which contains a random number in\n         * the first four bytes. However, the MSB of that number must be\n         * set to one.\n         *\n         * The reply begins with a four byte action which is easy to identify.\n         *\n         * However, we also get replies in both directions (which is a bit\n         * odd). 
I'm also seeing requests where the MSB is not set, which is\n         * a definite violation.\n         *\n         * However, I think we want to count these - they are clearly attempts\n         * to use this protocol so classing them as unknown doesn't seem\n         * right.\n         */\n\n        if (match_vuze_dht_reply(data->payload[0], data->payload_len[0])) {\n\n                if (data->payload_len[1] == 0)\n                        return true;\n\n                if (match_vuze_dht_request(data->payload[1],\n                                data->payload_len[1], false))\n                        return true;\n\n                /* Check for replies in both directions */\n                if (match_vuze_dht_reply(data->payload[1],\n                                data->payload_len[1]))\n                        return true;\n\n        }\n        if (match_vuze_dht_reply(data->payload[1], data->payload_len[1])) {\n\n                if (data->payload_len[0] == 0)\n                        return true;\n\n                if (match_vuze_dht_request(data->payload[0],\n                                data->payload_len[0], false))\n                        return true;\n\n                /* Check for replies in both directions */\n                if (match_vuze_dht_reply(data->payload[0],\n                                data->payload_len[0]))\n                        return true;\n\n        }\n\n        /* Check for unanswered requests - these are much harder to match,\n         * because they are simply a random conn id. 
We can only hope to match\n         * on common packet sizes and the MSB being set \n         *\n         * XXX This could lead to a few false positives, so be careful */\n\n        if (data->payload[0] == 0) {\n                if (match_vuze_dht_request(data->payload[1],\n                                data->payload_len[1], true))\n                        return true;\n        }\n\n        if (data->payload[1] == 0) {\n                if (match_vuze_dht_request(data->payload[0],\n                                data->payload_len[0], true))\n                        return true;\n        }\n\n\t/* Apparently, we can also see requests both ways, which is a bit\n\t * less than ideal....\n\t */\n\tif (match_vuze_dht_request(data->payload[0], data->payload_len[0], true) && match_vuze_dht_request(data->payload[1], data->payload_len[1], true))\n\t\treturn true;\n\t\n\n        if (match_vuze_dht_alt(data))\n                return true;\n\n        return false;\n\n\n\n}\n\nstatic inline bool match_unknown_dht(lpi_data_t *data) {\n\n        /* I don't know exactly what BT clients do this, but there are often\n         * DHT queries and responses present in flows that match this rule,\n         * so we're going to go with some form of Bittorrent */\n\n        if (data->payload[0] == 0 || data->payload[1] == 0)\n                return false;\n\n        /* Both initial packets are 33 bytes and have the exact same \n         * payload */\n        if (data->payload_len[0] != 33 || data->payload_len[1] != 33)\n                return false;\n\n        if (data->payload[0] != data->payload[1])\n                return false;\n\n        return true;\n\n}\n\n\nstatic inline bool match_dht_other(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_unknown_btudp(data))\n\t\treturn true;\t\n\tif (match_vuze_dht(data))\n\t\treturn true;\n\tif (match_xbt_tracker(data))\n\t\treturn true;\n\tif (match_unknown_dht(data))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t 
lpi_dht_other = {\n\tLPI_PROTO_UDP_BTDHT,\n\tLPI_CATEGORY_P2P,\n\t\"BitTorrent_UDP\",\n\t12,\t/* Needs to be lower priority than DNS, at least in cases \n\t\t * where traffic is one-way only */\n\tmatch_dht_other\n};\n\nvoid register_dht_other(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_dht_other, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_diablo2.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_diablo2_message(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n\n        if (MATCH(payload, 0x03, 0x00, 0x00, 0x00) && len == 8)\n                return true;\n        if (MATCH(payload, 0x05, 0x00, 0x00, 0x00) && len == 8)\n                return true;\n        if (MATCH(payload, 0x09, 0x00, 0x00, 0x00) && len == 12)\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_diablo2(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->server_port != 6112 && data->client_port != 6112)\n                return false;\n\n        if (!match_diablo2_message(data->payload[0], data->payload_len[0]))\n                return false;\n        if (!match_diablo2_message(data->payload[1], data->payload_len[1]))\n                return false;\n\n        return 
true;\n}\n\nstatic lpi_module_t lpi_diablo2 = {\n\tLPI_PROTO_UDP_DIABLO2,\n\tLPI_CATEGORY_GAMING,\n\t\"Diablo2\",\n\t3,\n\tmatch_diablo2\n};\n\nvoid register_diablo2(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_diablo2, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_dianping_udp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_dianping_query(uint32_t payload, uint32_t len) {\n        \n        if (len != 14)\n                return false;\n        if (MATCH(payload, 0x4e, 0x58, 0x00, 0x0a))\n                return true;\n        return false;\n}\n\nstatic inline bool match_dianping_resp(uint32_t payload, uint32_t len) {\n        if (len == 0)\n                return true;\n        if (len != 16)\n                return false;\n        if (MATCH(payload, 0x4e, 0x58, 0x00, 0x0c))\n                return true;\n        return false;\n}\n\nstatic inline bool match_dianping_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_dianping_query(data->payload[0], data->payload_len[0])) {\n                if (match_dianping_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if 
(match_dianping_query(data->payload[1], data->payload_len[1])) {\n                if (match_dianping_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_dianping_udp = {\n\tLPI_PROTO_UDP_DIANPING,\n\tLPI_CATEGORY_MOBILE_APP,\n\t\"DianpingUDP\",\n\t21,\n\tmatch_dianping_udp\n};\n\nvoid register_dianping_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_dianping_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_dianshijia.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\n/* APK name = com.dianshijia.tvlive */\n/* Published by New Zealand ibestv Trading Limited (?) 
*/\n\nstatic inline bool match_dsj_req(uint32_t payload, uint32_t len) {\n        if (len == 20 && MATCHSTR(payload, \"\\xff\\x03\\x00\\x00\"))\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_dsj_reply(uint32_t payload, uint32_t len) {\n        if (len == 20 && MATCHSTR(payload, \"\\xff\\x05\\x00\\x00\"))\n                return true;\n        if (len == 20 && MATCHSTR(payload, \"\\xff\\x03\\x01\\x00\"))\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_dianshijia(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\n        if (match_dsj_req(data->payload[0], data->payload_len[0])) {\n                if (match_dsj_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\n        if (match_dsj_req(data->payload[1], data->payload_len[1])) {\n                if (match_dsj_reply(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_dianshijia = {\n\tLPI_PROTO_UDP_DIANSHIJIA,\n\tLPI_CATEGORY_P2PTV,             /* I think... */\n\t\"Dianshijia\",\n\t100,\n\tmatch_dianshijia\n};\n\nvoid register_dianshijia(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_dianshijia, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_directconnect.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_directconnect_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->payload_len[0] == 0 &&\n                        MATCHSTR(data->payload[1], \"$SR \"))\n                return true;\n        if (data->payload_len[1] == 0 &&\n                        MATCHSTR(data->payload[0], \"$SR \"))\n                return true;\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_directconnect_udp = {\n\tLPI_PROTO_UDP_DC,\n\tLPI_CATEGORY_P2P,\n\t\"DirectConnect_UDP\",\n\t3,\n\tmatch_directconnect_udp\n};\n\nvoid register_directconnect_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_directconnect_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_discord.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* discord.gg */\n\nstatic inline bool discord_payload_match(uint32_t a, uint32_t b) {\n\n        uint32_t bytea = (ntohl(a) >> 24);\n        uint32_t byteb = (ntohl(b) & 0xff);\n\n        if (bytea == byteb && bytea != 0x00) {\n                if (MATCH(a, ANY, 0x00, 0x00, 0x00) &&\n                                MATCH(b, 0x00, 0x00, 0x00, ANY)) {\n                        return true;\n                }\n        }\n\n        bytea = (ntohl(a) & 0xff);\n        byteb = (ntohl(b) >> 24);\n\n        if (bytea == byteb && bytea != 0x00) {\n                if (MATCH(b, ANY, 0x00, 0x00, 0x00) &&\n                                MATCH(a, 0x00, 0x00, 0x00, ANY)) {\n                        return true;\n                }\n        }\n\n        return false;\n\n}\n\nstatic inline bool match_discord_01(uint32_t payload, uint32_t len) {\n        if (len == 74 && 
MATCH(payload, 0x00, 0x01, 0x00, 0x46)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_discord_02(uint32_t payload, uint32_t len) {\n        if (len == 74 && MATCH(payload, 0x00, 0x02, 0x00, 0x46)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_discord(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Discord voice call/chat */\n        if (match_discord_01(data->payload[0], data->payload_len[0])) {\n                if (match_discord_02(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_discord_01(data->payload[1], data->payload_len[1])) {\n                if (match_discord_02(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (discord_payload_match(data->payload[0], data->payload[1])) {\n                if (data->payload_len[0] == 70 && data->payload_len[1] == 70)\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_discord = {\n\tLPI_PROTO_UDP_DISCORD,\n\tLPI_CATEGORY_VOIP,\n\t\"Discord\",\n\t19,\n\tmatch_discord\n};\n\nvoid register_discord(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_discord, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_dns.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_reordered_dns(lpi_data_t *data) {\n\n        /* Unfortunately, UDP can get reordered so if there are multiple\n         * queries in a flow we cannot guarantee that the first response\n         * will have the same ID as the first query.\n         */\n\n\n        /* Just try and match common request / response flag arrangements */\n        if (MATCH(data->payload[0], ANY, ANY, 0x01, 0x00)) {\n                if (MATCH(data->payload[1], ANY, ANY, 0x81, 0x80))\n                        return true;\n        }\n\n        if (MATCH(data->payload[1], ANY, ANY, 0x01, 0x00)) {\n                if (MATCH(data->payload[0], ANY, ANY, 0x81, 0x80))\n                        return true;\n        }\n\n        return false;\n\n\n}\n\nstatic inline bool match_dns_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* As loath as I am to do 
this, we probably shouldn't allow any DNS\n\t * on ports other than 53 */\n\tif (data->server_port != 53 && data->client_port != 53)\n\t\treturn false;\n\n\tif (match_dns(data))\n\t\treturn true;\n\n        if (match_reordered_dns(data))\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_dns_udp = {\n\tLPI_PROTO_UDP_DNS,\n\tLPI_CATEGORY_SERVICES,\n\t\"DNS\",\n\t10,\t/* Not a high certainty */\n\tmatch_dns_udp\n};\n\nvoid register_dns_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_dns_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_dota2.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* DOTA 2 -- a popular multiplayer battleground game */\n\nstatic inline bool match_dota2_20(uint32_t payload, uint32_t len) {\n\n        if (len != 20)\n                return false;\n        if (MATCHSTR(payload, \"\\xff\\xff\\xff\\xff\"))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_dota2_30(uint32_t payload, uint32_t len) {\n\n        if (len != 30)\n                return false;\n        if (MATCHSTR(payload, \"\\xff\\xff\\xff\\xff\"))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_dota2_0100(uint32_t payload, uint32_t len) {\n\n        if (len == 216 && MATCH(payload, 0x01, 0x00, 0x73, 0x64))\n                return true;\n        if (len == 416 && MATCH(payload, 0x01, 0x00, 0x73, 0x64))\n                return true;\n        return false;\n\n}\n\nstatic inline bool 
match_dota2_0212(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x02, 0x12, ANY, ANY))\n                return true;\n        return false;\n}\n\nstatic inline bool match_dota2_512(uint32_t payload, uint32_t len) {\n\n        if (len == 512) {\n                if (MATCH(payload, 0x20, 0x0e, 0x00, 0x0d))\n                        return true;\n                if (MATCH(payload, 0x20, 0x10, 0x00, 0x0d))\n                        return true;\n        }\n        return false;\n\n}\n\nstatic inline bool match_dota2_24(uint32_t payload, uint32_t len) {\n\n        if (len == 24 && MATCH(payload, 0x21, 0x0d, ANY, ANY))\n                return true;\n        if (len == 26 && MATCH(payload, 0x21, 0x0d, ANY, ANY))\n                return true;\n        return false;\n\n}\n\n\nstatic inline bool match_dota2(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_dota2_20(data->payload[0], data->payload_len[0])) {\n                if (match_dota2_30(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_dota2_20(data->payload[1], data->payload_len[1])) {\n                if (match_dota2_30(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_dota2_0100(data->payload[0], data->payload_len[0])) {\n                if (match_dota2_0212(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_dota2_0100(data->payload[1], data->payload_len[1])) {\n                if (match_dota2_0212(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_dota2_512(data->payload[0], data->payload_len[0])) {\n                if (match_dota2_24(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_dota2_512(data->payload[1], data->payload_len[1])) {\n                if 
(match_dota2_24(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_dota2 = {\n\tLPI_PROTO_UDP_DOTA2,\n\tLPI_CATEGORY_GAMING,\n\t\"DOTA2\",\n\t10,\n\tmatch_dota2\n};\n\nvoid register_dota2(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_dota2, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_doyo.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Doyo -- Chinese service for downloading free games (especially\n * ones that you would otherwise have to buy!)\n */\n\nstatic inline bool match_doyo_p2p(uint32_t payload, uint32_t len) {\n        /* Not the strongest of rules, but not much we can do */\n        if (len == 56 && MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_doyo_nonzero(uint32_t payload, uint32_t len) {\n        if (len == 20 && MATCH(payload, ANY, 0x00, 0x00, 0x00) && payload != 0)\n                return true;\n        return false;\n}\n\nstatic inline bool match_doyo(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_doyo_p2p(data->payload[0], data->payload_len[0])) {\n                if (match_doyo_p2p(data->payload[1], data->payload_len[1]))\n                        return true;\n       
         if (match_doyo_nonzero(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_doyo_p2p(data->payload[1], data->payload_len[1])) {\n                if (match_doyo_nonzero(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_doyo_nonzero(data->payload[0], data->payload_len[0])) {\n                if (match_doyo_nonzero(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_doyo = {\n\tLPI_PROTO_UDP_DOYO,\n\tLPI_CATEGORY_P2P,\n\t\"DoyoP2P\",\n\t200,\n\tmatch_doyo\n};\n\nvoid register_doyo(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_doyo, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_driveshare.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n#include <stdio.h>\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_driveshare_payload(uint32_t pload, uint32_t len) {\n\n\t/* I *think* this is driveshare, which seems to do SMB-like things\n\t * on port 8109 UDP */\n\n\tif (len == ntohl(pload)) {\n\t\treturn true;\n\t}\n\tif (MATCH(pload, 0x00, 0x00, 0x00, 0x00) && len == 48) {\n\t\treturn true;\n\t}\n\n\treturn false;\n\n}\n\nstatic inline bool match_driveshare(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Add a port restriction here, just to be safe */\n\tif (data->client_port != 8109 && data->server_port != 8109)\n\t\treturn false;\n\n\tif (!match_driveshare_payload(data->payload[0], data->payload_len[0]))\n\t\treturn false;\n\tif (!match_driveshare_payload(data->payload[1], data->payload_len[1]))\n\t\treturn false;\n\n\treturn true;\n}\n\nstatic lpi_module_t lpi_driveshare = 
{\n\tLPI_PROTO_UDP_DRIVESHARE,\n\tLPI_CATEGORY_FILES,\n\t\"DriveShare\",\n\t12,\n\tmatch_driveshare\n};\n\nvoid register_driveshare(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_driveshare, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_dtls.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* This is basically SSL for UDP. Used by AnyConnect.\n * It is possible that we can subclassify this traffic, e.g. 
maybe AnyConnect\n * is the only DTLS app that uses port 443 for instance...\n * \n * Thanks to Remy Mudingay for helping to identify this protocol\n */\n\nstatic inline bool match_dtls(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* DTLS uses entirely different versioning to conventional TLS */\n\n\tif (MATCH(data->payload[0], 0x17, 0x01, 0x00, 0x00)) {\n\t\tif (data->payload_len[1] == 0)\n\t\t\treturn true;\n\t\tif (MATCH(data->payload[1], 0x17, 0x01, 0x00, 0x00))\n\t\t\treturn true;\n\t}\n\n\tif (MATCH(data->payload[1], 0x17, 0x01, 0x00, 0x00)) {\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t}\n\n        if (MATCHSTR(data->payload[0], \"\\x16\\xfe\\xff\\x00\")) {\n                if (data->payload_len[1] == 0)\n                        return true;\n                if (MATCHSTR(data->payload[1], \"\\x16\\xfe\\xff\\x00\"))\n                        return true;\n        }\n\n\tif (MATCHSTR(data->payload[1], \"\\x16\\xfe\\xff\\x00\")) {\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t}\n\n        /* DTLS 1.2 */\n        if (MATCHSTR(data->payload[0], \"\\x16\\xfe\\xfd\\x00\")) {\n                if (data->payload_len[1] == 0)\n                        return true;\n                if (MATCHSTR(data->payload[1], \"\\x16\\xfe\\xfd\\x00\"))\n                        return true;\n        }\n\n\tif (MATCHSTR(data->payload[1], \"\\x16\\xfe\\xfd\\x00\")) {\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t}\n\n        /* This is probably Google Duo  -- consider separate protocol? */\n        if (MATCHSTR(data->payload[0], \"\\x17\\xfe\\xfd\\x00\")) {\n                if (MATCHSTR(data->payload[1], \"\\x17\\xfe\\xfd\\x00\"))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_dtls = {\n\tLPI_PROTO_UDP_DTLS,\n\tLPI_CATEGORY_ENCRYPT,\n\t\"DTLS\",\n\t100,\n\tmatch_dtls\n};\n\nvoid register_dtls(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_dtls, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_emule.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_emule_kad(uint32_t payload, uint32_t len) {\n\n        /* Many of these can be tracked back to\n         * http://easymule.googlecode.com/svn/trunk/src/WorkLayer/opcodes.h\n         *\n         * XXX Some of these are request/response pairs that we may need to\n         * match together if we start getting false positives \n         */\n\n\n        /* Bootstrap version 2 request and response */\n        if (MATCH(payload, 0xe4, 0x00, ANY, ANY) && len == 27)\n                return true;\n        if (MATCH(payload, 0xe4, 0x08, ANY, ANY) && len == 529)\n                return true;\n\n        /* Bootstrap version 2 request and response */\n        if (MATCH(payload, 0xe4, 0x01, 0x00, 0x00) && (\n                        len == 2 || len == 18))\n                return true;\n        if (MATCH(payload, 0xe4, 0x09, ANY, ANY) && len 
== 523)\n                return true;\n\n\n        if (MATCH(payload, 0xe4, 0x21, ANY, ANY) && len == 35)\n                return true;\n        if (MATCH(payload, 0xe4, 0x4b, ANY, ANY) && len == 19)\n                return true;\n        if (MATCH(payload, 0xe4, 0x11, ANY, ANY)) {\n                return true;\n        }\n\n        if (MATCH(payload, 0xe4, 0x19, ANY, ANY)) {\n                if (len == 22 || len == 38 || len == 28)\n                        return true;\n        }\n\n        if (MATCH(payload, 0xe4, 0x20, ANY, ANY) && len == 35)\n                return true;\n\n        if (MATCH(payload, 0xe4, 0x18, ANY, ANY) && len == 27)\n                return true;\n\n        if (MATCH(payload, 0xe4, 0x10, ANY, ANY) && len == 27)\n                return true;\n\n        if (MATCH(payload, 0xe4, 0x58, ANY, ANY) && len == 6)\n                return true;\n\n        if (MATCH(payload, 0xe4, 0x50, ANY, ANY) && len == 4)\n                return true;\n\n        if (MATCH(payload, 0xe4, 0x52, ANY, ANY) && len == 36)\n                return true;\n\n        if (MATCH(payload, 0xe4, 0x40, ANY, ANY) && len == 48)\n                return true;\n\n        if (MATCH(payload, 0xe4, 0x43, ANY, ANY) && len == 225)\n                return true;\n\n        if (MATCH(payload, 0xe4, 0x48, ANY, ANY) && len == 19)\n                return true;\n\n        if (MATCH(payload, 0xe4, 0x29, ANY, ANY)) {\n                if (len == 119 || len == 69 || len == 294)\n                        return true;\n        }\n\n        if (MATCH(payload, 0xe4, 0x28, ANY, ANY)) {\n                if (len == 119 || len == 69 || len == 294)\n                        return true;\n                if (len == 44)\n                        return true;\n                if (len == 269)\n                        return true;\n        }\n\n\treturn false;\n}\n\n\nstatic bool is_emule_udp(uint32_t payload, uint32_t len) {\n\n        /* Mainly looking at Kad stuff here - Kad packets start with 0xe4\n         * for 
uncompressed and 0xe5 for compressed data */\n\n\n        if (MATCH(payload, 0xe5, 0x43, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0xe5, 0x08, 0x78, 0xda))\n                return true;\n        if (MATCH(payload, 0xe5, 0x28, 0x78, 0xda))\n                return true;\n\n        /* emule extensions */\n        if (MATCH(payload, 0xc5, 0x90, ANY, ANY)) {\n                return true;\n        }\n        if (MATCH(payload, 0xc5, 0x91, ANY, ANY)) {\n                return true;\n        }\n        if (MATCH(payload, 0xc5, 0x92, ANY, ANY) && (len == 2))\n                return true;\n        if (MATCH(payload, 0xc5, 0x93, ANY, ANY) && (len == 2))\n                return true;\n        if (MATCH(payload, 0xc5, 0x94, ANY, ANY)) {\n                if (len >= 38 && len <= 70)\n                        return true;\n        }\n\n        /* 0xe3 covers conventional emule messages */\n        if (MATCH(payload, 0xe3, 0x9a, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0xe3, 0x9b, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0xe3, 0x96, ANY, ANY) && len == 6)\n                return true;\n\n        if (MATCH(payload, 0xe3, 0x97, ANY, ANY)) {\n                if (len <= 34 && ((len - 2) % 4 == 0))\n                        return true;\n        }\n        if (MATCH(payload, 0xe3, 0x92, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0xe3, 0x94, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0xe3, 0x98, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0xe3, 0x99, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0xe3, 0xa2, ANY, ANY) && len == 6)\n                return true;\n        if (MATCH(payload, 0xe3, 0xa3, ANY, ANY))\n                return true;\n\n\n\n\n        if (match_emule_kad(payload, len))\n                return true;\n\n\n        return false;\n\n}\n\nstatic inline bool match_emule_verycd(uint32_t payload, 
uint32_t len) {\n\n        /* Later packets in the flow are clearly referencing eMule builds\n         * and software, in particular VeryCD and xl build61 */\n        if (len != 31)\n                return false;\n        if (!MATCH(payload, 0x3b, 0x00, 0x00, 0x00))\n                return false;\n        return true;\n\n}\n\n\nstatic inline bool match_emule_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_emule(data))\n\t\treturn true;\n\n        if (data->payload_len[0] == 0 &&\n                        is_emule_udp(data->payload[1], data->payload_len[1])) {\n                return true;\n        }\n\n        if (data->payload_len[1] == 0 &&\n                        is_emule_udp(data->payload[0], data->payload_len[0])) {\n                return true;\n        }\n\n        if (is_emule_udp(data->payload[0], data->payload_len[0]) &&\n                        is_emule_udp(data->payload[1], data->payload_len[1]))\n                return true;\n\n\n        /* Having doubts about the correctness of this rule, so disabling\n         * for now. */\n        /*\n        if (match_emule_verycd(data->payload[0], data->payload_len[0])) {\n                if (data->payload_len[1] != 0)\n                        return true;\n        }\n\n        if (match_emule_verycd(data->payload[1], data->payload_len[1])) {\n                if (data->payload_len[0] != 0)\n                        return true;\n        }\n        */\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_emule_udp = {\n\tLPI_PROTO_UDP_EMULE,\n\tLPI_CATEGORY_P2P,\n\t\"eMule_UDP\",\n\t11,\n\tmatch_emule_udp\n};\n\nvoid register_emule_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_emule_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_emule_weak.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/** XXX This module is currently disabled due to a tendency to overmatch! */\n\nstatic inline bool match_mystery_emule(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n        /* These particular patterns occur frequently on port 4672, making\n         * me think they're some sort of emule traffic but there is no\n         * obvious documentation. The payloads appear to be random, which\n         * is unlike all other emule traffic. 
The flows tend to consist of\n         * only one or two packets in each direction.\n\t *\n\t * XXX Comparison with DPI tools suggests that this is indeed eMule!\n\t *\n         */\n\n        if (data->payload_len[0] == 44 && data->payload_len[1] >= 38 &&\n                        data->payload_len[1] <= 50)\n                return true;\n        if (data->payload_len[1] == 44 && data->payload_len[0] >= 38 &&\n                        data->payload_len[0] <= 50)\n                return true;\n\n        if (data->payload_len[0] == 51 && (data->payload_len[1] == 135 ||\n                        data->payload_len[1] == 85 ||\n                        data->payload_len[1] == 310))\n                return true;\n        if (data->payload_len[1] == 51 && (data->payload_len[0] == 135 ||\n                        data->payload_len[0] == 85 ||\n                        data->payload_len[0] == 310))\n                return true;\n\n\n        return false;\n}\n\n\nstatic inline bool match_emule_weak_udp(lpi_data_t *data, \n\t\tlpi_module_t *mod UNUSED) {\n\n\t/* This covers a particular branch of emule traffic which is harder\n\t * to reliably detect than even regular emule (which isn't great to\n\t * begin with).\n\t */\n\n\tif (match_mystery_emule(data, NULL))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_emule_weak_udp = {\n\tLPI_PROTO_UDP_EMULE,\n\tLPI_CATEGORY_P2P,\n\t\"eMule_UDP\",\n\t20,\n\tmatch_emule_weak_udp\n};\n\nvoid register_emule_weak_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_emule_weak_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_epson.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_epson(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"EPSO\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_epson = {\n\tLPI_PROTO_UDP_EPSON,\n\tLPI_CATEGORY_PRINTING,\n\t\"Epson\",\n\t5,\n\tmatch_epson\n};\n\nvoid register_epson(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_epson, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_eso.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_eso_payload(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n        if (len == 40 && MATCH(payload, 0x00, ANY, ANY, ANY))\n                return true;\n        if (len == 10 && MATCH(payload, 0x07, 0xa9, 0x00, 0x00))\n                return true;\n\n        return false;\n\n}\n\n\nstatic inline bool match_eso(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* I'm pretty sure this is Ensemble game traffic, as it is the\n         * only thing I can find matching the port 2300 that it commonly\n         * occurs on. 
No game docs available, though :( */\n\n        if (!match_eso_payload(data->payload[0], data->payload_len[0]))\n                return false;\n        if (!match_eso_payload(data->payload[1], data->payload_len[1]))\n                return false;\n        return true;\n\t\n\n}\n\nstatic lpi_module_t lpi_eso = {\n\tLPI_PROTO_UDP_ESO,\n\tLPI_CATEGORY_GAMING,\n\t\"EnsembleOnline\",\n\t12,\n\tmatch_eso\n};\n\nvoid register_eso(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_eso, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_esp_encap.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_esp_encap(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* This sucks, as the four bytes are the security association ID for\n         * the flow. 
We can only really go on port numbers, although we can\n         * identify IKE packets by looking for the Non-ESP marker (which is\n         * all zeroes)\n         *\n         * Just have to match on ports, I guess :(\n         */\n\n        if (data->server_port == 4500 && data->client_port == 4500)\n                return true;\n\n        /* If only one port is 4500, check for the Non-ESP marker */\n        if (data->server_port == 4500 || data->client_port == 4500) {\n                if (data->payload[0] == 0 && data->payload[1] == 0)\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_esp_encap = {\n\tLPI_PROTO_UDP_ESP,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"ESP_UDP\",\n\t200,\t/* This is a pretty terrible rule */\n\tmatch_esp_encap\n};\n\nvoid register_esp_encap(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_esp_encap, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_ethernetip.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n * 255.255.255.255 192.168.10.105 44818 1136 17 1226525494.728 1226525530.720 0 888 00000000 .... 0 63000000 c... 24\n * 192.168.10.105 192.168.10.120 1136 44818 17 1226525494.730 1226525530.722 2775 0 63003300 c.3. 75 00000000 .... 
0\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_command(uint32_t payload, uint16_t payload_len) {\n\n        // the second uint16 of the ethernetip header is the payload length\n        // but not including the header size of 24 bytes\n        uint16_t len = ntohs((uint16_t)ntohl(payload)) + 24;\n\n        if (payload_len != len)\n                return false;\n\n\t// no op\n\tif (MATCH(payload, 0x00, 0x00, ANY, ANY))\n\t\treturn true;\n\t// list services\n\tif (MATCH(payload, 0x04, 0x00, ANY, ANY))\n\t\treturn true;\n\t// list identity\n\tif (MATCH(payload, 0x63, 0x00, ANY, ANY))\n\t\treturn true;\n\t// list interfaces\n\tif (MATCH(payload, 0x64, 0x00, ANY, ANY))\n\t\treturn true;\n\t// register session\n\tif (MATCH(payload, 0x65, 0x00, 0x04, 0x00))\n\t\treturn true;\n\t// un-register session\n\tif (MATCH(payload, 0x66, 0x00, ANY, ANY))\n\t\treturn true;\n\t// sendrrdata\n\tif (MATCH(payload, 0x6f, 0x00, ANY, ANY))\n\t\treturn true;\n\t// send unit data\n\tif (MATCH(payload, 0x70, 0x00, ANY, ANY))\n\t\treturn true;\n\t// indicate status\n\tif (MATCH(payload, 0x72, 0x00, ANY, ANY))\n\t\treturn true;\n\t// cancel\n\tif (MATCH(payload, 0x73, 0x00, ANY, ANY))\n\t\treturn true;\n\t// error\n\tif (MATCH(payload, 0xff, 0xff, ANY, ANY))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic inline bool match_ethernetip_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->server_port != 44818 && data->client_port != 44818)\n\t\treturn false;\n\n\tif (match_command(data->payload[0], data->payload_len[0]) ||\n            match_command(data->payload[1], data->payload_len[1]))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ethernetip_udp = {\n\tLPI_PROTO_UDP_ETHERNETIP,\n\tLPI_CATEGORY_ICS,\n\t\"EtherNet/IP_UDP\",\n\t100,\n\tmatch_ethernetip_udp\n};\n\nvoid register_ethernetip_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ethernetip_udp, 
mod_map);\n}\n"
  },
  {
    "path": "lib/udp/lpi_eye.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_eye_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"EYE1\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_eye_udp = {\n\tLPI_PROTO_UDP_EYE,\n\tLPI_CATEGORY_GAMING,\n\t\"AllSeeingEye_UDP\",\n\t3,\n\tmatch_eye_udp\n};\n\nvoid register_eye_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_eye_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_fasp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_fasp_out(uint32_t payload, uint32_t len) {\n\n\tif (MATCH(payload, ANY, 0x21, 0x00, 0x00))\n\t\treturn true;\n\n\treturn false;\n\n}\n\nstatic inline bool match_fasp_in(uint32_t payload, uint32_t len) {\n\tif (len != 64)\n\t\treturn false;\n\n\tif (MATCH(payload, ANY, 0x20, 0x00, 0x00))\n\t\treturn true;\n\t\n\treturn false;\n\n}\n\nstatic inline bool match_fasp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* First byte must match in both directions */\n\tif ((data->payload[0] & 0xff) != (data->payload[1] & 0xff)) {\n\t\treturn false;\n        }\n\n\tif (match_fasp_out(data->payload[0], data->payload_len[0])) {\n\t\tif (match_fasp_in(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_fasp_out(data->payload[1], data->payload_len[1])) {\n\t\tif (match_fasp_in(data->payload[0], 
data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\treturn false;\n}\n\nstatic lpi_module_t lpi_fasp = {\n\tLPI_PROTO_UDP_FASP,\n\tLPI_CATEGORY_FILES,\n\t\"FASP\",\n\t16,\n\tmatch_fasp\n};\n\nvoid register_fasp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_fasp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_feitwo.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_feitwo_sig(uint32_t payload) {\n\n        if (MATCH(payload, 0x83, 0x80, 0x00, 0x01))\n                return true;\n        return false;\n}\n\nstatic inline bool match_feitwo(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 3333 */\n\n        if (match_feitwo_sig(data->payload[0])) {\n                if (match_feitwo_sig(data->payload[1])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_feitwo = {\n\tLPI_PROTO_UDP_FEITWO,\n\tLPI_CATEGORY_P2P,\n\t\"Feitwo\",\n\t112,\n\tmatch_feitwo\n};\n\nvoid register_feitwo(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_feitwo, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_forticlient_sslvpn.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_forti_vpn_48(uint32_t payload, uint32_t len) {\n        if (len != 48 && len != 192)\n                return false;\n        if (MATCHSTR(payload, \"\\x16\\xfe\\xff\\x00\"))\n                return true;\n        return false;\n}\n\nstatic inline bool match_forti_vpn(uint32_t payload, uint32_t len) {\n        if (MATCHSTR(payload, \"\\x16\\xfe\\xff\\x00\"))\n                return true;\n        return false;\n}\n\nstatic inline bool match_forti_fd_99(uint32_t payload, uint32_t len) {\n        if (len == 99 && MATCHSTR(payload, \"\\x16\\xfe\\xfd\\x00\"))\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_forticlient_sslvpn(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_forti_vpn_48(data->payload[0], data->payload_len[0])) {\n                if 
(match_forti_vpn(data->payload[1], data->payload_len[1]))\n                        return true;\n                if (match_forti_fd_99(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_forti_vpn_48(data->payload[1], data->payload_len[1])) {\n                if (match_forti_vpn(data->payload[0], data->payload_len[0]))\n                        return true;\n                if (match_forti_fd_99(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_forticlient_sslvpn = {\n\tLPI_PROTO_UDP_FORTICLIENT_SSLVPN,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"FortiClientSSLVPN\",\n\t12,\n\tmatch_forticlient_sslvpn\n};\n\nvoid register_forticlient_sslvpn(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_forticlient_sslvpn, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_fortinet.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_fortinet_req(uint32_t payload, uint32_t len) {\n\n\tif (MATCHSTR(payload, \"ikro\"))\n\t\treturn true;\n\tif (MATCHSTR(payload, \"ikuo\"))\n\t\treturn true;\n\n\n        /* All the following strings require a 64 byte datagram */\n        if (len != 64)\n\t\treturn false;\n\n\tif (MATCHSTR(payload, \"ihrk\"))\n\t\treturn true;\n\tif (MATCHSTR(payload, \"ihri\"))\n\t\treturn true;\n\tif (MATCHSTR(payload, \"iiri\"))\n\t\treturn true;\n\tif (MATCHSTR(payload, \"ihrh\"))\n\t\treturn true;\n\tif (MATCHSTR(payload, \"ihrj\"))\n\t\treturn true;\n\tif (MATCHSTR(payload, \"ihro\"))\n\t\treturn true;\n\tif (MATCHSTR(payload, \"iiro\"))\n\t\treturn true;\n\tif (MATCHSTR(payload, \"ikri\"))\n\t\treturn true;\n\tif (MATCHSTR(payload, \"ikvk\"))\n\t\treturn true;\n\tif (MATCHSTR(payload, \"ikvo\"))\n\t\treturn true;\n\n\treturn 
false;\n\n}\n\nstatic inline bool match_fortinet_resp(uint32_t payload, uint32_t len) {\n\n\tif (len == 0)\n\t\treturn true;\n\tif (len == 36 && MATCHSTR(payload, \"kowO\"))\n\t\treturn true;\n\tif (len == 44 && MATCHSTR(payload, \"kowG\"))\n\t\treturn true;\n\tif (len == 12 && MATCHSTR(payload, \"nkwg\"))\n\t\treturn true;\n\tif (len == 32 && MATCHSTR(payload, \"khwK\"))\n\t\treturn true;\n\tif (len == 64 && MATCHSTR(payload, \"kkw+\"))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_fortinet(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Seems to be part of the Fortinet update system */\n\tif (match_fortinet_req(data->payload[0], data->payload_len[0])) {\n\t\tif (match_fortinet_resp(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\tif (match_fortinet_req(data->payload[1], data->payload_len[1])) {\n\t\tif (match_fortinet_resp(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\n\tif (match_str_either(data, \"Comm\")) {\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t\tif (data->payload_len[1] == 0)\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_fortinet = {\n\tLPI_PROTO_UDP_FORTINET,\n\tLPI_CATEGORY_SECURITY,\n\t\"Fortinet\",\n\t3,\n\tmatch_fortinet\n};\n\nvoid register_fortinet(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_fortinet, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_foscam.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* All Foscam traffic begins with 0xf1. 
Bytes 3 and 4 are a length field */\n\nstatic inline bool match_fcam_probe(uint32_t payload, uint32_t len) {\n\n        if (len == 4 && MATCH(payload, 0xf1, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_fcam_probereply(uint32_t payload, uint32_t len) {\n\n        if (len == 20 && MATCH(payload, 0xf1, 0x01, 0x00, 0x10))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_fcam_4(uint32_t payload, uint32_t len) {\n\n        if (len == 4 && MATCH(payload, 0xf1, 0x03, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_fcam_70(uint32_t payload, uint32_t len) {\n        if (len == 4 && MATCH(payload, 0xf1, 0x70, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_fcam_32(uint32_t payload, uint32_t len) {\n\n        if (len == 32 && MATCH(payload, 0xf1, 0x83, 0x00, 0x1c))\n                return true;\n        return false;\n}\n\nstatic inline bool match_fcam_p2p_ping(uint32_t payload, uint32_t len) {\n        if (len != 60 && len != 288) {\n                return false;\n        }\n        if (MATCH(payload, 0x3e, 0x2f, 0x8d, 0xcc)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_fcam_p2p_pong(uint32_t payload, uint32_t len) {\n        if (len != 60 && len != 288) {\n                return false;\n        }\n        if (MATCH(payload, 0x7e, 0x2a, 0x9d, 0xec)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_foscam(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_fcam_4(data->payload[0], data->payload_len[0])) {\n                if (match_fcam_32(data->payload[1], data->payload_len[1]))\n                        return true;\n                if (match_fcam_70(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if 
(match_fcam_4(data->payload[1], data->payload_len[1])) {\n                if (match_fcam_32(data->payload[0], data->payload_len[0]))\n                        return true;\n                if (match_fcam_70(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_fcam_probe(data->payload[0], data->payload_len[0])) {\n                if (match_fcam_probereply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_fcam_probe(data->payload[1], data->payload_len[1])) {\n                if (match_fcam_probereply(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        /* Periodic pings and replies seemingly sent by Foscam cameras to\n         * servers on the internet (port 10001)\n         * More info:\n         * http://foscam.us/forum/foscam-dialing-out-to-suspect-hosts-t17699.html */\n        if (data->payload_len[0] == data->payload_len[1] &&\n                        (data->server_port == 10001 ||\n                         data->client_port == 10001)) {\n                if (match_fcam_p2p_ping(data->payload[0], data->payload_len[0])) {\n                        if (match_fcam_p2p_pong(data->payload[1], data->payload_len[1]))\n                                return true;\n                }\n\n                if (match_fcam_p2p_ping(data->payload[1], data->payload_len[1])) {\n                        if (match_fcam_p2p_pong(data->payload[0], data->payload_len[0]))\n                                return true;\n                }\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_foscam = {\n\tLPI_PROTO_UDP_FOSCAM,\n\tLPI_CATEGORY_IPCAMERAS,\n\t\"Foscam\",\n\t100,\n\tmatch_foscam\n};\n\nvoid register_foscam(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_foscam, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_freechal.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_freechal(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_both(data, \"GET \", \"FCP2\"))\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_freechal = {\n\tLPI_PROTO_UDP_FREECHAL,\n\tLPI_CATEGORY_P2P,\n\t\"FreeChal_UDP\",\n\t3,\n\tmatch_freechal\n};\n\nvoid register_freechal(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_freechal, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_freefire.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Battle royale game for mobile from Garena */\n\nstatic inline bool match_ff_0101(uint32_t payload, uint32_t len) {\n        if (len == 28 && MATCH(payload, 0x6c, ANY, 0x01, 0x01))\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_ff_0002(uint32_t payload, uint32_t len) {\n        if (len == 14 && MATCH(payload, 0x6c, 0x65, 0x00, 0x02))\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_freefire(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Ports are in 1000-10005 range */\n\n        if (match_ff_0101(data->payload[0], data->payload_len[0])) {\n                if (match_ff_0002(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_ff_0101(data->payload[1], data->payload_len[1])) {\n         
       if (match_ff_0002(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_freefire = {\n\tLPI_PROTO_UDP_FREEFIRE,\n\tLPI_CATEGORY_GAMING,\n\t\"FreeFire\",\n\t101,\n\tmatch_freefire\n};\n\nvoid register_freefire(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_freefire, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_funshion.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n#include <stdio.h>\n\n/* Funshion is a Chinese P2PTV application that seems to use a bunch\n * of different protocols / messages.\n */ \nstatic inline bool match_funshion_25(uint32_t payload, uint32_t len) {\n\n\t/* One-way flows are also common, but we'd need a stronger set\n\t * of rules before I'd feel comfortable allowing this.\n\t */\n\t\n\tif (len != 25)\n\t\treturn false;\n\n\t\n\t/* The payload here is almost definitely a timestamp, but it only\n\t * bears an approximate resemblance to the timestamp of the packet\n\t * itself. 
\n\t * Sometimes it is up to a day in excess of the current timestamp,\n\t * sometimes it is several hours behind.\n\t *\n\t * Not much chance of doing any useful matches on the payload, so\n\t * this rule matches on the 25-byte datagram length alone.\n\t */\n\treturn true;\n}\n\nstatic inline bool match_funshion_104(uint32_t payload, uint32_t len) {\n\n\t/* The payload for these packets is all zeroes, so be careful\n\t * regarding false positives, e.g. XboxLive traffic.\n\t */\n\n\tif (len == 0)\n\t\treturn true;\n\tif (len != 104)\n\t\treturn false;\n\tif (MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_funshion_dt(uint32_t payload, uint32_t otherlen) {\n\n\tif (otherlen != 0)\n\t\treturn false;\n\n\t/* The 'command' begins with byte 4, so I'm going to try \n\t * and match all known commands rather than just allowing\n\t * anything in byte 4.\n\t * \n\t * We might miss a few rare commands but should get the \n\t * common ones.\n\t */\n\t\n\t/* init, inline_page */\n\tif (MATCH(payload, 'd', 't', '=', 'i'))\n\t\treturn true;\n\n\t/* dtfsp, dtjs */\t\n\tif (MATCH(payload, 'd', 't', '=', 'd'))\n\t\treturn true;\n\n\t/* play_* */\t\n\tif (MATCH(payload, 'd', 't', '=', 'p'))\n\t\treturn true;\n\t\n\t/* wt_bh */\t\n\tif (MATCH(payload, 'd', 't', '=', 'w'))\n\t\treturn true;\n\n\t/* taskflux */\t\n\tif (MATCH(payload, 'd', 't', '=', 't'))\n\t\treturn true;\n\n\t/* compress_uncompress */\t\n\tif (MATCH(payload, 'd', 't', '=', 'c'))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic inline bool match_funshion_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_funshion_25(data->payload[0], data->payload_len[0])) {\n\t\tif (match_funshion_25(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_funshion_104(data->payload[0], data->payload_len[0])) {\n\t\tif (match_funshion_104(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_funshion_dt(data->payload[0], data->payload_len[1])) \n\t\treturn true;\n\tif 
(match_funshion_dt(data->payload[1], data->payload_len[0])) \n\t\treturn true;\n\t\n\n        return false;\n\n}\n\nstatic lpi_module_t lpi_funshion_udp = {\n\tLPI_PROTO_UDP_FUNSHION,\n\tLPI_CATEGORY_P2PTV,\n\t\"Funshion_UDP\",\n\t50,\n\tmatch_funshion_udp\n};\n\nvoid register_funshion_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_funshion_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_gamespy.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_gamespy(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"\\\\sta\"))\n                return true;\n        if (match_str_either(data, \"\\\\inf\"))\n                return true;\n        if (match_str_either(data, \"\\\\gam\"))\n                return true;\n        if (match_str_either(data, \"\\\\hos\"))\n                return true;\n        if (match_str_either(data, \"\\\\bas\"))\n                return true;\n\n        /* Gamespy request begins with 0xfe 0xfd FOO BAR. 
The response begins\n         * with FOO BAR, i.e. the response starts with the same two bytes that\n         * follow 0xfe 0xfd in the request */\n\n        if (MATCH(data->payload[0], 0xfe, 0xfd, ANY, ANY) &&\n                ((data->payload[1] << 16) == (data->payload[0] & 0xffff0000)))\n                return true;\n        if (MATCH(data->payload[1], 0xfe, 0xfd, ANY, ANY) &&\n                ((data->payload[0] << 16) == (data->payload[1] & 0xffff0000)))\n                return true;\n\n        /* These packets have also been observed between gamespy servers\n         * and for gamespy-powered games, e.g. GTA 4 */\n        if (match_str_both(data, \"\\xfd\\xfc\\x1e\\x66\", \"\\xfd\\xfc\\x1e\\x66\"))\n                return true;\n\n        if (match_str_either(data, \"\\xfd\\xfc\\x1e\\x66\")) {\n                if (data->payload_len[0] == 0)\n                        return true;\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_gamespy = {\n\tLPI_PROTO_UDP_GAMESPY,\n\tLPI_CATEGORY_GAMING,\n\t\"GameSpy\",\n\t3,\n\tmatch_gamespy\n};\n\nvoid register_gamespy(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_gamespy, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_ganglia.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Ganglia -- monitoring for clusters / grid computing */\n\nstatic inline bool match_gangmsg(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x00, 0x00, 0x00, 0x80)) {\n                /* The payload usually contains a host name so can\n                 * vary a fair bit.\n                 */\n                if (len >= 100 && len <= 250) {\n                        return true;\n                }\n        }\n        return false;\n}\n\nstatic inline bool match_ganglia(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 8649 && data->client_port != 8649) {\n                return false;\n        }\n\n        if (match_gangmsg(data->payload[0], data->payload_len[0])) {\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n        if 
(match_gangmsg(data->payload[1], data->payload_len[1])) {\n                if (data->payload_len[0] == 0)\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ganglia = {\n\tLPI_PROTO_UDP_GANGLIA,\n\tLPI_CATEGORY_MONITORING,\n\t\"Ganglia\",\n\t50,\n\tmatch_ganglia\n};\n\nvoid register_ganglia(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ganglia, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_gangsofspace.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_gos_37(uint32_t payload, uint32_t len) {\n\n        /* bytes 3 and 4 appear to be a length field */\n        if (len == 37 && MATCH(payload, 0x07, 0x00, 0x00, 0x21))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_gos_45(uint32_t payload, uint32_t len) {\n\n        /* bytes 3 and 4 appear to be a length field */\n        if (len == 45 && MATCH(payload, 0x07, 0x00, 0x00, 0x29))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_gangsofspace(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_gos_37(data->payload[0], data->payload_len[0])) {\n                if (match_gos_45(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_gos_37(data->payload[1], data->payload_len[1])) {\n          
      if (match_gos_45(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_gangsofspace = {\n\tLPI_PROTO_UDP_GANGSOFSPACE,\n\tLPI_CATEGORY_GAMING,\n\t\"GangsOfSpace\",\n\t12,\n\tmatch_gangsofspace\n};\n\nvoid register_gangsofspace(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_gangsofspace, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_garena.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_garena(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* http://garenalinux.pastebay.com/71533 */\n\n        if (data->server_port == 53 || data->client_port == 53)\n                return false;\n        \n\t/* Garena is NOT always on port 1513 */\n\n        /* Matching HELLO in each direction */\n        if (MATCH(data->payload[0], 0x02, 0x00, 0x00, 0x00)) {\n                if (data->payload_len[0] != 16)\n                        return false;\n                if (data->payload_len[1] == 0)\n                        return true;\n                if (data->payload_len[1] != 16)\n                        return false;\n                if (MATCH(data->payload[1], 0x02, 0x00, 0x00, 0x00))\n                        return true;\n                if (MATCH(data->payload[1], 0x0f, 0x00, 0x00, 0x00))\n                        return 
true;\n                return false;\n        }\n\n        if (MATCH(data->payload[1], 0x02, 0x00, 0x00, 0x00)) {\n                if (data->payload_len[1] != 16)\n                        return false;\n                if (data->payload_len[0] == 0)\n                        return true;\n                if (data->payload_len[0] != 16)\n                        return false;\n                if (MATCH(data->payload[0], 0x02, 0x00, 0x00, 0x00))\n                        return true;\n                if (MATCH(data->payload[0], 0x0f, 0x00, 0x00, 0x00))\n                        return true;\n                return false;\n        }\n\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_garena = {\n\tLPI_PROTO_UDP_GARENA,\n\tLPI_CATEGORY_GAMING,\n\t\"Garena_UDP\",\n\t5,\n\tmatch_garena\n};\n\nvoid register_garena(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_garena, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_gearsofwar.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_gow_44(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x00, 0x00, 0x00, 0x00) && len == 44)\n                return true;\n        return false;\n}\n\nstatic inline bool match_gow_51(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x00, 0x00, 0x00, 0x00) && len == 51)\n                return true;\n        return false;\n}\n\nstatic inline bool match_gow_port(uint32_t sp, uint32_t cp) {\n\n        if (sp == 30200 || cp == 30200)\n                return true;\n        if (sp == 30400 || cp == 30400)\n                return true;\n        if (sp == 30600 || cp == 30600)\n                return true;\n        if (sp == 31000 || cp == 31000)\n                return true;\n        if (sp == 30800 || cp == 30800)\n                return true;\n        if (sp == 30000 || cp == 30000)\n                
return true;\n\n        return false;\n}\n\nstatic inline bool match_gearsofwar(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (!match_gow_port(data->server_port, data->client_port))\n                return false;\n\n        if (match_gow_44(data->payload[0], data->payload_len[0])) {\n                if (match_gow_51(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_gow_44(data->payload[1], data->payload_len[1])) {\n                if (match_gow_51(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_gearsofwar = {\n\tLPI_PROTO_UDP_GEARSOFWAR,\n\tLPI_CATEGORY_GAMING,\n\t\"GearsOfWar\",\n\t199,\n\tmatch_gearsofwar\n};\n\nvoid register_gearsofwar(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_gearsofwar, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_gnutella.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_gnutella_maint(lpi_data_t *data) {\n\n\n        /* All Gnutella UDP communications begin with a random 16 byte\n         * message ID - the request and the response must have the same\n         * message ID */\n\n        /* OK, for now I'm going to just work with two-way exchanges, because\n         * one-way is going to be pretty unreliable :( */\n\n        /* One exception! Unanswered PINGs */\n        if (data->payload_len[0] == 23 && data->payload_len[1] == 0)\n                return true;\n        if (data->payload_len[1] == 23 && data->payload_len[0] == 0)\n                return true;\n\n        if (data->payload_len[1] == 0 || data->payload_len[0] == 0)\n                return false;\n\n        /* There seem to be some message types that do weird stuff with the\n         * GUID - I suspect they are Limewire extensions. 
*/\n\n        if (data->payload_len[0] == 23 && data->payload_len[1] == 23) {\n                if (match_chars_either(data, 0x00, 0x00, 0x00, 0x00))\n                        return true;\n        }\n\n        /* If there is payload in both directions, the message IDs must match */\n        if (data->payload[0] != data->payload[1])\n                return false;\n\n\n        /* All of these payload combinations are based purely on transactions\n         * observed on UDP port 6346 (a known Gnutella port) - sadly, there's\n         * no genuinely good documentation on the typical size of Gnutella\n         * UDP requests */\n\n        /* PING */\n        /*\n        if (data->payload_len[0] == 23 && data->payload_len[1] < 100)\n                return true;\n        if (data->payload_len[1] == 23 && data->payload_len[0] < 100)\n                return true;\n        */\n\n        /* 727 byte packets are matched with 81 or 86 byte packets */\n        if (data->payload_len[0] == 727 && (data->payload_len[1] == 81 ||\n                        data->payload_len[1] == 86))\n                return true;\n        if (data->payload_len[1] == 727 && (data->payload_len[0] == 81 ||\n                        data->payload_len[0] == 86))\n\t\treturn true;\n\n        /* 72 and (61 or 81 or 86) byte packets seem to go together */\n        if (data->payload_len[0] == 72) {\n                if (data->payload_len[1] == 61)\n                        return true;\n                if (data->payload_len[1] == 81)\n                        return true;\n                if (data->payload_len[1] == 86)\n                        return true;\n        }\n\n        if (data->payload_len[1] == 72) {\n                if (data->payload_len[0] == 61)\n                        return true;\n                if (data->payload_len[0] == 81)\n                        return true;\n                if (data->payload_len[0] == 86)\n                        return true;\n        }\n\n        /* 81 and 544 */\n        
if (data->payload_len[0] == 81 && data->payload_len[1] == 544)\n                return true;\n        if (data->payload_len[1] == 81 && data->payload_len[0] == 544)\n                return true;\n\n        /* 55 and 47 */\n        if (data->payload_len[0] == 55 && data->payload_len[1] == 47)\n                return true;\n        if (data->payload_len[1] == 55 && data->payload_len[0] == 47)\n                return true;\n\n        /* 38 and 96 */\n        if (data->payload_len[0] == 38 && data->payload_len[1] == 96)\n                return true;\n        if (data->payload_len[1] == 38 && data->payload_len[0] == 96)\n                return true;\n\n        /* 67 and (81 or 86) */\n        if (data->payload_len[0] == 67 && (data->payload_len[1] == 81 ||\n                        data->payload_len[1] == 86))\n                return true;\n        if (data->payload_len[1] == 67 && (data->payload_len[0] == 81 ||\n                        data->payload_len[0] == 86))\n                return true;\n\n\n        /* 29 byte requests seem to be met with 80-100 byte responses OR\n         * a 46 byte response */\n        if (data->payload_len[0] == 29) {\n                if (data->payload_len[1] <= 100 && data->payload_len[1] >= 80)\n                        return true;\n                if (data->payload_len[1] == 46)\n                        return true;\n        }\n        if (data->payload_len[1] == 29) {\n                if (data->payload_len[0] <= 100 && data->payload_len[0] >= 80)\n                        return true;\n                if (data->payload_len[0] == 46)\n                        return true;\n        }\n\n        /* 34 byte requests seem to be met with 138-165 byte responses */\n        if (data->payload_len[0] == 34 && (data->payload_len[1] <= 165 &&\n                        data->payload_len[1] >= 138))\n                return true;\n        if (data->payload_len[1] == 34 && (data->payload_len[0] <= 165 &&\n                        data->payload_len[0] >= 
138))\n                return true;\n\n\n        /* 193 matches 108 or 111 */\n        if (data->payload_len[0] == 193 && (data->payload_len[1] == 108 ||\n                        data->payload_len[1] == 111))\n                return true;\n        if (data->payload_len[1] == 193 && (data->payload_len[0] == 108 ||\n                        data->payload_len[0] == 111))\n                return true;\n\n\n        return false;\n\n}\n\n/* http://wiki.limewire.org/index.php?title=Out_of_Band_System */\nstatic inline bool match_gnutella_oob(lpi_data_t *data) {\n\n\t/* DANGER: anonymised IP addresses! */\n        if (!match_ip_address_both(data))\n                return false;\n\n        /* Payload size seems to be either 32 or 33 bytes */\n        if (data->payload_len[0] == 32 || data->payload_len[1] == 32)\n                return true;\n        if (data->payload_len[0] == 33 || data->payload_len[1] == 33)\n                return true;\n\n        return false;\n\n}\n\n\nstatic inline bool match_gnutella_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_gnutella_oob(data))\n\t\treturn true;\n\t\n\tif (match_gnutella_maint(data))\n\t\treturn true;\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_gnutella_udp = {\n\tLPI_PROTO_UDP_GNUTELLA,\n\tLPI_CATEGORY_P2P,\n\t\"Gnutella_UDP\",\n\t110,\t/* Rules are pretty dodgy so make this low priority */\n\tmatch_gnutella_udp\n};\n\nvoid register_gnutella_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_gnutella_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_gnutella2.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_gnutella2_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_chars_either(data, 'G', 'N', 'D', ANY))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_gnutella2_udp = {\n\tLPI_PROTO_UDP_GNUTELLA2,\n\tLPI_CATEGORY_P2P,\n\t\"Gnutella2_UDP\",\n\t3,\n\tmatch_gnutella2_udp\n};\n\nvoid register_gnutella2_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_gnutella2_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_gnutella_weak.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_gnutella_weak(lpi_data_t *data, \n\t\tlpi_module_t *mod UNUSED) {\n\n\t/* Not confident in this rule at all in terms of not creating\n\t * false positives. Need to *regularly* check up on this one\n\t * and make sure we're not over-matching */\n\n\tif (data->payload_len[0] == 31 && data->payload_len[1] == 0)\n\t\treturn true;\n\tif (data->payload_len[1] == 31 && data->payload_len[0] == 1)\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_gnutella_weak = {\n\tLPI_PROTO_UDP_GNUTELLA,\n\tLPI_CATEGORY_P2P,\n\t\"Gnutella_UDP\",\n\t220,\n\tmatch_gnutella_weak\n};\n\nvoid register_gnutella_weak(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_gnutella_weak, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_gotomeeting.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_gtm_ping(uint32_t payload, uint32_t len) {\n\n        if (len == 16 && MATCH(payload, 'P', 'I', 'N', 'G'))\n                return true;\n        return false;\n}\n\nstatic inline bool match_gtm_pong(uint32_t payload, uint32_t len) {\n\n        if (len == 16 && MATCH(payload, 'P', 'O', 'N', 'G'))\n                return true;\n        return false;\n}\n\nstatic inline bool match_gtm_webcam(uint32_t ploada, uint32_t ploadb) {\n\n        /* Bytes 2,3,4 match, but be careful not to match stuff like\n         * 0x000000 */\n\n        if (MATCH(ploada, ANY, 0x00, 0x00, 0x00))\n                return false;\n\n        if ((ploada & 0xffffff00) == (ploadb & 0xffffff00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_gotomeeting(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* VOIP 
tends to be on port 8200 */\n\n        if (match_gtm_ping(data->payload[0], data->payload_len[0])) {\n                if (match_gtm_pong(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_gtm_ping(data->payload[1], data->payload_len[1])) {\n                if (match_gtm_pong(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        /* Webcam goes over port 1853 */\n        if (match_gtm_webcam(data->payload[0], data->payload[1])) {\n                if (data->server_port == 1853 || data->client_port == 1853)\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_gotomeeting = {\n\tLPI_PROTO_UDP_GOTOMEETING,\n\tLPI_CATEGORY_VOIP,\n\t\"GoToMeeting\",\n\t149,\n\tmatch_gotomeeting\n};\n\nvoid register_gotomeeting(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_gotomeeting, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_gprs_tunnel.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_gtp_payload(uint32_t payload, uint32_t len) {\n        uint32_t swap = ntohl(payload);\n        uint32_t replen = swap & 0x0000ffff;\n\n        if (len == 0)\n                return true;\n\n        if (len != replen)\n                return false;\n\n        if ((swap & 0xf0ff0000) != 0x30010000) {\n                return false;\n        }\n\n        return true;\n}\n\n\nstatic inline bool match_gprs_tunnel(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n        if (match_gtp_payload(data->payload[0], data->payload_len[0])) {\n                if (match_gtp_payload(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n         \n        if (match_gtp_payload(data->payload[1], data->payload_len[1])) {\n                if (match_gtp_payload(data->payload[0], data->payload_len[0]))\n             
           return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_gprs_tunnel = {\n\tLPI_PROTO_UDP_GPRS_TUNNEL,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"GPRS_Tunnelling\",\n\t10,\n\tmatch_gprs_tunnel\n};\n\nvoid register_gprs_tunnel(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_gprs_tunnel, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_gsm.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_gsm(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* There are other commands but these are the only ones I've seen in\n\t * the wild so far */\n\n\tif (match_str_either(data, \"+CSQ\"))\n\t\treturn true;\n\tif (match_str_either(data, \"+CIM\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_gsm = {\n\tLPI_PROTO_UDP_GSM,\n\tLPI_CATEGORY_MONITORING,\n\t\"GSM\",\n\t3,\n\tmatch_gsm\n};\n\nvoid register_gsm(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_gsm, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_h1z1.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\n/* Appears to be H1Z1, an early access MMO (DayZ clone) from Sony Online */\n\nstatic inline bool match_h1z1_req1(uint32_t payload, uint32_t len) {\n\n        if (len == 25 && MATCH(payload, 0x00, 0x01, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_h1z1_resp1(uint32_t payload, uint32_t len) {\n\n        if (len == 21 && MATCH(payload, 0x00, 0x02, ANY, ANY))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_h1z1_req2(uint32_t payload, uint32_t len) {\n\n        if (len == 35 && MATCH(payload, 0x00, 0x01, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_h1z1_resp2(uint32_t payload, uint32_t len) {\n\n        if (len == 6 && MATCH(payload, 0x00, 0x15, ANY, ANY))\n                return true;\n        return 
false;\n\n}\n\n\nstatic inline bool match_h1z1(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* There are a couple of request / response patterns */\n\n        if (match_h1z1_req1(data->payload[1], data->payload_len[1])) {\n                if (match_h1z1_resp1(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_h1z1_req1(data->payload[0], data->payload_len[0])) {\n                if (match_h1z1_resp1(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_h1z1_req2(data->payload[1], data->payload_len[1])) {\n                if (match_h1z1_resp2(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_h1z1_req2(data->payload[0], data->payload_len[0])) {\n                if (match_h1z1_resp2(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_h1z1 = {\n\tLPI_PROTO_UDP_H1Z1,\n\tLPI_CATEGORY_GAMING,\n\t\"H1Z1\",\n\t25,\n\tmatch_h1z1\n};\n\nvoid register_h1z1(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_h1z1, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_halflife.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_halflife_ports(lpi_data_t *data) {\n        if (data->server_port >= 27000 && data->server_port < 28000)\n                return true;\n        if (data->client_port >= 27000 && data->client_port < 28000)\n                return true;\n        return false;\n}\n\nstatic inline bool match_halflife_nine(uint32_t payload, uint32_t len) {\n\n        if (len != 9)\n                return false;\n        if (!MATCHSTR(payload,  \"\\xff\\xff\\xff\\xff\"))\n                return false;\n        return true;\n\n}\n\nstatic inline bool match_halflife_generic(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n        if (!MATCHSTR(payload,  \"\\xff\\xff\\xff\\xff\"))\n                return false;\n        return true;\n\n}\n\nstatic inline bool match_halflife(lpi_data_t *data, lpi_module_t *mod 
UNUSED) {\n\n        if (match_halflife_nine(data->payload[0], data->payload_len[0])) {\n                if (match_halflife_nine(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (!match_halflife_ports(data))\n                return false;\n\n        /*\n        if (match_halflife_generic(data->payload[0], data->payload_len[0])) {\n                if (match_halflife_generic(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n        */\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_halflife = {\n\tLPI_PROTO_UDP_HL,\n\tLPI_CATEGORY_GAMING,\n\t\"HalfLife\",\n\t100,     /* Make sure this comes after other similar game protocols,\n                 * e.g. ARMA, Quake */\n\tmatch_halflife\n};\n\nvoid register_halflife(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_halflife, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_haloonline.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Halo Online -- multiplayer FPS that has already been shut down but is\n * somehow still being played by FPS \"aficionados\".\n */\n\nstatic inline bool match_bla_17(uint32_t payload, uint32_t len) {\n        if (len == 17 && MATCH(payload, 0x01, 'b', 'l', 'a'))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_bla_86(uint32_t payload, uint32_t len) {\n        if (len == 86 && MATCH(payload, 0x01, 'b', 'l', 'a'))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_haloonline(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 11774 */\n        if (match_bla_17(data->payload[0], data->payload_len[0])) {\n                if (match_bla_86(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_bla_17(data->payload[1], 
data->payload_len[1])) {\n                if (match_bla_86(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_haloonline = {\n\tLPI_PROTO_UDP_HALO_ONLINE,\n\tLPI_CATEGORY_GAMING,\n\t\"HaloOnline\",\n\t5,\n\tmatch_haloonline\n};\n\nvoid register_haloonline(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_haloonline, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_hamachi.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_hamachi(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Based on traffic observed on port 17771 where one endpoint is in\n\t * an IP range owned by LogMeIn */\n\n\tif (!MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x00))\n\t\treturn false;\n\tif (!MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x00))\n\t\treturn false;\n\tif (data->payload_len[0] != 76)\n\t\treturn false;\n\tif (data->payload_len[1] != 76)\n\t\treturn false;\n\n\treturn true;\n}\n\nstatic lpi_module_t lpi_hamachi = {\n\tLPI_PROTO_UDP_HAMACHI,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"Hamachi_UDP\",\n\t8,\n\tmatch_hamachi\n};\n\nvoid register_hamachi_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_hamachi, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_heliborne.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_hb_60(uint32_t payload, uint32_t len) {\n        if (len == 60 && MATCHSTR(payload, \"\\xff\\xff\\xcc\\x01\"))\n                return true;\n        return false;\n}\n\nstatic inline bool match_hb_76(uint32_t payload, uint32_t len) {\n\n        if (len == 76 && MATCH(payload, 0x00, 0x00, 0x00, 0x02))\n                return true;\n        if (len == 80 && MATCH(payload, 0x00, 0x00, 0xcc, 0x02))\n                return true;\n        return false;\n}\n\nstatic inline bool match_heliborne(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Ports 5055 and 5056 */\n        if (match_hb_60(data->payload[0], data->payload_len[0])) {\n                if (match_hb_76(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_hb_60(data->payload[1], data->payload_len[1])) {\n  
              if (match_hb_76(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_heliborne = {\n\tLPI_PROTO_UDP_HELIBORNE,\n\tLPI_CATEGORY_GAMING,\n\t\"Heliborne\",\n\t49,\n\tmatch_heliborne\n};\n\nvoid register_heliborne(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_heliborne, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_heroes_generals.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_hg_149(uint32_t payload, uint32_t len) {\n        if (len == 149 && MATCHSTR(payload, \"\\xff\\xff\\xff\\xff\"))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_hg_1400(uint32_t payload, uint32_t len) {\n\n        /* MTU could affect this XXX */\n        if (len != 1400)\n                return false;\n        \n        /* Bits 5-8 of the first byte are always 0 -- rest is random */\n        if ((payload & 0x0000000f) != 0x00000000)\n                return false;\n\n        return true;\n\n}\n\nstatic inline bool match_heroes_generals(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_hg_149(data->payload[0], data->payload_len[0])) {\n                if (match_hg_1400(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if 
(match_hg_149(data->payload[1], data->payload_len[1])) {\n                if (match_hg_1400(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_heroes_generals = {\n\tLPI_PROTO_UDP_HEROES_GENERALS,\n\tLPI_CATEGORY_GAMING,\n\t\"HeroesAndGenerals\",\n\t20,\n\tmatch_heroes_generals\n};\n\nvoid register_heroes_generals(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_heroes_generals, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_heroesevolved.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Mobile MOBA from R2Games */\n\n\nstatic inline bool match_he(uint32_t payload, uint32_t len) {\n        if (len == 5 && MATCH(payload, 0xdc, 'H', 'E', 0xe4))\n                return true;\n        return false;\n}\n\nstatic inline bool match_ffff(uint32_t payload, uint32_t len) {\n        if (len == 17 && MATCHSTR(payload, \"\\x01\\x00\\xff\\xff\"))\n                return true;\n        return false;\n}\n\nstatic inline bool match_heroesevolved(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\n        if (match_he(data->payload[0], data->payload_len[0])) {\n                if (match_ffff(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_he(data->payload[1], data->payload_len[1])) {\n                if (match_ffff(data->payload[0], data->payload_len[0]))\n                        return 
true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_heroesevolved = {\n\tLPI_PROTO_UDP_HEROES_EVOLVED,\n\tLPI_CATEGORY_GAMING,\n\t\"HeroesEvolved\",\n\t50,\n\tmatch_heroesevolved\n};\n\nvoid register_heroesevolved(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_heroesevolved, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_hollachat.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_holla_header(uint32_t payload, uint32_t len) {\n\n        uint32_t hdrlen;\n        uint16_t swapped;\n\n        hdrlen = ntohl(payload) >> 16;\n        swapped = bswap_be_to_host16((uint16_t)hdrlen);\n\n        if (len == swapped && MATCH(payload, ANY, ANY, 0x01, 0x00))\n                return true;\n\n        return false;\n\n}\n\nstatic inline bool restrict_port(uint16_t porta, uint16_t portb) {\n        if (porta == 5888 || portb == 5888)\n                return true;\n        if (porta >= 4000 && porta <= 4010)\n                return true;\n        if (portb >= 4000 && portb <= 4010)\n                return true;\n        return false;\n}\n\nstatic inline bool match_hollachat(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Ports 5888 and 4000-4009 are common */\n        if (restrict_port(data->server_port, 
data->client_port) == false) {\n                return false;\n        }\n\n        if (match_holla_header(data->payload[0], data->payload_len[0])) {\n                if (match_holla_header(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_hollachat = {\n\tLPI_PROTO_UDP_HOLLA,\n\tLPI_CATEGORY_CHAT,\n\t\"HollaChat\",\n\t210,\n\tmatch_hollachat\n};\n\nvoid register_hollachat(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_hollachat, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_hots.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Heroes of the Storm -- Blizzard MOBA */\n\nstatic inline bool match_hots_zero(uint32_t payload, uint32_t len) {\n\n        if (len == 20 && MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_hots_other(uint32_t payload, uint32_t len) {\n\n        if (len == 20 && MATCH(payload, ANY, ANY, 0x01, 0x00))\n                return true;\n        if (len == 20 && MATCH(payload, ANY, ANY, 0x02, 0x00))\n                return true;\n        if (len == 20 && MATCH(payload, ANY, ANY, 0x03, 0x00))\n                return true;\n        if (len == 20 && MATCH(payload, ANY, ANY, 0x04, 0x00))\n                return true;\n        if (len == 20 && MATCH(payload, ANY, ANY, 0x05, 0x00))\n                return true;\n        if (len == 20 && MATCH(payload, ANY, ANY, 0x06, 0x00))\n                
return true;\n        if (len == 20 && MATCH(payload, ANY, ANY, 0x07, 0x00))\n                return true;\n        if (len == 20 && MATCH(payload, ANY, ANY, 0x08, 0x00))\n                return true;\n        if (len == 20 && MATCH(payload, ANY, ANY, 0x00, 0x00)) {\n                if (MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                        return false;\n                return true;\n        }\n\n        return false;\n}\n\nstatic inline bool match_hots(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        bool validport = false;\n\n        if (data->server_port == 1119 || data->client_port == 1119)\n                validport = true;\n        if (data->server_port == 3724 || data->client_port == 3724)\n                validport = true;\n\n        if (!validport)\n                return false;\n\n        if (match_hots_zero(data->payload[0], data->payload_len[0])) {\n                if (match_hots_other(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_hots_zero(data->payload[1], data->payload_len[1])) {\n                if (match_hots_other(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_hots = {\n\tLPI_PROTO_UDP_HOTS,\n\tLPI_CATEGORY_GAMING,\n\t\"HeroesOfTheStorm\",\n\t101,\n\tmatch_hots\n};\n\nvoid register_hots(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_hots, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_icp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_icp_query(uint32_t payload, uint32_t len) {\n\n        uint32_t stated_len = 0;\n\n        stated_len = ntohl(payload) & 0xffff;\n        if (stated_len != len)\n                return false;\n\t\n\t/* Just going to match v2 for now */\n\tif (MATCH(payload, 0x01, 0x02, ANY, ANY))\n\t\treturn true;\n\treturn false;\t\n\n\n}\n\nstatic inline bool match_icp_response(uint32_t payload, uint32_t len) {\n\n        uint32_t stated_len = 0;\n\n        stated_len = ntohl(payload) & 0xffff;\n        if (stated_len != len)\n                return false;\n\t\n\t/* Just going to match v2 for now */\n\n\t/* HIT */\n\tif (MATCH(payload, 0x02, 0x02, ANY, ANY))\n\t\treturn true;\n\t/* MISS */\n\tif (MATCH(payload, 0x03, 0x02, ANY, ANY))\n\t\treturn true;\n\t\n\t/* XXX we possibly could match invalid and error codes as well,\n\t * but let's wait 
until we actually see these things */\n\treturn false;\t\n\n\n}\n\nstatic inline bool match_icp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_icp_query(data->payload[0], data->payload_len[0])) {\n\t\tif (match_icp_response(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_icp_query(data->payload[1], data->payload_len[1])) {\n\t\tif (match_icp_response(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_icp = {\n\tLPI_PROTO_UDP_ICP,\n\tLPI_CATEGORY_CACHING,\n\t\"ICP\",\n\t8,\t/* Must be run before RADIUS */\n\tmatch_icp\n};\n\nvoid register_icp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_icp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_imesh.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_imesh_req(uint32_t data, uint32_t len) {\n\n\tif (len != 36 && len != 32)\n\t\treturn false;\n\t\n        if (MATCH(data, 0x02, 0x00, 0x00, 0x00))\n                return true;\n\n\treturn false;\n}\n\nstatic inline bool match_imesh_resp(uint32_t data, uint32_t len) {\n\tif (len == 0)\n\t\treturn true;\n\tif (len != 36 && len != 32)\n\t\treturn false;\n\t\n\tif (MATCH(data, 0x02, 0x00, ANY, ANY))\n\t\treturn true;\n\treturn false;\n}\n/* XXX Not really sure on this one - based on the code from OpenDPI but I\n * can't find any documentation that confirms this */\nstatic inline bool match_imesh_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_imesh_req(data->payload[0], data->payload_len[0])) {\n\t\tif (match_imesh_resp(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\tif 
(match_imesh_req(data->payload[1], data->payload_len[1])) {\n\t\tif (match_imesh_resp(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_imesh_udp = {\n\tLPI_PROTO_UDP_IMESH,\n\tLPI_CATEGORY_P2P,\n\t\"iMesh_UDP\",\n\t6,\n\tmatch_imesh_udp\n};\n\nvoid register_imesh_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_imesh_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_ipmsg.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_ipmsg(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t /* IPMSG packet format:\n         *\n         * Version:MessageNumber:User:Host:Command:MsgContent\n         *\n         * Version is always 1.\n         *\n         * All IPMsg observed so far has a message number beginning with\n         * 80...\n         */\n\n        /* Do a port check as well, just to be sure */\n        if (data->server_port != 2425 && data->client_port != 2425)\n                return false;\n\n        if (match_chars_either(data, '1', ':', '8', '0'))\n                return true;\n\n        return false;\n}\n\nstatic lpi_module_t lpi_ipmsg = {\n\tLPI_PROTO_UDP_IPMSG,\n\tLPI_CATEGORY_CHAT,\n\t\"IPMsg\",\n\t5,\n\tmatch_ipmsg\n};\n\nvoid register_ipmsg(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ipmsg, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_ipv6.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_ipv6_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->payload_len[0] < 4 && data->payload_len[1] < 4)\n                return false;\n\n        if (match_str_both(data, \"\\x60\\x00\\x00\\x00\", \"\\x60\\x00\\x00\\x00\")) {\n                return true;\n        }\n\n\t/* One-way DNS check */\t\n\tif (data->server_port == 53 || data->client_port == 53)\n\t\treturn false;\n\n        if (MATCHSTR(data->payload[0], \"\\x60\\x00\\x00\\x00\")) {\n\t\tif (data->payload_len[1] == 0) {\n                        return true;\n                }\n        }\n\n        if (MATCHSTR(data->payload[1], \"\\x60\\x00\\x00\\x00\")) {\n                if (data->payload_len[0] == 0) {\n                        return true;\n                }\n        }\n\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ipv6_udp = 
{\n\tLPI_PROTO_UDP_IPV6,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"UDP_IPv6\",\n\t4,\n\tmatch_ipv6_udp\n};\n\nvoid register_ipv6_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ipv6_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_isakmp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_isakmp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Rule out anything not on UDP port 500 */\n        if (data->server_port != 500 && data->client_port != 500)\n                return false;\n\n        /* Catching one-way ISAKMP is hard, we have to rely on port numbers\n         * because nothing else is consistent :( */\n        if (data->payload_len[0] == 0 || data->payload_len[1] == 0) {\n                if (data->server_port == 500 && data->client_port == 500)\n                        return true;\n                /* Match shadowserver.org scan traffic */\n                if (MATCH(data->payload[0], 0x3e, 0x35, 0xc7, 0x07))\n                        return true;\n                if (MATCH(data->payload[1], 0x3e, 0x35, 0xc7, 0x07))\n                        return true;\n                return false;\n        }\n\n\n  
      /* First four bytes are the cookie for the initiator, so should match \n         * in both directions */\n\n        if (data->payload[0] != data->payload[1])\n                return false;\n        if (data->payload_len[0] < 4 && data->payload_len[1] < 4)\n                return false;\n\n        return true;\n\n}\n\nstatic lpi_module_t lpi_isakmp = {\n\tLPI_PROTO_UDP_ISAKMP,\n\tLPI_CATEGORY_KEY_EXCHANGE,\n\t\"ISAKMP\",\n\t6,\n\tmatch_isakmp\n};\n\nvoid register_isakmp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_isakmp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_jedi.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_jedi_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Citrix have a protocol called JEDI which is used for streaming\n\t * in products like GoToMyPC */\n\n\tif (match_str_both(data, \"JEDI\", \"JEDI\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_jedi = {\n\tLPI_PROTO_UDP_JEDI,\n\tLPI_CATEGORY_REMOTE,\n\t\"Citrix_Jedi_UDP\",\n\t3,\n\tmatch_jedi_udp\n};\n\nvoid register_jedi_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_jedi, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_jedi_academy.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_jedi_academy(lpi_data_t *data, \n\t\tlpi_module_t *mod UNUSED) {\n\n\t/* Pretty rare, but we can write a rule for it */\n        if (match_str_both(data, \"\\xff\\xff\\xff\\xff\", \"\\xff\\xff\\xff\\xff\")) {\n                /* Server browsing */\n                if (data->payload_len[0] == 65 && data->payload_len[1] == 181)\n                        return true;\n                if (data->payload_len[0] == 66 && data->payload_len[1] == 182)\n                        return true;\n                if (data->payload_len[1] == 65 && data->payload_len[0] == 181)\n                        return true;\n                if (data->payload_len[1] == 66 && data->payload_len[0] == 182)\n                        return true;\n\n                /* Actual gameplay */\n                if (data->payload_len[0] == 16 && data->payload_len[1] == 
32)\n                        return true;\n                if (data->payload_len[1] == 16 && data->payload_len[0] == 32)\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_jedi = {\n\tLPI_PROTO_UDP_JEDI_ACADEMY,\n\tLPI_CATEGORY_GAMING,\n\t\"JediAcademy\",\n\t5,\n\tmatch_jedi_academy\n};\n\nvoid register_jedi_academy(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_jedi, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_kademlia.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic bool is_kad_e9_payload(uint32_t payload, uint32_t len) {\n\n        /* This seem to be some variant of Kademlia, although I have not\n         * been able to figure out which */\n\n        /* All packets begin with e9, while possible second bytes are \n         * 0x55, 0x56, 0x60, 0x61, 0x76, 0x75\n         *\n         * 0x56 is a response to 0x55\n         * 0x61 is a response to 0x60\n         * 0x76 is a kind of FIN packet, it also responds to 0x75\n\t *\n\t * 0x92 seems to be a valid response to unsolicited 0x56 or 0x61 ??\n         *\n         * There are also packets that seem to begin with 0xea 0x75 0x78 0x9c.\n         */\n\n        if (MATCH(payload, 0xe9, 0x55, ANY, ANY) && len == 27)\n                return true;\n        if (MATCH(payload, 0xe9, 0x56, ANY, ANY) && len == 27)\n                return true;\n        if (MATCH(payload, 
0xe9, 0x60, ANY, ANY) && len == 34)\n                return true;\n        if (MATCH(payload, 0xe9, 0x61, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0xe9, 0x76, ANY, ANY) && len == 18)\n                return true;\n        if (MATCH(payload, 0xe9, 0x75, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0xe9, 0x92, ANY, ANY) && len == 3)\n                return true;\n\n\n        if (MATCH(payload, 0xea, 0x75, 0x78, 0x9c))\n                return true;\n\n        return false;\n\n}\n\n\nstatic inline bool match_kademlia(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->payload_len[0] == 0 && is_kad_e9_payload(data->payload[1],\n                                data->payload_len[1]))\n                return true;\n\n        if (data->payload_len[1] == 0 && is_kad_e9_payload(data->payload[0],\n                                data->payload_len[0]))\n                return true;\n\n        if (is_kad_e9_payload(data->payload[0], data->payload_len[0]) &&\n                        is_kad_e9_payload(data->payload[1],\n                        data->payload_len[1]))\n                return true;\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_kademlia = {\n\tLPI_PROTO_UDP_KADEMLIA,\n\tLPI_CATEGORY_P2P,\n\t\"Kademlia\",\n\t11,\n\tmatch_kademlia\n};\n\nvoid register_kademlia(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_kademlia, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_kankan.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Kankan -- video streaming by Xunlei */\n\nstatic inline bool match_kankan(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->server_port == 8080 || data->client_port == 8080) {\n\t    /* Small flows used probably for DHT-like purposes */\n\t    if (data->payload_len[0] == 68 && data->payload_len[1] == 180)\n\t\treturn true;\n\t    if (data->payload_len[0] == 68 && data->payload_len[1] == 0)\n\t\treturn true;\n\t    if (data->payload_len[1] == 68 && data->payload_len[0] == 180)\n\t\treturn true;\n\t    if (data->payload_len[1] == 68 && data->payload_len[0] == 0)\n\t\treturn true;\n\n\t}\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_kankan = {\n\tLPI_PROTO_UDP_KANKAN,\n\tLPI_CATEGORY_STREAMING,\n\t\"Kankan\",\n\t100,\n\tmatch_kankan\n};\n\nvoid register_kankan(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_kankan, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_kaspersky.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_kaspersky_udp(lpi_data_t *data, \n\t\tlpi_module_t *mod UNUSED) {\n\n\tif (data->server_port != 2001 && data->client_port != 2001)\n\t\treturn false;\n\n\treturn match_kaspersky(data);\n}\n\nstatic lpi_module_t lpi_kaspersky = {\n\tLPI_PROTO_UDP_KASPERSKY,\n\tLPI_CATEGORY_SECURITY,\n\t\"Kaspersky_UDP\",\n\t3,\n\tmatch_kaspersky_udp\n};\n\nvoid register_kaspersky_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_kaspersky, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_kazaa.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_kazaa(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* 0x27 is a ping, 0x28 and 0x29 are pongs */\n\n        /* A Kazaa ping is usually 12 bytes, 0x28 pong is 17, 0x29 pong is 21 */\n\n        if (match_str_both(data, \"\\x27\\x00\\x00\\x00\", \"\\x28\\x00\\x00\\x00\"))\n                return true;\n        if (match_str_both(data, \"\\x27\\x00\\x00\\x00\", \"\\x29\\x00\\x00\\x00\"))\n                return true;\n\n        if (match_str_either(data, \"\\x27\\x00\\x00\\x00\")) {\n                if (data->payload_len[0] == 0 && data->payload_len[1] == 12)\n                        return true;\n                if (data->payload_len[1] == 0 && data->payload_len[0] == 12)\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_kazaa = 
{\n\tLPI_PROTO_UDP_KAZAA,\n\tLPI_CATEGORY_P2P,\n\t\"Kazaa_UDP\",\n\t4,\n\tmatch_kazaa\n};\n\nvoid register_kazaa(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_kazaa, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_kingofglory_udp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_kog_44(uint32_t payload, uint32_t len) {\n        if (len == 44 && MATCH(payload, 0x01, 0x02, 0x00, 0x00))\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_kog_24(uint32_t payload, uint32_t len) {\n        if (len == 24)\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_kingofglory_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_kog_44(data->payload[0], data->payload_len[0])) {\n                if (match_kog_24(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_kog_44(data->payload[1], data->payload_len[1])) {\n                if (match_kog_24(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic 
lpi_module_t lpi_kingofglory_udp = {\n\tLPI_PROTO_UDP_KINGOFGLORY,\n\tLPI_CATEGORY_GAMING,\n\t\"KingOfGlory_UDP\",\n\t101,\n\tmatch_kingofglory_udp\n};\n\nvoid register_kingofglory_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_kingofglory_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_kuguo.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_kugou_req(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x65, ANY, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0x64, ANY, ANY, ANY))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_kugou_resp(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n\n        if (MATCH(payload, 0x65, ANY, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0x64, ANY, ANY, ANY))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_kugou(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Rule is very weak, need to limit to known Kugou ports */\n\n        if (data->server_port != 8000 && data->client_port != 8000)\n                return false;\n\n        if 
(match_kugou_req(data->payload[0], data->payload_len[0])) {\n                if (match_kugou_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_kugou_req(data->payload[1], data->payload_len[1])) {\n                if (match_kugou_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_kugou = {\n\tLPI_PROTO_UDP_KUGOU,\n\tLPI_CATEGORY_STREAMING,\n\t\"Kugou\",\n\t200,\n\tmatch_kugou\n};\n\nvoid register_kugou(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_kugou, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_l2tp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_l2tp_payload(uint32_t payload, uint32_t len) {\n\n\tuint32_t hdrlen = ntohl(payload) & 0xffff;\n\n        if (len == 0)\n\t\treturn true;\n\n        if (len != hdrlen)\n                return false;\n\n\tif (!MATCH(payload, 0xc8, 0x02, ANY, ANY))\n\t\treturn false;\n\n\treturn true;\n\n}\n\nstatic inline bool match_l2tp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (!match_l2tp_payload(data->payload[0], data->payload_len[0]))\n\t\treturn false;\n\tif (!match_l2tp_payload(data->payload[1], data->payload_len[1]))\n\t\treturn false;\n\n\n\treturn true;\n}\n\nstatic lpi_module_t lpi_l2tp = {\n\tLPI_PROTO_UDP_L2TP,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"L2TP\",\n\t6,\n\tmatch_l2tp\n};\n\nvoid register_l2tp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_l2tp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_lansync.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* LANSync is the protocol used by DropBox to sync data changes within the\n * local network.\n *\n * Ref: http://geeklogs.posterous.com/dropbox-lan-sync-protocol\n */\n\nstatic inline bool match_lansync_disc(uint32_t payload, uint32_t len) {\n\n\tif (len == 0)\n\t\treturn false;\n\tif (MATCH(payload, '{', '\"', 'h', 'o'))\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_lansync_udp(lpi_data_t *data, \n\t\tlpi_module_t *mod UNUSED) {\n\n\tif (data->server_port != 17500 && data->client_port != 17500)\n\t\treturn false;\n\n\tif (match_lansync_disc(data->payload[0], data->payload_len[0])) {\n\t\tif (data->payload_len[1] == 0)\n\t\t\treturn true;\n\t}\n\n\tif (match_lansync_disc(data->payload[1], data->payload_len[1])) {\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t}\n\treturn false;\n}\n\nstatic lpi_module_t lpi_lansync_udp 
= {\n\tLPI_PROTO_UDP_LANSYNC,\n\tLPI_CATEGORY_BROADCAST,\n\t\"LanSync_UDP\",\n\t6,\n\tmatch_lansync_udp\n};\n\nvoid register_lansync_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_lansync_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_ldap_ad.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_ldap_ad_payload(uint32_t payload, uint32_t len) {\n\tif (len == 0)\n\t\treturn true;\n\tif (MATCH(payload, 0x30, 0x84, 0x00, 0x00))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_ldap_ad(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Rule out one-way DNS, which could look like our LDAP AD payload */\n\tif (data->payload_len[0] == 0 || data->payload_len[1] == 0) {\n\t\tif (data->server_port == 53 || data->client_port == 53)\n\t\t\treturn false;\n\t}\n\n\tif (!match_ldap_ad_payload(data->payload[0], data->payload_len[0]))\n\t\treturn false;\t\n\tif (!match_ldap_ad_payload(data->payload[1], data->payload_len[1]))\n\t\treturn false;\t\n\n\treturn true;\n}\n\nstatic lpi_module_t lpi_ldap_ad = {\n\tLPI_PROTO_UDP_LDAP_AD,\n\tLPI_CATEGORY_SERVICES,\n\t\"LDAP_AD\",\n\t5,\n\tmatch_ldap_ad\n};\n\nvoid 
register_ldap_ad(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ldap_ad, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_line_udp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_line_108(uint32_t payload, uint32_t len) {\n\n        if (len != 108)\n                return false;\n        if (MATCH(payload, 0xb6, 0x12, 0x00, 0x68))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_line_110(uint32_t payload, uint32_t len) {\n\n        if (len != 110)\n                return false;\n        if (MATCH(payload, 0xb6, 0x18, 0x00, 0x6a))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_line_35(uint32_t payload, uint32_t len) {\n\n        if (!MATCH(payload, 0xb6, 0x13, 0x00, 0x06))\n                return false;\n        if (len == 35 || len == 46)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_line_16(uint32_t payload, uint32_t len) {\n        if (len == 0)\n                return true;\n\n        
if (len == 16 && MATCH(payload, 0xb6, 0x09, 0x00, 0x0c))\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_line_43(uint32_t payload, uint32_t len) {\n\n        if (len == 43 && MATCH(payload, 0xb6, 0x13, 0x00, 0x27))\n                return true;\n        if (len == 43 && MATCH(payload, 0xb6, 0x14, 0x00, 0x27))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_line_46(uint32_t payload, uint32_t len) {\n\n        if (len == 46 && MATCH(payload, 0xb6, 0x15, 0x00, 0x06))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_line_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_line_108(data->payload[0], data->payload_len[0])) {\n                if (match_line_35(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_line_108(data->payload[1], data->payload_len[1])) {\n                if (match_line_35(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_line_110(data->payload[0], data->payload_len[0])) {\n                if (match_line_35(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_line_110(data->payload[1], data->payload_len[1])) {\n                if (match_line_35(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_line_43(data->payload[0], data->payload_len[0])) {\n                if (match_line_46(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_line_43(data->payload[1], data->payload_len[1])) {\n                if (match_line_46(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        /* Not 100% sure about this one, but the few clues I have make me\n         * think this is likely to be Line.\n     
    *   1. all connections use at least one port in the 50000+ range.\n         *   2. many remote addresses are in Japanese ASNs.\n         *   3. first byte of payload is 0xb6.\n         */\n        if (match_line_16(data->payload[0], data->payload_len[0])) {\n                if (match_line_16(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_line_udp = {\n\tLPI_PROTO_UDP_LINE,\n\tLPI_CATEGORY_CHAT,\n\t\"Line_UDP\",\n\t16,\n\tmatch_line_udp\n};\n\nvoid register_line_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_line_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_linkproof.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_linkproof(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->payload_len[0] != 0 && data->payload_len[1] != 0)\n                return false;\n\n        if (!match_str_either(data, \"link\"))\n                return false;\n\n        if (data->payload_len[0] == 50 || data->payload_len[1] == 50)\n                return true;\n\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_linkproof = {\n\tLPI_PROTO_UDP_LINKPROOF,\n\tLPI_CATEGORY_MONITORING,\n\t\"Linkproof\",\n\t3,\n\tmatch_linkproof\n};\n\nvoid register_linkproof(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_linkproof, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_loadout.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_load_42(uint32_t payload, uint32_t len) {\n        if (len == 42 && MATCH(payload, 0x60, 0x0a, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_load_46(uint32_t payload, uint32_t len) {\n        if (len == 46 && MATCH(payload, 0x60, 0x0a, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_loadout(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_load_42(data->payload[0], data->payload_len[0])) {\n                if (match_load_46(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_load_42(data->payload[1], data->payload_len[1])) {\n                if (match_load_46(data->payload[0], data->payload_len[0]))\n                        return true;\n        
}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_loadout = {\n\tLPI_PROTO_UDP_LOADOUT,\n\tLPI_CATEGORY_GAMING,\n\t\"Loadout\",\n\t60,\n\tmatch_loadout\n};\n\nvoid register_loadout(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_loadout, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_lol.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* League of Legends: a popular online game circa 2012/2013 */\nstatic inline bool match_lol(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if ((data->server_port < 5100 || data->server_port > 5150) &&\n                        (data->client_port < 5100 || data->client_port > 5150))\n                return false;\n\n\tif (data->payload_len[0] == 44 && data->payload_len[1] == 48)\n\t\treturn true;\n\tif (data->payload_len[1] == 44 && data->payload_len[0] == 48)\n\t\treturn true;\n\n\tif (data->payload_len[0] == 52 && data->payload_len[1] == 48)\n\t\treturn true;\n\tif (data->payload_len[1] == 52 && data->payload_len[0] == 48)\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_lol = {\n\tLPI_PROTO_UDP_LOL,\n\tLPI_CATEGORY_GAMING,\n\t\"LeagueOfLegends\",\n\t35,\n\tmatch_lol\n};\n\nvoid register_lol(LPIModuleMap *mod_map) 
{\n\tregister_protocol(&lpi_lol, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_mdns.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Multicast DNS */\n\nstatic inline bool match_unicast_mdns(lpi_data_t *data) {\n        if (data->server_port != 5353 && data->client_port != 5353) {\n                return false;\n        }\n\n        /* Only time I've ever seen this is Russian hackers trying\n         * to get more info about the local network.  
*/\n\n        if (MATCH(data->payload[0], 0x00, 0x00, 0x84, 0x00)) {\n                if (MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x00))\n                        return true;\n        }\n\n        if (MATCH(data->payload[1], 0x00, 0x00, 0x84, 0x00)) {\n                if (MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x00))\n                        return true;\n        }\n        return false;\n}\n\nstatic inline bool match_mdns(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_unicast_mdns(data))\n                return true;\n\n\tif (data->server_port != 5353)\n\t\treturn false;\n\tif (data->client_port != 5353)\n\t\treturn false;\n\n\t/* Flags are set */\n\tif (MATCH(data->payload[0], 0x00, 0x00, 0x84, 0x00)) {\n\t\tif (data->payload_len[1] == 0)\n\t\t\treturn true;\n\t}\n\tif (MATCH(data->payload[1], 0x00, 0x00, 0x84, 0x00)) {\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t}\n\n\t/* Flags are not set - this is tricky because the payload is zero */\n\tif (data->payload_len[0] != 0 && data->payload[0] == 0) {\n\t\tif (data->payload_len[1] == 0)\n\t\t\treturn true;\n\t}\n\tif (data->payload_len[1] != 0 && data->payload[1] == 0) {\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t}\n\t\t\n\t\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mdns = {\n\tLPI_PROTO_UDP_MDNS,\n\tLPI_CATEGORY_SERVICES,\n\t\"mDNS\",\n\t20,\n\tmatch_mdns\n};\n\nvoid register_mdns(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mdns, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_merakicloud.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_merakicloud(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 7351 */\n\n        /* This may just be a user id of some sort -- need to see multiple\n         * users to confirm this is a fixed pattern.\n         */\n        if (MATCH(data->payload[0], 0xfe, 0xf7, 0x28, 0x91)) {\n                if (MATCH(data->payload[1], 0xfe, 0xf7, 0x28, 0x91)) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_merakicloud = {\n\tLPI_PROTO_UDP_MERAKICLOUD,\n\tLPI_CATEGORY_CLOUD,\n\t\"MerakiCloud\",\n\t34,\n\tmatch_merakicloud\n};\n\nvoid register_merakicloud(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_merakicloud, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_moh.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_moh_ping(lpi_data_t *data) {\n\n        /* Seems to be server browsing for Medal of Honor: AA */\n\n        if (match_str_both(data, \"ping\", \"\\xff\\xff\\xff\\xff\"))\n                return true;\n\n        if (MATCHSTR(data->payload[0], \"ping\")) {\n                if (data->payload_len[0] != 4)\n                        return false;\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n        if (MATCHSTR(data->payload[1], \"ping\")) {\n                if (data->payload_len[1] != 4)\n                        return false;\n                if (data->payload_len[0] == 0)\n                        return true;\n        }\n\n        return false;\n}\n\n\nstatic inline bool match_moh(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_moh_ping(data))\n                
return true;\n\n        if (!MATCH(data->payload[0], 0xff, 0xff, 0xff, 0xff))\n                return false;\n        if (!MATCH(data->payload[1], 0xff, 0xff, 0xff, 0xff))\n                return false;\n\n        /* This is kinda a broad match, so let's refine it a bit by using the\n         * port number */\n        if (data->server_port >= 12200 && data->server_port <= 12210) {\n\n                if (data->payload_len[0] == 16 && data->payload_len[1] > 600)\n                        return true;\n                if (data->payload_len[1] == 16 && data->payload_len[0] > 600)\n                        return true;\n        }\n\n        if (data->client_port >= 12200 && data->client_port <= 12210) {\n\n                if (data->payload_len[0] == 16 && data->payload_len[1] > 600)\n                        return true;\n                if (data->payload_len[1] == 16 && data->payload_len[0] > 600)\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_moh = {\n\tLPI_PROTO_UDP_MOH,\n\tLPI_CATEGORY_GAMING,\n\t\"MedalOfHonor\",\n\t8,\n\tmatch_moh\n};\n\nvoid register_moh(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_moh, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_moonhunters.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Needs to be confirmed, as this game costs money, but pretty confident\n * that Moon Hunters is the source of the traffic for this rule.\n */\n\nstatic inline bool match_mh_27(uint32_t payload, uint32_t len) {\n\n        if (len == 27 && MATCH(payload, 0x00, 0x00, 0x05, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_mh_10(uint32_t payload, uint32_t len) {\n\n        if (len == 10 && MATCH(payload, 0x00, 0x00, 0x05, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_moonhunters(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 9999 && data->client_port != 9999)\n                return false;\n\n        if (match_mh_27(data->payload[0], data->payload_len[0])) {\n                if (match_mh_10(data->payload[1], data->payload_len[1]))\n    
                    return true;\n        }\n\n        if (match_mh_27(data->payload[1], data->payload_len[1])) {\n                if (match_mh_10(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_moonhunters = {\n\tLPI_PROTO_UDP_MOONHUNTERS,\n\tLPI_CATEGORY_GAMING,\n\t\"MoonHunters\",\n\t51,\n\tmatch_moonhunters\n};\n\nvoid register_moonhunters(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_moonhunters, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_mp2p.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mp2p_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* At least one of the endpoints needs to be on the known port */\n        if (data->server_port != 41170 && data->client_port != 41170)\n                return false;\n\n        if (match_chars_either(data, 0x3d, 0x4a, 0xd9, ANY))\n                return true;\n        if (match_chars_either(data, 0x3e, 0x4a, 0xd9, ANY))\n                return true;\n        if (match_chars_either(data, 0x3d, 0x4b, 0xd9, ANY))\n                return true;\n        if (match_chars_either(data, 0x3e, 0x4b, 0xd9, ANY))\n                return true;\n        if (match_chars_either(data, ANY, 0x4b, 0xd9, 0x65))\n                return true;\n        if (match_chars_either(data, ANY, 0x4a, 0xd9, 0x65))\n                return true;\n        if (match_chars_either(data, ANY, 0x4a, 0xd6, 
0x6f))\n                return true;\n        if (match_chars_either(data, ANY, 0x4a, 0xd6, 0x90))\n                return true;\n\n\n        /* Seeing a lot of these in flows using port 41170 both ways */\n\n\t/* Watch out for one-way DNS again */\n        if (data->server_port == 53 || data->client_port == 53)\n\t\treturn false;\n\t\n\tif (MATCH(data->payload[0], ANY, ANY, 0x00, 0x00) &&\n                        data->payload_len[0] != 0) {\n                if (data->payload_len[1] != 0)\n                        return false;\n                return true;\n        }\n\n        if (MATCH(data->payload[1], ANY, ANY, 0x00, 0x00) &&\n                        data->payload_len[1] != 0) {\n                if (data->payload_len[0] != 0)\n                        return false;\n                return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mp2p_udp = {\n\tLPI_PROTO_UDP_MP2P,\n\tLPI_CATEGORY_P2P,\n\t\"MP2P_UDP\",\n\t4,\n\tmatch_mp2p_udp\n};\n\nvoid register_mp2p_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mp2p_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_msn_cache.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_msn_cache(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->payload_len[0] != 0 && data->payload_len[1] != 0)\n                return false;\n\n        /* These packets seem to be 20 bytes */\n        if (data->payload_len[0] != 20 && data->payload_len[1] != 20)\n                return false;\n\n        if (match_chars_either(data, 0x02, 0x04, 0x00, 0x00))\n                return true;\n        if (match_chars_either(data, 0x02, 0x01, 0x41, 0x31))\n                return true;\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_msn_cache = {\n\tLPI_PROTO_UDP_MSN_CACHE,\n\tLPI_CATEGORY_CHAT,\n\t\"MSN_Cache\",\n\t3,\n\tmatch_msn_cache\n};\n\nvoid register_msn_cache(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_msn_cache, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_msn_video.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_msn_video(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t /* The authorization messages use a code of 0x48, followed by 3\n         * bytes of zero. 
The packet contains no non-header payload, so the\n         * payload length must be the size of the MSN video header (10 bytes)\n         *\n         * Ref: http://ml20rc.msnfanatic.com/vc_1_1/index.html\n         */\n        if (!(MATCHSTR(data->payload[0], \"\\x48\\x00\\x00\\x00\") &&\n                        data->payload_len[0] == 10))\n                return false;\n\n        if (!(MATCHSTR(data->payload[1], \"\\x48\\x00\\x00\\x00\") &&\n                        data->payload_len[1] == 10))\n                return false;\n\n        return true;\n\t\n}\n\nstatic lpi_module_t lpi_msn_video = {\n\tLPI_PROTO_UDP_MSN_VIDEO,\n\tLPI_CATEGORY_CHAT,\n\t\"MSN_Video_UDP\",\n\t3,\n\tmatch_msn_video\n};\n\nvoid register_msn_video(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_msn_video, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_msoffice_mac.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\n/* Protocol used by MS Office 2008 (Mac OS X version only) for license checking \n * on a local network.\n */\n\nstatic inline bool match_office_2008(lpi_data_t *data) {\n\n\tif (!match_str_either(data, \"MSOP\"))\n\t\treturn false;\n\t\n\tif (data->payload_len[0] == 72 && data->payload_len[1] == 0)\n\t\treturn true;\n\tif (data->payload_len[1] == 72 && data->payload_len[0] == 0)\n\t\treturn true;\n\n\treturn false;\n}\n \nstatic inline bool match_msoffice_mac(lpi_data_t *data, \n\t\tlpi_module_t *mod UNUSED) {\n\n\tif (data->server_port == 2223 || data->client_port == 2223) {\n\t\treturn match_office_2008(data);\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_msoffice_mac = {\n\tLPI_PROTO_UDP_MSOFFICE_MAC,\n\tLPI_CATEGORY_BROADCAST,\n\t\"MSOffice_Mac\",\n\t10,\n\tmatch_msoffice_mac\n};\n\nvoid register_msoffice_mac(LPIModuleMap *mod_map) 
{\n\tregister_protocol(&lpi_msoffice_mac, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_mta.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_ase_ping(lpi_data_t *data) {\n\n        /* Commonly used by MultiTheftAuto - the use of \"ping\" and\n         * \"Ping\" is not documented though */\n\n        if (MATCHSTR(data->payload[0], \"ping\")) {\n                if (data->payload_len[0] != 16)\n                        return false;\n                if (data->payload_len[1] == 0)\n                        return true;\n                if (data->payload_len[1] != 16)\n                        return false;\n                if (MATCHSTR(data->payload[1], \"Ping\"))\n                        return true;\n                return false;\n        }\n\n        if (MATCHSTR(data->payload[1], \"ping\")) {\n                if (data->payload_len[1] != 16)\n                        return false;\n                if (data->payload_len[0] == 0)\n                        return true;\n    
            if (data->payload_len[0] != 16)\n                        return false;\n                if (MATCHSTR(data->payload[0], \"Ping\"))\n                        return true;\n                return false;\n        }\n\n        return false;\n\n}\n\n\nstatic inline bool match_mta(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Multitheftauto uses ASE on UDP to ping servers */\n\tif (match_ase_ping(data))\n\t\treturn true;\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mta = {\n\tLPI_PROTO_UDP_MTA,\n\tLPI_CATEGORY_GAMING,\n\t\"MultiTheftAuto\",\n\t5,\n\tmatch_mta\n};\n\nvoid register_mta(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mta, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_mystery_02_36.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mystery_02_36(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Another mystery protocol :/\n         *\n         * Characterised by 36 byte datagrams in both directions, always\n         * beginning with 02 00 XX 00.\n         *\n         * Later packets also begin with 02 and have 00 in the fourth byte.\n         * Packet size varies.\n         */\n\n        if (MATCH(data->payload[0], 0x02, 0x00, ANY, ANY) &&\n                        data->payload_len[0] == 36) {\n                if (data->payload_len[1] == 0)\n                        return true;\n                if (MATCH(data->payload[1], 0x02, 0x00, ANY, ANY) &&\n                                data->payload_len[1] == 36)\n                        return true;\n        }\n\n        if (MATCH(data->payload[1], 0x02, 0x00, ANY, ANY) &&\n                        
data->payload_len[1] == 36) {\n                if (data->payload_len[0] == 0)\n                        return true;\n                if (MATCH(data->payload[0], 0x02, 0x00, ANY, ANY) &&\n                                data->payload_len[0] == 36)\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mystery_02_36 = {\n\tLPI_PROTO_UDP_MYSTERY_02_36,\n\tLPI_CATEGORY_NO_CATEGORY,\n\t\"Mystery_02_36\",\n\t250,\n\tmatch_mystery_02_36\n};\n\nvoid register_mystery_02_36(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mystery_02_36, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_mystery_05.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_05_ffff(uint32_t payload, uint32_t len) {\n\tif (len != 6)\n\t\treturn false;\n\tif (MATCHSTR(payload, \"\\x05\\x03\\xff\\xff\"))\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_05_reply(uint32_t payload, uint32_t len) {\n\tif (len == 0)\n\t\treturn true;\n\tif (len != 8)\n\t\treturn false;\n\tif (MATCH(payload, 0x05, 0x00, 0x00, ANY))\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_mystery_05(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* No idea what this stuff is, but it accounts for a lot of flows \n\t * and a lot of bytes. Lots of Malaysian remote hosts? 
*/\n\n\tif (match_05_ffff(data->payload[0], data->payload_len[0])) {\n\t\tif (match_05_ffff(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t\tif (match_05_reply(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_05_ffff(data->payload[1], data->payload_len[1])) {\n\t\tif (match_05_ffff(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t\tif (match_05_reply(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mystery_05 = {\n\tLPI_PROTO_UDP_MYSTERY_05,\n\tLPI_CATEGORY_NO_CATEGORY,\n\t\"Mystery_05\",\n\t250,\n\tmatch_mystery_05\n};\n\nvoid register_mystery_05(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mystery_05, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_mystery_0660.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mystery_0660(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->payload_len[0] != 0 && data->payload_len[0] != 15)\n                return false;\n        if (data->payload_len[1] != 0 && data->payload_len[1] != 15)\n                return false;\n\n        if (MATCH(data->payload[0], 0x06, 0x60, 0x00, 0x00)) {\n                if (data->payload_len[1] == 0)\n                        return true;\n                if (MATCH(data->payload[1], 0x06, 0x60, 0x00, 0x00))\n                        return true;\n                return false;\n        }\n\n        if (MATCH(data->payload[1], 0x06, 0x60, 0x00, 0x00)) {\n                if (data->payload_len[0] == 0)\n                        return true;\n                if (MATCH(data->payload[0], 0x06, 0x60, 0x00, 0x00))\n                        return true;\n                
return false;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mystery_0660 = {\n\tLPI_PROTO_UDP_MYSTERY_0660,\n\tLPI_CATEGORY_NO_CATEGORY,\n\t\"Mystery_0660\",\n\t250,\n\tmatch_mystery_0660\n};\n\nvoid register_mystery_0660(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mystery_0660, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_mystery_0d.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mystery_0d(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* This protocol has driven me nuts for weeks. It's pretty easy to\n         * match - one direction sends a single byte datagram containing 0x0d,\n         * the other responds with a 25 byte packet beginning with 0x0a. The\n         * next three bytes of the response appear to be some sort of flow id\n         * that is repeated in all subsequent packets > 1 byte.\n         *\n         * Other codes used during the exchange are 0x0b, 0x15 and 0x1e.\n         *\n         * However, there appears to be no info on the Internet about what this\n         * protocol is. 
Random ports are always used for both ends, so no help\n         * there.\n         *\n         * TODO Figure out what the hell this is and give it a better name\n         * than \"mystery_0d\" !\n         */\n\n        if (data->payload_len[0]==1 && MATCH(data->payload[0], 0x0d, 0, 0, 0)) {\n                if (data->payload_len[1] == 25 &&\n                                MATCH(data->payload[1], 0x0a, ANY, ANY, ANY))\n                        return true;\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n        if (data->payload_len[1]==1 && MATCH(data->payload[1], 0x0d, 0, 0, 0)) {\n                if (data->payload_len[0] == 25 &&\n                                MATCH(data->payload[0], 0x0a, ANY, ANY, ANY))\n                        return true;\n                if (data->payload_len[0] == 0)\n                        return true;\n        }\n\n        /* We also see the 25 byte 0x0a packet without a matching 0x0d packet\n         */\n\n        if (data->payload_len[0] == 0) {\n                if (data->payload_len[1] == 25 &&\n                                MATCH(data->payload[1], 0x0a, ANY, ANY, ANY))\n                        return true;\n        }\n        if (data->payload_len[1] == 0) {\n                if (data->payload_len[0] == 25 &&\n                                MATCH(data->payload[0], 0x0a, ANY, ANY, ANY))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mystery_0d = {\n\tLPI_PROTO_UDP_MYSTERY_0D,\n\tLPI_CATEGORY_NO_CATEGORY,\n\t\"Mystery_0D\",\n\t250,\n\tmatch_mystery_0d\n};\n\nvoid register_mystery_0d(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mystery_0d, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_mystery_45.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mystery_45(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\tif (data->payload_len[0] != 0 && data->payload_len[0] != 33\n                        && data->payload_len[0] != 69)\n                return false;\n\n        if (data->payload_len[1] != 0 && data->payload_len[1] != 33\n                        && data->payload_len[1] != 69)\n                return false;\n\n        if (MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x45)) {\n                if (data->payload_len[1] == 0)\n                        return true;\n                if (!MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x45))\n                        return false;\n\n                if (data->payload_len[0] == 33 && data->payload_len[1] == 69)\n                        return true;\n                if (data->payload_len[1] == 33 && data->payload_len[0] == 69)\n              
          return true;\n                return false;\n        }\n\n        if (MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x45)) {\n                if (data->payload_len[0] == 0)\n                        return true;\n                if (!MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x45))\n                        return false;\n\n                if (data->payload_len[0] == 33 && data->payload_len[1] == 69)\n                        return true;\n                if (data->payload_len[1] == 33 && data->payload_len[0] == 69)\n                        return true;\n                return false;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mystery_45 = {\n\tLPI_PROTO_UDP_MYSTERY_45,\n\tLPI_CATEGORY_NO_CATEGORY,\n\t\"Mystery_45\",\n\t250,\n\tmatch_mystery_45\n};\n\nvoid register_mystery_45(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mystery_45, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_mystery_61_72.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mystery_61_72(lpi_data_t *data, \n\t\tlpi_module_t *mod UNUSED) {\n\n\t/* Not sure what this is, but there are a lot of these flows in my\n\t * unknown NAT hole data */\n\n\tif (data->payload[0] != data->payload[1])\n\t\treturn false;\n\tif (data->payload[0] == 0 || data->payload[1] == 0)\n\t\treturn false;\n\tif (data->payload_len[0] == 61 && data->payload_len[1] == 72)\n\t\treturn true;\n\tif (data->payload_len[0] == 72 && data->payload_len[1] == 61)\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mystery_61_72 = {\n\tLPI_PROTO_UDP_MYSTERY_61_72,\n\tLPI_CATEGORY_NO_CATEGORY,\n\t\"Mystery_UDP_61_72\",\n\t250,\n\tmatch_mystery_61_72\n};\n\nvoid register_mystery_61_72(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mystery_61_72, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_mystery_8000.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mystery_8000_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* These patterns typically appear on UDP port 8000 (and occasionally\n         * TCP port 80) */\n\n        if (!match_8000_payload(data->payload[0], data->payload_len[0]))\n                return false;\n        if (!match_8000_payload(data->payload[1], data->payload_len[1]))\n                return false;\n\n\n\treturn true;\n}\n\nstatic lpi_module_t lpi_mystery_8000_udp = {\n\tLPI_PROTO_UDP_MYSTERY_8000,\n\tLPI_CATEGORY_NO_CATEGORY,\n\t\"Mystery_8000_UDP\",\n\t250,\n\tmatch_mystery_8000_udp\n};\n\nvoid register_mystery_8000_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mystery_8000_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_mystery_99.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mystery_99(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\t/* Another mystery protocol - this one is possibly something to do\n         * with bittorrent, as I've seen it on port 6881 from time to time */\n\n        /* Both payloads must match */\n        if (data->payload[0] != data->payload[1])\n                return false;\n\n        /* One of the payloads is 99 bytes, the other is between 168 and 173\n         * bytes */\n\n        if (data->payload_len[0] == 99) {\n                if (data->payload_len[1] >= 168 && data->payload_len[1] <= 173)\n                        return true;\n        }\n\n        if (data->payload_len[1] == 99) {\n                if (data->payload_len[0] >= 168 && data->payload_len[0] <= 173)\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t 
lpi_mystery_99 = {\n\tLPI_PROTO_UDP_MYSTERY_99,\n\tLPI_CATEGORY_NO_CATEGORY,\n\t\"Mystery_99\",\n\t250,\n\tmatch_mystery_99\n};\n\nvoid register_mystery_99(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mystery_99, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_mystery_bt_udp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* This appears to be associated with BitTorrent somehow - there are occasional\n * DHT-style bencoding dictionaries in these flows, but cannot find anything\n * to confirm this :/\n */\n\nstatic inline bool payload_check(uint32_t a, uint32_t b) {\n\n\t/* In most cases, the last two bytes must match but I've also seen\n\t * instances where one of the bytes is one greater than the other\n\t *\n\t * No idea what is actually going on though :/ */\n\n\tif (a == b)\n\t\treturn true;\n\tif (a - 1 == b)\n\t\treturn true;\n\tif (a + 1 == b)\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_2102_response(uint32_t payload, uint32_t other,\n\t\tuint32_t len) {\n\n\tif (len == 0)\n\t\treturn true;\n\n\tif (!payload_check(htonl(payload) & 0x0000ffff, \n\t\t\t\thtonl(other) & 0x0000ffff))\n\t\treturn false;\n\n\tif (MATCH(payload, 0x21, 0x02, ANY, 
ANY) && len == 30)\n\t\treturn true;\n\tif (MATCH(payload, 0x21, 0x00, ANY, ANY) && len == 20)\n\t\treturn true;\n\tif (MATCH(payload, 0x21, 0x01, ANY, ANY) && len == 26)\n\t\treturn true;\n\t\n\n\treturn false;\n\n\n}\n\nstatic inline bool match_3102_response(uint32_t payload, uint32_t other,\n\t\tuint32_t len) {\n\n\tif (len == 0)\n\t\treturn true;\n\tif (len != 30 && len != 20)\n\t\treturn false;\n\n\tif (!payload_check(htonl(payload) & 0x0000ffff, \n\t\t\t\thtonl(other) & 0x0000ffff))\n\t\treturn false;\n\t\n\tif (MATCH(payload, 0x31, 0x02, ANY, ANY) && len == 30)\n\t\treturn true;\n\tif (MATCH(payload, 0x31, 0x00, ANY, ANY) && len == 20)\n\t\treturn true;\n\t\n\n\treturn false;\n\n\n}\n\nstatic inline bool match_4102_response(uint32_t payload, uint32_t other,\n\t\tuint32_t len) {\n\n\tif (len == 0)\n\t\treturn true;\n\tif (len != 33)\n\t\treturn false;\n\n\tif (!payload_check(htonl(payload) & 0x0000ffff, \n\t\t\t\thtonl(other) & 0x0000ffff))\n\t\treturn false;\n\n        if (!MATCH(payload, 0x41, 0x02, ANY, ANY))\n                return false;\n\n\treturn true;\t\n\n}\n\nstatic inline bool match_dict(uint32_t payload, uint32_t len) {\n\n\t/* Check for bencoded dictionary */\n\tif (MATCH(payload, 'd', '1', ':', 'r'))\n\t\treturn true;\n\tif (MATCH(payload, 'd', '1', ':', 'a'))\n\t\treturn true;\n\tif (MATCH(payload, 'd', '1', ':', 'e'))\n\t\treturn true;\n\tif (MATCH(payload, 'd', '1', ANY, ':'))\n\t\treturn true;\n\n\treturn false;\n\n}\n\nstatic inline bool match_0100_request(uint32_t payload, uint32_t len) {\n\n\tif (MATCH(payload, 0x01, 0x00, ANY, ANY) && len > 500)\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_2102_request(uint32_t payload, uint32_t len) {\n\n\tif (MATCH(payload, 0x21, 0x02, ANY, ANY) && len == 30)\n\t\treturn true;\n\tif (MATCH(payload, 0x21, 0x00, ANY, ANY) && len == 20)\n\t\treturn true;\n\tif (MATCH(payload, 0x21, 0x01, ANY, ANY) && len == 26)\n\t\treturn true;\n\treturn false;\n\n}\nstatic inline bool 
match_3102_request(uint32_t payload, uint32_t len) {\n\n\tif (MATCH(payload, 0x31, 0x02, ANY, ANY) && len == 30)\n\t\treturn true;\n\tif (MATCH(payload, 0x31, 0x00, ANY, ANY) && len == 20)\n\t\treturn true;\n\treturn false;\n\n}\nstatic inline bool match_4102_request(uint32_t payload, uint32_t len) {\n\n\tif (MATCH(payload, 0x41, 0x02, ANY, ANY) && len == 30)\n\t\treturn true;\n\tif (MATCH(payload, 0x41, 0x00, ANY, ANY) && len == 20)\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_mystery_bt_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\t\n\t\n\tif (match_4102_request(data->payload[0], data->payload_len[0])) {\n\t\tif (match_2102_response(data->payload[1], data->payload[0], \n\t\t\t\tdata->payload_len[1]))\n\t\t\treturn true;\n\t\tif (match_4102_response(data->payload[1], data->payload[0], \n\t\t\t\tdata->payload_len[1]))\n\t\t\treturn true;\n\t\tif (match_dict(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_4102_request(data->payload[1], data->payload_len[1])) {\n\t\tif (match_2102_response(data->payload[0], data->payload[1], \n\t\t\t\tdata->payload_len[0]))\n\t\t\treturn true;\n\t\tif (match_4102_response(data->payload[0], data->payload[1], \n\t\t\t\tdata->payload_len[0]))\n\t\t\treturn true;\n\t\tif (match_dict(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\tif (match_2102_request(data->payload[0], data->payload_len[0])) {\n\t\tif (match_3102_response(data->payload[1], data->payload[0], \n\t\t\t\tdata->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_2102_request(data->payload[1], data->payload_len[1])) {\n\t\tif (match_3102_response(data->payload[0], data->payload[1], \n\t\t\t\tdata->payload_len[0]))\n\t\t\treturn true;\n\t}\n\t\n\tif (match_0100_request(data->payload[0], data->payload_len[0])) {\n\t\tif (match_3102_response(data->payload[1], data->payload[0], \n\t\t\t\tdata->payload_len[1]))\n\t\t\treturn true;\n\t\tif (match_2102_response(data->payload[1], 
data->payload[0], \n\t\t\t\tdata->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_0100_request(data->payload[1], data->payload_len[1])) {\n\t\tif (match_3102_response(data->payload[0], data->payload[1], \n\t\t\t\tdata->payload_len[0]))\n\t\t\treturn true;\n\t\tif (match_2102_response(data->payload[0], data->payload[1], \n\t\t\t\tdata->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\tif (match_3102_request(data->payload[0], data->payload_len[0])) {\n\t\tif (data->payload_len[1] == 0)\n\t\t\treturn true;\n\t}\n\n\tif (match_3102_request(data->payload[1], data->payload_len[1])) {\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t}\n\t\n\n\t\n\tif (match_dict(data->payload[0], data->payload_len[0])) {\n\t\tif (match_2102_response(data->payload[1], data->payload[0], \n\t\t\t\tdata->payload_len[1]))\n\t\t\treturn true;\n\t}\t\n\n\tif (match_dict(data->payload[1], data->payload_len[1])) {\n\t\tif (match_2102_response(data->payload[0], data->payload[1], \n\t\t\t\tdata->payload_len[0]))\n\t\t\treturn true;\n\t}\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mystery_bt_udp= {\n\tLPI_PROTO_UDP_MYSTERY_BT,\n\tLPI_CATEGORY_P2P,\n\t\"Mystery_BitTorrent_UDP\",\n\t9,\t/* Need to be higher than Skype or Gnutella */\n\tmatch_mystery_bt_udp\n};\n\nvoid register_mystery_bt_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mystery_bt_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_mystery_e9.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_e9_payload(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0xe9, 0x82, ANY, ANY)) {\n                if (len == 58)\n                        return true;\n                if (len == 28)\n                        return true;\n        }\n\n        if (MATCH(payload, 0xe9, 0x83, ANY, ANY)) {\n                if (len == 23)\n                        return true;\n                if (len == 28)\n                        return true;\n                if (len == 46)\n                        return true;\n        }\n\n        if (MATCH(payload, 0xe9, 0x60, ANY, ANY)) {\n                if (len == 34) \n                        return true;\n        }\n\n        return false;\n\n}\n\n\nstatic inline bool match_mystery_e9(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\tif (data->payload_len[1] == 0) {\n\t\tif 
(match_e9_payload(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\tif (data->payload_len[0] == 0) {\n\t\tif (match_e9_payload(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\t\n\t/* Bytes 3 and 4 of payload should match.\n\t *\n\t * NOTE(review): the mask below selects bytes 3 and 4 only if payload\n\t * holds the wire bytes in order and the host is little-endian --\n\t * confirm before building for a big-endian target. */\n\n        if ((data->payload[0] & 0xffff0000) != (data->payload[1] & 0xffff0000))\n                return false;\n\n        if (!match_e9_payload(data->payload[0], data->payload_len[0]))\n                return false;\n        if (!match_e9_payload(data->payload[1], data->payload_len[1]))\n                return false;\n\n        return true;\n\n}\n\nstatic lpi_module_t lpi_mystery_e9 = {\n\tLPI_PROTO_UDP_MYSTERY_E9,\n\tLPI_CATEGORY_NO_CATEGORY,\n\t\"Mystery_E9\",\n\t250,\n\tmatch_mystery_e9\n};\n\nvoid register_mystery_e9(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mystery_e9, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_mystery_emule.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_mystery_emule(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\t/* These particular patterns occur frequently on port 4672, making\n         * me think they're some sort of emule traffic but there is no\n         * obvious documentation. The payloads appear to be random, which\n         * is unlike all other emule traffic. 
The flows tend to consist of\n         * only one or two packets in each direction.\n         */\n\n        if (data->payload_len[0] == 44 && data->payload_len[1] >= 38 &&\n                        data->payload_len[1] <= 50)\n                return true;\n        if (data->payload_len[1] == 44 && data->payload_len[0] >= 38 &&\n                        data->payload_len[0] <= 50)\n                return true;\n\n        if (data->payload_len[0] == 51 && (data->payload_len[1] == 135 ||\n                        data->payload_len[1] == 85 ||\n                        data->payload_len[1] == 310))\n                return true;\n        if (data->payload_len[1] == 51 && (data->payload_len[0] == 135 ||\n                        data->payload_len[0] == 85 ||\n                        data->payload_len[0] == 310))\n                return true;\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mystery_emule = {\n\tLPI_PROTO_UDP_EMULE_MYSTERY,\n\tLPI_CATEGORY_P2P,\n\t\"eMule_UDP_Mystery\",\n\t250,\n\tmatch_mystery_emule\n};\n\nvoid register_mystery_emule(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mystery_emule, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_mystery_qq.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_qq_payload(uint32_t payload, uint32_t len) {\n\n\tif (len == 0)\n\t\treturn true;\n\tif (len != 24)\n\t\treturn false;\n\tif (MATCH(payload, 0x51, 0x51, 0x05, 0x00))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_mystery_qq(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Not to be confused with Tencent QQ.\n\t *\n\t * This is almost certainly a gaming protocol related to the\n\t * PlayStation (based on port number).\n\t */\n\n\tif (data->server_port != 3658 && data->client_port != 3658) \n\t\treturn false;\n\n\tif (match_qq_payload(data->payload[0], data->payload_len[0])) {\n\t\tif (match_qq_payload(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_mystery_qq = 
{\n\tLPI_PROTO_UDP_MYSTERY_QQ,\n\tLPI_CATEGORY_NO_CATEGORY,\n\t\"Mystery_QQ\",\n\t2,\n\tmatch_mystery_qq\n};\n\nvoid register_mystery_qq(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_mystery_qq, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_n2ping.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* This is a horrible pseudo-VPN that is used to access content that is\n * restricted to China only. 
Despite their claims, the traffic is not\n * encrypted -- just tunnelled over a custom UDP application protocol\n * to a server in Hong Kong.\n */\n\nstatic inline bool match_n2ping_header(uint32_t payload) {\n\n        if (MATCH(payload, 0x08, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_n2ping(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        bool validport = false;\n\n        if (data->server_port == 44778 || data->client_port == 44778) {\n                validport = true;\n        }\n        if (data->server_port == 23 || data->client_port == 23) {\n                validport = true;\n        }\n\n        if (validport && match_n2ping_header(data->payload[0]) &&\n                        match_n2ping_header(data->payload[1])) {\n                if (data->payload_len[0] < 100)\n                        return true;\n                if (data->payload_len[1] < 100)\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_n2ping = {\n\tLPI_PROTO_UDP_N2PING,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"N2Ping\",\n\t150,\n\tmatch_n2ping\n};\n\nvoid register_n2ping(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_n2ping, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_natpmp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_natpmp_probe(uint32_t payload, uint32_t len) {\n        if (len != 2)\n                return false;\n\n        if (!MATCHSTR(payload, \"\\x00\\x00\\x00\\x00\"))\n                return false;\n\n        return true;\n\n}\n\nstatic inline bool match_natpmp_response(uint32_t payload, uint32_t len) {\n        if (len == 0)\n                return true;\n\n        /* Just guessing based on RFC6886 */\n        if (len != 12)\n                return false;\n\n        if (!MATCHSTR(payload, \"\\x00\\x80\\x00\\x00\"))\n                return false;\n\n        return true;\n\n}\n\nstatic inline bool match_natpmp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* XXX Shall we limit to port 5351 only? 
*/\n\n        /* Only seen attempted scanning so far */\n        if (match_natpmp_probe(data->payload[0], data->payload_len[0])) {\n                if (match_natpmp_response(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_natpmp_probe(data->payload[1], data->payload_len[1])) {\n                if (match_natpmp_response(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\treturn false;\n}\n\nstatic lpi_module_t lpi_natpmp = {\n\tLPI_PROTO_UDP_NATPMP,\n\tLPI_CATEGORY_NAT,\n\t\"NAT-PMP\",\n\t20,\n\tmatch_natpmp\n};\n\nvoid register_natpmp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_natpmp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_netbios.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_netbios_name_req(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, ANY, ANY, 0x00, 0x00)) {\n                if (len == 50)\n                        return true;\n                if (len == 20)\n                        return true;\n\t\tif (len == 33)\n\t\t\treturn true;\n        }\n        \n        if (MATCH(payload, ANY, ANY, 0x01, 0x00)) {\n                if (len == 50)\n                        return true;\n\n        }\n        \n\tif (MATCH(payload, ANY, ANY, 0x40, 0x00)) {\n                if (len == 68)\n                        return true;\n\n        }\n\n\tif (MATCH(payload, ANY, ANY, 0x29, 0x10)) {\n\t\tif (len == 68)\n\t\t\treturn true;\n\t}\n\n        /* Broadcast traffic */\n        if (MATCH(payload, ANY, ANY, 0x01, 0x10)) {\n                if (len == 50)\n                        return true;\n\n  
      }\n        return false;\n\n}\n\nstatic inline bool match_netbios_name_resp(uint32_t resp, uint32_t req) {\n\n\tif (!MATCH(resp, ANY, ANY, 0x84, 0x00))\n\t\treturn false;\n\t\n\t/* First two bytes must match */\n\tif ((resp & 0x0000ffff) != (req & 0x0000ffff))\n\t\treturn false;\n\n\treturn true;\n\n}\n\nstatic inline bool match_netbios_datagram(uint32_t payload, uint32_t len) {\n\n\tif (MATCH(payload, 0x11, 0x02, ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, 0x11, 0x06, ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, 0x11, 0x0e, ANY, ANY))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic inline bool match_name_resp_only(lpi_data_t *data) {\n\n\t/* Match the \"special\" case where only a name response is \n\t * observed, presumably misdirected traffic */\n\n\tif (data->payload_len[0] != 0 && data->payload_len[1] != 0)\n\t\treturn false;\n\t\n\tif (data->server_port != 137 && data->client_port != 137)\n\t\treturn false;\n\n\tif (!match_chars_either(data, ANY, ANY, 0x84, 0x00))\n\t\treturn false;\n\n\treturn true;\n\n\n}\n\nstatic inline bool match_netbios_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_netbios_name_req(data->payload[0], data->payload_len[0])) {\n\t\tif (data->server_port != 137 && data->client_port != 137)\n\t\t\treturn false;\n\n\t\tif (match_netbios_name_resp(data->payload[1], data->payload[0]))\n\t\t\treturn true;\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n        if (match_netbios_name_req(data->payload[1], data->payload_len[1])) {\n\t\tif (data->server_port != 137 && data->client_port != 137)\n\t\t\treturn false;\n\t\tif (match_netbios_name_resp(data->payload[0], data->payload[1]))\n\t\t\treturn true;\n                if (data->payload_len[0] == 0)\n                        return true;\n        }\n\n        if (match_netbios_datagram(data->payload[0], data->payload_len[0])) {\n\t\tif (data->server_port != 138 && data->client_port != 138)\n\t\t\treturn 
false;\n\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n        if (match_netbios_datagram(data->payload[1], data->payload_len[1])) {\n\t\tif (data->server_port != 138 && data->client_port != 138)\n\t\t\treturn false;\n                if (data->payload_len[0] == 0)\n                        return true;\n        }\n\n\tif (match_name_resp_only(data))\n\t\treturn true;\n\t\n\treturn false;\n}\n\nstatic lpi_module_t lpi_netbios_udp = {\n\tLPI_PROTO_UDP_NETBIOS,\n\tLPI_CATEGORY_SERVICES,\n\t\"NetBIOS_UDP\",\n\t5,\n\tmatch_netbios_udp\n};\n\nvoid register_netbios_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_netbios_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_netcat_cctv_udp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_xmip_header(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x12, 0x20, 0xd0, 0x07)) {\n                if (len == 112 || len == 120 || len == 184 || len == 148)\n                        return true;\n        }\n        return false;\n}\n\nstatic inline bool match_netcat_cctv_udp(lpi_data_t *data,\n                lpi_module_t *mod UNUSED) {\n\n\n        if (match_xmip_header(data->payload[0], data->payload_len[0])) {\n                if (match_xmip_header(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_netcat_cctv_udp = {\n\tLPI_PROTO_UDP_NETCAT_CCTV,\n\tLPI_CATEGORY_IPCAMERAS,\n\t\"NetcatCCTV_UDP\",\n\t22,\n\tmatch_netcat_cctv_udp\n};\n\nvoid register_netcat_cctv_udp(LPIModuleMap *mod_map) 
{\n\tregister_protocol(&lpi_netcat_cctv_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_netcore_scan.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_netcore_scan(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Well-known vulnerability in Netcore CPEs, which listen on port\n         * 53413 on the WAN interface.\n         *\n         * Mostly just a major source of UDP scan traffic.\n         *\n         * NOTE(review): the match is port 53413 plus the first four\n         * payload bytes in either direction, so a hit means the flow\n         * looks like this scan traffic; it does not show that either\n         * endpoint is vulnerable or compromised.\n         */\n\n        if (data->server_port != 53413 && data->client_port != 53413)\n                return false;\n\n        if (MATCHSTR(data->payload[0], \"AAAA\"))\n                return true;\n        if (MATCHSTR(data->payload[1], \"AAAA\"))\n                return true;\n\n        if (MATCHSTR(data->payload[0], \"AA\\x00\\x00\"))\n                return true;\n        if (MATCHSTR(data->payload[1], \"AA\\x00\\x00\"))\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_netcore_scan = 
{\n\tLPI_PROTO_UDP_NETCORE,\n\tLPI_CATEGORY_MALWARE,\n\t\"NetcoreScan\",\n\t199,\n\tmatch_netcore_scan\n};\n\nvoid register_netcore_scan(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_netcore_scan, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_netflow.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_netflow(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* NetFlow is one-way only */\n\tif (data->payload_len[0] != 0 && data->payload_len[1] != 0)\n\t\treturn false;\n\t\n\t/* Force port requirement for now */\n\tif (data->server_port != 9996 && data->client_port != 9996)\n\t\treturn false;\n\n\t/* Match NetFlow version 5 */\n\tif (MATCH(data->payload[0], 0x00, 0x05, 0x00, ANY))\n\t\treturn true;\n\tif (MATCH(data->payload[1], 0x00, 0x05, 0x00, ANY))\n\t\treturn true;\n\t/* Match NetFlow version 9 */\n\tif (MATCH(data->payload[0], 0x00, 0x09, 0x00, ANY))\n\t\treturn true;\n\tif (MATCH(data->payload[1], 0x00, 0x09, 0x00, ANY))\n\t\treturn true;\n\t\n\treturn false;\n}\n\nstatic lpi_module_t lpi_netflow = {\n\tLPI_PROTO_UDP_NETFLOW,\n\tLPI_CATEGORY_MONITORING,\n\t\"NetFlow\",\n\t14,\n\tmatch_netflow\n};\n\nvoid 
register_netflow(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_netflow, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_newerth.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_newerth_301(uint32_t payload, uint32_t len) {\n        if (len == 27 && MATCH(payload, 0x00, 0x00, 0x03, 0x01))\n                return true;\n        return false;\n}\n\nstatic inline bool match_newerth_1c9(uint32_t payload, uint32_t len) {\n        if (len == 4 && MATCH(payload, 0x00, 0x00, 0x01, 0xc9))\n                return true;\n        return false;\n}\n\n\n\nstatic inline bool match_newerth_payload(uint32_t payload, uint32_t len) {\n        if (len == 0)\n                return true;\n        if (MATCH(payload, 0x00, 0x00, 0x01, 0x66))\n                return true;\n        if (MATCH(payload, 0x00, 0x00, 0x01, 0xca) && len == 6)\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_newerth(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_newerth_1c9(data->payload[0], 
data->payload_len[0])) {\n                if (match_newerth_301(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_newerth_1c9(data->payload[1], data->payload_len[1])) {\n                if (match_newerth_301(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\tif (!match_newerth_payload(data->payload[0], data->payload_len[0]))\n                return false;\n        if (!match_newerth_payload(data->payload[1], data->payload_len[1]))\n                return false;\n\n        return true;\n\n\n}\n\nstatic lpi_module_t lpi_newerth = {\n\tLPI_PROTO_UDP_NEWERTH,\n\tLPI_CATEGORY_GAMING,\n\t\"NewerthGames\",\n\t3,\n\tmatch_newerth\n};\n\nvoid register_newerth(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_newerth, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_nintendo.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_nintendo_magic(uint32_t payload, uint32_t len) {\n        /* https://github.com/Shragei/SplatNet/blob/master/NinMainTiming.txt */\n\n        if ((len == 64 || len == 84) && MATCH(payload, 0x32, 0xab, 0x98, 0x64))\n                return true;\n        return false;\n}\n\nstatic inline bool match_nintendo(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_nintendo_magic(data->payload[0], data->payload_len[0])) {\n                if (match_nintendo_magic(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_nintendo = {\n\tLPI_PROTO_UDP_NINTENDO,\n\tLPI_CATEGORY_GAMING,\n\t\"NintendoGames\",\n\t5,\n\tmatch_nintendo\n};\n\nvoid register_nintendo(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_nintendo, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_noction.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_noction(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Never seen anyone reply to this stuff */\n\n        if (match_str_either(data, \"NOCT\"))\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_noction = {\n\tLPI_PROTO_UDP_NOCTION,\n\tLPI_CATEGORY_MONITORING,\n\t\"NoctionIRP\",\n\t3,\n\tmatch_noction\n};\n\nvoid register_noction(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_noction, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_noe.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Alcatel's New Office Environment proprietary VOIP protocol\n * Thanks to Remy Mudingay for providing traces to identify this protocol\n */\n\nstatic inline bool match_noe_5byte(uint32_t payload, uint32_t plen) {\n\n\tif (plen != 5)\n\t\treturn false;\n\tif (MATCH(payload, 0x07, ANY, ANY, ANY))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_noe_20byte(uint32_t payload, uint32_t plen) {\n\n\tif (plen != 20)\n\t\treturn false;\n\tif (MATCH(payload, 0x07, ANY, ANY, ANY))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_noe(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->payload_len[0] == 1 && data->payload_len[1] == 1) {\n\t\tif (match_str_both(data, \"\\x05\\x00\\x00\\x00\", \n\t\t\t\t\"\\x04\\x00\\x00\\x00\")) {\n\t\t\treturn true;\n\t\t}\n\t}\n\n\tif (match_noe_5byte(data->payload[0], 
data->payload_len[0])) {\n\t\tif (match_noe_20byte(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_noe_5byte(data->payload[1], data->payload_len[1])) {\n\t\tif (match_noe_20byte(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\treturn false;\n}\n\nstatic lpi_module_t lpi_noe = {\n\tLPI_PROTO_UDP_NOE,\n\tLPI_CATEGORY_VOIP,\n\t\"NOE\",\n\t12,\n\tmatch_noe\n};\n\nvoid register_noe(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_noe, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_nopayload.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_udp_no_payload(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->observed[0] == 0 && data->observed[1] == 0)\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_udp_no_payload = {\n\tLPI_PROTO_NO_PAYLOAD,\n\tLPI_CATEGORY_NOPAYLOAD,\n\t\"No_Payload\",\n\t0,\t/* Must be highest priority! */\n\tmatch_udp_no_payload\n};\n\nvoid register_udp_no_payload(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_udp_no_payload, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_norton.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_norton_24_00(uint32_t payload, uint32_t len) {\n\n\tif (len != 24)\n\t\treturn false;\n\tif (MATCH(payload, 0x00, 0x10, 0x00, 0x14))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_norton_24_80(uint32_t payload, uint32_t len) {\n\n\tif (len == 0)\n\t\treturn true;\n\tif (len != 24)\n\t\treturn false;\n\tif (MATCH(payload, 0x80, 0x10, 0x00, 0x14))\n\t\treturn true;\n\treturn false;\n\n}\n\n\nstatic inline bool match_norton(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (MATCH(data->payload[0], 0x02, 0x0a, 0x00, 0xc0)) {\n                if (data->payload_len[0] != 16)\n                        return false;\n                if (data->payload_len[1] != 0)\n                        return false;\n                return true;\n        }\n        if (MATCH(data->payload[1], 0x02, 0x0a, 0x00, 0xc0)) {\n       
         if (data->payload_len[1] != 16)\n                        return false;\n                if (data->payload_len[0] != 0)\n                        return false;\n                return true;\n        }\n\t\n\n\t/* New behaviour observed in 2012 - interesting use of port 53 (the\n\t * port normally used for DNS): 24-byte payloads, and the flow must\n\t * involve port 53 to match */\n\tif (match_norton_24_00(data->payload[0], data->payload_len[0])) {\n\t\t\n\t\tif (data->server_port != 53 && data->client_port != 53)\n\t\t\treturn false;\n\n\t\tif (match_norton_24_80(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_norton_24_00(data->payload[1], data->payload_len[1])) {\n\t\tif (data->server_port != 53 && data->client_port != 53)\n\t\t\treturn false;\n\t\tif (match_norton_24_80(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\treturn false;\n}\n\nstatic lpi_module_t lpi_norton = {\n\tLPI_PROTO_UDP_NORTON,\n\tLPI_CATEGORY_SECURITY,\n\t\"Norton_UDP\",\n\t5,\n\tmatch_norton\n};\n\nvoid register_norton(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_norton, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_ntp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_ntp_request(uint32_t payload, uint32_t len) {\n\n        uint8_t first;\n\tuint8_t *ptr;\n        uint8_t version;\n\n        if (len != 48 && len != 68 && len != 64)\n                return false;\n\n\tptr = (uint8_t *)&payload;\n\tfirst = *ptr;\n\n        //first = (uint8_t) (payload);\n\n        version = (first & 0x38) >> 3;\n\n        if (version > 4 || version == 0)\n                return false;\n\n        return true;\n\n}\n\nstatic inline bool match_version0_request(uint32_t payload, uint32_t len) {\n\n        uint32_t secondbyte = 0;\n\n        if (len != 48)\n                return false;\n\n        /* Only supporting the 'clock good' status for now */\n        if (!MATCH(payload, 0x00, ANY, ANY, ANY))\n                return false;\n\n        secondbyte = ((ntohl(payload) >> 16) & 0xff);\n        if (secondbyte > 
4)\n                return false;\n        return true;\n\n\n}\n\nstatic inline bool match_ntp_response(uint32_t payload, uint32_t len) {\n\n        uint8_t first;\n        uint8_t version;\n        uint8_t mode;\n\n        /* Server may not have replied */\n        if (len == 0)\n                return true;\n\n        first = (uint8_t) (payload);\n\n        version = (first & 0x38) >> 3;\n        mode = (first & 0x07);\n\n        if (version > 4 || version == 0)\n                return false;\n        if (mode == 3)\n                return false;\n\n        return true;\n}\n\n\nstatic inline bool match_ntp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Force NTP to be on port 123 */\n\n        if (data->server_port != 123 && data->client_port != 123)\n                return false;\n\n        if (match_ntp_request(data->payload[0], data->payload_len[0])) {\n                if (match_ntp_response(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_ntp_request(data->payload[1], data->payload_len[1])) {\n                if (match_ntp_response(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_version0_request(data->payload[0], data->payload_len[0])) {\n                if (match_ntp_response(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_version0_request(data->payload[1], data->payload_len[1])) {\n                if (match_ntp_response(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\t/* OK, turns out we can have NTP servers that keep sending responses\n\t * without a specific request from the client */\n\tif (match_ntp_response(data->payload[0], data->payload_len[0]) &&\n\t\t\tdata->payload_len[0] == 48 &&\n\t\t\tdata->payload_len[1] == 0) {\n\t\treturn true;\n\t}\n\tif (match_ntp_response(data->payload[1], data->payload_len[1]) 
&&\n\t\t\tdata->payload_len[1] == 48 &&\n\t\t\tdata->payload_len[0] == 0) {\n\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ntp = {\n\tLPI_PROTO_UDP_NTP,\n\tLPI_CATEGORY_SERVICES,\n\t\"NTP\",\n\t2,\n\tmatch_ntp\n};\n\nvoid register_ntp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ntp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_ntp_reflect.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_monlist(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n\n        if (MATCH(payload, 0x17, 0x00, 0x03, 0x2a))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_monlist_reply(uint32_t payload, uint32_t len) {\n\n        /* Hopefully nobody replies :) */\n        if (len == 0)\n                return true;\n\n        /* NTPv2 reply */\n        if (MATCH(payload, 0x97, 0x00, 0x03, 0x2a))\n                return true;\n        if (MATCH(payload, 0xd7, ANY, 0x03, 0x2a))\n                return true;\n\n        /* NTPv3 reply */\n        if (MATCH(payload, 0x9f, 0x00, 0x03, 0x2a))\n                return true;\n        if (MATCH(payload, 0xdf, 0x00, 0x03, 0x2a))\n                return true;\n\n\n\n        return false;\n\n}\n\nstatic inline bool 
match_ntp_reflect(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 123 && data->client_port != 123)\n                return false;\n\n        if (match_monlist(data->payload[0], data->payload_len[0])) {\n                if (match_monlist_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_monlist(data->payload[1], data->payload_len[1])) {\n                if (match_monlist_reply(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ntp_reflect = {\n\tLPI_PROTO_UDP_NTP_REFLECT,\n\tLPI_CATEGORY_MALWARE,\n\t\"NTPReflection\",\n\t50,\n\tmatch_ntp_reflect\n};\n\nvoid register_ntp_reflect(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ntp_reflect, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_nvidia_gamestream.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_gs_ping(uint32_t payload, uint32_t len) {\n        if (len == 4 && MATCHSTR(payload, \"PING\")) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_gs_rtp(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x80, 0x61, 0x00, 0x00)) {\n                if (len == 72) {\n                        return true;\n                }\n        }\n\n        if (MATCH(payload, 0x90, 0x67, 0x00, 0x00)) {\n                if (len == 1040) {\n                        return true;\n                }\n        }\n        return false;\n}\n\nstatic inline bool match_nvidia_gamestream(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_gs_ping(data->payload[0], data->payload_len[0])) {\n                if (match_gs_rtp(data->payload[1], data->payload_len[1])) {\n                    
    return true;\n                }\n        }\n\n        if (match_gs_ping(data->payload[1], data->payload_len[1])) {\n                if (match_gs_rtp(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_nvidia_gamestream = {\n\tLPI_PROTO_UDP_NVIDIA_GAMESTREAM,\n\tLPI_CATEGORY_GAMING,\n\t\"NVIDIAGamestream\",\n\t99,\n\tmatch_nvidia_gamestream\n};\n\nvoid register_nvidia_gamestream(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_nvidia_gamestream, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_nwn.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_nwn(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"BNES\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_nwn = {\n\tLPI_PROTO_UDP_NEVERWINTER,\n\tLPI_CATEGORY_GAMING,\n\t\"NeverwinterNights\",\n\t4,\n\tmatch_nwn\n};\n\nvoid register_nwn(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_nwn, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_opaserv.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Matches the Opaserv worm that attacks UDP port 137\n * Ref: http://www.usenix.org/events/osdi04/tech/full_papers/singh/singh_html/\n */\n\nstatic inline bool match_opaserv(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* The recipient does not reply (usually) */\n        if (data->payload_len[0] > 0 && data->payload_len[1] > 0)\n                return false;\n\n        if (data->server_port != 137 && data->client_port != 137)\n                return false;\n\n        if (match_chars_either(data, 0x01, 0x00, 0x00, 0x10))\n                return true;\n\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_opaserv = {\n\tLPI_PROTO_UDP_OPASERV,\n\tLPI_CATEGORY_MALWARE,\n\t\"Opaserv\",\n\t10,\n\tmatch_opaserv\n};\n\nvoid register_opaserv(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_opaserv, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_openvpn.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Thanks to Remy Mudingay for providing traces to identify this protocol */\n\nstatic inline bool match_openvpn_handshake(uint32_t pl_a, uint32_t pl_b) {\n\n\n\t/* 0x31 and 0x37 are commonly used as the first byte of a UDP\n\t * OpenVPN exchange. However, if one end uses 0x31 then the other\n\t * must also use 0x31 -- same for 0x37. 
\n\t */\n\n\tif (MATCH(pl_a, 0x31, ANY, ANY, ANY)) {\n\t\tif (MATCH(pl_b, 0x31, ANY, ANY, ANY))\n\t\t\treturn true;\n\t}\n\t\n\tif (MATCH(pl_a, 0x37, ANY, ANY, ANY)) {\n\t\tif (MATCH(pl_b, 0x37, ANY, ANY, ANY))\n\t\t\treturn true;\n\t}\n\n\tif (MATCH(pl_a, 0x49, ANY, ANY, ANY)) {\n\t\tif (MATCH(pl_b, 0x49, ANY, ANY, ANY))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n\n}\n\nstatic inline bool match_tunnelbear_40(uint32_t payload, uint32_t len) {\n        if (!MATCH(payload, 0x40, ANY, ANY, ANY))\n                return false;\n        if (len != 26)\n                return false;\n        return true;\n\n}\n\nstatic inline bool match_tunnelbear_38(uint32_t payload, uint32_t len) {\n        if (!MATCH(payload, 0x38, ANY, ANY, ANY))\n                return false;\n        if (len != 14 && len != 126 && len != 128)\n                return false;\n        return true;\n\n}\n\nstatic inline bool match_wscribe_40(uint32_t payload, uint32_t len) {\n        if (!MATCH(payload, 0x40, ANY, ANY, ANY))\n                return false;\n        if (len != 98)\n                return false;\n        return true;\n\n}\n\nstatic inline bool match_wscribe_38(uint32_t payload, uint32_t len) {\n        if (!MATCH(payload, 0x38, ANY, ANY, ANY))\n                return false;\n        if (len != 86)\n                return false;\n        return true;\n\n}\n\nstatic inline bool match_openvpn_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* The payload matching alone isn't very strong, so I'm going to\n\t * add a port-based condition as well. 
Default port for OpenVPN\n\t * is UDP 1194 */\n\n\tif (data->server_port == 1194 || data->client_port == 1194) {\n                /* Just match the two-way stuff for now */\n                if (match_openvpn_handshake(data->payload[0],\n                                data->payload[1]))\n                        return true;\n\t}\n\n\n        /* These are based on traffic seen involving TunnelBear hosts */\n        if (match_tunnelbear_40(data->payload[0], data->payload_len[0])) {\n                if (match_tunnelbear_38(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_tunnelbear_40(data->payload[1], data->payload_len[1])) {\n                if (match_tunnelbear_38(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n        /* Similar for Windscribe */\n        if (data->server_port == 443 || data->client_port == 443) {\n                if (match_wscribe_40(data->payload[0], data->payload_len[0])) {\n                        if (match_wscribe_38(data->payload[1], data->payload_len[1]))\n                                return true;\n                }\n\n                if (match_wscribe_40(data->payload[1], data->payload_len[1])) {\n                        if (match_wscribe_38(data->payload[0], data->payload_len[0]))\n                                return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_openvpn_udp = {\n\tLPI_PROTO_UDP_OPENVPN,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"OpenVPN_UDP\",\n\t12,\n\tmatch_openvpn_udp\n};\n\nvoid register_openvpn_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_openvpn_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_orbit.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_orbit_payload(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n\n        if (MATCH(payload, 0xaa, 0x20, ANY, ANY) && len == 36)\n                return true;\n        if (MATCH(payload, 0xaa, 0x10, ANY, ANY) && len == 27)\n                return true;\n        if (MATCH(payload, 0xaa, 0x18, ANY, ANY) && len == 27)\n                return true;\n        if (MATCH(payload, 0xaa, 0x28, ANY, ANY) && len == 120)\n                return true;\n        if (MATCH(payload, 0xab, ANY, 0x78, 0xda))\n                return true;\n\n        return false;\n\n}\n\n\nstatic inline bool match_orbit_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* There's no nice spec for the Orbit UDP protocol, so I'm just\n         * going to match based on evidence observed thus far */\n\n        if 
(!match_orbit_payload(data->payload[0], data->payload_len[0]))\n                return false;\n        if (!match_orbit_payload(data->payload[1], data->payload_len[1]))\n                return false;\n\n        return true;\n\n\n}\n\nstatic lpi_module_t lpi_orbit_udp = {\n\tLPI_PROTO_UDP_ORBIT,\n\tLPI_CATEGORY_FILES,\n\t\"Orbit_UDP\",\n\t3,\n\tmatch_orbit_udp\n};\n\nvoid register_orbit_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_orbit_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_overwatch.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Not 100% confirmed, mainly because there is no trial or F2P version of\n * Overwatch to test against. 
Would be great if anyone out there who owns\n * Overwatch could confirm this for me :)\n */\n\nstatic inline bool match_owatch_cc(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0xcc, 0x8e, 0x5f, 0x0d))\n                return true;\n        return false;\n}\n\nstatic inline bool match_owatch_df(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n\n        if ((ntohl(payload) & 0xfffff000) == 0xdffcf000)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_overwatch(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_owatch_cc(data->payload[0], data->payload_len[0])) {\n                if (match_owatch_df(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_owatch_cc(data->payload[1], data->payload_len[1])) {\n                if (match_owatch_df(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_overwatch = {\n\tLPI_PROTO_UDP_OVERWATCH,\n\tLPI_CATEGORY_GAMING,\n\t\"Overwatch\",\n\t12,\n\tmatch_overwatch\n};\n\nvoid register_overwatch(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_overwatch, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_paladins.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_pd_570(uint32_t payload, uint32_t len) {\n        if (len == 570 && MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_pd_46(uint32_t payload, uint32_t len) {\n\n        /* The first byte starts at 0x01 and increments for each\n         * subsequent flow */\n        if (len == 46 && MATCH(payload, ANY, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool port_range_check(uint16_t porta, uint16_t portb) {\n        if (porta >= 9000 && porta < 10000)\n                return true;\n\n        if (portb >= 9000 && portb < 10000)\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_paladins(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if 
(!port_range_check(data->server_port, data->client_port))\n                return false;\n\n        if (match_pd_570(data->payload[0], data->payload_len[0])) {\n                if (match_pd_46(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_pd_570(data->payload[1], data->payload_len[1])) {\n                if (match_pd_46(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_paladins = {\n\tLPI_PROTO_UDP_PALADINS,\n\tLPI_CATEGORY_GAMING,\n\t\"Paladins\",\n\t203,\n\tmatch_paladins\n};\n\nvoid register_paladins(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_paladins, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_pando.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* This seems to be a Pando thing - I've found libtorrent handshakes within\n * full payload captures of these packets that refer to Pando peer exchange.\n *\n * It may be a wider Bittorrent thing, but I haven't found any evidence to\n * suggest that any clients other than Pando use it */\n\nstatic inline bool match_pando_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_both(data, \"\\x00\\x00\\x00\\x09\", \"\\x00\\x00\\x00\\x09\"))\n                return true;\n\n        if (MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x09) &&\n                        data->payload_len[1] == 0)\n                return true;\n\n        if (MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x09) &&\n                        data->payload_len[0] == 0)\n                return true;\n\n        /* This is something I've observed going to hosts belonging to\n       
  * Pando */\n\n        if (match_str_both(data, \"UDPA\", \"UDPR\"))\n                return true;\n        if (match_str_both(data, \"UDPA\", \"UDPE\"))\n                return true;\n\tif (match_str_either(data, \"UDPA\")) {\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t\tif (data->payload_len[1] == 0)\n\t\t\treturn true;\n\t}\n\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_pando_udp = {\n\tLPI_PROTO_UDP_PANDO,\n\tLPI_CATEGORY_P2P,\n\t\"Pando_UDP\",\n\t10,\n\tmatch_pando_udp\n};\n\nvoid register_pando_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_pando_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_panipani.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* https://play.google.com/store/apps/details?id=jp.colopl.pcat */\n\nstatic inline bool match_pani_42(uint32_t payload, uint32_t len) {\n\n        if (len == 40 && MATCH(payload, 0x42, 0x00, ANY, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_pani_4a(uint32_t payload, uint32_t len) {\n\n        if (len == 1051 && MATCH(payload, 0x4a, 0x80, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_panipani(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 7101, 7102 or 7103 */\n\n        if (match_pani_42(data->payload[0], data->payload_len[0])) {\n                if (match_pani_4a(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_pani_42(data->payload[1], data->payload_len[1])) {\n               
 if (match_pani_4a(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_panipani = {\n\tLPI_PROTO_UDP_PANIPANI,\n\tLPI_CATEGORY_GAMING,\n\t\"Panipani\",\n\t101,\n\tmatch_panipani\n};\n\nvoid register_panipani(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_panipani, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_planetside2.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_planetside_35(uint32_t payload, uint32_t len) {\n        if (len != 35)\n                return false;\n\n        if (!MATCH(payload, 0x00, 0x01, 0x00, 0x00))\n                return false;\n\n        return true;\n\n}\n\nstatic inline bool match_planetside_21(uint32_t payload, uint32_t len) {\n        if (len != 21)\n                return false;\n\n        if (!MATCH(payload, 0x00, 0x02, ANY, ANY))\n                return false;\n\n        return true;\n\n}\n\n\nstatic inline bool match_planetside2(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_planetside_35(data->payload[0], data->payload_len[0])) {\n                if (match_planetside_21(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_planetside_35(data->payload[1], data->payload_len[1])) 
{\n                if (match_planetside_21(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_planetside2 = {\n\tLPI_PROTO_UDP_PLANETSIDE2,\n\tLPI_CATEGORY_GAMING,\n\t\"Planetside2\",\n\t17,\n\tmatch_planetside2\n};\n\nvoid register_planetside2(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_planetside2, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_portmap_rpc.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_portmap_rpc(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 111 && data->client_port != 111)\n                return false;\n\n        if (data->payload_len[0] > 0 && data->payload_len[1] > 0) {\n                if (data->payload[0] != data->payload[1])\n                        return false;\n        }\n\n        if (data->payload_len[0] == 46 || data->payload_len[1] == 46)\n                return true;\n        if (data->payload_len[0] == 40 || data->payload_len[1] == 40)\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_portmap_rpc = {\n\tLPI_PROTO_UDP_PORTMAP_RPC,\n\tLPI_CATEGORY_SERVICES,\n\t\"PortmapRPC\",\n\t220,\n\tmatch_portmap_rpc\n};\n\nvoid register_portmap_rpc(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_portmap_rpc, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_pplive.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool obs_pplive_req(uint32_t payload, uint32_t len) {\n\t/* There's always a 94 byte packet involved */\n        if (payload == 0)\n                return false;\n\tif (len == 94)\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool obs_pplive_resp(uint32_t len, bool knownport) {\n\tif (len == 0 && knownport)\n\t\treturn true;\n\tif (len == 94)\n\t\treturn true;\n\tif (len == 49 && knownport)\n\t\treturn true;\n\treturn false;\n}\n\n\nstatic inline bool match_obscure_pplive(lpi_data_t *data) {\n\n\t/* This is pretty tough stuff to match - the 4 bytes of payload\n\t * is random, but the packet sizes seem consistent. 
\n\t *\n\t * DPI tools suggest this traffic is pplive, so we'll go with that\n\t * in the absence of any other documentation :/\n\t */\n        bool knownport = false;\n\n        /* Restrict non-94 byte responses to port 5041 */\n        if (data->server_port == 5041 || data->client_port == 5041)\n                knownport = true;\n\n\tif (obs_pplive_req(data->payload[0], data->payload_len[0]) && \n\t\t\tobs_pplive_resp(data->payload_len[1], knownport))\n\t\treturn true;\n\tif (obs_pplive_req(data->payload[1], data->payload_len[1]) && \n\t\t\tobs_pplive_resp(data->payload_len[0], knownport))\n\t\treturn true;\n\n\treturn false;\n\n}\n\nstatic inline bool match_pplive(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_both(data, \"\\xe9\\x03\\x41\\x01\", \"\\xe9\\x03\\x42\\x01\"))\n                return true;\n        if (match_str_both(data, \"\\xe9\\x03\\x41\\x01\", \"\\xe9\\x03\\x41\\x01\"))\n                return true;\n        if (match_str_either(data, \"\\xe9\\x03\\x41\\x01\")) {\n                if (data->payload_len[0] == 0 && data->payload_len[1] == 57)\n                        return true;\n                if (data->payload_len[1] == 0 && data->payload_len[0] == 57)\n                        return true;\n        }\n        /* According to a Chinese paper (Xiaona et al), this is a pattern\n         * for PPLive */\n        if (match_str_both(data, \"\\x1c\\x1c\\x32\\x01\", \"\\x1c\\x1c\\x32\\x01\"))\n                return true;\n\n\tif (match_obscure_pplive(data)) {\n\t\treturn true;\n\t}\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_pplive = {\n\tLPI_PROTO_UDP_PPLIVE,\n\tLPI_CATEGORY_P2PTV,\n\t\"PPLive\",\n\t203,\n\tmatch_pplive\n};\n\nvoid register_pplive(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_pplive, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_ppstream.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n#include <stdio.h>\n\nstatic inline bool ppstream_pattern(uint32_t payload) {\n\n\tif (MATCH(payload, ANY, ANY, 0x43, 0x00))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, 0x43, 0x22))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, 0x43, 0x23))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, 0x43, 0x32))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, 0x43, 0x46))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, 0x43, 0x47))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, 0x43, 0x49))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, 0x43, 0x4c))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, 0x43, 0x4d))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, 0x44, 0x73))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, 0x44, 0xb2))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, 0x44, 0xb5))\n\t\treturn true;\n\tif (MATCH(payload, ANY, 
ANY, 0x55, 0x72))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, 0x55, 0x75))\n\t\treturn true;\n\tif (MATCH(payload, ANY, ANY, 0x55, 0xb3))\n\t\treturn true;\n\n\treturn false;\n\n}\n\nstatic inline bool match_ppstream_payload(uint32_t payload, uint32_t len) {\n        uint16_t rep_len = 0;\n\tuint32_t swap = ntohl(payload);\n\n        if (len == 0)\n                return true;\n\n\t/* Seems to be used on start-up to check access to certain\n\t * servers owned by PPStream */\n\tif (MATCH(payload, 'e', 'c', 'h', 'o') && len == 5)\n\t\treturn true;\n\n        if (!ppstream_pattern(payload)) \n                return false;\n\n        /* First two bytes are either len or len - 4 */\n\n\trep_len = ntohs((uint16_t)(swap >> 16));\n\t\n        if (rep_len == len)\n                return true;\n        if (rep_len == len - 4)\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_8480_ppstream(uint32_t payload, uint32_t len) {\n\n\n        if (len == 132 && MATCH(payload, 0x84, 0x80, 0xc0, 0xd1))\n                return true;\n        if (len == 132 && MATCH(payload, 0x84, 0x80, 0xd1, 0xc0))\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_8580_ppstream(uint32_t payload, uint32_t len) {\n\n\n        if (len == 133 && MATCH(payload, 0x85, 0x80, 0xc1, 0xd0))\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_1580_ppstream(uint32_t payload, uint32_t len) {\n\n        if (len == 24 && MATCH(payload, 0x15, 0x80, 0x40, 0x01))\n                return true;\n        return false;\n}\n\nstatic inline bool match_8580_reply(uint32_t payload, uint32_t len) {\n\n        if (len < 134 || len > 151) {\n                return false;\n        }\n\n        if (MATCH(payload, ANY, 0x80, ANY, ANY)) {\n                return true;\n        }\n\n        return false;\n}\n\nstatic inline bool match_80_ppstream(uint32_t payload, uint32_t len) {\n\n        uint32_t hlen = ntohl(payload) >> 
24;\n\n        if (MATCH(payload, ANY, 0x80, ANY, ANY)) {\n                if (len == hlen )\n                        return true;\n\n                /* There must be a minimum datagram size */\n                if (len == 24 && hlen < 24)\n                        return true;\n        }\n\n        return false;\n\n\n}\n\nstatic inline bool match_any84(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, ANY, 0x84, ANY, ANY)) {\n                if (len >= 1065 && len <= 1100)\n                        return true;\n        }\n        return false;\n}\n\nstatic inline bool match_any80(uint32_t payload, uint32_t len) {\n\n        /* Only examples so far are 0x25806144, len=33 -- need to\n         * see more users to confirm if this is a constant payload */\n        if (MATCH(payload, ANY, 0x80, ANY, ANY)) {\n                if (len == 33)\n                        return true;\n        }\n        return false;\n}\n\nstatic inline bool match_ppstream(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_ppstream_payload(data->payload[0], data->payload_len[0])) {\n                if (match_ppstream_payload(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_8480_ppstream(data->payload[0], data->payload_len[0])) {\n                if (MATCH(data->payload[1], ANY, 0x80, ANY, ANY))\n                        return true;\n        }\n\n        if (match_8480_ppstream(data->payload[1], data->payload_len[1])) {\n                if (MATCH(data->payload[0], ANY, 0x80, ANY, ANY))\n                        return true;\n        }\n\n        if (match_80_ppstream(data->payload[0], data->payload_len[0])) {\n                if (match_80_ppstream(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_any84(data->payload[0], data->payload_len[0])) {\n                if (match_any80(data->payload[1], data->payload_len[1]))\n                        return 
true;\n        }\n\n        if (match_any80(data->payload[0], data->payload_len[0])) {\n                if (match_any84(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_8580_ppstream(data->payload[0], data->payload_len[0])) {\n                if (match_8580_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_8580_ppstream(data->payload[1], data->payload_len[1])) {\n                if (match_8580_reply(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_1580_ppstream(data->payload[0], data->payload_len[0])) {\n                /* 8580 reply is intentional here -- it's the same reply\n                 * pattern for both 1580 and 8580 */\n                if (match_8580_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_1580_ppstream(data->payload[1], data->payload_len[1])) {\n                if (match_8580_reply(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        return false;\n\n\n}\n\nstatic lpi_module_t lpi_ppstream = {\n\tLPI_PROTO_UDP_PPSTREAM,\n\tLPI_CATEGORY_P2PTV,\n\t\"PPStream\",\n\t150,\n\tmatch_ppstream\n};\n\nvoid register_ppstream(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ppstream, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_probable_gnutella.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_probable_gnutella(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* XXX This could well be prone to false positives, so definitely\n         * check this one LAST */\n\n        if (data->payload_len[0] == 35 && data->payload_len[1] == 0)\n                return true;\n        if (data->payload_len[1] == 35 && data->payload_len[0] == 0)\n                return true;\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_probable_gnutella = {\n\tLPI_PROTO_UDP_GNUTELLA,\n\tLPI_CATEGORY_P2P,\n\t\"Gnutella_UDP\",\n\t255,\t/* This is a really bad rule - make it extremely low priority */\n\tmatch_probable_gnutella\n};\n\nvoid register_probable_gnutella(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_probable_gnutella, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_ps4_remoteplay.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool valid_port(uint16_t porta, uint16_t portb) {\n\n        if (porta == 9296 || portb == 9296)\n                return true;\n        if (porta == 9297 || portb == 9297)\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_ps4_remoteplay(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (!valid_port(data->server_port, data->client_port))\n                return false;\n\n        /* Examples that I have are 88 bytes, but this probably depends on\n         * lengths of user and device names */\n        if (data->payload_len[0] != data->payload_len[1])\n                return false;\n\n        if (MATCH(data->payload[0], 0x01, 0x00, 0x00, 0x00)) {\n                if (MATCH(data->payload[1], 0x01, 0x00, 0x00, 0x00))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic 
lpi_module_t lpi_ps4_remoteplay = {\n\tLPI_PROTO_UDP_PS4_REMOTEPLAY,\n\tLPI_CATEGORY_GAMING,\n\t\"PS4_RemotePlay\",\n\t150,\n\tmatch_ps4_remoteplay\n};\n\nvoid register_ps4_remoteplay(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ps4_remoteplay, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_psn.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_psn_payload(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n\n        /* Seen on udp port 3658 */\n        if (MATCH(payload, 0xff, 0x83, 0xff, 0xfe))\n                return true;\n        /* Seen on udp port 9306 */\n        if (MATCH(payload, 0xff, 0x83, 0xff, 0xfd))\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_psn(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_psn_payload(data->payload[0], data->payload_len[0])) {\n                if (match_psn_payload(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_psn = {\n\tLPI_PROTO_UDP_PSN,\n\tLPI_CATEGORY_GAMING,\n\t\"PSN\",\n\t3,\n\tmatch_psn\n};\n\nvoid register_psn(LPIModuleMap *mod_map) 
{\n\tregister_protocol(&lpi_psn, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_punkbuster.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Punkbuster: anti-cheating software for online games. Uses its own\n * protocol for keeping the local PB software up to date. 
*/\n\nstatic inline bool match_pb_req(uint32_t payload, uint32_t len) {\n\n        /* length 60-65 bytes */\n        if (MATCH(payload, 'k', 'e', 'y', 0x20))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_pb_resp(uint32_t payload, uint32_t len) {\n\n        /* length 49-51 bytes */\n\n        if (MATCHSTR(payload, \"\\xff\\xff\\xff\\xff\"))\n                return true;\n        return false;\n\n}\n\n\nstatic inline bool match_punkbuster(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_pb_req(data->payload[1], data->payload_len[1])) {\n                if (match_pb_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_pb_req(data->payload[0], data->payload_len[0])) {\n                if (match_pb_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_punkbuster = {\n\tLPI_PROTO_UDP_PUNKBUSTER,\n\tLPI_CATEGORY_GAMING,\n\t\"Punkbuster\",\n\t9,\n\tmatch_punkbuster\n};\n\nvoid register_punkbuster(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_punkbuster, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_pyzor.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_pyzor(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_both(data, \"User\", \"Code\"))\n                return true;\n        if (match_str_both(data, \"User\", \"Thre\"))\n                return true;\n        if (data->payload_len[0] == 0 || data->payload_len[1] == 0) {\n                if (match_str_either(data, \"User\"))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_pyzor = {\n\tLPI_PROTO_UDP_PYZOR,\n\tLPI_CATEGORY_ANTISPAM,\n\t\"Pyzor\",\n\t3,\n\tmatch_pyzor\n};\n\nvoid register_pyzor(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_pyzor, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_qq.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_qq_chat(lpi_data_t *data) {\n\n\t/* QQ 2006 has a version number of 0x0f5f */\n        if (match_str_both(data, \"\\x02\\x0f\\x5f\\x00\", \"\\x02\\x0f\\x5f\\x00\"))\n                return true;\n\n        if (match_str_either(data, \"\\x02\\x0f\\x5f\\x00\")) {\n                if (data->payload_len[0] == 0)\n                        return true;\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n        if (match_str_both(data, \"\\x02\\x01\\x00\\x00\", \"\\x02\\x01\\x00\\x00\")) {\n                if (data->payload_len[0] == 75 && data->payload_len[1] == 43)\n                        return true;\n\n                if (data->payload_len[1] == 75 && data->payload_len[0] == 43)\n                        return true;\n        }\n\n        if (match_str_both(data, 
\"\\x02\\x02\\x00\\x00\", \"\\x02\\x02\\x00\\x00\")) {\n                if (data->payload_len[0] == 83 && data->payload_len[1] == 43)\n                        return true;\n\n                if (data->payload_len[1] == 83 && data->payload_len[0] == 43)\n                        return true;\n        }\n\n        if (match_str_both(data, \"\\x02\\x03\\x00\\x00\", \"\\x02\\x03\\x00\\x00\")) {\n                if (data->payload_len[0] == 83 && data->payload_len[1] == 43)\n                        return true;\n\n                if (data->payload_len[1] == 83 && data->payload_len[0] == 43)\n                        return true;\n        }\n\n        if (data->payload[0] == data->payload[1]) {\n                if (!MATCH(data->payload[0], 0x02, ANY, ANY, ANY))\n                        return false;\n                if (data->server_port != 8000 && data->client_port != 8000)\n                        return false;\n                return true;\n        }\n\n\n\treturn false;\n}\n\nstatic inline bool match_qq_video(lpi_data_t *data) {\n\n        /* Observed when using the QQ app to make video calls */\n\n        if (match_str_both(data, \"\\x28\\x00\\x00\\x00\", \"\\x28\\x00\\x00\\x00\"))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_qq_length(uint32_t payload, uint32_t len) {\n\n    uint32_t plen = (ntohl(payload) >> 8) & 0xffff;\n\n    if (plen != len)\n\treturn false;\n\n    if (MATCH(payload, 0x02, ANY, ANY, ANY))\n\treturn true;\n    if (MATCH(payload, 0x3e, ANY, ANY, 0x02))\n\treturn true;\n\n    return false;\n\n}\n\nstatic inline bool match_qq(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_qq_chat(data))\n                return true;\n        if (match_qq_video(data))\n                return true;\n\n\tif ((data->payload[0] & 0xff000000) == (data->payload[1] & 0xff000000)) {\n\t    if (!match_qq_length(data->payload[0], data->payload_len[0]))\n\t\treturn false;\n\t    if (!match_qq_length(data->payload[1], 
data->payload_len[1]))\n\t\treturn false;\n\t    return true;\n\t}\n        return false;\n}\n\nstatic lpi_module_t lpi_qq = {\n\tLPI_PROTO_UDP_QQ,\n\tLPI_CATEGORY_CHAT,\n\t\"QQ\",\n\t23,\n\tmatch_qq\n};\n\nvoid register_qq(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_qq, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_qqlive.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n#include <stdio.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_qqlive_p2p(uint32_t payload) {\n\n        if (MATCH(payload, 0x1a, 0x10, 0x01, 0x20))\n                return true;\n        return false;\n}\n\nstatic inline bool match_qqlive_p2p_fe0a(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0xfe, 0x0a, 0x00, 0x00) && len == 13)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_qqlive(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->payload_len[0] == 0 || data->payload_len[1] == 0) {\n\t\tif (data->server_port == 53 || data->client_port == 53)\n\t\t\treturn false;\n\t}\n\n        if (match_qqlive_p2p(data->payload[0])) {\n                if (match_qqlive_p2p(data->payload[1]))\n                        return true;\n                if (match_qqlive_p2p_fe0a(data->payload[1], data->payload_len[1]))\n      
                  return true;\n        }\n\n        if (match_qqlive_p2p(data->payload[1])) {\n                if (match_qqlive_p2p(data->payload[0]))\n                        return true;\n                if (match_qqlive_p2p_fe0a(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (!match_qqlive_payload(data->payload[0], data->payload_len[0]))\n                return false;\n        if (!match_qqlive_payload(data->payload[1], data->payload_len[1]))\n                return false;\n\n        return true;\n}\n\nstatic lpi_module_t lpi_qqlive = {\n\tLPI_PROTO_UDP_QQLIVE,\n\tLPI_CATEGORY_P2PTV,\n\t\"QQLive\",\n\t4,\n\tmatch_qqlive\n};\n\nvoid register_qqlive(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_qqlive, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_qqpcmgr.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n#include <stdio.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Some sort of phone-home protocol mostly used by QQPCMgr, a \"security\"\n * program by QQ.\n *\n * Appears to occasionally be used by other QQ background processes, like\n * QQLive, but the background processes created by QQPCMgr use this \n * protocol far more than anything else I've seen.\n */\n\nstatic inline bool match_qqpcmgr(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->server_port != 8000 && data->client_port != 8000)\n\t    return false;\n\t\n\tif (!MATCH(data->payload[0], 0x00, 0x02, 0x00, ANY))\n\t    return false;\n\tif (!MATCH(data->payload[1], 0x00, 0x02, 0x00, ANY))\n\t    return false;\n\n\t/* Usually byte 4 matches for both payloads, but not always */\n\n        return true;\n}\n\nstatic lpi_module_t lpi_qqpcmgr = 
{\n\tLPI_PROTO_UDP_QQPCMGR,\n\tLPI_CATEGORY_SECURITY,\n\t\"QQPCMgr\",\n\t21,\n\tmatch_qqpcmgr\n};\n\nvoid register_qqpcmgr(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_qqpcmgr, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_qqspeedmobile_udp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\n/* QQ Speed (mobile version) -- Online Mario Kart clone */\n\nstatic inline bool match_speed_55(uint32_t payload, uint32_t len) {\n        if (len == 55 && MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_speed_57(uint32_t payload, uint32_t len) {\n        /* Payload itself is pretty random */\n        if (len == 57)\n                return true;\n        return false;\n}\n\nstatic inline bool match_qqspeedmobile_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_speed_55(data->payload[0], data->payload_len[0])) {\n                if (match_speed_57(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_speed_57(data->payload[0], data->payload_len[0])) {\n                if 
(match_speed_55(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_qqspeedmobile_udp = {\n\tLPI_PROTO_UDP_QQSPEEDMOBILE,\n\tLPI_CATEGORY_GAMING,\n\t\"QQSpeedMobile_UDP\",\n\t100,\n\tmatch_qqspeedmobile_udp\n};\n\nvoid register_qqspeedmobile_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_qqspeedmobile_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_quake.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_quake_ping(lpi_data_t *data) {\n\n        /* The client appears to send a \"ping\" (which is not part of the\n         * documented Quake engine protocol). 
The server responds with a\n         * standard \"ffffffff\" packet */\n\n        if (MATCHSTR(data->payload[0], \"ping\") && data->payload_len[0] == 4) {\n                if (data->payload_len[1] == 0)\n                        return true;\n                if (data->payload_len[1] != 14)\n                        return false;\n                if (MATCHSTR(data->payload[1], \"\\xff\\xff\\xff\\xff\"))\n                        return true;\n                return false;\n        }\n\n        if (MATCHSTR(data->payload[1], \"ping\") && data->payload_len[1] == 4) {\n                if (data->payload_len[0] == 0)\n                        return true;\n                if (data->payload_len[0] != 14)\n                        return false;\n                if (MATCHSTR(data->payload[0], \"\\xff\\xff\\xff\\xff\"))\n                        return true;\n                return false;\n        }\n\n        return false;\n}\n\n\nstatic inline bool match_qlive_challenge(uint32_t payload, uint32_t len) {\n\n        /* Not sure whether this length can vary or not? */\n        if (len == 259)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_qlive_response(uint32_t payload, uint32_t len) {\n\n        /* Not sure whether this length can vary or not? 
*/\n        if (len == 33 || len == 32 || len == 31 || len == 30)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_quake(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Trying to match generic Quake engine games - typically use port \n         * 27960 */\n\n        if (match_quake_ping(data))\n                return true;\n\n        if (!match_str_both(data, \"\\xff\\xff\\xff\\xff\", \"\\xff\\xff\\xff\\xff\"))\n                return false;\n        if (data->payload_len[0] == 16) {\n                if (data->payload_len[1] >= 51 && data->payload_len[1] <= 54)\n                        return true;\n\t\tif (data->payload_len[1] >= 30 && data->payload_len[1] <= 33)\n\t\t\treturn true;\n                if (data->server_port == 27960 || data->client_port == 27960) {\n                        if (data->payload_len[1] >= 800 && data->payload_len[1] <= 812)\n                                return true;\n                }\n\n        }\n        if (data->payload_len[1] == 16) {\n                if (data->payload_len[0] >= 51 && data->payload_len[0] <= 54)\n                        return true;\n\t\tif (data->payload_len[0] >= 30 && data->payload_len[0] <= 33)\n\t\t\treturn true;\n                if (data->server_port == 27960 || data->client_port == 27960) {\n                        if (data->payload_len[0] >= 800 && data->payload_len[0] <= 812)\n                                return true;\n                }\n        }\n\t\n\n        if (match_qlive_challenge(data->payload[0], data->payload_len[0])) {\n                if (match_qlive_response(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_qlive_challenge(data->payload[1], data->payload_len[1])) {\n                if (match_qlive_response(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_quake = 
{\n\tLPI_PROTO_UDP_QUAKE,\n\tLPI_CATEGORY_GAMING,\n\t\"Quake\",\n\t6,\n\tmatch_quake\n};\n\nvoid register_quake(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_quake, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_quic.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Based on both the QUIC spec: \n *   https://docs.google.com/document/d/1WJvyZflAO2pq77yOLbp9NsGjC1CHetAXV8I0fQe-B_U/edit\n * and traffic observed in the wild.\n */\n\nstatic inline bool match_quic_version(uint32_t payload) {\n\n        /* Public flags for a Version Negotiation packet must be\n         * 0x0d */\n        if (MATCH(payload, 0x0d, ANY, ANY, ANY)) {\n                return true;\n        }\n\n        /* 0x09 can also work in the case where there is no\n         * diversification nonce in the header */\n        if (MATCH(payload, 0x09, ANY, ANY, ANY)) {\n                return true;\n        }\n\n        /* Apparently 0x0c and 0x0e can also work here? 
*/\n        if (MATCH(payload, 0x0c, ANY, ANY, ANY)) {\n                return true;\n        }\n\n        if (MATCH(payload, 0x0e, ANY, ANY, ANY)) {\n                return true;\n        }\n\n\n        return false;\n\n}\n\nstatic inline bool match_quic_response(uint32_t payload, uint32_t other) {\n\n        uint32_t seq8 = (ntohl(payload) >> 16) & 0xff;\n\n        /* Public flags are 0x00 for a packet with a single byte of\n         * sequence number and no connection id */\n        if (MATCH(payload, 0x00, ANY, ANY, ANY)) {\n                /* This *is* UDP, so we might miss some of the first\n                 * few datagrams... */\n                if (seq8 >= 1 && seq8 <= 10)\n                        return true;\n        }\n\n\n        /* Otherwise, connection IDs must match for both directions */\n        if (MATCH(payload, 0x0c, ANY, ANY, ANY)) {\n                if ((payload & 0xffffff00) == (other & 0xffffff00))\n                        return true;\n        }\n\n        if (MATCH(payload, 0x0e, ANY, ANY, ANY)) {\n                if ((payload & 0xffffff00) == (other & 0xffffff00))\n                        return true;\n        }\n\n        /* This is the 4 byte connection ID case */\n        if (MATCH(payload, 0x08, ANY, ANY, ANY)) {\n                if ((payload & 0xffffff00) == (other & 0xffffff00))\n                        return true;\n        }\n\n        /* This is the 4 byte diversification nonce case, with no other\n         * flags set. 
*/\n        if (MATCH(payload, 0x04, ANY, ANY, ANY)) {\n                return true;\n        }\n\n\n        return false;\n\n}\n\nstatic inline bool match_quic_port(lpi_data_t *data) {\n        if (data->server_port == 443)\n                return true;\n        if (data->client_port == 443)\n                return true;\n\n        if (data->server_port == 80)\n                return true;\n        if (data->client_port == 80)\n                return true;\n\n        return false;\n}\n\n/* Match old Google QUIC versions */\nstatic inline bool match_old_gquic(lpi_data_t *data) {\n\n        if (match_quic_version(data->payload[0])) {\n                if (match_quic_response(data->payload[1], data->payload[0]))\n                        return true;\n        }\n\n        if (match_quic_version(data->payload[1])) {\n                if (match_quic_response(data->payload[0], data->payload[1]))\n                        return true;\n        }\n\n\n        /* Matches against an in-progress QUIC flow \n         * XXX not overly robust, may produce false positives... 
*/\n        if (MATCH(data->payload[0], 0x10, ANY, ANY, ANY)) {\n                if (MATCH(data->payload[1], 0x0c, ANY, ANY, ANY))\n                        return true;\n                if (MATCH(data->payload[1], 0x1c, ANY, ANY, ANY))\n                        return true;\n        }\n\n        if (MATCH(data->payload[0], 0x00, ANY, ANY, ANY)) {\n                if (MATCH(data->payload[1], 0x0c, ANY, ANY, ANY))\n                        return true;\n                if (MATCH(data->payload[1], 0x1c, ANY, ANY, ANY))\n                        return true;\n        }\n\n        if (MATCH(data->payload[1], 0x10, ANY, ANY, ANY)) {\n                if (MATCH(data->payload[0], 0x0c, ANY, ANY, ANY))\n                        return true;\n                if (MATCH(data->payload[0], 0x1c, ANY, ANY, ANY))\n                        return true;\n        }\n\n        if (MATCH(data->payload[1], 0x00, ANY, ANY, ANY)) {\n                if (MATCH(data->payload[0], 0x0c, ANY, ANY, ANY))\n                        return true;\n                if (MATCH(data->payload[0], 0x1c, ANY, ANY, ANY))\n                        return true;\n        }\n\n        return false;\n}\n\nstatic inline bool match_05X_req(uint32_t payload, uint32_t len) {\n\n        if ((ntohl(payload) & 0xf0000000) != 0xc0000000) {\n                return false;\n        }\n        if (MATCH(payload, ANY, 0x51, 0x30, 0x35)) {\n                if (len == 42) {\n                        return true;\n                }\n\n                if (len == 1350 || len == 1330) {\n                        return true;\n                }\n        }\n\n        if (MATCH(payload, ANY, 0x54, 0x30, 0x35)) {\n                if (len == 1350 || len == 1330) {\n                        return true;\n                }\n        }\n\n        return false;\n}\n\nstatic inline bool match_05X_reply(uint32_t payload, uint32_t len,\n                uint32_t other) {\n\n        if ((ntohl(payload) & 0x00ff0000) != (ntohl(other) & 0x00ff0000)) {\n       
         return false;\n        }\n\n        if ((ntohl(payload) & 0xf0000000) == 0xc0000000) {\n                if (MATCH(payload, ANY, 0x51, 0x30, 0x35)) {\n                        if (len == 1350 || len == 1330) {\n                                return true;\n                        }\n                }\n\n                if (MATCH(payload, ANY, 0x54, 0x30, 0x35)) {\n                        if (len == 1350 || len == 1330) {\n                                return true;\n                        }\n                }\n        }\n\n        if ((ntohl(payload) & 0xff000000) == 0xd5000000) {\n                if (!MATCH(payload, ANY, 0x51, 0x30, 0x35)) {\n                        return false;\n                }\n\n                if (len == 1350 || len == 1330) {\n                        return true;\n                }\n        }\n\n        return false;\n}\n\nstatic inline bool match_req_q044(uint32_t payload, uint32_t len) {\n\n        if (MATCHSTR(payload, \"\\xffQ04\") && len == 1350) {\n                return true;\n        }\n\n        /* IPv6 */\n        if (MATCHSTR(payload, \"\\xffQ04\") && len == 1330) {\n                return true;\n        }\n        if (MATCH(payload, 0xc3, 'Q', '0', '4') &&\n                        (len == 36 || len == 1350 || len == 1330)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_reply_q044(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0xff, 'Q', '0', '4')) {\n                return true;\n        }\n        if (MATCH(payload, 0xfd, 'Q', '0', '4')) {\n                return true;\n        }\n        if (MATCH(payload, 0xfc, 'Q', '0', '4')) {\n                return true;\n        }\n        if (MATCH(payload, 0xc3, 'Q', '0', '4')) {\n                return true;\n        }\n        if (MATCH(payload, 0xd3, 'Q', '0', '4')) {\n                return true;\n        }\n        if (MATCH(payload, 0xe3, 'Q', '0', '4')) {\n                return true;\n        }\n       
 return false;\n}\n\n\n\n/* IETF QUIC version 44, starting to be deployed by Google */\nstatic inline bool match_quic_044(lpi_data_t *data) {\n\n        if (match_req_q044(data->payload[0], data->payload_len[0])) {\n                if (match_reply_q044(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_req_q044(data->payload[1], data->payload_len[1])) {\n                if (match_reply_q044(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n        return false;\n}\n\nstatic inline bool match_quic_05X(lpi_data_t *data) {\n        if (match_05X_req(data->payload[0], data->payload_len[0])) {\n                if (match_05X_reply(data->payload[1], data->payload_len[1],\n                                data->payload[0])) {\n                        return true;\n                }\n        }\n\n        if (match_05X_req(data->payload[1], data->payload_len[1])) {\n                if (match_05X_reply(data->payload[0], data->payload_len[0],\n                                data->payload[1])) {\n                        return true;\n                }\n        }\n        return false;\n}\n\nstatic inline bool match_reply_fbquic(uint32_t payload, uint32_t len) {\n        if ((len >= 38 && len <= 50) || len == 1252 || len == 1232) {\n                if ((ntohl(payload) & 0xf0000000) != 0xc0000000) {\n                        return false;\n                }\n                if (MATCH(payload, ANY, 0xfa, 0xce, 0xb0)) {\n                        return true;\n                }\n        }\n        return false;\n}\n\nstatic inline bool match_req_fbquic(uint32_t payload, uint32_t len) {\n        if (len == 1232 || len == 1235) {\n                if ((ntohl(payload) & 0xf0000000) != 0xc0000000) {\n                        return false;\n                }\n                if (MATCH(payload, ANY, 0xfa, 0xce, 0xb0)) {\n                        
return true;\n                }\n        }\n        return false;\n}\n\nstatic inline bool match_fb_quic(lpi_data_t *data) {\n        if (match_req_fbquic(data->payload[0], data->payload_len[0])) {\n                if (match_reply_fbquic(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n        if (match_req_fbquic(data->payload[1], data->payload_len[1])) {\n                if (match_reply_fbquic(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n        return false;\n}\n\nstatic inline bool match_quic(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (!match_quic_port(data))\n                return false;\n\n        /* Spec says that packets must not be larger than 1350 bytes */\n        if (data->payload_len[0] > 1350 || data->payload_len[1] > 1350)\n                return false;\n\n        if (match_quic_044(data)) {\n                return true;\n        }\n\n        if (match_quic_05X(data)) {\n                return true;\n        }\n\n        if (match_fb_quic(data)) {\n                return true;\n        }\n\n        if (match_old_gquic(data)) {\n                return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_quic = {\n\tLPI_PROTO_UDP_QUIC,\n\tLPI_CATEGORY_WEB,\n\t\"QUIC\",\n\t9,\n\tmatch_quic\n};\n\nvoid register_quic(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_quic, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_qvod_udp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_qvod_1(uint32_t payload, uint32_t len) {\n\n        if (len == 1 && MATCH(payload, 0x30, 0x00, 0x00, 0x00)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_qvod_13(uint32_t payload, uint32_t len) {\n\n        if (len == 13 && MATCH(payload, 0x00, 0x00, 0x00, 0x0d)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_qvod_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_qvod_13(data->payload[0], data->payload_len[0])) {\n                if (match_qvod_13(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_qvod_1(data->payload[0], data->payload_len[0])) {\n                if (match_qvod_13(data->payload[1], data->payload_len[1])) {\n     
                   return true;\n                }\n        }\n\n        if (match_qvod_1(data->payload[1], data->payload_len[1])) {\n                if (match_qvod_13(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_qvod_udp = {\n\tLPI_PROTO_UDP_QVOD,\n\tLPI_CATEGORY_P2P,\n\t\"QVOD_UDP\",\n\t201,\n\tmatch_qvod_udp\n};\n\nvoid register_qvod_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_qvod_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_radius.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_radius_request(uint32_t pload, uint32_t len) {\n\n\tuint32_t stated_len = 0;\n\n\tstated_len = ntohl(pload) & 0xffff;\n\tif (stated_len != len)\n\t\treturn false;\n\t\n\t/* Access-Request */\n\tif (MATCH(pload, 0x01, ANY, ANY, ANY))\n\t\treturn true;\n\t/* Accounting-Request */\n\tif (MATCH(pload, 0x04, ANY, ANY, ANY))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic inline bool match_radius_resp(uint32_t pload, uint32_t len) {\n\n\tuint32_t stated_len = 0;\n\n\tstated_len = ntohl(pload) & 0xffff;\n\tif (stated_len != len)\n\t\treturn false;\n\n\t/* Access-Accept */\t\n\tif (MATCH(pload, 0x02, ANY, ANY, ANY))\n\t\treturn true;\n\t/* Access-Reject */\n\tif (MATCH(pload, 0x03, ANY, ANY, ANY))\n\t\treturn true;\n\t/* Accounting-Response */\n\tif (MATCH(pload, 0x05, ANY, ANY, ANY))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic 
inline bool match_radius(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t//if (data->server_port != 1812 && data->client_port != 1812)\n\t//\treturn false;\n\n\t/* Second byte is the ID field, which must match for both payloads */\n\tif ((ntohl(data->payload[0]) & 0xff0000) != \n\t\t\t(ntohl(data->payload[1]) & 0xff0000))\n\t\treturn false;\n\n\tif (match_radius_request(data->payload[0], data->payload_len[0])) {\n\t\tif (match_radius_resp(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_radius_request(data->payload[1], data->payload_len[1])) {\n\t\tif (match_radius_resp(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\treturn false;\n}\n\nstatic lpi_module_t lpi_radius = {\n\tLPI_PROTO_UDP_RADIUS,\n\tLPI_CATEGORY_REMOTE,\n\t\"Radius\",\n\t14,\n\tmatch_radius\n};\n\nvoid register_radius(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_radius, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_raknet.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_raknet_out(uint32_t payload, uint32_t len) {\n\n\tif (MATCHSTR(payload, \"\\x05\\x00\\xff\\xff\"))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_raknet_in(uint32_t payload, uint32_t len) {\n\n\tif (len != 28)\n\t\treturn false;\n\tif (MATCHSTR(payload, \"\\x06\\x00\\xff\\xff\"))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_raknet(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_raknet_out(data->payload[0], data->payload_len[0])) {\n\t\tif (match_raknet_in(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\tif (match_raknet_out(data->payload[1], data->payload_len[1])) {\n\t\tif (match_raknet_in(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_raknet = 
{\n\tLPI_PROTO_UDP_RAKNET,\n\tLPI_CATEGORY_GAMING,\n\t\"Raknet\",\n\t7,\n\tmatch_raknet\n};\n\nvoid register_raknet(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_raknet, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_ramseydash.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Gordon Ramsey Dash -- mobile game */\n\nstatic inline bool match_rdash_56da(uint32_t payload, uint32_t len) {\n\n        if (len == 24 && MATCH(payload, 0x56, 0xda, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_rdash_da57(uint32_t payload, uint32_t len) {\n\n        if (len >= 120 && len <= 320 && MATCH(payload, 0xda, 0x57, ANY, ANY))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_ramsey_dash(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_rdash_56da(data->payload[0], data->payload_len[0])) {\n                if (match_rdash_da57(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_rdash_56da(data->payload[1], data->payload_len[1])) {\n                if 
(match_rdash_da57(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ramsey_dash = {\n\tLPI_PROTO_UDP_RAMSEY_DASH,\n\tLPI_CATEGORY_GAMING,\n\t\"RamseyDash\",\n\t12,\n\tmatch_ramsey_dash\n};\n\nvoid register_ramsey_dash(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ramsey_dash, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_rdp_udp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_rdp_init(uint32_t payload, uint32_t len) {\n\n        if (len == 1232 && MATCHSTR(payload, \"\\xff\\xff\\xff\\xff\"))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_rdp_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Seen both 3389 and 4732 used as ports */\n\n        if (match_rdp_init(data->payload[0], data->payload_len[0])) {\n                if (match_rdp_init(data->payload[1], data->payload_len[1]))\n                        return true;\n\n                if (data->server_port == 4732 || data->client_port == 4732) {\n                        if (data->payload[1] != 0 && data->payload_len[1] == 1232)\n                                return true;\n                }\n                if (data->server_port == 3389 || data->client_port == 3389) {\n                        if 
(data->payload[1] != 0 && data->payload_len[1] == 1232)\n                                return true;\n                }\n        }\n\n        if (match_rdp_init(data->payload[1], data->payload_len[1])) {\n                if (data->server_port == 4732 || data->client_port == 4732) {\n                        if (data->payload[0] != 0 && data->payload_len[0] == 1232)\n                                return true;\n                }\n                if (data->server_port == 3389 || data->client_port == 3389) {\n                        if (data->payload[0] != 0 && data->payload_len[0] == 1232)\n                                return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_rdp_udp = {\n\tLPI_PROTO_UDP_RDP,\n\tLPI_CATEGORY_REMOTE,\n\t\"RDP_UDP\",\n\t200,\n\tmatch_rdp_udp\n};\n\nvoid register_rdp_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_rdp_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_real.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_real(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* The Real Data Transport is not explicitly documented in full,\n         * but these packets seem to resemble those examples we have been able\n         * to find.\n         *\n         * https://protocol.helixcommunity.org/2005/devdocs/RDT_Feature_Level_30.txt\n         */\n\n        if (!match_str_both(data, \"\\x00\\xff\\x03\\x00\", \"\\x00\\xff\\x04\\x49\"))\n                return false;\n\n        if (data->payload_len[0] == 3 && data->payload_len[1] == 11)\n                return true;\n        if (data->payload_len[1] == 3 && data->payload_len[0] == 11)\n                return true;\n\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_real = {\n\tLPI_PROTO_UDP_REAL,\n\tLPI_CATEGORY_STREAMING,\n\t\"RealPlayer\",\n\t3,\n\tmatch_real\n};\n\nvoid 
register_real(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_real, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_risingstorm.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* More specifically, this rule is based off Rising Storm 2 but it'll\n * probably match other Tripwire games including the original.\n *\n * TBC against real game traffic, but that costs $$.\n * All servers contacted were labelled as RS2 on various server tracking\n * sites, so that's enough for me.\n */\n\nstatic inline bool match_rs_0080(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x00, 0x80, 0x05, 0x20)) {\n                if (len == 10 || len == 17)\n                        return true;\n        }\n        return false;\n\n}\n\nstatic inline bool match_rs_00c0(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x00, 0xc0, ANY, 0x08)) {\n                if (len == 14)\n                        return true;\n        }\n        return false;\n}\n\nstatic inline bool match_rs_0108(uint32_t payload, uint32_t len) {\n\n   
     if (MATCH(payload, 0x00, 0x00, 0x01, 0x08)) {\n                if (len == 25 || len == 12)\n                        return true;\n        }\n        return false;\n}\n\nstatic inline bool match_risingstorm(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_rs_0080(data->payload[0], data->payload_len[0])) {\n                if (match_rs_0108(data->payload[1], data->payload_len[1]))\n                        return true;\n\n                if (match_rs_00c0(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_rs_0080(data->payload[1], data->payload_len[1])) {\n                if (match_rs_0108(data->payload[0], data->payload_len[0]))\n                        return true;\n\n                if (match_rs_00c0(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_risingstorm = {\n\tLPI_PROTO_UDP_RISING_STORM,\n\tLPI_CATEGORY_GAMING,\n\t\"RisingStorm\",\n\t12,\n\tmatch_risingstorm\n};\n\nvoid register_risingstorm(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_risingstorm, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_robocraft.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_robocraft_req(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x09, 0x0b, 0x00, 0x05))\n                return true;\n        if (MATCH(payload, 0x09, 0x0b, 0x07, 0xd0))\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_robocraft_resp(uint32_t payload, uint32_t len) {\n\n        if (MATCHSTR(payload, \"\\x0a\\x00\\xff\\xff\"))\n                return true;\n        return false;\n}\n\nstatic inline bool match_robocraft(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_robocraft_req(data->payload[0], data->payload_len[0])) {\n                if (match_robocraft_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_robocraft = 
{\n\tLPI_PROTO_UDP_ROBOCRAFT,\n\tLPI_CATEGORY_GAMING,\n\t\"Robocraft\",\n\t5,\n\tmatch_robocraft\n};\n\nvoid register_robocraft(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_robocraft, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_rocket_league.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Not confirmed -- RL costs too much money -- but pretty certain */\n\nstatic inline bool match_rl_1d(uint32_t payload, uint32_t len) {\n\n        if (len == 115 && MATCH(payload, 0x1d, 0x01, 0x00, 0x00)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_rl_1c(uint32_t payload, uint32_t len) {\n\n        if (len == 93 && MATCH(payload, 0x1c, 0x01, 0x00, 0x00)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_rocket_league(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_rl_1d(data->payload[0], data->payload_len[0])) {\n                if (match_rl_1c(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_rl_1c(data->payload[0], data->payload_len[0])) {\n            
    if (match_rl_1d(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_rocket_league = {\n\tLPI_PROTO_UDP_ROCKET_LEAGUE,\n\tLPI_CATEGORY_GAMING,\n\t\"RocketLeague\",\n\t175,\n\tmatch_rocket_league\n};\n\nvoid register_rocket_league(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_rocket_league, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_rrshare.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\n/* RRshare aka YYets aka Zimuzu  (app.zimuzu.tv) */\n\nstatic inline bool match_rr_short(uint32_t payload, uint32_t len) {\n        if (len == 43 && MATCH(payload, 0x00, 0x00, 0x00, ANY))\n                return true;\n        if (len == 43 && MATCH(payload, 0x15, 0x00, 0x00, ANY))\n                return true;\n        return false;\n}\n\nstatic inline bool match_rr_long(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x01, 0x02, 0x00, ANY))\n                return true;\n        return false;\n}\n\nstatic inline bool match_rr_05(uint32_t payload, uint32_t len) {\n        if (len == 0) {\n                return true;\n        }\n        if (MATCH(payload, 0x05, 0x00, 0x00, ANY))\n                return true;\n        return false;\n}\n\nstatic inline bool match_rrshare(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if 
(match_rr_short(data->payload[0], data->payload_len[0])) {\n                if (match_rr_long(data->payload[1], data->payload_len[1]))\n                        return true;\n                if (match_rr_short(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_rr_short(data->payload[1], data->payload_len[1])) {\n                if (match_rr_long(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_rr_long(data->payload[0], data->payload_len[0])) {\n                if (match_rr_05(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_rr_long(data->payload[1], data->payload_len[1])) {\n                if (match_rr_05(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_rrshare = {\n\tLPI_PROTO_UDP_RRSHARE,\n\tLPI_CATEGORY_P2P,\n\t\"RRShare\",\n\t149,\n\tmatch_rrshare\n};\n\nvoid register_rrshare(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_rrshare, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_rtcp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_rtcp_payload(uint32_t payload, uint32_t len) {\n        if (len == 0)\n                return true;\n        if (MATCH(payload, 0x81, 0xc8, 0x00, ANY))\n                return true;\n        if (MATCH(payload, 0x81, 0xc9, 0x00, ANY))\n                return true;\n        if (MATCH(payload, 0x80, 0xc9, 0x00, ANY))\n                return true;\n        if (MATCH(payload, 0x80, 0xc8, 0x00, ANY))\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_rtcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Watch out for one-way DNS... 
match_rtcp_payload() accepts a zero-length payload, so a one-way flow on port 53 could otherwise be reported as RTCP on the strength of one direction alone. */\n\tif (data->payload_len[0] == 0 || data->payload_len[1] == 0) {\n\t\tif (data->server_port == 53 || data->client_port == 53)\n\t\t\treturn false;\n\t}\n\n\tif (!match_rtcp_payload(data->payload[0], data->payload_len[0]))\n                return false;\n        if (!match_rtcp_payload(data->payload[1], data->payload_len[1]))\n                return false;\n        return true;\n\n}\n\nstatic lpi_module_t lpi_rtcp = {\n\tLPI_PROTO_UDP_RTCP,\n\tLPI_CATEGORY_VOIP,\n\t\"RTCP\",\n\t3,\n\tmatch_rtcp\n};\n\nvoid register_rtcp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_rtcp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_rtmfp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_rtmfp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* RTMFP is Adobe's proprietary P2P streaming protocol. There are two\n\t * stages - communicating with the Stratus servers and then talking\n\t * to the peers themselves */\n\n\t/* Basically we're matching pairs of packet sizes here - not very\n\t * reliable at all. Could be lots of false positives! 
*/\n\n\t/* Hitting the Stratus servers */\n\tif (data->payload_len[0] == 100 && data->payload_len[1] == 180)\n\t\treturn true;\n\tif (data->payload_len[1] == 100 && data->payload_len[0] == 180)\n\t\treturn true;\n\n\t/* P2P */\n\tif (data->payload_len[0] == 228 && data->payload_len[1] == 68)\n\t\treturn true;\n\tif (data->payload_len[1] == 228 && data->payload_len[0] == 68)\n\t\treturn true;\n\tif (data->payload_len[0] == 68 && data->payload_len[1] == 68)\n\t\treturn true;\n\tif (data->payload_len[1] == 68 && data->payload_len[0] == 68)\n\t\treturn true;\n\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_rtmfp = {\n\tLPI_PROTO_UDP_RTMFP,\n\tLPI_CATEGORY_STREAMING,\n\t\"RTMFP\",\n\t12,\n\tmatch_rtmfp\n};\n\nvoid register_rtmfp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_rtmfp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_rtp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_rtp_payload(uint32_t payload, uint32_t len, \n\t\tuint32_t other_len) {\n\n\t/* This rule seems very weak -- maybe need to capture some known\n         * RTP traffic to try and strengthen it?\n         */\n\n        /* Be stricter about packet length when looking at one-way flows */\n\tif (other_len == 0) {\n\t\tif (len != 32 && len != 92 && len != 172 && \n                                len != 31 && len != 24)\n\t\t\treturn false;\n\t}\n\n\tif (MATCH(payload, 0x80, ANY, ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, 0x90, ANY, ANY, ANY))\n\t\treturn true;\n\tif (MATCH(payload, 0x91, ANY, ANY, ANY))\n\t\treturn true;\n\n\treturn false;\n\n}\n\nstatic inline bool match_rtp_806d(uint32_t payload, uint32_t len) {\n\n        /* Common pattern we see on our local videoconf server */\n        if (len == 24 && MATCH(payload, 
0x80, 0x6d, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_rtp_80c9(uint32_t payload, uint32_t len) {\n        if (len == 94 && MATCH(payload, 0x80, 0xc9, 0x00, 0x01))\n                return true;\n        return false;\n}\n\nstatic inline bool match_rtcp_report(uint32_t payload, uint32_t len) {\n        if (len == 16 && MATCH(payload, 0x81, 0xcd, 0x00, 0x03))\n                return true;\n        if (len == 20 && MATCH(payload, 0x81, 0xcd, 0x00, 0x03))\n                return true;\n        if (len == 32 && MATCH(payload, 0x81, 0xc9, 0x00, 0x07))\n                return true;\n        if (len == 36 && MATCH(payload, 0x81, 0xc9, 0x00, 0x07))\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_stun_response(uint32_t payload, uint32_t len) {\n\n        uint32_t plen = ntohl(payload) & 0xffff;\n\t/* Many VOIP phones use STUN for NAT traversal, so the response to\n\t * outgoing RTP is often a STUN packet */\n\n\tif (len - 20 == plen && MATCH(payload, 0x00, 0x01, 0x00, ANY))\n\t\treturn true;\n        if (len == 12 && MATCH(payload, 0x00, 0x11, 0x00, 0x00))\n                return true;\n\n        /* Facebook-specific STUN? Message type 0x003 is not defined in\n         * any official STUN documentation */\n        if (len == 126 && MATCH(payload, 0x00, 0x03, 0x00, 0x6a))\n                return true;\n        if (len == 94 && MATCH(payload, 0x00, 0x03, 0x00, 0x4a))\n                return true;\n\n\treturn false;\n\n}\n\nstatic inline bool match_rtp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Watch out for one-way DNS... 
*/\n\tif (data->client_port == 53 || data->client_port == 53) {\n\t\tif (data->payload_len[0] == 0 || data->payload_len[1] == 0)\n\t\t\treturn false;\n\t}\n\n        if (match_rtp_806d(data->payload[0], data->payload_len[0])) {\n                if (match_rtp_payload(data->payload[1], data->payload_len[1],\n                                data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_rtp_806d(data->payload[1], data->payload_len[1])) {\n                if (match_rtp_payload(data->payload[0], data->payload_len[0],\n                                data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_rtp_80c9(data->payload[0], data->payload_len[0])) {\n                if (match_stun_response(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_rtp_80c9(data->payload[1], data->payload_len[1])) {\n                if (match_stun_response(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n\tif (match_rtp_payload(data->payload[0], data->payload_len[0], \n\t\t\tdata->payload_len[1])) {\n\t\tif (match_stun_response(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t\tif (match_rtp_payload(data->payload[1], data->payload_len[1], \n\t\t\t\tdata->payload_len[0])) {\n\t\t\tuint32_t a = ntohl(data->payload[0]) & 0xffff0000;\n\t\t\tuint32_t b = ntohl(data->payload[1]) & 0xffff0000;\n\n\t\t\tif (a == b)\n\t\t\t\treturn true;\n\t\t\treturn false;\n\t\t}\n\t\tif (data->payload_len[1] == 0)\n\t\t\treturn true;\n\t}\n\n\tif (match_rtp_payload(data->payload[1], data->payload_len[1], \n\t\t\tdata->payload_len[0])) {\n\t\tif (match_stun_response(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t}\n\n        if (match_rtcp_report(data->payload[0], data->payload_len[0])) {\n                if 
(match_rtp_payload(data->payload[1], data->payload_len[1],\n                                data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_rtcp_report(data->payload[1], data->payload_len[1])) {\n                if (match_rtp_payload(data->payload[0], data->payload_len[0],\n                                data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_rtp = {\n\tLPI_PROTO_UDP_RTP,\n\tLPI_CATEGORY_VOIP,\n\t\"RTP\",\n\t33,\n\tmatch_rtp\n};\n\nvoid register_rtp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_rtp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_rulesofsurvival.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Rules of Survival -- battle royale from NetEase for mobile and PC */\n\n/* Based on PC version -- mobile may be different? 
*/\n\nstatic inline bool match_ros_24(uint32_t payload, uint32_t len) {\n        if (len == 24 && MATCH(payload, 0x01, 0x00, 0x00, 0x0b)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_ros_32(uint32_t payload, uint32_t len) {\n        if (len == 32) {\n                /* Payload is seemingly random, so rule out common\n                 * patterns that are very unlikely to come up randomly.\n                 */\n                if (MATCH(payload, 0x00, 0x00, 0x00, 0x00)) {\n                        return false;\n                }\n                if (MATCHSTR(payload, \"\\xff\\xff\\xff\\xff\")) {\n                        return false;\n                }\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_rulesofsurvival(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_ros_24(data->payload[0], data->payload_len[0])) {\n                if (match_ros_32(data->payload[1], data->payload[1]))\n                        return true;\n        }\n\n        if (match_ros_24(data->payload[1], data->payload_len[1])) {\n                if (match_ros_32(data->payload[0], data->payload[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_rulesofsurvival = {\n\tLPI_PROTO_UDP_RULES_OF_SURVIVAL,\n\tLPI_CATEGORY_GAMING,\n\t\"RulesOfSurvival\",\n\t123,\n\tmatch_rulesofsurvival\n};\n\nvoid register_rulesofsurvival(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_rulesofsurvival, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_sanandreas_mp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Matches the GTA: San Andreas Multiplayer Mod -- http://www.sa-mp.com/ */\n\nstatic inline bool match_samp_request(uint32_t payload, uint32_t len) {\n        if (!MATCHSTR(payload, \"SAMP\"))\n                return false;\n        if (len != 71)\n                return false;\n        return true;\n\n}\n\nstatic inline bool match_samp_reply(uint32_t payload, uint32_t len) {\n        if (len == 0)\n                return true;\n        if (!MATCHSTR(payload, \"SAMP\"))\n                return false;\n        if (len == 11 || len == 15)\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_ffs_req(uint32_t payload, uint32_t len) {\n        if (len != 4)\n                return false;\n        if (MATCH(payload, 0x40, 0xb1, 0xd1, 0xef))\n                return true;\n        return false;\n}\n\nstatic inline bool 
match_ffs_resp(uint32_t payload, uint32_t len) {\n        if (len != 2)\n                return false;\n        if (MATCH(payload, 0x16, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_sanandreas_mp(lpi_data_t *data, \n                lpi_module_t *mod UNUSED) {\n\n        if (match_samp_request(data->payload[0], data->payload_len[0])) {\n                if (match_samp_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n        \n        if (match_samp_request(data->payload[1], data->payload_len[1])) {\n                if (match_samp_reply(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        /* Traffic seen on port 7777 for a SA-MP server called\n         * Fight Fun Server (ff-server.com). */\n        if (match_ffs_req(data->payload[1], data->payload_len[1])) {\n                if (match_ffs_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_ffs_req(data->payload[0], data->payload_len[0])) {\n                if (match_ffs_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_sanandreas_mp = {\n\tLPI_PROTO_UDP_SANANDREAS,\n\tLPI_CATEGORY_GAMING,\n\t\"GTA_SanAndreas_Multiplayer\",\n\t8,\n\tmatch_sanandreas_mp\n};\n\nvoid register_sanandreas_mp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_sanandreas_mp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_second_life.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_second_life_req(uint32_t payload, uint32_t len) {\n\n\tif (len != 46 && len != 54)\n\t\treturn false;\n\tif (!MATCH(payload, 0x40, 0x00, 0x00, 0x00))\n\t\treturn false;\n\treturn true;\n\n}\n\nstatic inline bool match_second_life(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Haven't actually seen any legit 2-way SecondLife exchanges, so\n\t * only speculating based on my interpretation of the specs\n\t *\n\t * http://wiki.secondlife.com/wiki/Packet_Layout\n\t */\n\n\tif (match_second_life_req(data->payload[0], data->payload_len[0])) {\n\t\tif (data->payload_len[1] == 0)\n\t\t\treturn true;\n\t\tif (MATCH(data->payload[1], ANY, 0x00, 0x00, 0x00)) {\n\t\t\tif (data->payload_len[1] < 15)\n\t\t\t\treturn false;\n                        return true;\n\t\t}\n\t}\n\n\tif (match_second_life_req(data->payload[1], 
data->payload_len[1])) {\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t\tif (MATCH(data->payload[0], ANY, 0x00, 0x00, 0x00)) {\n\t\t\tif (data->payload_len[0] < 15)\n\t\t\t\treturn false;\n                        return true;\n\t\t}\n\t}\n\treturn false;\n}\n\nstatic lpi_module_t lpi_second_life = {\n\tLPI_PROTO_UDP_SECONDLIFE,\n\tLPI_CATEGORY_GAMING,\n\t\"SecondLife_UDP\",\n\t6,\n\tmatch_second_life\n};\n\nvoid register_second_life_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_second_life, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_serialnumberd.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_serialnumberd(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\tif (MATCHSTR(data->payload[0], \"SNQU\")) {\n                if (data->payload_len[1] == 0)\n                        return true;\n                if (MATCHSTR(data->payload[1], \"SNRE\"))\n                        return true;\n        }\n\n        if (MATCHSTR(data->payload[1], \"SNQU\")) {\n                if (data->payload_len[0] == 0)\n                        return true;\n                if (MATCHSTR(data->payload[0], \"SNRE\"))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_serialnumberd = {\n\tLPI_PROTO_UDP_SERIALNUMBERD,\n\tLPI_CATEGORY_SERVICES,\n\t\"Serialnumberd\",\n\t3,\n\tmatch_serialnumberd\n};\n\nvoid register_serialnumberd(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_serialnumberd, 
mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_sip.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_sip_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_chars_either(data, 'S', 'I', 'P', ANY))\n                return true;\n\n\tif (match_str_either(data, \"BYE \"))\n\t\treturn true;\n\n        if (match_str_either(data, \"OPTI\") &&\n                        (data->payload_len[0] == 0 ||\n                        data->payload_len[1] == 0))\n                return true;\n        \n\tif (match_str_either(data, \"INVI\") &&\n                        (data->payload_len[0] == 0 ||\n                        data->payload_len[1] == 0))\n                return true;\n\n\tif (match_str_both(data, \"NOTI\", \"OPTI\"))\n\t\treturn true;\n\tif (match_str_both(data, \"OPTI\", \"REGI\"))\n\t\treturn true;\n\tif (match_str_both(data, \"NOTI\", \"REGI\"))\n\t\treturn true;\n\tif (match_str_both(data, \"NOTI\", 
\"INVI\"))\n\t\treturn true;\n\tif (match_str_either(data, \"REGI\") && \n                        (data->payload_len[0] == 0 ||\n                        data->payload_len[1] == 0))\n                return true;\n\tif (match_str_either(data, \"SUBS\")) {\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t\tif (data->payload_len[1] == 0)\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_sip_udp = {\n\tLPI_PROTO_UDP_SIP,\n\tLPI_CATEGORY_VOIP,\n\t\"SIP_UDP\",\n\t2,\n\tmatch_sip_udp\n};\n\nvoid register_sip_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_sip_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_skype.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_skype_rule1(lpi_data_t *data) {\n\n        /* This is one method for matching skype traffic - turns out there\n         * are other forms as well... 
*/\n\n        /* The third byte is always 0x02 in Skype UDP traffic - if we have\n         * payload in both directions we can probably match on that alone */\n\n\tuint32_t payload0 = ntohl(data->payload[0]);\n\tuint32_t payload1 = ntohl(data->payload[1]);\n\n\n        if (data->payload_len[0] > 0 && data->payload_len[1] > 0) {\n                if ((payload0 & 0x0000ff00) != 0x00000200)\n                        return false;\n                if ((payload1 & 0x0000ff00) != 0x00000200)\n                        return false;\n                return true;\n        }\n\n        /* Probes with no responses are trickier - likelihood of a random\n         * packet having 0x02 as the third byte is not small, so we'll try\n         * and filter on packet size too */\n\n        if (data->payload_len[0] >= 18 && data->payload_len[0] <= 137 ) {\n                if ((payload0 & 0x0000ff00) == 0x00000200)\n                        return true;\n        }\n        if (data->payload_len[1] >= 18 && data->payload_len[1] <= 137 ) {\n                if ((payload1 & 0x0000ff00) == 0x00000200)\n                        return true;\n        }\n\n        return false;\n}\n\n\nstatic inline bool match_skype_U1(uint32_t payload, uint32_t len) {\n\n        if (len < 18)\n                return false;\n        if ((ntohl(payload) & 0x0000ff00) == 0x00000200)\n                return true;\n\n        return false;\n\n}\n\nstatic inline bool match_skype_U2(uint32_t payload, uint32_t len) {\n\n        if (len != 11)\n                return false;\n        if ((ntohl(payload) & 0x00000f00) == 0x00000500)\n                return true;\n        if ((ntohl(payload) & 0x00000f00) == 0x00000700)\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_skype_rule2(lpi_data_t *data) {\n\n        /* What we're looking for here is an initiating message (called U1)\n         * matched with a response (called U2).\n         *\n         * The first two bytes of U1 and U2 must 
match.\n         *\n         * The third byte of U1 is always 0x02 (as with rule 1)\n         * \n         * The lower four bits of the third byte of U2 is always either 0x05\n         * or 0x07\n         *\n         * The length of U2 is always 11 bytes.\n         *\n         * The length of U1 is always between 18 and 31 bytes.\n         */\n\n        if ((ntohl(data->payload[0]) & 0xffff0000) != \n\t\t\t(ntohl(data->payload[1]) & 0xffff0000))\n                return false;\n\n        if (match_skype_U1(data->payload[0], data->payload_len[0])) {\n                if (match_skype_U2(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_skype_U1(data->payload[1], data->payload_len[1])) {\n                if (match_skype_U2(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        return false;\n}\n\n\nstatic inline bool match_meeting_stun_request(uint32_t payload, uint32_t len) {\n\n        if ((ntohl(payload) & 0xffff) != len - 4)\n                return false;\n\n        /* Checking for 0xff + ANY bytes is hard :( */\n        if ((ntohl(payload) & 0xff000000) != 0xff000000)\n                return false;\n\n        if (MATCH(payload, ANY, 0x10, ANY, ANY))\n                return true;\n\n        return false;\n\n}\n\nstatic inline bool match_meeting_stun_reply(uint32_t payload, uint32_t len) {\n\n        if ((ntohl(payload) & 0xffff) != len - 20)\n                return false;\n\n        if (MATCH(payload, 0x00, 0x01, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0x01, 0x01, ANY, ANY))\n                return true;\n\n        return false;\n\n}\n\nstatic inline bool match_skype_meeting_broadcast(lpi_data_t *data) {\n        /* This protocol is a LOT like STUN, but isn't really STUN. 
*/\n\n        /* TODO get hold of skype for business and double check this */\n\n        if (match_meeting_stun_request(data->payload[0], data->payload_len[0]))\n        {\n                if (match_meeting_stun_reply(data->payload[1],\n                                        data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_meeting_stun_request(data->payload[1], data->payload_len[1]))\n        {\n                if (match_meeting_stun_reply(data->payload[0],\n                                        data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n        return false;\n}\n\nstatic inline bool match_skype(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_skype_rule1(data))\n                return true;\n        if (match_skype_rule2(data))\n                return true;\n\n\n        if (match_skype_meeting_broadcast(data))\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_skype = {\n\tLPI_PROTO_UDP_SKYPE,\n\tLPI_CATEGORY_VOIP,\n\t\"Skype\",\n\t105,\t/* The Skype rules aren't strong, so have a low priority */\n\tmatch_skype\n};\n\nvoid register_skype(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_skype, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_slp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_slp_req(uint32_t payload, uint32_t len) {\n\n        /* According to RFC 2608, the 3rd and 4th bytes should be the \n         * length (including the SLP header). 
This doesn't appear to be the\n         * case with any of the port 427 traffic I've seen, so either I'm\n         * wrong or people fail at following RFCs */\n\n        if (MATCH(payload, 0x02, 0x01, 0x00, 0x00) && len == 49) {\n                return true;\n        }\n\n        return false;\n\n}\n\nstatic inline bool match_slp_resp(uint32_t payload, uint32_t len) {\n\n        /* I haven't actually observed any responses yet, so just going\n         * on what the spec says :/ */\n\n        if (len == 0)\n                return true;\n\n        if (MATCH(payload, 0x02, 0x02, ANY, ANY)) {\n                return true;\n        }\n\n        return false;\n}\n\n\nstatic inline bool match_slp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->server_port != 427 && data->client_port != 427)\n                return false;\n\n        if (match_slp_req(data->payload[0], data->payload_len[0])) {\n                if (match_slp_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n                return false;\n        }\n\n        if (match_slp_req(data->payload[1], data->payload_len[1])) {\n                if (match_slp_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n                return false;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_slp = {\n\tLPI_PROTO_UDP_SLP,\n\tLPI_CATEGORY_SERVICES,\n\t\"SLP\",\n\t5,\n\tmatch_slp\n};\n\nvoid register_slp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_slp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_smite.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_smite(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        \n        if (MATCH(data->payload[0], 0x01, 0x14, 0x00, 0x00)) {\n                if (MATCH(data->payload[1], 0x01, 0x14, 0x00, 0x00)) {\n                       return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_smite = {\n\tLPI_PROTO_UDP_SMITE,\n\tLPI_CATEGORY_GAMING,\n\t\"Smite\",\n\t55,\n\tmatch_smite\n};\n\nvoid register_smite(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_smite, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_snapvpn.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_snap_query(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, '2', '7', '3', 'P') && len < 50)\n                return true;\n        return false;\n}\n\nstatic inline bool match_snap_fail(uint32_t payload, uint32_t len) {\n        /* Saw this a lot when failing to connect to the server */\n        if (len == 14 && MATCH(payload, 0x0a, ANY, ANY, ANY))\n                return true;\n        return false;\n}\n\nstatic inline bool match_snapvpn(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Ports 21, 25, 109, 119 */\n\n        if (match_snap_query(data->payload[0], data->payload_len[0])) {\n                if (match_snap_query(data->payload[1], data->payload_len[1]))\n                        return true;\n                if (match_snap_fail(data->payload[1], data->payload_len[1]))\n                        
return true;\n        }\n\n        if (match_snap_query(data->payload[1], data->payload_len[1])) {\n                if (match_snap_fail(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_snapvpn = {\n\tLPI_PROTO_UDP_SNAPVPN,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"SnapVPN\",\n\t25,\n\tmatch_snapvpn\n};\n\nvoid register_snapvpn(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_snapvpn, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_snmp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_snmp_payload(uint32_t payload, uint32_t len) {\n\n        /* SNMP is BER encoded, which is an ass to decode */\n        uint8_t snmplen = 0;\n        uint8_t *byte;\n\n\tif (len == 0)\n\t\treturn true;\n\n        /* Must be a SEQUENCE */\n        if (!MATCH(payload, 0x30, ANY, ANY, ANY))\n                return false;\n\n        byte = ((uint8_t *)&payload) + 1;\n\n        if (*byte< 0x80) {\n                snmplen = *byte;\n\n                if (!MATCH(payload, 0x30, ANY, 0x02, 0x01))\n                        return false;\n                if (len - 2 != snmplen)\n                        return false;\n                return true;\n        }\n\n        if (*byte == 0x81) {\n                snmplen = *(byte + 1);\n\n                if (!MATCH(payload, 0x30, 0x81, ANY, 0x02))\n                        return false;\n             
   if (len - 3 != snmplen)\n                        return false;\n                return true;\n        }\n\n        if (*byte == 0x82) {\n                uint16_t longlen = *((uint16_t *)(byte + 1));\n\n                if (len - 4 != ntohs(longlen))\n                        return false;\n                return true;\n        }\n\n        return false;\n\n}\n\n\nstatic inline bool match_snmp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (!match_snmp_payload(data->payload[0], data->payload_len[0]))\n                return false;\n        if (!match_snmp_payload(data->payload[1], data->payload_len[1]))\n                return false;\n\n        return true;\n\n\n}\n\nstatic lpi_module_t lpi_snmp = {\n\tLPI_PROTO_UDP_SNMP,\n\tLPI_CATEGORY_MONITORING,\n\t\"SNMP\",\n\t3,\n\tmatch_snmp\n};\n\nvoid register_snmp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_snmp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_sopcast.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_sopcast_req(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0xff, 0xff, 0x01, ANY)) {\n                if (len == 52)\n                        return true;\n        }\n\n        return false;\n}\n\nstatic inline bool match_sopcast_reply(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x00, ANY, 0x02, ANY)) {\n                if (len == 80)\n                        return true;\n        }\n        if (MATCH(payload, 0x00, ANY, 0x01, ANY)) {\n                if (len == 60)\n                        return true;\n        }\n\n        return false;\n}\n\n\nstatic inline bool match_sopcast(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif ((data->payload[0] & 0xff000000) != (data->payload[1] & 0xff000000))\n                return false;\n\n        if (match_sopcast_req(data->payload[0], 
data->payload_len[0])) {\n                if (match_sopcast_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n                if (match_sopcast_req(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_sopcast_req(data->payload[1], data->payload_len[1])) {\n                if (match_sopcast_reply(data->payload[0], data->payload_len[0]))\n                        return true;\n                if (match_sopcast_req(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_sopcast = {\n\tLPI_PROTO_UDP_SOPCAST,\n\tLPI_CATEGORY_P2PTV,\n\t\"Sopcast\",\n\t5,\n\tmatch_sopcast\n};\n\nvoid register_sopcast(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_sopcast, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_spamfighter.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_spamfighter(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"DISC\"))\n\t\treturn true;\n\tif (match_str_either(data, \"SCP\\x03\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_spamfighter = {\n\tLPI_PROTO_UDP_SPAMFIGHTER,\n\tLPI_CATEGORY_ANTISPAM,\n\t\"SpamFighter\",\n\t3,\n\tmatch_spamfighter\n};\n\nvoid register_spamfighter(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_spamfighter, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_spotify_bcast.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Protocol used by Spotify to find other clients on the local network */\n\nstatic inline bool match_spotify_bcast(lpi_data_t *data, \n\t\tlpi_module_t *mod UNUSED) {\n\n\tif (!match_str_either(data, \"Spot\"))\n\t\treturn false;\n\t\n\tif (data->server_port != 57621 || data->client_port != 57621)\n\t\treturn false;\n\n\treturn true;\n}\n\nstatic lpi_module_t lpi_spotify_bcast = {\n\tLPI_PROTO_UDP_SPOTIFY_BROADCAST,\n\tLPI_CATEGORY_BROADCAST,\n\t\"SpotifyBroadcast\",\n\t14,\n\tmatch_spotify_bcast\n};\n\nvoid register_spotify_bcast(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_spotify_bcast, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_sql_worm.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_sql_worm(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* The recipient does not reply (with any luck!) */\n        if (data->payload_len[0] > 0 && data->payload_len[1] > 0)\n                return false;\n\n        if (match_chars_either(data, 0x04, 0x01, 0x01, 0x01))\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_sql_worm = {\n\tLPI_PROTO_UDP_SQLEXP,\n\tLPI_CATEGORY_MALWARE,\n\t\"SQLExp\",\n\t10,\n\tmatch_sql_worm\n};\n\nvoid register_sql_worm(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_sql_worm, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_ssdp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_ssdp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"M-SE\"))\n                return true;\n\n\tif (match_str_either(data, \"NOTI\")) {\n\t\tif (data->server_port != 1900)\n\t\t\treturn false;\n\t\tif (data->client_port != 1900)\n\t\t\treturn false;\n\t\treturn true;\n\t}\n\n        /* Check for SSDP reflection attacks */\n\tif (match_str_either(data, \"HTTP\")) {\n\t\t/* usually only the source port is 1900 */\n                if (data->server_port != 1900 && data->client_port != 1900)\n\t\t\treturn false;\n\n                /* the request usually has a spoofed address so we won't\n                 * see payload in one direction.\n                 * NOTE(review): the test below checks payload_len[0] twice;\n                 * the second operand was presumably meant to be\n                 * payload_len[1] -- confirm. */\n                if (data->payload_len[0] != 0 && data->payload_len[0] != 0)\n                        return false;\n\t\treturn true;\n\t}\n\n\treturn 
false;\n}\n\nstatic lpi_module_t lpi_ssdp = {\n\tLPI_PROTO_UDP_SSDP,\n\tLPI_CATEGORY_SERVICES,\n\t\"SSDP\",\n\t5,\n\tmatch_ssdp\n};\n\nvoid register_ssdp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ssdp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_starcitizen.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_sc_13(uint32_t payload, uint32_t len) {\n\n        if (len == 13 && MATCH(payload, 0x43, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_sc_67(uint32_t payload, uint32_t len) {\n\n        if (len == 67 && MATCH(payload, 0x43, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_starcitizen(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 64090 */\n        if (match_sc_13(data->payload[0], data->payload_len[0])) {\n                if (match_sc_13(data->payload[1], data->payload_len[1]))\n                        return true;\n                if (match_sc_67(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_sc_13(data->payload[1], 
data->payload_len[1])) {\n                if (match_sc_67(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_starcitizen = {\n\tLPI_PROTO_UDP_STARCITIZEN,\n\tLPI_CATEGORY_GAMING,\n\t\"StarCitizen\",\n\t39,\n\tmatch_starcitizen\n};\n\nvoid register_starcitizen(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_starcitizen, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_starcraft.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_sc_message(uint32_t payload, uint32_t len) {\n\n        /* http://forum.valhallalegends.com/index.php?topic=17702.0 */\n\n        /* Starcraft header is 16 bytes - most bodies are either one or\n         * two bytes */\n\n        if (MATCH(payload, 0x00, 0x00, 0x00, 0x00) && len == 16)\n                return true;\n        if (MATCH(payload, 0x00, 0x00, 0x00, 0x00) && len == 17)\n                return true;\n        if (MATCH(payload, 0x00, 0x00, 0x00, 0x00) && len == 18)\n                return true;\n\n        /* 34 also seems possible */\n        if (MATCH(payload, 0x00, 0x00, 0x00, 0x00) && len == 34)\n                return true;\n\n\n        return false;\n}\n\nstatic inline bool match_sc_remaster_01(uint32_t payload, uint32_t len) {\n        /* New protocol that has been implemented as part of the\n         * 
remaster.\n         */\n\tif (len == 0)\n\t\treturn true;\n        if (len < 50 && MATCH(payload, 0x08, 0x01, 0x12, 0x14))\n                return true;\n        if (len < 50 && MATCH(payload, 0x08, 0x01, 0x12, 0x10))\n                return true;\n        if (len < 50 && MATCH(payload, 0x08, 0x01, 0x12, 0x11))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_sc_remaster_02(uint32_t payload, uint32_t len) {\n        /* New protocol that has been implemented as part of the\n         * remaster.\n         */\n        if (len < 50 && MATCH(payload, 0x08, 0x02, 0x12, 0x18))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_starcraft(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->server_port != 6112 && data->client_port != 6112)\n                return false;\n\n        if (match_sc_remaster_01(data->payload[0], data->payload_len[0])) {\n                if (match_sc_remaster_01(data->payload[1], data->payload_len[1]))\n                        return true;\n                if (match_sc_remaster_02(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_sc_remaster_01(data->payload[1], data->payload_len[1])) {\n                if (match_sc_remaster_01(data->payload[0], data->payload_len[0]))\n                        return true;\n                if (match_sc_remaster_02(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (!match_sc_message(data->payload[0], data->payload_len[0]))\n                return false;\n        if (!match_sc_message(data->payload[1], data->payload_len[1]))\n                return false;\n\n        return true;\n\t\n\n}\n\nstatic lpi_module_t lpi_starcraft = {\n\tLPI_PROTO_UDP_STARCRAFT,\n\tLPI_CATEGORY_GAMING,\n\t\"Starcraft\",\n\t4,\n\tmatch_starcraft\n};\n\nvoid register_starcraft(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_starcraft, 
mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_starleaf.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_slp(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x00, 0x00, 0x00, 0x00) && len == 9)\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_starleaf(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Restrict to port 24704 */\n        if (data->server_port != 24704 && data->client_port != 24704)\n                return false;\n\n        if (match_slp(data->payload[0], data->payload_len[0])) {\n                if (match_slp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_starleaf = {\n\tLPI_PROTO_UDP_STARLEAF,\n\tLPI_CATEGORY_VOIP,\n\t\"StarLeaf\",\n\t122,\n\tmatch_starleaf\n};\n\nvoid register_starleaf(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_starleaf, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_steam.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_39_request(uint32_t payload, uint32_t len) {\n\n\tif (len != 4)\n\t\treturn false;\n\tif (!MATCH(payload, 0x39, 0x18, 0x00, 0x00))\n\t\treturn false;\n\t\n\treturn true;\n\n}\n\nstatic inline bool match_3a_response(uint32_t payload, uint32_t len) {\n\n\tif (len == 0)\n\t\treturn true;\n\n\tif (len != 8)\n\t\treturn false;\n\tif (!MATCH(payload, 0x3a, 0x18, 0x00, 0x00))\n\t\treturn false;\n\t\n\treturn true;\n\n}\n\nstatic inline bool match_steam_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Master Server Queries begin with 31 ff 30 2e\n         *\n         * NOTE: the ff byte can vary depending on the region that the user\n         * is querying for, but ff is the \"all regions\" option and is the\n         * typical default. 
\n         */\n        if (match_str_either(data, \"\\x31\\xff\\x30\\x2e\")\n                        && match_str_either(data, \"\\xff\\xff\\xff\\xff\")) {\n                return true;\n        }\n\n        /* Server Info queries are always 53 bytes and begin with ff ff ff ff.\n         * The reply also begins with ff ff ff ff but can vary in size */\n\n        if (MATCHSTR(data->payload[0], \"\\xff\\xff\\xff\\xff\") &&\n                data->payload_len[0] == 25 &&\n                (MATCHSTR(data->payload[1], \"\\xff\\xff\\xff\\xff\") ||\n                data->payload_len[1] == 0)) {\n\n                return true;\n        }\n\n        if (MATCHSTR(data->payload[1], \"\\xff\\xff\\xff\\xff\") &&\n                data->payload_len[1] == 25 &&\n                (MATCHSTR(data->payload[0], \"\\xff\\xff\\xff\\xff\") ||\n                data->payload_len[0] == 0)) {\n\n                return true;\n        }\n\n\t/* This stuff is definitely related to Steam or some game played\n\t * over Steam - need to look into this more at some point */\n\n\tif (match_39_request(data->payload[0], data->payload_len[0])) {\n\t\tif (match_3a_response(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_39_request(data->payload[1], data->payload_len[1])) {\n\t\tif (match_3a_response(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\t\n\treturn false;\n}\n\nstatic lpi_module_t lpi_steam_udp = {\n\tLPI_PROTO_UDP_STEAM,\n\tLPI_CATEGORY_GAMING,\n\t\"Steam_UDP\",\n\t4,\n\tmatch_steam_udp\n};\n\nvoid register_steam_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_steam_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_steam_inhomebroadcast.cc",
    "content": "/* \n * This file is part of libprotoident\n *\n * Copyright (c) 2011 The University of Waikato, Hamilton, New Zealand.\n * Author: Shane Alcock\n *\n * With contributions from:\n *      Aaron Murrihy\n *      Donald Neal\n *\n * All rights reserved.\n *\n * This code has been developed by the University of Waikato WAND \n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License as published by\n * the Free Software Foundation; either version 2 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License\n * along with libprotoident; if not, write to the Free Software\n * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA\n *\n * $Id$\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_steam_inhomebroadcast_ports(uint16_t porta, uint16_t portb) {\n\tif (porta == 27036 && portb == 27036)\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_steam_inhomebroadcast(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (!match_steam_inhomebroadcast_ports(data->server_port, data->client_port))\n\t\treturn false;\n\n    if (data->payload_len[0] == 0 || data->payload_len[1] == 0) {\n        if (match_str_both(data, \"\\xff\\xff\\xff\\xff\", \"\\x00\\x00\\x00\\x00\"))\n            return true;    \n    }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_steam_inhomebroadcast = 
{\n\tLPI_PROTO_UDP_STEAM_INHOMEBROADCAST,\n\tLPI_CATEGORY_GAMING,\n\t\"Steam_InHome_Broadcast\",\n\t9,\n\tmatch_steam_inhomebroadcast\n};\n\nvoid register_steam_inhomebroadcast(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_steam_inhomebroadcast, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_steam_localbroadcast.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* This protocol is something I observed on a laptop running a Steam client.\n * It just constantly spams 255.255.255.255 with these packets and I found\n * some references to Steam when trying to find out what it was, e.g.\n * http://ask.wireshark.org/questions/11566/possible-malware-on-network\n *\n */\n\nstatic inline bool match_steam_ports(uint16_t port_a, uint16_t port_b) {\n\t\n\tif (port_a == 10007 || port_b == 10007)\n\t\treturn true;\n\tif (port_a == 10019 || port_b == 10019)\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_steam_request(uint32_t payload, uint32_t len) {\n\n\tif (len != 128)\n\t\treturn false;\n\tif (MATCHSTR(payload, \"\\x00\\xff\\x00\\x00\"))\n\t\treturn true;\n\tif (MATCHSTR(payload, \"\\xf0\\xff\\x00\\x00\"))\n\t\treturn true;\n\n\treturn false;\n}\n\t\n\nstatic inline bool match_steam_reply(uint32_t 
payload, uint32_t len) {\n\n\t/* Not seen a valid reply yet, so just check for no reply */\n\tif (len == 0)\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_steam_localbroadcast(lpi_data_t *data, \n\t\tlpi_module_t *mod UNUSED) {\n\n\tif (!match_steam_ports(data->server_port, data->client_port)) {\n\t\treturn false;\n\t}\n\n\tif (match_steam_request(data->payload[0], data->payload_len[0])) {\n\t\tif (match_steam_reply(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_steam_request(data->payload[1], data->payload_len[1])) {\n\t\tif (match_steam_reply(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\treturn false;\n}\n\nstatic lpi_module_t lpi_steam_localbroadcast = {\n\tLPI_PROTO_UDP_STEAM_LOCALBROADCAST,\n\tLPI_CATEGORY_BROADCAST,\n\t\"SteamLocalBroadcast\",\n\t16,\n\tmatch_steam_localbroadcast\n};\n\nvoid register_steam_localbroadcast(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_steam_localbroadcast, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_steamfriends.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_steamfriends(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \"VS01\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_steamfriends = {\n\tLPI_PROTO_UDP_STEAM_FRIENDS,\n\tLPI_CATEGORY_GAMING,\n\t\"Steam_Friends\",\n\t3,\n\tmatch_steamfriends\n};\n\nvoid register_steamfriends(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_steamfriends, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_storm_worm.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_storm_worm(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* This pattern is observed on ports 4000, 7871 and 11271 which are\n         * all known port numbers for this trojan */\n\n        if (MATCH(data->payload[0], 0xe3, 0x1b, 0xd6, 0x21)) {\n                if (data->payload_len[0] != 4)\n                        return false;\n                if (data->payload_len[1] == 0)\n                        return true;\n                if (MATCH(data->payload[1], 0xe3, 0x0c, 0x66, 0xe6))\n                        return true;\n        }\n\n        if (MATCH(data->payload[1], 0xe3, 0x1b, 0xd6, 0x21)) {\n                if (data->payload_len[1] != 4)\n                        return false;\n                if (data->payload_len[0] == 0)\n                        return true;\n                if (MATCH(data->payload[0], 0xe3, 0x0c, 
0x66, 0xe6))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_storm_worm = {\n\tLPI_PROTO_UDP_STORM_WORM,\n\tLPI_CATEGORY_MALWARE,\n\t\"StormWorm\",\n\t10,\n\tmatch_storm_worm\n};\n\nvoid register_storm_worm(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_storm_worm, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_stun.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic bool match_facetime_stun_request(uint32_t payload, uint32_t len) {\n\n        /* Bytes 3 and 4 are the Message Length - the STUN header */\n        if ((ntohl(payload) & 0x0000ffff) != len - 20)\n                return false;\n\n        if (MATCH(payload, 0x0f, 0xe0, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0x0f, 0xe1, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0x0f, 0xe4, ANY, ANY))\n                return true;\n        return false;\n\n}\n\nstatic bool match_facetime_stun_response(uint32_t payload, uint32_t len) {\n\n        /* Bytes 3 and 4 are the Message Length - the STUN header */\n        if ((ntohl(payload) & 0x0000ffff) != len - 20)\n                return false;\n\n        if (MATCH(payload, 0x0e, 0xe0, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0x0e, 
0xe1, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0x0e, 0xe4, ANY, ANY))\n                return true;\n        return false;\n\n}\n\nstatic bool match_skype_stun_request(uint32_t payload, uint32_t len) {\n\n        /* Bytes 3 and 4 are the Message Length, which excludes the\n         * 20-byte STUN header */\n        if ((ntohl(payload) & 0x0000ffff) != len - 20)\n                return false;\n\n        /* These flows start with an Allocate Request */\n        if (MATCH(payload, 0x00, 0x03, ANY, ANY))\n                return true;\n\n        return false;\n\n}\n\nstatic bool match_stun_payload(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n\n        /* Bytes 3 and 4 are the Message Length, which excludes the\n         * 20-byte STUN header */\n        if ((ntohl(payload) & 0x0000ffff) != len - 20)\n                return false;\n\n        if (MATCH(payload, 0x00, 0x01, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0x01, 0x01, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0x01, 0x11, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0x00, 0x03, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0x01, 0x03, ANY, ANY))\n                return true;\n        if (MATCH(payload, 0x01, 0x13, ANY, ANY))\n                return true;\n\n        /* Data Indication message (used by Skype) */\n        if (MATCH(payload, 0x01, 0x15, ANY, ANY))\n                return true;\n\n        return false;\n\n}\n\n\nstatic inline bool match_stun(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* This seems to be a special response containing a STUN token\n         *\n         * Not very well-documented though :(\n         */\n\n        if (match_str_either(data, \"RSP/\"))\n                return true;\n\n        if (match_stun_payload(data->payload[0], data->payload_len[0])) {\n                if (match_stun_payload(data->payload[1], data->payload_len[1]))\n                        return true;\n     
   }\n\n        if (match_facetime_stun_request(data->payload[0], data->payload_len[0]))\n        {\n                if ((data->payload[0] & 0xff0000) ==\n                                (data->payload[1] & 0xff0000) && \n                                match_facetime_stun_response(data->payload[1],\n                                        data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_facetime_stun_request(data->payload[1], data->payload_len[1]))\n        {\n                /* Byte 2 must match for both directions */\n                if ((data->payload[0] & 0xff0000) ==\n                                (data->payload[1] & 0xff0000) && \n                                match_facetime_stun_response(data->payload[0],\n                                        data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_stun = {\n\tLPI_PROTO_UDP_STUN,\n\tLPI_CATEGORY_NAT,\n\t\"STUN\",\n\t3,\n\tmatch_stun\n};\n\nvoid register_stun(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_stun, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_syslog.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_syslog_payload(uint32_t pload) {\n\n\t/* Syslog starts with <PRI>, where PRI is a number between 0 and 191 */\n\n\tif (MATCH(pload, '<', ANY, '>', ANY))\n\t\treturn true;\n\tif (MATCH(pload, '<', ANY, ANY, '>'))\n\t\treturn true;\n\tif (MATCH(pload, '<', '1', ANY, ANY))\n\t\treturn true;\n\n\treturn false;\n\t\n\n}\n\nstatic inline bool match_syslog(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->server_port != 514 && data->client_port != 514)\n\t\treturn false;\n\n\tif (data->payload_len[0] == 0) {\n\t\tif (match_syslog_payload(data->payload[1]))\n\t\t\treturn true;\n\t}\n\n\tif (data->payload_len[1] == 0) {\n\t\tif (match_syslog_payload(data->payload[0]))\n\t\t\treturn true;\n\t}\n\treturn false;\n}\n\nstatic lpi_module_t lpi_syslog = 
{\n\tLPI_PROTO_UDP_SYSLOG,\n\tLPI_CATEGORY_LOGGING,\n\t\"Syslog\",\n\t6,\n\tmatch_syslog\n};\n\nvoid register_syslog(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_syslog, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_talesrunner_udp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_tr_1b(uint32_t payload, uint32_t len) {\n        if (len == 8 && MATCH(payload, 0x1b, 0x00, 0xb2, 0x1a))\n                return true;\n        return false;\n}\n\nstatic inline bool match_tr_1e(uint32_t payload, uint32_t len) {\n        if (len == 8 && MATCH(payload, 0x1e, 0x00, 0x6b, 0x51))\n                return true;\n        return false;\n}\n\nstatic inline bool match_talesrunner_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (MATCH(data->payload[0], 0x1d, 0x00, 0x67, 0x01)) {\n                if (MATCH(data->payload[1], 0x1d, 0x00, 0x61, 0x01)) {\n\n                        /* One of the packets is always 8 bytes */\n                        if (data->payload_len[0] == 8 ||\n                                        data->payload_len[1] == 8) {\n                                return true;\n                 
       }\n                }\n        }\n\n        if (match_tr_1b(data->payload[0], data->payload_len[0])) {\n                if (match_tr_1b(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\n        if (match_tr_1e(data->payload[0], data->payload_len[0])) {\n                if (match_tr_1e(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_talesrunner_udp = {\n\tLPI_PROTO_UDP_TALESRUNNER,\n\tLPI_CATEGORY_GAMING,\n\t\"TalesrunnerUDP\",\n\t59,\n\tmatch_talesrunner_udp\n};\n\nvoid register_talesrunner_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_talesrunner_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_teamspeak.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_ts3_req(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 'T', 'S', '3', 'I'))\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_ts3_resp(uint32_t payload, uint32_t len,\n                uint16_t porta, uint16_t portb) {\n        if (len == 0)\n                return true;\n\n        if (MATCH(payload, 'T', 'S', '3', 'I'))\n                return true;\n\n        /* Seem to get some encrypted responses, but the only ones I've \n         * seen so far are either 181 or 182 bytes. 
Enforce the expected\n         * TeamSpeak port in this case, just to be safe. Note that the\n         * length test below also accepts 180 bytes.\n         */\n        if ((len >= 180 && len <= 182) && (porta == 9987 || portb == 9987))\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_teamspeak(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Teamspeak version 2 */\n        if (match_str_both(data, \"\\xf4\\xbe\\x03\\x00\", \"\\xf4\\xbe\\x03\\x00\"))\n                return true;\n        /* Teamspeak version 3 */\n        if (match_ts3_req(data->payload[0], data->payload_len[0])) {\n                if (match_ts3_resp(data->payload[1], data->payload_len[1],\n                                data->server_port, data->client_port))\n                        return true;\n        }\n\n        if (match_ts3_req(data->payload[1], data->payload_len[1])) {\n                if (match_ts3_resp(data->payload[0], data->payload_len[0],\n                                data->server_port, data->client_port))\n                        return true;\n        }\n\n\t/* Not sure what this is, but it goes to a teamspeak.org server */\n\tif (match_str_either(data, \"\\x07Pri\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_teamspeak = {\n\tLPI_PROTO_UDP_TEAMSPEAK,\n\tLPI_CATEGORY_VOIP,\n\t\"TeamSpeak\",\n\t3,\n\tmatch_teamspeak\n};\n\nvoid register_teamspeak(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_teamspeak, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_teamviewer.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_tv_payload(uint32_t payload, uint32_t len) {\n\n\tif (len == 0)\n\t\treturn true;\n\tif (len != 88)\n\t\treturn false;\n\tif (!MATCH(payload, ANY, ANY, ANY, 0x17))\n\t\treturn false;\n\treturn true;\n\n}\n\nstatic inline bool match_teamviewer_classic_udp(lpi_data_t *data) {\n\n\tif (!match_tv_payload(data->payload[0], data->payload_len[0]))\n\t\treturn false;\n\tif (!match_tv_payload(data->payload[1], data->payload_len[1]))\n\t\treturn false;\n\n\treturn true;\n}\n\nstatic inline bool match_teamviewer_96(uint32_t payload, uint32_t len) {\n        if (len == 0)\n                return true;\n        if (len == 96 && MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_tv_1024(uint32_t payload, uint32_t len) {\n        if (len == 1024 && MATCH(payload, 0x00, 
0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_tv_48(uint32_t payload, uint32_t len) {\n        if (len == 48 && MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_teamviewer_udp(lpi_data_t *data, lpi_module_t *module UNUSED) {\n\n        if (match_teamviewer_classic_udp(data))\n                return true;\n\n        if (match_teamviewer_96(data->payload[0], data->payload_len[0])) {\n                if (match_teamviewer_96(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (data->server_port == 5938 || data->client_port == 5938) {\n                if (match_tv_1024(data->payload[0], data->payload_len[0])) {\n                        if (match_tv_48(data->payload[1], data->payload_len[1]))\n                                return true;\n                }\n                if (match_tv_1024(data->payload[1], data->payload_len[1])) {\n                        if (match_tv_48(data->payload[0], data->payload_len[0]))\n                                return true;\n                }\n        }\n        return false;\n}\n\nstatic lpi_module_t lpi_teamviewer = {\n\tLPI_PROTO_UDP_TEAMVIEWER,\n\tLPI_CATEGORY_REMOTE,\n\t\"TeamViewer_UDP\",\n\t115,\n\tmatch_teamviewer_udp\n};\n\nvoid register_teamviewer_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_teamviewer, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_teredo.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic bool match_teredo_payload(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n        if (MATCH(payload, 0x00, 0x01, 0x00, 0x00)) {\n                if (len == 61 || len == 109 || len == 77)\n                        return true;\n        }\n\n        /* Matching v6 traffic */\n        if (MATCH(payload, 0x60, 0x00, 0x00, 0x00) && len >= 4) {\n                return true;\n        }\n\n        /* We also see this in flows that have the same 5 tuple as other\n         * Teredo flows */\n\n        if (MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return false;\n\n        if (len == 48 && MATCH(payload, 0x00, 0x00, ANY, ANY))\n                return true;\n\n\n        return false;\n\n}\n\n\nstatic inline bool match_teredo(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->server_port == 53 
|| data->client_port == 53) {\n\t\tif (data->payload_len[0] == 0)\n\t                return false;\n\t\tif (data->payload_len[1] == 0)\n\t                return false;\n\t}\n\n        if (!match_teredo_payload(data->payload[0], data->payload_len[0]))\n                return false;\n        if (!match_teredo_payload(data->payload[1], data->payload_len[1]))\n                return false;\n\n        return true;\n}\n\nstatic lpi_module_t lpi_teredo = {\n\tLPI_PROTO_UDP_TEREDO,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"Teredo\",\n\t6,\n\tmatch_teredo\n};\n\nvoid register_teredo(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_teredo, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_tf2.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_tf2_20(uint32_t payload, uint32_t len) {\n        if (len == 20 && MATCHSTR(payload, \"\\xff\\xff\\xff\\xff\"))\n                return true;\n        return false;\n}\n\nstatic inline bool match_tf2_39(uint32_t payload, uint32_t len) {\n        if (len == 39 && MATCHSTR(payload, \"\\xff\\xff\\xff\\xff\"))\n                return true;\n        return false;\n}\n\nstatic inline bool is_okport(lpi_data_t *data) {\n        if (data->server_port == 27015 && data->client_port == 27015)\n                return true;\n        if (data->server_port == 27005 || data->client_port == 27005)\n                return true;\n        return false;\n}\n\nstatic inline bool match_tf2(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (!is_okport(data))\n                return false;\n\n        if (match_tf2_20(data->payload[0], 
data->payload_len[0])) {\n                if (match_tf2_39(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_tf2_20(data->payload[1], data->payload_len[1])) {\n                if (match_tf2_39(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_tf2 = {\n\tLPI_PROTO_UDP_TF2,\n\tLPI_CATEGORY_GAMING,\n\t\"TeamFortress2\",\n\t100,\n\tmatch_tf2\n};\n\nvoid register_tf2(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_tf2, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_tftp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_tftp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Read request */\n        if (MATCH(data->payload[0], 0x00, 0x01, ANY, ANY)) {\n                if (data->server_port != 69 && data->client_port != 69)\n                        return false;\n                if (data->payload_len[1] == 0)\n                        return true;\n                if (MATCH(data->payload[1], 0x00, 0x03, ANY, ANY))\n                        return true;\n                if (MATCH(data->payload[1], 0x00, 0x05, ANY, ANY))\n                        return true;\n        }\n\n        if (MATCH(data->payload[1], 0x00, 0x01, ANY, ANY)) {\n                if (data->server_port != 69 && data->client_port != 69)\n                        return false;\n                if (data->payload_len[0] == 0)\n                        return true;\n                if 
(MATCH(data->payload[0], 0x00, 0x03, ANY, ANY))\n                        return true;\n                if (MATCH(data->payload[0], 0x00, 0x05, ANY, ANY))\n                        return true;\n        }\n\n        /* Write request */\n        if (MATCH(data->payload[0], 0x00, 0x02, ANY, ANY)) {\n                if (data->server_port != 69 && data->client_port != 69)\n                        return false;\n                if (data->payload_len[1] == 0)\n                        return true;\n                if (MATCH(data->payload[1], 0x00, 0x04, ANY, ANY))\n                        return true;\n                if (MATCH(data->payload[1], 0x00, 0x05, ANY, ANY))\n                        return true;\n        }\n\n        if (MATCH(data->payload[1], 0x00, 0x02, ANY, ANY)) {\n                if (data->server_port != 69 && data->client_port != 69)\n                        return false;\n                if (data->payload_len[0] == 0)\n                        return true;\n                if (MATCH(data->payload[0], 0x00, 0x04, ANY, ANY))\n                        return true;\n                if (MATCH(data->payload[0], 0x00, 0x05, ANY, ANY))\n                        return true;\n        }\n\n\t/* Some systems will switch to a different port for the file \n         * transfer itself, so the request is in a different flow */\n        if (MATCH(data->payload[0], 0x00, 0x03, 0x00, 0x01)) {\n                if (data->payload_len[1] == 0)\n                        return true;\n                if (MATCH(data->payload[1], 0x00, 0x05, ANY, ANY))\n                        return true;\n\n                /* Acks (0x04) must be 4 bytes */\n                if (data->payload_len[1] != 4)\n                        return false;\n                if (MATCH(data->payload[1], 0x00, 0x04, 0x00, 0x01))\n                        return true;\n        }\n\n        if (MATCH(data->payload[1], 0x00, 0x03, 0x00, 0x01)) {\n                if (data->payload_len[0] == 0)\n                        return 
true;\n                if (MATCH(data->payload[0], 0x00, 0x05, ANY, ANY))\n                        return true;\n\n                /* Acks (0x04) must be 4 bytes */\n                if (data->payload_len[0] != 4)\n                        return false;\n                if (MATCH(data->payload[0], 0x00, 0x04, 0x00, 0x01))\n                        return true;\n        }\n\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_tftp = {\n\tLPI_PROTO_UDP_TFTP,\n\tLPI_CATEGORY_FILES,\n\t\"TFTP\",\n\t5,\n\tmatch_tftp\n};\n\nvoid register_tftp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_tftp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_thecrew.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_thecrew_hello(uint32_t payload, uint32_t len) {\n\n        if (MATCHSTR(payload, \"\\xff\\xff\\xff\\xff\")) {\n                if (len == 50)\n                        return true;\n                if (len == 39)\n                        return true;\n                if (len == 60)\n                        return true;\n        }\n        return false;\n\n}\n\nstatic inline bool match_thecrew(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 3001 && data->client_port != 3001 &&\n                        data->server_port != 10000 &&\n                        data->client_port != 10000) {\n                return false;\n        }\n\n        if (match_thecrew_hello(data->payload[0], data->payload_len[0])) {\n                if (match_thecrew_hello(data->payload[1], data->payload_len[1]))\n             
           return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_thecrew = {\n\tLPI_PROTO_UDP_THE_CREW,\n\tLPI_CATEGORY_GAMING,\n\t\"TheCrew\",\n\t75,\n\tmatch_thecrew\n};\n\nvoid register_thecrew(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_thecrew, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_thq.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_thq(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* I *suspect* this is the protocol used by RTS games released by\n         * THQ - haven't been able to confirm for sure, though\n         *\n         * Most traffic is on port 6112, which is used by Blizzard and THQ\n         * games, but we already have rules for most Blizzard stuff */\n\n        /* The ANY byte also matches the packet length - 17, if we need \n         * further matching rules */\n        if (data->payload_len[0] != 0 &&\n                        !MATCH(data->payload[0], 'Q', 'N', 'A', ANY))\n                return false;\n        if (data->payload_len[1] != 0 &&\n                        !MATCH(data->payload[1], 'Q', 'N', 'A', ANY))\n                return false;\n\n        return true;\n\n}\n\nstatic lpi_module_t lpi_thq = 
{\n\tLPI_PROTO_UDP_THQ,\n\tLPI_CATEGORY_GAMING,\n\t\"THQ\",\n\t3,\n\tmatch_thq\n};\n\nvoid register_thq(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_thq, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_torchlight2.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_tl2_00(uint32_t payload, uint32_t len) {\n\n        if (len == 13 && MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_tl2_01(uint32_t payload, uint32_t len) {\n\n        if (len == 13 && MATCH(payload, 0x01, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_torchlight2(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_tl2_00(data->payload[0], data->payload_len[0])) {\n                if (match_tl2_01(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_tl2_00(data->payload[1], data->payload_len[1])) {\n                if (match_tl2_01(data->payload[0], data->payload_len[0]))\n                        return true;\n        
}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_torchlight2 = {\n\tLPI_PROTO_UDP_TORCHLIGHT2,\n\tLPI_CATEGORY_GAMING,\n\t\"Torchlight2\",\n\t201,\n\tmatch_torchlight2\n};\n\nvoid register_torchlight2(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_torchlight2, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_tox.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Open source encrypted skype replacement */\n\nstatic inline bool match_tox_get(uint32_t payload, uint32_t len) {\n\n        if (len == 113 && MATCH(payload, 0x02, ANY, ANY, ANY))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_tox_reply(uint32_t payload, uint32_t len) {\n        \n        /* Not sure on these length restrictions */\n        if (len == 238 && MATCH(payload, 0x04, ANY, ANY, ANY))\n                return true;\n        if (len == 354 && MATCH(payload, 0x83, ANY, ANY, ANY))\n                return true;\n        if (len == 387 && MATCH(payload, 0x82, ANY, ANY, ANY))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_tox(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 33445 && data->client_port != 33445) {\n                return 
false;\n        }\n\n        if (match_tox_get(data->payload[0], data->payload_len[0])) {\n                if (match_tox_reply(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n        if (match_tox_get(data->payload[1], data->payload_len[1])) {\n                if (match_tox_reply(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_tox = {\n\tLPI_PROTO_UDP_TOX,\n\tLPI_CATEGORY_CHAT,\n\t\"ToxUDP\",\n\t110,\n\tmatch_tox\n};\n\nvoid register_tox(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_tox, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_traceroute.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_ea_traceroute(uint32_t payload, uint32_t len) {\n\n\tif (len != 42)\n\t\treturn false;\n\tif (!MATCH(payload, 'P', 'a', 't', 'h'))\n\t\treturn false;\n\treturn true;\n\n}\n\nstatic inline bool match_planetlab_traceroute(uint32_t payload, uint32_t len) {\n\tif (len != 82)\n\t\treturn false;\n\tif (!MATCH(payload, '@', 'A', 'B', 'C'))\n\t\treturn false;\n\treturn true;\n}\n\nstatic inline bool match_traceroute(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* The iVMG people put payload in their traceroute packets that\n         * we can easily identify */\n\n        if (match_str_either(data, \"iVMG\"))\n                return true;\n\n\t/* Spammy traceroute observed coming from EA servers */\n\tif (match_ea_traceroute(data->payload[0], data->payload_len[0])) {\n\t\tif (data->payload_len[1] == 0)\n\t\t\treturn 
true;\n\t}\n\t\n\tif (match_ea_traceroute(data->payload[1], data->payload_len[1])) {\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t}\n\n\t/* This seems to be a traceroute sent from planetlab nodes */\n\tif (match_planetlab_traceroute(data->payload[0], data->payload_len[0]))\n\t{\n\t\tif (data->payload_len[1] == 0)\n\t\t\treturn true;\n\t}\n\n\tif (match_planetlab_traceroute(data->payload[1], data->payload_len[1]))\n\t{\n\t\tif (data->payload_len[0] == 0)\n\t\t\treturn true;\n\t}\n\n\n\tif (data->payload_len[0] == 0) {\n\t\tif (!MATCH(data->payload[1], ANY, ANY, 0x00, 0x00))\n\t\t\treturn false;\n\t\tif (data->payload_len[1] != 16 && data->payload_len[1] != 8)\n\t\t\treturn false;\n\t\tif (data->server_port != 33435 && data->client_port != 33435)\n\t\t\treturn false;\n\t\treturn true;\n\t}\n\n\tif (data->payload_len[1] == 0) {\n\t\tif (!MATCH(data->payload[0], ANY, ANY, 0x00, 0x00))\n\t\t\treturn false;\n\t\tif (data->payload_len[0] != 16 && data->payload_len[1] != 8)\n\t\t\treturn false;\n\t\tif (data->server_port != 33435 && data->client_port != 33435)\n\t\t\treturn false;\n\t\treturn true;\n\t}\n\treturn false;\n}\n\nstatic lpi_module_t lpi_traceroute = {\n\tLPI_PROTO_UDP_TRACEROUTE,\n\tLPI_CATEGORY_MONITORING,\n\t\"Traceroute_UDP\",\n\t2,\n\tmatch_traceroute\n};\n\nvoid register_traceroute(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_traceroute, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_tremulous.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_tremulous(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (!MATCH(data->payload[0], 0xff, 0xff, 0xff, 0xff)) {\n                if (data->payload_len[0] != 0)\n                        return false;\n        }\n        if (!MATCH(data->payload[1], 0xff, 0xff, 0xff, 0xff)) {\n                if (data->payload_len[1] != 0)\n                        return false;\n        }\n\n        /* Not super confident that this won't match other traffic, so\n         * added a port rule here */\n        if (data->server_port != 30710 && data->client_port != 30710 &&\n                        data->client_port != 30711 &&\n                        data->server_port != 30711) {\n                return false;\n        }\n\n\n        if (data->payload_len[0] >= 20 && data->payload_len[0] <= 24) {\n                if (data->payload_len[1] == 
0)\n                        return true;\n        }\n\n        if (data->payload_len[1] >= 20 && data->payload_len[1] <= 24) {\n                if (data->payload_len[0] == 0)\n                        return true;\n        }\n\n        if (data->payload_len[0] >= 116 && data->payload_len[0] <= 119) {\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n        if (data->payload_len[1] >= 116 && data->payload_len[1] <= 119) {\n                if (data->payload_len[0] == 0)\n                        return true;\n        }\n\n        if (data->payload_len[0] == 37) {\n                if (data->payload_len[1] == 98)\n                        return true;\n        }\n        if (data->payload_len[1] == 37) {\n                if (data->payload_len[0] == 98)\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_tremulous = {\n\tLPI_PROTO_UDP_TREMULOUS,\n\tLPI_CATEGORY_GAMING,\n\t\"Tremulous\",\n\t7,\n\tmatch_tremulous\n};\n\nvoid register_tremulous(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_tremulous, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_turbovpn.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_gene(uint32_t payload, uint32_t len) {\n\n        /* Range of packet sizes, but always fairly small */\n        if (MATCH(payload, 'G', 'E', 'N', 'E')) {\n                if (len >= 15 && len <= 50)\n                        return true;\n        }\n\n        return false;\n\n}\n\nstatic inline bool match_turbovpn(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_gene(data->payload[0], data->payload_len[0])) {\n                if (match_gene(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_turbovpn = {\n\tLPI_PROTO_UDP_TURBOVPN,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"TurboVPN\",\n\t10,\n\tmatch_turbovpn\n};\n\nvoid register_turbovpn(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_turbovpn, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_tvants.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_tvants(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_both(data, \"\\x04\\x00\\x05\\x00\", \"\\x04\\x00\\x05\\x00\"))\n                return true;\n        if (match_str_both(data, \"\\x04\\x00\\x07\\x00\", \"\\x04\\x00\\x05\\x00\"))\n                return true;\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_tvants = {\n\tLPI_PROTO_UDP_TVANTS,\n\tLPI_CATEGORY_P2PTV,\n\t\"TVants\",\n\t5,\n\tmatch_tvants\n};\n\nvoid register_tvants(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_tvants, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_ubisoft_games.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* A variety of Ubisoft games seem to use a similar protocol for\n * multiplayer. 
Usually seen on UDP port 3074, but not always.\n */\n\nstatic inline bool match_ubisoft_pat(uint32_t payload, uint32_t len) {\n\n        if (len == 71 && MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_ubisoft_games(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_ubisoft_pat(data->payload[0], data->payload_len[0])) {\n                if (match_ubisoft_pat(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ubisoft_games = {\n\tLPI_PROTO_UDP_UBISOFT_GAMES,\n\tLPI_CATEGORY_GAMING,\n\t\"UbisoftGames\",\n\t199,\n\tmatch_ubisoft_games\n};\n\nvoid register_ubisoft_games(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ubisoft_games, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_umeye.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Umeye itself seems to be a cloud platform for streaming, but it seems\n * to be most commonly used in concert with home surveillance cameras\n * to allow users to check their cameras remotely.\n */\n\nstatic inline bool match_umeye_shake(uint32_t payload, uint32_t len) {\n\n        if (len == 164 && MATCHSTR(payload, \"\\xc1\\xef\\xab\\xff\"))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_umeye(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_umeye_shake(data->payload[0], data->payload_len[0])) {\n                if (match_umeye_shake(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_umeye = {\n\tLPI_PROTO_UDP_UMEYE,\n\tLPI_CATEGORY_IPCAMERAS,\n\t\"Umeye\",\n\t101,\n\tmatch_umeye\n};\n\nvoid 
register_umeye(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_umeye, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_unreal.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_unreal_query(uint32_t payload, uint32_t len) {\n\n        /* UT2004 retail is 0x80, demo is 0x7f */\n\n        /* Queries are 5 bytes */\n        if (len != 5)\n                return false;\n        if (MATCH(payload, 0x80, 0x00, 0x00, 0x00))\n                return true;\n        if (MATCH(payload, 0x7f, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n\n}\n\n\nstatic inline bool match_unreal(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* http://www.unrealadmin.org/forums/showthread.php?p=56944 */\n\n        if (match_unreal_query(data->payload[0], data->payload_len[0])) {\n                if (MATCH(data->payload[1], 0x80, 0x00, 0x00, 0x00))\n                        return true;\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n        if 
(match_unreal_query(data->payload[1], data->payload_len[1])) {\n                if (MATCH(data->payload[0], 0x80, 0x00, 0x00, 0x00))\n                        return true;\n                if (data->payload_len[0] == 0)\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_unreal = {\n\tLPI_PROTO_UDP_UNREAL,\n\tLPI_CATEGORY_GAMING,\n\t\"Unreal\",\n\t5,\n\tmatch_unreal\n};\n\nvoid register_unreal(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_unreal, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_ventrilo.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_ventrilo(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* We see this on port 6100, so I'm assuming it is the UDP\n         * Ventrilo protocol. 
No real documentation of it to confirm,\n         * though */\n\n        if (!(match_str_both(data, \"\\x00\\x00\\x00\\x00\", \"\\x00\\x00\\x00\\x00\")))\n                return false;\n\n        if (data->payload_len[0] == 108 && data->payload_len[1] == 132)\n                return true;\n        if (data->payload_len[1] == 108 && data->payload_len[0] == 132)\n                return true;\n        if (data->payload_len[0] == 52 && data->payload_len[1] == 196)\n                return true;\n        if (data->payload_len[1] == 52 && data->payload_len[0] == 196)\n                return true;\n\t\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_ventrilo = {\n\tLPI_PROTO_UDP_VENTRILO,\n\tLPI_CATEGORY_VOIP,\n\t\"Ventrilo_UDP\",\n\t5,\n\tmatch_ventrilo\n};\n\nvoid register_ventrilo(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_ventrilo, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_viber.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Thanks to Remy Mudingay for providing traces to identify this protocol */\n\nstatic inline bool match_viber_request(uint32_t payload, uint32_t plen) {\n\tif (plen != 12 && plen != 16)\n\t\treturn false;\n\tif (MATCH(payload, ANY, ANY, 0x03, 0x00))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_viber_response(uint32_t payload, uint32_t plen) {\n\tif (plen == 0)\n\t\treturn true;\n\tif (plen != 12)\n\t\treturn false;\n\tif (MATCH(payload, ANY, ANY, 0x04, 0x00))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_viber_aws0c(uint32_t payload, uint32_t plen) {\n\n\tif (MATCH(payload, ANY, ANY, 0x0c, 0x00))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_viber_aws01(uint32_t payload, uint32_t plen) {\n\n\tif (MATCH(payload, ANY, ANY, 0x01, 0x00))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic 
inline bool same_viber_id(uint32_t pl_a, uint32_t pl_b) {\n\n\tif ((pl_a & 0xffff) == (pl_b & 0xffff))\n\t\treturn true;\n\treturn false;\n\n}\n\nstatic inline bool match_viber_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* These rules target the little 12 byte exchanges that go on */\n\tif (match_viber_request(data->payload[0], data->payload_len[0])) {\n\t\tif (match_viber_response(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t\tif (match_viber_request(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\tif (match_viber_request(data->payload[1], data->payload_len[1])) {\n\t\tif (match_viber_response(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t\tif (match_viber_request(data->payload[0], data->payload_len[0]))\n\t\t\treturn true;\n\t}\n\n\t/* This targets the viber flow that goes to the AWS server */\n\tif (match_viber_aws0c(data->payload[0], data->payload_len[0])) {\n\t\tif (match_viber_aws01(data->payload[1], data->payload_len[1])) \n\t\t{\n\t\t\tif (same_viber_id(data->payload[0], data->payload[1]))\n\t\t\t\treturn true;\n\t\t}\n\t}\n\n\tif (match_viber_aws0c(data->payload[1], data->payload_len[1])) {\n\t\tif (match_viber_aws01(data->payload[0], data->payload_len[0])) \n\t\t{\n\t\t\tif (same_viber_id(data->payload[0], data->payload[1]))\n\t\t\t\treturn true;\n\t\t}\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_viber_udp = {\n\tLPI_PROTO_UDP_VIBER,\n\tLPI_CATEGORY_VOIP,\n\t\"Viber_UDP\",\n\t18,\n\tmatch_viber_udp\n};\n\nvoid register_viber_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_viber_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_vivox.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_vivox_request(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x80, 0x7f, 0x00, 0x00) && len == 112)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_vivox_reply(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x80, 0x7f, 0x00, 0x00) && len == 99)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_vivox_stun(uint32_t payload, uint32_t len) {\n\n        /* Vivox mixes a whole bunch of RTP(?) and STUN together\n         * when it starts up, so sometimes the STUN replies arrive\n         * first. 
*/\n        if (MATCH(payload, 0x01, 0x01, 0x00, 0x70) && len == 132)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_vivox(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_vivox_request(data->payload[0], data->payload_len[0])) {\n                if (match_vivox_stun(data->payload[1], data->payload_len[1]))\n                        return true;\n                if (match_vivox_reply(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n        if (match_vivox_request(data->payload[1], data->payload_len[1])) {\n                if (match_vivox_stun(data->payload[0], data->payload_len[0]))\n                        return true;\n                if (match_vivox_reply(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\t/* Seen this to Vivox servers, so I'm going to make the logical\n         * assumption */\n        if (!match_str_both(data, \"\\x80\\x6f\\x00\\x00\", \"\\x80\\x6f\\x00\\x01\"))\n                return false;\n\n        if (data->payload_len[0] == 108 || data->payload_len[1] == 108)\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_vivox = {\n\tLPI_PROTO_UDP_VIVOX,\n\tLPI_CATEGORY_VOIP,\n\t\"Vivox\",\n\t5,\n\tmatch_vivox\n};\n\nvoid register_vivox(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_vivox, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_vpnmaster.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* VPN Proxy Master-Free security -- free android VPN via China */\n\nstatic inline bool match_ce7(uint32_t payload, uint32_t len) {\n\n        if (len == 30 && MATCH(payload, 'C', 'E', '7', 'E'))\n                return true;\n        if (len == 29 && MATCH(payload, 'C', 'E', '7', 0x05))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_7b(uint32_t payload, uint32_t len) {\n\n        if (len == 14 && MATCH(payload, 0x7b, ANY, ANY, ANY))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_vpnmaster(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_ce7(data->payload[0], data->payload_len[0])) {\n                if (match_7b(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_ce7(data->payload[0], 
data->payload_len[0])) {\n                if (match_7b(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_vpnmaster = {\n\tLPI_PROTO_UDP_VPNMASTER,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"VPNMaster\",\n\t5,\n\tmatch_vpnmaster\n};\n\nvoid register_vpnmaster(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_vpnmaster, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_vpnrobot_udp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_umxw(uint32_t payload) {\n        if (MATCH(payload, 'U', 'M', 'X', 'W'))\n                return true;\n        return false;\n}\n\nstatic inline bool match_robot_fail(uint32_t payload, uint32_t len) {\n\n        if (len == 14) {\n                if (MATCH(payload, 0x6d, ANY, ANY, ANY))\n                        return true;\n        }\n        return false;\n\n}\n\nstatic inline bool match_vpnrobot_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_umxw(data->payload[0])) {\n                if (match_umxw(data->payload[1]))\n                        return true;\n                if (match_robot_fail(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_umxw(data->payload[1])) {\n                if (match_robot_fail(data->payload[0], 
data->payload_len[0]))\n                        return true;\n        }\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_vpnrobot_udp = {\n\tLPI_PROTO_UDP_VPNROBOT,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"VPNRobot\",\n\t15,\n\tmatch_vpnrobot_udp\n};\n\nvoid register_vpnrobot_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_vpnrobot_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_vxworks_exploit.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* VxWorks exposes a system-level debugger over UDP port 17185 which can be\n * exploited remotely. 
Most traffic I've seen trying to access this port is\n * actually critical.io poking around looking for vulnerable machines in the\n * interests of finding ISPs that are putting their customers at risk.\n *\n * So if you see this traffic, it is not necessarily malicious (as long as the\n * recipient is not responding to the probe packet!). A reply from the\n * recipient suggests the debug service is reachable, so that host is the\n * one to follow up on.\n */\n\nstatic inline bool match_vxworks_exploit(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (data->server_port != 17185 && data->client_port != 17185)\n\t\treturn false;\n\n\t/* Payload sent by critical.io */\n\tif (MATCH(data->payload[0], 0x1a, 0x09, 0xfa, 0xba)) {\n\t\tif (data->payload_len[0] == 64)\n\t\t\treturn true;\n\t}\n\n\tif (MATCH(data->payload[1], 0x1a, 0x09, 0xfa, 0xba)) {\n\t\tif (data->payload_len[1] == 64)\n\t\t\treturn true;\n\t}\n\treturn false;\n}\n\nstatic lpi_module_t lpi_vxworks_exploit = {\n\tLPI_PROTO_UDP_VXWORKS_EXPLOIT,\n\tLPI_CATEGORY_MALWARE,\n\t\"VxWorks_Exploit\",\n\t14,\n\tmatch_vxworks_exploit\n};\n\nvoid register_vxworks_exploit(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_vxworks_exploit, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_warthunder.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* MMO game from Gaijin Entertainment. 
Uses UDP ports 20010+ */\n\nstatic inline bool match_warthunder_req(uint32_t payload, uint32_t len) {\n\n        if (len == 52 && MATCHSTR(payload, \"\\xcf\\xff\\x00\\x0a\"))\n                return true;\n        if (len == 52 && MATCHSTR(payload, \"\\xcf\\xff\\x00\\x0b\"))\n                return true;\n        if (len == 52 && MATCHSTR(payload, \"\\xcf\\xff\\x00\\x05\"))\n                return true;\n        if (len == 52 && MATCHSTR(payload, \"\\xcf\\xff\\x00\\x04\"))\n                return true;\n        if (len == 52 && MATCHSTR(payload, \"\\xcf\\xff\\x00\\x14\"))\n                return true;\n        if (len == 52 && MATCHSTR(payload, \"\\xcf\\xff\\x00\\x03\"))\n                return true;\n        if (len == 53 && MATCHSTR(payload, \"\\xcf\\xff\\x00\\x04\"))\n                return true;\n        if (len == 53 && MATCHSTR(payload, \"\\xcf\\xff\\x00\\x05\"))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_warthunder_resp(uint32_t payload, uint32_t len) {\n\n        if (len == 48 && MATCH(payload, 0xc0, 0x00, ANY, ANY))\n                return true;\n        if (len == 49 && MATCH(payload, 0xc0, 0x00, ANY, ANY))\n                return true;\n        if (len == 52 && MATCH(payload, 0xc0, 0x00, ANY, ANY))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_warthunder(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_warthunder_req(data->payload[1], data->payload_len[1])){\n                if (match_warthunder_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_warthunder_req(data->payload[0], data->payload_len[0])){\n                if (match_warthunder_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_warthunder = 
{\n\tLPI_PROTO_UDP_WARTHUNDER,\n\tLPI_CATEGORY_GAMING,\n\t\"WarThunder\",\n\t9,\n\tmatch_warthunder\n};\n\nvoid register_warthunder(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_warthunder, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_webex.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_webex_req(uint32_t payload, uint32_t len) {\n\n        if (len == 8 && MATCH(payload, 0x01, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_webex_resp(uint32_t payload, uint32_t len) {\n\n        if (len == 8 && MATCH(payload, 0x02, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_webex(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Port 9000 */\n\n        if (data->server_port != 9000 && data->client_port != 9000)\n                return false;\n\n        if (match_webex_req(data->payload[0], data->payload_len[0])) {\n                if (match_webex_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_webex_req(data->payload[1], 
data->payload_len[1])) {\n                if (match_webex_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_webex = {\n\tLPI_PROTO_UDP_WEBEX,\n\tLPI_CATEGORY_VOIP,\n\t\"Webex\",\n\t100,\n\tmatch_webex\n};\n\nvoid register_webex(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_webex, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_wechat_udp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Thanks to http://www.cse.cuhk.edu.hk/~pclee/www/pubs/iwqos15chatdissect.pdf\n * for helping confirm this rule */\n\nstatic inline bool match_wechat_uplink_hb(uint32_t payload, uint32_t len) {\n\n        /* Byte 3 appears to be a length indicator */\n        if (MATCH(payload, 0xd1, 0x0a, 0x2e, 0x0a))\n                return true;\n        if (MATCH(payload, 0xd1, 0x0a, 0x2d, 0x0a))\n                return true;\n        if (MATCH(payload, 0xd1, 0x0a, 0x2c, 0x0a))\n                return true;\n        if (MATCH(payload, 0xd1, 0x0a, 0x1e, 0x0a))\n                return true;\n        if (MATCH(payload, 0xd1, 0x0a, 0x1d, 0x0a))\n                return true;\n\n        return false;\n\n}\n\nstatic inline bool match_wechat_downlink_hb(uint32_t payload, uint32_t len) {\n\n        /* Byte 3 appears to be a length indicator */\n        if 
(MATCHSTR(payload, \"\\xd1\\x0a\\x2b\\x0a\"))\n                return true;\n        if (MATCHSTR(payload, \"\\xd1\\x0a\\x2a\\x0a\"))\n                return true;\n        if (MATCHSTR(payload, \"\\xd1\\x0a\\x2d\\x0a\"))\n                return true;\n        if (MATCHSTR(payload, \"\\xd1\\x0a\\x29\\x0a\"))\n                return true;\n\n        return false;\n\n}\n\nstatic inline bool match_wechat_voip_a175(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0xa1, 0x08, ANY, ANY) && len == 75)\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_wechat_voip_a192(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0xa1, 0x08, ANY, ANY) && len == 92)\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_wechat_voip_a396(uint32_t payload, uint32_t len) {\n\tif (len == 0)\n\t\treturn true;\n\tif (len == 96 && MATCH(payload, 0xa3, ANY, ANY, ANY))\n\t\treturn true;\n\tif (len == 95 && MATCH(payload, 0xa3, ANY, ANY, ANY))\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_wechat_voip_d6200(uint32_t payload, uint32_t len) {\n\tif (len == 200 && MATCH(payload, 0xd6, ANY, ANY, ANY))\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_wechat_voip_d591(uint32_t payload, uint32_t len) {\n\n        if (len < 89 || len > 91)\n                return false;\n\n\tif (MATCH(payload, 0xd5, ANY, ANY, ANY))\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_wechat_voip_d5104(uint32_t payload, uint32_t len) {\n\n        if (len < 103 || len > 104)\n                return false;\n\tif (MATCH(payload, 0xd5, ANY, ANY, ANY))\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_wechat_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_wechat_uplink_hb(data->payload[0], data->payload_len[0])) {\n                if (match_wechat_downlink_hb(data->payload[1],\n                                data->payload_len[1]))\n              
          return true;\n        }\n\n        if (match_wechat_uplink_hb(data->payload[1], data->payload_len[1])) {\n                if (match_wechat_downlink_hb(data->payload[0],\n                                data->payload_len[0]))\n                        return true;\n        }\n\n\t/* Lots of different patterns seen when using WeChat to make a voice\n\t * or video call.\n\t */\n        \n        if (match_wechat_voip_a396(data->payload[0], data->payload_len[0])) {\n                if (match_wechat_voip_a396(data->payload[1],\n                                data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_wechat_voip_d6200(data->payload[0], data->payload_len[0])) {\n                if (match_wechat_voip_d6200(data->payload[1],\n                                data->payload_len[1]))\n                        return true;\n        }\n        \n\tif (match_wechat_voip_d591(data->payload[0], data->payload_len[0])) {\n                if (match_wechat_voip_d5104(data->payload[1],\n                                data->payload_len[1]))\n                        return true;\n        }\n\n\tif (match_wechat_voip_d591(data->payload[1], data->payload_len[1])) {\n                if (match_wechat_voip_d5104(data->payload[0],\n                                data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_wechat_voip_a192(data->payload[0], data->payload_len[0])) {\n                if (match_wechat_voip_a175(data->payload[1],\n                                data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_wechat_voip_a192(data->payload[1], data->payload_len[1])) {\n                if (match_wechat_voip_a175(data->payload[0],\n                                data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_wechat_udp = 
{\n\tLPI_PROTO_UDP_WECHAT,\n\tLPI_CATEGORY_CHAT,\n\t\"WeChat_UDP\",\n\t20,\n\tmatch_wechat_udp\n};\n\nvoid register_wechat_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_wechat_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_winmessage.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/*\n * This covers Windows messenger spam over UDP \n *\n * Ref: http://www.mynetwatchman.com/kb/security/articles/popupspam/netsend.htm\n */\n\nstatic inline bool match_winmessage(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\tif (match_str_both(data, \"\\x04\\x00\\x28\\x00\", \"\\x04\\x02\\x08\\x00\"))\n                return true;\n\n        if (match_str_either(data, \"\\x04\\x00\\x28\\x00\")) {\n                if (data->payload_len[0] == 0)\n                        return true;\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_winmessage = {\n\tLPI_PROTO_UDP_WIN_MESSAGE,\n\tLPI_CATEGORY_MALWARE,\n\t\"WindowsMessenger\",\n\t10,\n\tmatch_winmessage\n};\n\nvoid register_winmessage(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_winmessage, 
mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_wireguard.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_wg_first(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x01, 0x00, 0x00, 0x00) && len == 148) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_wg_second(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x02, 0x00, 0x00, 0x00) && len == 92) {\n                return true;\n        }\n        return false;\n}\n\n\nstatic inline bool match_wg_midsession(uint32_t payload, uint32_t len) {\n        /* Not a very strong rule, but should only matter if the initial\n         * packets go missing.\n         */\n        if (MATCH(payload, 0x04, 0x00, 0x00, 0x00)) {\n                if (len >= 92 && len <= 512) {\n                        return true;\n                }\n        }\n        return false;\n}\n\nstatic inline bool match_wireguard(lpi_data_t *data, 
lpi_module_t *mod UNUSED) {\n\n        if (match_wg_first(data->payload[0], data->payload_len[0])) {\n                if (match_wg_second(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n                if (match_wg_midsession(data->payload[1],\n                                data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_wg_first(data->payload[1], data->payload_len[1])) {\n                if (match_wg_second(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n                if (match_wg_midsession(data->payload[0],\n                                data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n        if (match_wg_second(data->payload[0], data->payload_len[0])) {\n                if (match_wg_midsession(data->payload[1],\n                                data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_wg_second(data->payload[1], data->payload_len[1])) {\n                if (match_wg_midsession(data->payload[0],\n                                data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n        if (match_wg_midsession(data->payload[0], data->payload_len[0])) {\n                if (match_wg_midsession(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_wireguard = {\n\tLPI_PROTO_UDP_WIREGUARD,\n\tLPI_CATEGORY_TUNNELLING,\n\t\"WireGuard\",\n\t201,\n\tmatch_wireguard\n};\n\nvoid register_wireguard(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_wireguard, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_wolfet.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_wolf_payload(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n        if (!MATCHSTR(payload, \"\\xff\\xff\\xff\\xff\"))\n                return false;\n        return true;\n\n}\n\n\nstatic inline bool match_wolf_et(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Limit to port 27960 for now */\n        if (data->server_port != 27960 && data->client_port != 27960)\n                return false;\n\n\tif (!match_wolf_payload(data->payload[0], data->payload_len[0]))\n                return false;\n        if (!match_wolf_payload(data->payload[1], data->payload_len[1]))\n                return false;\n\n        /* getinfo packet is always 15 bytes, the other is always 250-350 */\n        if (data->payload_len[0] == 15) {\n                if (data->payload_len[1] == 0 || 
(data->payload_len[1] >= 250\n                                && data->payload_len[1] < 350))\n                        return true;\n        }\n\n        if (data->payload_len[1] == 15) {\n                if (data->payload_len[0] == 0 || (data->payload_len[0] >= 250\n                                && data->payload_len[0] < 350))\n                        return true;\n        }\n\n        /* getservers packets are 17 bytes, response may vary a lot (?) */\n        if (data->payload_len[0] == 17)\n                return true;\n        if (data->payload_len[1] == 17)\n                return true;\n\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_wolfet = {\n\tLPI_PROTO_UDP_WOLF_ET,\n\tLPI_CATEGORY_GAMING,\n\t\"WolfensteinEnemyTerritory\",\n\t50,\t/* Must be lower priority than Call of Duty */\n\tmatch_wolf_et\n};\n\nvoid register_wolfet(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_wolfet, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_worm_22105.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_worm_22105(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_either(data, \" VRV\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_worm_22105 = {\n\tLPI_PROTO_UDP_WORM_22105,\n\tLPI_CATEGORY_MALWARE,\n\t\"Worm_22105\",\n\t10,\n\tmatch_worm_22105\n};\n\nvoid register_worm_22105(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_worm_22105, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_xfire_p2p.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_xfire_p2p(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\tif (match_str_both(data, \"SC01\", \"CK01\"))\n                return true;\n        if (match_str_either(data, \"MC01\"))\n                return true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_xfire_p2p = {\n\tLPI_PROTO_UDP_XFIRE_P2P,\n\tLPI_CATEGORY_P2P,\n\t\"Xfire_P2P\",\n\t3,\n\tmatch_xfire_p2p\n};\n\nvoid register_xfire_p2p(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_xfire_p2p, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_xlsp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_xlsp_payload(uint32_t payload, uint32_t len,\n                uint32_t other_len, lpi_data_t *data) {\n\n        /* This is almost all based on observing traffic on port 3074. 
Not\n         * very scientific, but seems more or less right */\n\n        /* TODO: come up with a cleaner matching module */\n\n        /* We've only ever seen a few of the packet sizes in one-way flows,\n         * so let's not match any of the others if there is no response */\n        if (MATCH(payload, 0x00, 0x00, 0x00, 0x00)) {\n                if (len == 139)\n                        return true;\n                if (len == 122)\n                        return true;\n                if (len == 156)\n                        return true;\n                if (len == 82)\n                        return true;\n                if (len == 50)\n                        return true;\n                if (len == 83)\n                        return true;\n                if (len == 43)\n                        return true;\n                if (len == 75)\n                        return true;\n                if (len == 120 && other_len != 0)\n                        return true;\n                if (len == 91 && other_len != 0)\n                        return true;\n                if (len == 0 && other_len != 0)\n                        return true;\n                if ((len == 90 || len == 172) && other_len == 138)\n                        return true;\n                if (len == 138 && (other_len == 90 || other_len == 172))\n                        return true;\n                if (len == 65 && other_len == 65)\n                        return true;\n                if ((len == 148  || len == 149) &&\n                                (other_len == 115 || other_len == 116))\n                        return true;\n                if ((len == 115  || len == 116) &&\n                                (other_len == 148 || other_len == 149))\n                        return true;\n\n        }\n\n        if (len == 24) {\n\t\t/* Employ port number restriction because these rules are weak\n\t\t */\n\t\tif (data->server_port != 3074 && data->client_port != 3074)\n\t\t\treturn 
false;\n                if (MATCH(payload, 0x0d, ANY, ANY, ANY))\n                        return true;\n                if (MATCH(payload, 0x80, ANY, ANY, ANY))\n                        return true;\n\n        }\n\n\tif (len == 16) {\n\t\tif (MATCH(payload, 0x01, 0x02, 0x00, 0x00))\n\t\t\treturn true;\n\t}\n\t\n\tif (len == 32) {\n\t\t/* Employ port number restriction because these rules are weak\n\t\t */\n\t\tif (data->server_port != 3074 && data->client_port != 3074)\n\t\t\treturn false;\n\t\tif (MATCH(payload, 0x06, 0x02, ANY, ANY))\n\t\t\treturn true;\n\t\tif (MATCH(payload, 0xcd, ANY, ANY, ANY))\n\t\t\treturn true;\n\t}\n\n\tif (len == 17) {\n\t\t/* Employ port number restriction because these rules are weak\n\t\t */\n\t\tif (data->server_port != 3074 && data->client_port != 3074)\n\t\t\treturn false;\n\t\tif (MATCH(payload, 0x28, ANY, ANY, ANY))\n\t\t\treturn true;\n\t}\n\t\n\tif (len == 287 || len == 1336 || len == 1011)  {\n\t\t/* Employ port number restriction because these rules are weak\n\t\t */\n\t\tif (data->server_port != 3074 && data->client_port != 3074)\n\t\t\treturn false;\n\t\tif (other_len != 0)\n\t\t\treturn false;\n\t\tif (MATCH(payload, 0x00, 0x00, 0x00, 0x00))\n\t\t\treturn true;\n\n\t}\n\t\t\t\n\tif (len == 26) {\n\t\tif (MATCH(payload, 0x29, ANY, 0x00, 0x00))\n\t\t\treturn true;\n\t}\n\n        if (len == 29) {\n                if (MATCH(payload, 0x0a, 0x02, 0x00, ANY))\n                        return true;\n                if (MATCH(payload, 0x0b, 0x02, 0x00, ANY))\n                        return true;\n                if (MATCH(payload, 0x0c, 0x02, 0x00, ANY))\n                        return true;\n                if (MATCH(payload, 0x0d, 0x02, 0x00, ANY))\n                        return true;\n                if (MATCH(payload, 0x0e, 0x02, 0x00, ANY))\n                        return true;\n        }\n\n\n        return false;\n\n}\n\n\nstatic inline bool match_xlsp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* Had a few false 
matches against DNS traffic in the past, so\n\t * rule out port 53 traffic */\n\tif (data->server_port == 53 || data->client_port == 53)\n\t\treturn false;\n\n        /* Unlike other combos, 1336 and 287 (or rarely 286) only go with\n         * each other \n         *\n         * 1011 (or rarely 1010) is also a possible response */\n        if (match_str_both(data, \"\\x00\\x00\\x00\\x00\", \"\\x00\\x00\\x00\\x00\")) {\n                if (data->payload_len[0] == 1336) {\n                        if (data->payload_len[1] == 287)\n                                return true;\n                        if (data->payload_len[1] == 1011)\n                                return true;\n                        if (data->payload_len[1] == 286)\n                                return true;\n                        if (data->payload_len[1] == 1010)\n                                return true;\n                        if (data->payload_len[1] == 1003)\n                                return true;\n                        if (data->payload_len[1] == 1026)\n                                return true;\n                        if (data->payload_len[1] == 1027)\n                                return true;\n                        if (data->payload_len[1] == 1331)\n                                return true;\n                }\n                if (data->payload_len[1] == 1336) {\n                        if (data->payload_len[0] == 287)\n                                return true;\n                        if (data->payload_len[0] == 1011)\n                                return true;\n                        if (data->payload_len[0] == 286)\n                                return true;\n                        if (data->payload_len[0] == 1010)\n                                return true;\n                        if (data->payload_len[0] == 1003)\n                                return true;\n                        if (data->payload_len[0] == 1026)\n                               
 return true;\n                        if (data->payload_len[0] == 1027)\n                                return true;\n                        if (data->payload_len[0] == 1331)\n                                return true;\n                }\n\n                /* This is something to do with PunkBuster? */\n                if (data->payload_len[0] == 4) {\n                        if (data->payload_len[1] == 4)\n                                return true;\n                }\n                if (data->payload_len[1] == 4) {\n                        if (data->payload_len[0] == 4)\n                                return true;\n                }\n        }\n\n\n        /* Enforce port 3074 being involved, to reduce false positive rate for\n         * one-way transactions */\n\n        if (match_str_either(data, \"\\xff\\xff\\xff\\xff\")) {\n                if (data->server_port != 3074 && data->client_port != 3074)\n                        return false;\n                if (data->payload_len[0] == 14 && data->payload_len[1] == 0)\n                        return true;\n                if (data->payload_len[1] == 14 && data->payload_len[0] == 0)\n                        return true;\n        }\n\n        /* We could also enforce the port number here too, but we still see a \n         * lot of one-way traffic that matches these rules on other ports.\n         * I'm pretty confident it is XLSP, but this should be watched\n         * closely to make sure it isn't overmatching */\n\n        if (!match_xlsp_payload(data->payload[0], data->payload_len[0],\n                        data->payload_len[1], data))\n                return false;\n        if (!match_xlsp_payload(data->payload[1], data->payload_len[1],\n                        data->payload_len[0], data))\n                return false;\n\n        return true;\n\n}\n\n\nstatic lpi_module_t lpi_xlsp = {\n\tLPI_PROTO_UDP_XLSP,\n\tLPI_CATEGORY_GAMING,\n\t\"XboxLive_UDP\",\n\t180,\n\tmatch_xlsp\n};\n\nvoid 
register_xlsp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_xlsp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_xunlei.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool xunlei_32(uint32_t payload, uint32_t len) {\n\tif (len == 0)\n\t\treturn true;\n\n\tif (!MATCH(payload, 0x32, 0x00, 0x00, 0x00))\n\t\treturn false;\n\n\tif (len == 29)\n\t\treturn true;\n\tif (len == 31)\n\t\treturn true;\n\treturn false;\n}\n\nstatic inline bool match_shuijing_3b_other(uint32_t payload, uint32_t len) {\n        if (!MATCH(payload, 0x3b, 0x00, 0x00, 0x00))\n                return false;\n\tif (len == 31 || len == 29 || len == 42)\n\t\treturn true;\n        return false;\n}\n\nstatic inline bool match_shuijing_32(uint32_t payload, uint32_t len) {\n        if (len == 31 && MATCH(payload, 0x32, 0x00, 0x00, 0x00))\n                return true;\n        if (len == 29 && MATCH(payload, 0x32, 0x00, 0x00, 0x00))\n                return true;\n        if (len == 42 && MATCH(payload, 0x32, 0x00, 0x00, 0x00))\n                
return true;\n        return false;\n}\n\nstatic inline bool match_shuijing_3b(uint32_t payload, uint32_t len) {\n        if (len == 33 && MATCH(payload, 0x3b, 0x00, 0x00, 0x00))\n                return true;\n        if (len == 31 && MATCH(payload, 0x3b, 0x00, 0x00, 0x00))\n                return true;\n        if (len == 29 && MATCH(payload, 0x3b, 0x00, 0x00, 0x00))\n                return true;\n        if (len == 13 && MATCH(payload, 0x3b, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\n\nstatic inline bool match_xunlei_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        /* Shuijing = \"Thunder Crystal\", a P2P CDN approach used by Xunlei.\n         * Uses UDP port 4693 normally */\n\n        if (match_shuijing_3b(data->payload[0], data->payload_len[0])) {\n                if (match_shuijing_3b_other(data->payload[1], data->payload_len[1]))\n                        return true;\n                if (match_shuijing_32(data->payload[1], data->payload_len[1]))\n                        return true;\n\n        }\n        \n        if (match_shuijing_3b(data->payload[1], data->payload_len[1])) {\n                if (match_shuijing_3b_other(data->payload[0], data->payload_len[0]))\n                        return true;\n                if (match_shuijing_32(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\n        /* Traffic seen while operating the Thunder client, not sure on exact\n         * purpose but can lead to large flows. 
Rule is not very strong, since\n         * the payload seems random.\n         */\n        if (data->server_port == 12345 || data->client_port == 12345) {\n                if (data->payload[0] != 0 && data->payload[1] != 0) {\n                        if (data->payload_len[0] >= 39) {\n                                if (data->payload_len[0] <= 43) {\n                                        if (data->payload_len[1] >= 39) {\n                                                if (data->payload_len[1] <= 43)\n                                                        return true;\n                                        }\n                                }\n                        }\n                }\n        }\n\n        if (match_str_both(data, \"\\x32\\x00\\x00\\x00\", \"\\x32\\x00\\x00\\x00\"))\n                return true;\n        if (match_str_both(data, \"\\x36\\x00\\x00\\x00\", \"\\x36\\x00\\x00\\x00\"))\n                return true;\n        if (match_str_both(data, \"\\x35\\x00\\x00\\x00\", \"\\x35\\x00\\x00\\x00\"))\n                return true;\n        if (match_str_both(data, \"\\x35\\x00\\x00\\x00\", \"\\x28\\x00\\x00\\x00\"))\n                return true;\n        if (match_str_both(data, \"\\x35\\x00\\x00\\x00\", \"\\x29\\x00\\x00\\x00\"))\n                return true;\n        if (match_str_both(data, \"\\x34\\x00\\x00\\x00\", \"\\x34\\x00\\x00\\x00\"))\n                return true;\n        if (match_str_both(data, \"\\x34\\x00\\x00\\x00\", \"\\x29\\x00\\x00\\x00\"))\n                return true;\n        if (match_str_both(data, \"\\x33\\x00\\x00\\x00\", \"\\x33\\x00\\x00\\x00\"))\n                return true;\n\n\tif (xunlei_32(data->payload[0], data->payload_len[0])) {\n\t\tif (xunlei_32(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\t/* Require port 3076 for now, as all these rules are based on\n         * traffic seen on port 3076 */\n        if (data->server_port != 3076 && data->client_port != 3076)\n                return 
false;\n\n\t\n        if (match_str_either(data, \"\\x36\\x00\\x00\\x00\")) {\n                if (data->payload_len[0] == 0)\n                        return true;\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n        if (match_str_either(data, \"\\x35\\x00\\x00\\x00\")) {\n                if (data->payload_len[0] == 0)\n                        return true;\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n        if (match_str_either(data, \"\\x34\\x00\\x00\\x00\")) {\n                if (data->payload_len[0] == 0)\n                        return true;\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n        if (match_str_either(data, \"\\x33\\x00\\x00\\x00\")) {\n                if (data->payload_len[0] == 0)\n                        return true;\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n        if (match_str_either(data, \"\\x29\\x00\\x00\\x00\")) {\n                if (data->payload_len[0] == 0)\n                        return true;\n                if (data->payload_len[1] == 0)\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_xunlei_udp = {\n\tLPI_PROTO_UDP_XUNLEI,\n\tLPI_CATEGORY_P2P,\n\t\"Xunlei_UDP\",\n\t203,\n\tmatch_xunlei_udp\n};\n\nvoid register_xunlei_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_xunlei_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_xunlei_jsq.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* JSQ: a game accelerator service offered by Xunlei. \n *\n * The actual accelerator service itself is VIP-only (i.e. 
pay for it),\n * but the log in, server querying etc, will still work for free so that's\n * mostly what we're matching here.\n *\n */\n\nstatic inline bool match_jsq_req(uint32_t payload, uint32_t len) {\n\n        if (len != 150 && (len < 77 || len > 80))\n                return false;\n\n        if (MATCH(payload, 0x64, 0x00, 0x00, 0x00))\n                return true;\n\n        return false;\n}\n\nstatic inline bool match_jsq_resp(uint32_t payload, uint32_t len) {\n\n        if (len == 0)\n                return true;\n        if (len != 40)\n                return false;\n\n        if (MATCH(payload, 0x64, 0x00, 0x00, 0x00))\n                return true;\n        return false;\n}\n\nstatic inline bool match_xunlei_jsq(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 8080 && data->client_port != 8080) {\n                return false;\n        }\n\n        if (match_jsq_req(data->payload[0], data->payload_len[0])) {\n                if (match_jsq_resp(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_jsq_req(data->payload[1], data->payload_len[1])) {\n                if (match_jsq_resp(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_xunlei_jsq = {\n\tLPI_PROTO_UDP_XUNLEI_JSQ,\n\tLPI_CATEGORY_GAMING,\n\t\"XunleiJSQ\",\n\t25,\n\tmatch_xunlei_jsq\n};\n\nvoid register_xunlei_jsq(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_xunlei_jsq, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_xunyou.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_xunyou(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (data->server_port != 8000 && data->client_port != 8000)\n                return false;\n\n        if (data->payload[0] != 0)\n                return false;\n        if (data->payload[1] != 0)\n                return false;\n\n        if (data->payload_len[0] != 2)\n                return false;\n        if (data->payload_len[1] != 2)\n                return false;\n\n\treturn true;\n}\n\nstatic lpi_module_t lpi_xunyou = {\n\tLPI_PROTO_UDP_XUNYOU,\n\tLPI_CATEGORY_GAMING,\n\t\"Xunyou\",\n\t210,\n\tmatch_xunyou\n};\n\nvoid register_xunyou(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_xunyou, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_youdao_dict.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_youdao_dict(lpi_data_t *data, \n\t\tlpi_module_t *mod UNUSED) {\n\n\t/* All signs point to this being the protocol used by Youdao \n\t * Dictionary software\n\t *\n\t * Can force a check for port 2000 if need be */\n\tif (match_str_both(data, \"type\", \"\\x1f\\x8b\\x08\\x00\"))\n\t\treturn true;\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_youdao_dict = {\n\tLPI_PROTO_UDP_YOUDAO_DICT,\n\tLPI_CATEGORY_TRANSLATION,\n\t\"YoudaoDict\",\n\t10,\n\tmatch_youdao_dict\n};\n\nvoid register_youdao_dict(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_youdao_dict, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_youku.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\nstatic inline bool match_youku_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* This took a lot of detective work and liberal use of Google\n\t * translate to figure out what protocol this pattern matched */\n\n\tif (match_youku_payload(data->payload[0], data->payload_len[0])) {\n\t\tif (match_youku_payload(data->payload[1], data->payload_len[1]))\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_youku = {\n\tLPI_PROTO_UDP_YOUKU,\n\tLPI_CATEGORY_STREAMING,\n\t\"Youku_UDP\",\n\t4,\n\tmatch_youku_udp\n};\n\nvoid register_youku_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_youku, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_yuanfudao.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* Unable to confirm because yuanfudao requires a Chinese mobile number */\n\nstatic inline bool match_yuan_7b(uint32_t payload, uint32_t len) {\n        if (len == 33 && MATCH(payload, 0x80, 0x7b, 0x00, 0x00)) {\n                return true;\n        }\n        return false;\n}\n\nstatic inline bool match_yuan_7c(uint32_t payload, uint32_t len) {\n        if (len == 32 || len == 48 || len == 60) {\n                if (MATCH(payload, 0x80, 0x7c, 0x00, 0x00)) {\n                        return true;\n                }\n        }\n        return false;\n}\n\nstatic inline bool match_yuanfudao(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_yuan_7b(data->payload[0], data->payload_len[0])) {\n                if (match_yuan_7c(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n 
       if (match_yuan_7b(data->payload[1], data->payload_len[1])) {\n                if (match_yuan_7c(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_yuanfudao = {\n\tLPI_PROTO_UDP_YUANFUDAO,\n\tLPI_CATEGORY_STREAMING,\n\t\"Yuanfudao\",\n\t79,\n\tmatch_yuanfudao\n};\n\nvoid register_yuanfudao(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_yuanfudao, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_yy_udp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n\n/* YY Live Streaming from China */\n/* Unfortunately YY uses a 4 byte length field (albeit in little endian\n * byte order) so there's a good chance this rule will get a few FPs :/\n */\nstatic inline bool match_yy_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_yy_payload(data->payload[0], data->payload_len[0])) {\n                if (match_yy_payload(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_yy_udp = {\n\tLPI_PROTO_UDP_YY,\n\tLPI_CATEGORY_STREAMING,\n\t\"YY_UDP\",\n\t200,\n\tmatch_yy_udp\n};\n\nvoid register_yy_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_yy_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_zalo_call.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_zalo_pat(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x01, 0x01, 0x00, 0x00)) {\n                if (len == 26 || len == 27)\n                        return true;\n                if (len == 34)\n                        return true;\n                if (len == 42)\n                        return true;\n        }\n        return false;\n\n}\n\nstatic inline bool match_zalo_185(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x01, 0x01, 0x00, 0x00)) {\n                if (len >= 180 && len <= 185) {\n                        return true;\n                }\n        }\n        return false;\n}\n\nstatic inline bool match_zalo_56(uint32_t payload, uint32_t len) {\n        if (MATCH(payload, 0x02, 0x01, 0x00, 0x00)) {\n                if (len >= 52 && len <= 56) {\n                        return 
true;\n                }\n        }\n        return false;\n}\n\nstatic inline bool match_zalo_call(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_zalo_pat(data->payload[0], data->payload_len[0])) {\n                if (match_zalo_pat(data->payload[1], data->payload_len[1])) {\n                        if (data->payload_len[0] == data->payload_len[1])\n                                return true;\n                }\n        }\n\n        if (match_zalo_185(data->payload[0], data->payload_len[0])) {\n                if (match_zalo_56(data->payload[1], data->payload_len[1])) {\n                        return true;\n                }\n        }\n\n        if (match_zalo_185(data->payload[1], data->payload_len[1])) {\n                if (match_zalo_56(data->payload[0], data->payload_len[0])) {\n                        return true;\n                }\n        }\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_zalo_call = {\n\tLPI_PROTO_UDP_ZALO_CALL,\n\tLPI_CATEGORY_VOIP,\n\t\"ZaloVideoCall\",\n\t199,\n\tmatch_zalo_call\n};\n\nvoid register_zalo_call(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_zalo_call, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_zeroaccess_udp.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\n/* This protocol is used by the ZeroAccess Trojan for P2P communication\n * between infected hosts.\n *\n * http://www.kindsight.net/sites/default/files/Kindsight_Malware_Analysis-New_CC_protocol_ZeroAccess-final2.pdf\n */\n\nstatic inline bool using_zeroaccess_port(lpi_data_t *data) {\n\n\tswitch(data->server_port) {\n\t\tcase 16464:\n\t\tcase 16465:\n\t\tcase 16470:\n\t\tcase 16471:\n\t\t\treturn true;\n\t}\n\n\tswitch(data->client_port) {\n\t\tcase 16464:\n\t\tcase 16465:\n\t\tcase 16470:\n\t\tcase 16471:\n\t\t\treturn true;\n\t}\n\n\treturn false;\n}\n\nstatic inline bool match_zeroaccess_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n\t/* ZeroAccess uses specific ports for talking to peers */\n\tif (!using_zeroaccess_port(data)) {\n\t\treturn false;\n\t}\n\n\t/* The infected host always sends a 16 byte UDP packet to the\n\t * peer  - the 
response packet size is based solely on what we've\n\t * observed in the wild.\n\t *\n\t * Since both payloads begin with a 32 bit checksum, we can't\n\t * do much based on payload patterns */\n\n\t/* Pretty unlikely that the CRC will be exactly 0, but 0 is a\n\t * common payload for other UDP protocols */\n\tif (data->payload[0] == 0 && data->payload_len[0] != 0)\n\t\treturn false;\n\tif (data->payload[1] == 0 && data->payload_len[1] != 0)\n\t\treturn false;\n\n\tif (data->payload_len[0] == 16) {\n\t\tif (data->payload_len[1] == 848)\n\t\t\treturn true;\n\t\tif (data->payload_len[1] == 988)\n\t\t\treturn true;\n\t\tif (data->payload_len[1] == 568)\n\t\t\treturn true;\n\n\t\t/* If no response, let's at least force it to be on the\n\t\t * default port before reporting a match */\n\t\tif (data->payload_len[1] == 0) {\n\t\t\tif (data->server_port == 16464)\n\t\t\t\treturn true;\n\t\t\tif (data->client_port == 16464)\n\t\t\t\treturn true;\n\t\t}\n\t}\n\tif (data->payload_len[1] == 16) {\n\t\tif (data->payload_len[0] == 848)\n\t\t\treturn true;\n\t\tif (data->payload_len[0] == 988)\n\t\t\treturn true;\n\t\tif (data->payload_len[0] == 568)\n\t\t\treturn true;\n\n\t\t/* If no response, let's at least force it to be on the\n\t\t * default port before reporting a match */\n\t\tif (data->payload_len[0] == 0) {\n\t\t\tif (data->server_port == 16464)\n\t\t\t\treturn true;\n\t\t\tif (data->client_port == 16464)\n\t\t\t\treturn true;\n\t\t}\n\t}\n\n\treturn false;\n}\n\nstatic lpi_module_t lpi_zeroaccess_udp = {\n\tLPI_PROTO_UDP_ZEROACCESS,\n\tLPI_CATEGORY_MALWARE,\n\t\"ZeroAccess_UDP\",\n\t40,\n\tmatch_zeroaccess_udp\n};\n\nvoid register_zeroaccess_udp(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_zeroaccess_udp, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/lpi_zoom.cc",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n#include <string.h>\n\n#include \"libprotoident.h\"\n#include \"proto_manager.h\"\n#include \"proto_common.h\"\n\nstatic inline bool match_zoom_01(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x01, 0x00, 0x02, ANY)) {\n                if (len == 107 || len == 109 || len == 169)\n                        return true;\n        }\n        if (MATCH(payload, 0x01, 0x00, 0x03, ANY)) {\n                if (len == 187 || len == 185 || len == 123 || len == 125) {\n                        return true;\n                }\n        }\n        if (MATCH(payload, 0x01, 0x00, 0x6c, 0x00) && len == 111)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_zoom_02(uint32_t payload, uint32_t len) {\n\n        if (MATCH(payload, 0x02, 0x00, 0x01, ANY) && len == 35)\n                return true;\n        if (MATCH(payload, 0x02, 0x00, 0x03, ANY) && len == 105)\n                return true;\n        if (MATCH(payload, 0x02, 0x00, 
0x03, ANY) && len == 43)\n                return true;\n        if (MATCH(payload, 0x02, 0x00, 0x22, 0x00) && len == 37)\n                return true;\n        if (MATCH(payload, 0x02, 0x00, 0x24, 0x00) && len == 39)\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_zoom_05(uint32_t payload) {\n        if (MATCH(payload, 0x05, 0x10, 0x01, 0x00))\n                return true;\n        if (MATCH(payload, 0x05, 0x0f, 0x01, 0x00))\n                return true;\n        if (MATCH(payload, 0x05, 0x15, 0x01, 0x00))\n                return true;\n        return false;\n\n}\n\nstatic inline bool match_zoom_stream_hello(uint32_t payload, uint32_t len) {\n\n        /* Seen 72, 85 and 86 so far */\n        if (len >= 72 && len <= 90) {\n                if (MATCH(payload, 0x1f, 0x01, 0x01, 0x00))\n                        return true;\n        }\n        return false;\n\n}\n\nstatic inline bool match_zoom_manager(lpi_data_t *data) {\n\n        if (data->server_port != 8801 && data->client_port != 8801) {\n                return false;\n        }\n\n        /* Byte 4 must match in both directions */\n        if ((data->payload[0] & 0xff000000) != (data->payload[1] & 0xff000000))\n                return false;\n\n        if (match_zoom_01(data->payload[0], data->payload_len[0])) {\n                if (match_zoom_02(data->payload[1], data->payload_len[1]))\n                        return true;\n        }\n\n        if (match_zoom_01(data->payload[1], data->payload_len[1])) {\n                if (match_zoom_02(data->payload[0], data->payload_len[0]))\n                        return true;\n        }\n\n        if (match_zoom_05(data->payload[0]) && match_zoom_05(data->payload[1]))\n                return true;\n\n\treturn false;\n}\n\nstatic inline bool match_zoom_stream(lpi_data_t *data) {\n\n        if (match_zoom_stream_hello(data->payload[0], data->payload_len[0])) {\n                if (match_zoom_stream_hello(data->payload[1], 
data->payload_len[1]))\n                        return true;\n        }\n\n        return false;\n\n}\n\nstatic inline bool match_zoom(lpi_data_t *data, lpi_module_t *mod UNUSED) {\n\n        if (match_zoom_manager(data))\n                return true;\n\n        if (match_zoom_stream(data))\n                return true;\n\n        return false;\n}\n\nstatic lpi_module_t lpi_zoom = {\n\tLPI_PROTO_UDP_ZOOM,\n\tLPI_CATEGORY_VOIP,\n\t\"Zoom\",\n\t5,\n\tmatch_zoom\n};\n\nvoid register_zoom(LPIModuleMap *mod_map) {\n\tregister_protocol(&lpi_zoom, mod_map);\n}\n\n"
  },
  {
    "path": "lib/udp/udp_protocols.h",
    "content": "/*\n *\n * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.\n * All rights reserved.\n *\n * This file is part of libprotoident.\n *\n * This code has been developed by the University of Waikato WAND\n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU Lesser General Public License as published by\n * the Free Software Foundation; either version 3 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU Lesser General Public License for more details.\n *\n * You should have received a copy of the GNU Lesser General Public License\n * along with this program.  If not, see <http://www.gnu.org/licenses/>.\n *\n *\n */\n\n\n#ifndef UDP_PROTOCOLS_H_\n#define UDP_PROTOCOLS_H_\n\n#include \"proto_manager.h\"\n\nvoid register_360cn(LPIModuleMap *mod_map);\nvoid register_360p2p(LPIModuleMap *mod_map);\nvoid register_aachen_udp(LPIModuleMap *mod_map);\nvoid register_acercloud(LPIModuleMap *mod_map);\nvoid register_akamai(LPIModuleMap *mod_map);\nvoid register_akamai_transfer(LPIModuleMap *mod_map);\nvoid register_amanda(LPIModuleMap *mod_map);\nvoid register_apple_facetime_init(LPIModuleMap *mod_map);\nvoid register_ard(LPIModuleMap *mod_map);\nvoid register_ares_udp(LPIModuleMap *mod_map);\nvoid register_arksurvival(LPIModuleMap *mod_map);\nvoid register_arma_server(LPIModuleMap *mod_map);\nvoid register_arma3_server(LPIModuleMap *mod_map);\nvoid register_artcp(LPIModuleMap *mod_map);\nvoid register_assettocorsa(LPIModuleMap *mod_map);\nvoid register_avast_secure_dns(LPIModuleMap *mod_map);\nvoid register_backweb(LPIModuleMap *mod_map);\nvoid register_bacnet(LPIModuleMap 
*mod_map);\nvoid register_baiduyun_p2p(LPIModuleMap *mod_map);\nvoid register_baofeng_udp(LPIModuleMap *mod_map);\nvoid register_battlefield(LPIModuleMap *mod_map);\nvoid register_bjnp(LPIModuleMap *mod_map);\nvoid register_bmdp(LPIModuleMap *mod_map);\nvoid register_btsync_udp(LPIModuleMap *mod_map);\nvoid register_cacaoweb_udp(LPIModuleMap *mod_map);\nvoid register_callofduty(LPIModuleMap *mod_map);\nvoid register_canon_mfnp(LPIModuleMap *mod_map);\nvoid register_chargen_exploit(LPIModuleMap *mod_map);\nvoid register_checkpoint_rdp(LPIModuleMap *mod_map);\nvoid register_chivalry(LPIModuleMap *mod_map);\nvoid register_ethernetip_udp(LPIModuleMap *mod_map);\nvoid register_cip_io(LPIModuleMap *mod_map);\nvoid register_cirn(LPIModuleMap *mod_map);\nvoid register_cisco_ipsec(LPIModuleMap *mod_map);\nvoid register_cisco_sslvpn(LPIModuleMap *mod_map);\nvoid register_classin_udp(LPIModuleMap *mod_map);\nvoid register_cloudflare_warp(LPIModuleMap *mod_map);\nvoid register_codmobile(LPIModuleMap *mod_map);\nvoid register_combatarms(LPIModuleMap *mod_map);\nvoid register_combatarms_p2p(LPIModuleMap *mod_map);\nvoid register_contract_wars(LPIModuleMap *mod_map);\nvoid register_crossfire(LPIModuleMap *mod_map);\nvoid register_crossout(LPIModuleMap *mod_map);\nvoid register_csgo(LPIModuleMap *mod_map);\nvoid register_csoriginal(LPIModuleMap *mod_map);\nvoid register_dahua(LPIModuleMap *mod_map);\nvoid register_db2(LPIModuleMap *mod_map);\nvoid register_dcc_udp(LPIModuleMap *mod_map);\nvoid register_demonware(LPIModuleMap *mod_map);\nvoid register_destiny_udp(LPIModuleMap *mod_map);\nvoid register_dhcp(LPIModuleMap *mod_map);\nvoid register_dht_dict(LPIModuleMap *mod_map);\nvoid register_dht_other(LPIModuleMap *mod_map);\nvoid register_diablo2(LPIModuleMap *mod_map);\nvoid register_dianping_udp(LPIModuleMap *mod_map);\nvoid register_dianshijia(LPIModuleMap *mod_map);\nvoid register_directconnect_udp(LPIModuleMap *mod_map);\nvoid register_discord(LPIModuleMap *mod_map);\nvoid 
register_dns_udp(LPIModuleMap *mod_map);\nvoid register_dota2(LPIModuleMap *mod_map);\nvoid register_doyo(LPIModuleMap *mod_map);\nvoid register_driveshare(LPIModuleMap *mod_map);\nvoid register_dtls(LPIModuleMap *mod_map);\nvoid register_emule_udp(LPIModuleMap *mod_map);\nvoid register_emule_weak_udp(LPIModuleMap *mod_map);\nvoid register_epson(LPIModuleMap *mod_map);\nvoid register_eso(LPIModuleMap *mod_map);\nvoid register_esp_encap(LPIModuleMap *mod_map);\nvoid register_eye_udp(LPIModuleMap *mod_map);\nvoid register_fasp(LPIModuleMap *mod_map);\nvoid register_feitwo(LPIModuleMap *mod_map);\nvoid register_forticlient_sslvpn(LPIModuleMap *mod_map);\nvoid register_fortinet(LPIModuleMap *mod_map);\nvoid register_foscam(LPIModuleMap *mod_map);\nvoid register_freechal(LPIModuleMap *mod_map);\nvoid register_freefire(LPIModuleMap *mod_map);\nvoid register_funshion_udp(LPIModuleMap *mod_map);\nvoid register_gamespy(LPIModuleMap *mod_map);\nvoid register_ganglia(LPIModuleMap *mod_map);\nvoid register_gangsofspace(LPIModuleMap *mod_map);\nvoid register_garena(LPIModuleMap *mod_map);\nvoid register_gearsofwar(LPIModuleMap *mod_map);\nvoid register_gnutella_udp(LPIModuleMap *mod_map);\nvoid register_gnutella2_udp(LPIModuleMap *mod_map);\nvoid register_gnutella_weak(LPIModuleMap *mod_map);\nvoid register_gotomeeting(LPIModuleMap *mod_map);\nvoid register_gprs_tunnel(LPIModuleMap *mod_map);\nvoid register_gsm(LPIModuleMap *mod_map);\nvoid register_h1z1(LPIModuleMap *mod_map);\nvoid register_halflife(LPIModuleMap *mod_map);\nvoid register_haloonline(LPIModuleMap *mod_map);\nvoid register_hamachi_udp(LPIModuleMap *mod_map);\nvoid register_heliborne(LPIModuleMap *mod_map);\nvoid register_heroesevolved(LPIModuleMap *mod_map);\nvoid register_heroes_generals(LPIModuleMap *mod_map);\nvoid register_hollachat(LPIModuleMap *mod_map);\nvoid register_hots(LPIModuleMap *mod_map);\nvoid register_icp(LPIModuleMap *mod_map);\nvoid register_imesh_udp(LPIModuleMap *mod_map);\nvoid 
register_ipmsg(LPIModuleMap *mod_map);\nvoid register_ipv6_udp(LPIModuleMap *mod_map);\nvoid register_isakmp(LPIModuleMap *mod_map);\nvoid register_jedi_academy(LPIModuleMap *mod_map);\nvoid register_jedi_udp(LPIModuleMap *mod_map);\nvoid register_kademlia(LPIModuleMap *mod_map);\nvoid register_kankan(LPIModuleMap *mod_map);\nvoid register_kaspersky_udp(LPIModuleMap *mod_map);\nvoid register_kazaa(LPIModuleMap *mod_map);\nvoid register_kingofglory_udp(LPIModuleMap *mod_map);\nvoid register_kugou(LPIModuleMap *mod_map);\nvoid register_l2tp(LPIModuleMap *mod_map);\nvoid register_lansync_udp(LPIModuleMap *mod_map);\nvoid register_ldap_ad(LPIModuleMap *mod_map);\nvoid register_line_udp(LPIModuleMap *mod_map);\nvoid register_linkproof(LPIModuleMap *mod_map);\nvoid register_loadout(LPIModuleMap *mod_map);\nvoid register_lol(LPIModuleMap *mod_map);\nvoid register_mdns(LPIModuleMap *mod_map);\nvoid register_merakicloud(LPIModuleMap *mod_map);\nvoid register_moh(LPIModuleMap *mod_map);\nvoid register_moonhunters(LPIModuleMap *mod_map);\nvoid register_mp2p_udp(LPIModuleMap *mod_map);\nvoid register_msn_cache(LPIModuleMap *mod_map);\nvoid register_msn_video(LPIModuleMap *mod_map);\nvoid register_msoffice_mac(LPIModuleMap *mod_map);\nvoid register_mta(LPIModuleMap *mod_map);\nvoid register_mystery_05(LPIModuleMap *mod_map);\nvoid register_mystery_0660(LPIModuleMap *mod_map);\nvoid register_mystery_0d(LPIModuleMap *mod_map);\nvoid register_mystery_45(LPIModuleMap *mod_map);\nvoid register_mystery_61_72(LPIModuleMap *mod_map);\nvoid register_mystery_8000_udp(LPIModuleMap *mod_map);\nvoid register_mystery_99(LPIModuleMap *mod_map);\nvoid register_mystery_e9(LPIModuleMap *mod_map);\nvoid register_mystery_qq(LPIModuleMap *mod_map);\nvoid register_n2ping(LPIModuleMap *mod_map);\nvoid register_natpmp(LPIModuleMap *mod_map);\nvoid register_netbios_udp(LPIModuleMap *mod_map);\nvoid register_netcat_cctv_udp(LPIModuleMap *mod_map);\nvoid register_netcore_scan(LPIModuleMap 
*mod_map);\nvoid register_netflow(LPIModuleMap *mod_map);\nvoid register_newerth(LPIModuleMap *mod_map);\nvoid register_nintendo(LPIModuleMap *mod_map);\nvoid register_noction(LPIModuleMap *mod_map);\nvoid register_noe(LPIModuleMap *mod_map);\nvoid register_norton(LPIModuleMap *mod_map);\nvoid register_ntp(LPIModuleMap *mod_map);\nvoid register_ntp_reflect(LPIModuleMap *mod_map);\nvoid register_nwn(LPIModuleMap *mod_map);\nvoid register_nvidia_gamestream(LPIModuleMap *mod_map);\nvoid register_opaserv(LPIModuleMap *mod_map);\nvoid register_openvpn_udp(LPIModuleMap *mod_map);\nvoid register_orbit_udp(LPIModuleMap *mod_map);\nvoid register_overwatch(LPIModuleMap *mod_map);\nvoid register_paladins(LPIModuleMap *mod_map);\nvoid register_pando_udp(LPIModuleMap *mod_map);\nvoid register_panipani(LPIModuleMap *mod_map);\nvoid register_planetside2(LPIModuleMap *mod_map);\nvoid register_portmap_rpc(LPIModuleMap *mod_map);\nvoid register_pplive(LPIModuleMap *mod_map);\nvoid register_ppstream(LPIModuleMap *mod_map);\nvoid register_probable_gnutella(LPIModuleMap *mod_map);\nvoid register_ps4_remoteplay(LPIModuleMap *mod_map);\nvoid register_psn(LPIModuleMap *mod_map);\nvoid register_punkbuster(LPIModuleMap *mod_map);\nvoid register_pyzor(LPIModuleMap *mod_map);\nvoid register_qq(LPIModuleMap *mod_map);\nvoid register_qqlive(LPIModuleMap *mod_map);\nvoid register_qqpcmgr(LPIModuleMap *mod_map);\nvoid register_qqspeedmobile_udp(LPIModuleMap *mod_map);\nvoid register_quake(LPIModuleMap *mod_map);\nvoid register_quic(LPIModuleMap *mod_map);\nvoid register_qvod_udp(LPIModuleMap *mod_map);\nvoid register_radius(LPIModuleMap *mod_map);\nvoid register_ramsey_dash(LPIModuleMap *mod_map);\nvoid register_rdp_udp(LPIModuleMap *mod_map);\nvoid register_real(LPIModuleMap *mod_map);\nvoid register_risingstorm(LPIModuleMap *mod_map);\nvoid register_raknet(LPIModuleMap *mod_map);\nvoid register_robocraft(LPIModuleMap *mod_map);\nvoid register_rocket_league(LPIModuleMap *mod_map);\nvoid 
register_rrshare(LPIModuleMap *mod_map);\nvoid register_rtcp(LPIModuleMap *mod_map);\nvoid register_rtmfp(LPIModuleMap *mod_map);\nvoid register_rtp(LPIModuleMap *mod_map);\nvoid register_rulesofsurvival(LPIModuleMap *mod_map);\nvoid register_sanandreas_mp(LPIModuleMap *mod_map);\nvoid register_second_life_udp(LPIModuleMap *mod_map);\nvoid register_serialnumberd(LPIModuleMap *mod_map);\nvoid register_sip_udp(LPIModuleMap *mod_map);\nvoid register_skype(LPIModuleMap *mod_map);\nvoid register_slp(LPIModuleMap *mod_map);\nvoid register_smite(LPIModuleMap *mod_map);\nvoid register_snapvpn(LPIModuleMap *mod_map);\nvoid register_snmp(LPIModuleMap *mod_map);\nvoid register_sopcast(LPIModuleMap *mod_map);\nvoid register_spamfighter(LPIModuleMap *mod_map);\nvoid register_spotify_bcast(LPIModuleMap *mod_map);\nvoid register_sql_worm(LPIModuleMap *mod_map);\nvoid register_ssdp(LPIModuleMap *mod_map);\nvoid register_starcitizen(LPIModuleMap *mod_map);\nvoid register_starcraft(LPIModuleMap *mod_map);\nvoid register_starleaf(LPIModuleMap *mod_map);\nvoid register_steamfriends(LPIModuleMap *mod_map);\nvoid register_steam_inhomebroadcast(LPIModuleMap *mod_map);\nvoid register_steam_localbroadcast(LPIModuleMap *mod_map);\nvoid register_steam_udp(LPIModuleMap *mod_map);\nvoid register_storm_worm(LPIModuleMap *mod_map);\nvoid register_stun(LPIModuleMap *mod_map);\nvoid register_syslog(LPIModuleMap *mod_map);\nvoid register_talesrunner_udp(LPIModuleMap *mod_map);\nvoid register_teamspeak(LPIModuleMap *mod_map);\nvoid register_teamviewer_udp(LPIModuleMap *mod_map);\nvoid register_teredo(LPIModuleMap *mod_map);\nvoid register_tf2(LPIModuleMap *mod_map);\nvoid register_tftp(LPIModuleMap *mod_map);\nvoid register_thecrew(LPIModuleMap *mod_map);\nvoid register_thq(LPIModuleMap *mod_map);\nvoid register_torchlight2(LPIModuleMap *mod_map);\nvoid register_tox(LPIModuleMap *mod_map);\nvoid register_traceroute(LPIModuleMap *mod_map);\nvoid register_tremulous(LPIModuleMap *mod_map);\nvoid 
register_turbovpn(LPIModuleMap *mod_map);\nvoid register_tvants(LPIModuleMap *mod_map);\nvoid register_ubisoft_games(LPIModuleMap *mod_map);\nvoid register_udp_no_payload(LPIModuleMap *mod_map);\nvoid register_umeye(LPIModuleMap *mod_map);\nvoid register_unreal(LPIModuleMap *mod_map);\nvoid register_ventrilo(LPIModuleMap *mod_map);\nvoid register_viber_udp(LPIModuleMap *mod_map);\nvoid register_vivox(LPIModuleMap *mod_map);\nvoid register_vpnmaster(LPIModuleMap *mod_map);\nvoid register_vpnrobot_udp(LPIModuleMap *mod_map);\nvoid register_vxworks_exploit(LPIModuleMap *mod_map);\nvoid register_warthunder(LPIModuleMap *mod_map);\nvoid register_webex(LPIModuleMap *mod_map);\nvoid register_wechat_udp(LPIModuleMap *mod_map);\nvoid register_winmessage(LPIModuleMap *mod_map);\nvoid register_wireguard(LPIModuleMap *mod_map);\nvoid register_wolfet(LPIModuleMap *mod_map);\nvoid register_worm_22105(LPIModuleMap *mod_map);\nvoid register_xfire_p2p(LPIModuleMap *mod_map);\nvoid register_xlsp(LPIModuleMap *mod_map);\nvoid register_xunlei_jsq(LPIModuleMap *mod_map);\nvoid register_xunlei_udp(LPIModuleMap *mod_map);\nvoid register_xunyou(LPIModuleMap *mod_map);\nvoid register_youdao_dict(LPIModuleMap *mod_map);\nvoid register_youku_udp(LPIModuleMap *mod_map);\nvoid register_yuanfudao(LPIModuleMap *mod_map);\nvoid register_yy_udp(LPIModuleMap *mod_map);\nvoid register_zalo_call(LPIModuleMap *mod_map);\nvoid register_zeroaccess_udp(LPIModuleMap *mod_map);\nvoid register_zoom(LPIModuleMap *mod_map);\n#endif\n"
  },
  {
    "path": "rpm/libprotoident.spec",
    "content": "Name:           libprotoident\nVersion:        2.0.15\nRelease:        2%{?dist}\nSummary:        C/C++ Library for performing lightweight traffic classification\n\nLicense:        LGPLv3\nURL:            https://github.com/wanduow/libprotoident\nSource0:        https://github.com/wanduow/libprotoident/archive/%{version}.tar.gz\n\nBuildRequires: gcc\nBuildRequires: gcc-c++\nBuildRequires: make\nBuildRequires: libtrace4-devel\nBuildRequires: libflowmanager-devel\n\nProvides: libprotoident\n\n%description\nlibprotoident is a library that can perform traffic classification\non each network flow observed via a packet capture process (including\npcap trace files and many common live packet capture approaches).\nThe classification is performed by examining the packet headers and\nfirst four bytes of application payload only, so can be used in\nenvironments where full payload capture is not possible.\n\nlibprotoident is developed by the WAND Network Research Group at Waikato\nUniversity in New Zealand.\n\n%package        devel\nSummary:        Development files for %{name}\nRequires:       %{name}%{?_isa} = %{version}-%{release}\n\n%description devel\nThe %{name}-devel package contains libraries and header files for\ndeveloping applications that use %{name}.\n\n%package        tools\nSummary:        Example software utilities for %{name}\nRequires:       %{name}%{?_isa} = %{version}-%{release}\n\n%description tools\nThe %{name}-tools package contains example utilities that make use of the\n%{name} library.\n\n%prep\n%setup -q -n libprotoident-%{version}\n\n%build\n%configure --disable-static\nmake %{?_smp_mflags}\n\n\n%install\nrm -rf $RPM_BUILD_ROOT\n%make_install\nfind $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'\n\n%post -p /sbin/ldconfig\n\n%postun -p /sbin/ldconfig\n\n%files\n%license COPYING\n%{_libdir}/libprotoident.so.*\n\n%files devel\n%{_includedir}/libprotoident*\n%{_libdir}/libprotoident.so\n\n%files 
tools\n%{_bindir}/*\n%{_mandir}/man1/*\n\n%changelog\n* Mon Mar 29 2021 Shane Alcock <shane.alcock@waikato.ac.nz> - 2.0.15-2\n- Rebuild package to be compatible with latest libtrace\n\n* Thu Nov 12 2020 Shane Alcock <shane.alcock@waikato.ac.nz> - 2.0.15-1\n- First libprotoident RPM package\n"
  },
  {
    "path": "rpmpkg-build.sh",
    "content": "#!/bin/bash\n\nset -x -e -o pipefail\n\nexport QA_RPATHS=$[ 0x0001 ]\nSOURCENAME=`echo ${GITHUB_REF##*/} | cut -d '-' -f 1`\n\n./bootstrap.sh && ./configure && make dist\ncp libprotoident-*.tar.gz ~/rpmbuild/SOURCES/${SOURCENAME}.tar.gz\ncp rpm/libprotoident.spec ~/rpmbuild/SPECS/\n\ncd ~/rpmbuild && rpmbuild -bb --define \"debug_package %{nil}\" SPECS/libprotoident.spec\n\n\n"
  },
  {
    "path": "rpmpkg-setup.sh",
    "content": "#!/bin/bash\nset -x -e -o pipefail\n\n\nDISTRO=fedora\nif [ \"$1\" = \"centos:8\" ]; then\n        DISTRO=centos\nfi\n\nif [ \"$1\" = \"centos:7\" ]; then\n        DISTRO=centos\nfi\n\nmkdir -p /run/user/${UID}\nchmod 0700 /run/user/${UID}\nyum install -y wget make gcc\n\ncurl -1sLf \\\n  'https://dl.cloudsmith.io/public/wand/libwandio/cfg/setup/bash.rpm.sh' \\\n    | bash\n\ncurl -1sLf \\\n  'https://dl.cloudsmith.io/public/wand/libwandder/cfg/setup/bash.rpm.sh' \\\n    | bash\n\ncurl -1sLf \\\n  'https://dl.cloudsmith.io/public/wand/libtrace/cfg/setup/bash.rpm.sh' \\\n    | bash\n\ncurl -1sLf \\\n  'https://dl.cloudsmith.io/public/wand/libflowmanager/cfg/setup/bash.rpm.sh' \\\n    | bash\n\nyum update -y\n\nif [ \"$1\" = \"centos:8\" ]; then\n        yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm || true\n        dnf install -y 'dnf-command(config-manager)' || true\n        yum config-manager --set-enabled PowerTools || true\n        yum config-manager --set-enabled powertools || true\nfi\n\nif [ \"$1\" = \"centos:7\" ]; then\n        yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm || true\nfi\n\nif [[ \"$1\" =~ fedora* ]]; then\n        dnf install -y rpm-build rpmdevtools 'dnf-command(builddep)' which\n        dnf group install -y \"C Development Tools and Libraries\"\n        dnf builddep -y rpm/libprotoident.spec\nelse\n        yum install -y rpm-build yum-utils rpmdevtools which\n        yum groupinstall -y 'Development Tools'\n        yum-builddep -y rpm/libprotoident.spec\nfi\n\nrpmdev-setuptree\n"
  },
  {
    "path": "test/lpi_test_results",
    "content": "HTTP 69.105.38.213 42.172.118.65 3540 443 6 1168819201.135 158 0 48545450 HTTP 53 00000000 .... 0 \nHTTPS 69.105.38.213 42.172.118.67 3541 443 6 1168819201.165 7 0 15030100 .... 7 00000000 .... 0 \nNo_Payload 69.105.38.213 42.172.118.66 3542 443 6 1168819201.185 0 0 00000000 .... 0 00000000 .... 0 \nHTTP 69.105.38.213 42.172.118.65 3543 443 6 1168819201.204 158 0 48545450 HTTP 53 00000000 .... 0 \nHTTP 61.27.66.223 69.105.13.23 1362 80 6 1168819201.076 450 430 48545450 HTTP 450 47455420 GET. 430 \nHTTP 61.24.28.192 69.105.13.23 50078 80 6 1168819201.160 589 278 48545450 HTTP 589 47455420 GET. 278 \nHTTP 69.105.2.222 42.135.12.22 37494 80 6 1168819201.222 249 782 48545450 HTTP 249 47455420 GET. 782 \nHTTP 255.241.81.173 69.105.13.23 50388 80 6 1168819201.027 10676 320 48545450 HTTP 1380 47455420 GET. 320 \nHTTP 42.187.208.120 69.105.13.23 1230 80 6 1168819201.216 1740 203 48545450 HTTP 1380 47455420 GET. 203 \nHTTP 61.27.66.223 69.105.13.23 1364 80 6 1168819201.254 457 430 48545450 HTTP 457 47455420 GET. 430 \nHTTP 61.24.28.192 69.105.13.23 50079 80 6 1168819201.327 385 282 48545450 HTTP 385 47455420 GET. 282 \nHTTP 255.241.81.173 69.105.13.23 50389 80 6 1168819201.335 225 396 48545450 HTTP 225 47455420 GET. 396 \nHTTP 50.60.128.26 69.105.13.23 49168 80 6 1168819201.566 1239 302 48545450 HTTP 1239 47455420 GET. 302 \nHTTP 69.105.2.222 42.135.12.22 51143 80 6 1168819201.535 249 767 48545450 HTTP 249 47455420 GET. 767 \nHTTP 69.105.2.222 42.66.23.42 33062 80 6 1168819201.172 4831 386 48545450 HTTP 1380 47455420 GET. 386 \nHTTP 69.105.2.156 42.135.12.22 43976 80 6 1168819201.566 2148 1682 48545450 HTTP 1368 47455420 GET. 1368 \nHTTP 255.241.81.173 69.105.13.23 50390 80 6 1168819201.505 225 400 48545450 HTTP 225 47455420 GET. 400 \nHTTP 69.105.207.210 43.196.4.116 56144 80 6 1168819201.099 27333 1178 48545450 HTTP 1368 47455420 GET. 571 \nHTTP 69.105.2.222 42.66.23.42 54460 80 6 1168819201.248 3671 392 48545450 HTTP 1380 47455420 GET. 
392 \nHTTP 61.24.28.192 69.105.13.23 50080 80 6 1168819201.492 7102 293 48545450 HTTP 1380 47455420 GET. 293 \nHTTP_P2P 69.105.2.157 61.25.79.77 2048 50626 6 1168819201.024 1256 4830 47455420 GET. 1256 48545450 HTTP 392 \nHTTP 69.105.2.156 68.75.61.253 58721 80 6 1168819201.707 280 755 48545450 HTTP 280 47455420 GET. 755 \nHTTP_P2P 69.105.2.157 61.25.79.77 2048 50627 6 1168819201.088 1262 3670 47455420 GET. 1262 48545450 HTTP 391 \nHTTP 69.105.207.210 43.196.35.168 56147 80 6 1168819201.795 261 637 48545450 HTTP 261 47455420 GET. 637 \nHTTP 255.241.81.173 69.105.13.23 50391 80 6 1168819201.669 225 401 48545450 HTTP 225 47455420 GET. 401 \nHTTP 69.105.2.156 140.151.237.178 33454 80 6 1168819201.557 1424 1462 48545450 HTTP 1356 47455420 GET. 1368 \nHTTP 255.241.81.173 69.105.13.23 50392 80 6 1168819201.834 224 397 48545450 HTTP 224 47455420 GET. 397 \nHTTP 69.105.2.222 42.135.12.22 35425 80 6 1168819201.093 247 783 48545450 HTTP 247 47455420 GET. 783 \nHTTP 69.105.166.211 43.203.57.1 39658 80 6 1168819201.918 164 616 48545450 HTTP 113 47455420 GET. 616 \nHTTP 69.105.166.211 42.45.160.211 39659 80 6 1168819202.012 146 560 48545450 HTTP 146 47455420 GET. 560 \nHTTP 61.24.28.192 69.105.13.23 50081 80 6 1168819201.737 10324 293 48545450 HTTP 1380 47455420 GET. 293 \nHTTP 69.105.166.211 42.45.160.211 39660 80 6 1168819202.069 147 396 48545450 HTTP 147 47455420 GET. 396 \nHTTP 255.241.81.173 69.105.13.23 50393 80 6 1168819201.998 224 399 48545450 HTTP 224 47455420 GET. 399 \nHTTP 69.105.166.211 42.45.160.211 39661 80 6 1168819202.115 147 394 48545450 HTTP 147 47455420 GET. 394 \nHTTP 69.105.166.211 42.45.160.211 39662 80 6 1168819202.139 147 395 48545450 HTTP 147 47455420 GET. 395 \nHTTP 69.105.2.222 42.135.12.22 38122 80 6 1168819201.335 739 777 48545450 HTTP 739 47455420 GET. 777 \nHTTP 69.105.166.211 42.45.160.211 39663 80 6 1168819202.219 147 395 48545450 HTTP 147 47455420 GET. 
395 \nHTTP 49.26.100.21 69.105.203.31 30715 80 6 1168819201.634 2505 319 48545450 HTTP 1380 47455420 GET. 319 \nHTTP 69.105.166.211 42.45.160.211 39664 80 6 1168819202.272 146 396 48545450 HTTP 146 47455420 GET. 396 \nHTTP 69.105.2.222 42.66.23.42 41437 80 6 1168819201.911 787 396 48545450 HTTP 713 47455420 GET. 396 \nHTTP 69.105.2.222 42.66.23.42 52211 80 6 1168819201.990 767 400 48545450 HTTP 693 47455420 GET. 400 \nHTTP 69.105.2.156 42.135.12.22 33524 80 6 1168819201.672 2861 1682 48545450 HTTP 1368 47455420 GET. 1368 \nHTTP 61.24.28.192 69.105.13.23 50082 80 6 1168819202.071 14161 293 48545450 HTTP 1380 47455420 GET. 293 \nHTTP_P2P 69.105.2.157 61.25.79.77 2048 50628 6 1168819201.740 1266 786 47455420 GET. 1266 48545450 HTTP 390 \nHTTP_P2P 69.105.2.157 61.25.79.77 2048 50629 6 1168819201.834 1270 766 47455420 GET. 1270 48545450 HTTP 390 \nHTTP 69.105.166.211 43.203.57.1 39665 80 6 1168819202.365 164 620 48545450 HTTP 113 47455420 GET. 620 \nHTTP 69.105.166.211 42.45.160.211 39666 80 6 1168819202.382 146 396 48545450 HTTP 146 47455420 GET. 396 \nHTTP 61.24.28.192 69.105.13.23 50083 80 6 1168819202.382 10676 293 48545450 HTTP 1380 47455420 GET. 293 \nHTTP 69.105.166.211 43.203.57.1 39668 80 6 1168819202.690 164 622 48545450 HTTP 113 47455420 GET. 622 \nSMTP 192.163.40.130 69.105.2.89 62927 25 6 1168819201.178 315 1465 32323020 220. 38 45484c4f EHLO 50 \nHTTP 255.241.81.173 69.105.13.23 50394 80 6 1168819202.167 61259 396 48545450 HTTP 1380 47455420 GET. 396 \nHTTP 69.105.166.211 42.45.160.211 39669 80 6 1168819202.719 1443 328 48545450 HTTP 1380 47455420 GET. 328 \nHTTP 49.26.100.21 69.105.203.31 30714 80 6 1168819201.634 9900 319 48545450 HTTP 1380 47455420 GET. 319 \nHTTP 61.24.28.192 69.105.13.23 50084 80 6 1168819202.692 761 280 48545450 HTTP 761 47455420 GET. 280 \nHTTP 69.105.2.222 42.66.23.42 50195 80 6 1168819202.562 1735 390 48545450 HTTP 1380 47455420 GET. 
390 \nHTTP 255.241.81.173 69.105.13.23 50395 80 6 1168819202.794 224 396 48545450 HTTP 224 47455420 GET. 396 \nHTTP 255.241.81.173 69.105.13.23 50396 80 6 1168819202.813 224 401 48545450 HTTP 224 47455420 GET. 401 \nHTTP_P2P 69.105.2.157 61.25.79.77 2048 50630 6 1168819202.419 1260 1734 47455420 GET. 1260 48545450 HTTP 391 \nHTTP 69.105.2.222 42.66.23.42 59418 80 6 1168819202.637 1733 392 48545450 HTTP 1380 47455420 GET. 392 \nHTTP 44.44.186.14 69.105.203.84 57293 80 6 1168819201.758 42225 266 48545450 HTTP 1380 47455420 GET. 266 \nHTTP 61.24.28.192 69.105.13.23 50070 80 6 1168819202.849 1200 284 48545450 HTTP 1200 47455420 GET. 284 \nHTTP 61.24.28.192 69.105.13.23 50085 80 6 1168819202.870 1239 284 48545450 HTTP 1239 47455420 GET. 284 \nHTTP 50.60.128.26 69.105.13.23 49154 80 6 1168819203.086 391 302 48545450 HTTP 391 47455420 GET. 302 \nHTTP 69.105.166.211 43.203.57.1 39671 80 6 1168819203.054 164 617 48545450 HTTP 113 47455420 GET. 617 \nHTTP 50.60.128.26 69.105.13.23 49193 80 6 1168819203.107 496 299 48545450 HTTP 496 47455420 GET. 299 \nHTTP 50.60.128.26 69.105.13.23 49195 80 6 1168819203.131 522 304 48545450 HTTP 522 47455420 GET. 304 \nHTTP 69.105.166.211 43.203.57.1 39672 80 6 1168819203.102 164 617 48545450 HTTP 113 47455420 GET. 617 \nHTTP 255.241.81.173 69.105.13.23 50397 80 6 1168819202.998 1740 219 48545450 HTTP 1380 47455420 GET. 219 \nHTTP_P2P 69.105.2.157 61.25.79.77 2048 50631 6 1168819202.423 1262 1732 47455420 GET. 1262 48545450 HTTP 391 \nHTTP 255.241.81.173 69.105.13.23 50398 80 6 1168819203.021 225 405 48545450 HTTP 225 47455420 GET. 405 \nHTTP 50.60.128.26 69.105.13.23 49198 80 6 1168819203.180 225 395 48545450 HTTP 225 47455420 GET. 395 \nHTTP 69.105.207.210 197.120.55.199 56150 80 6 1168819202.936 1500 1510 48545450 HTTP 1368 47455420 GET. 1368 \nHTTP 61.24.28.192 69.105.13.23 50087 80 6 1168819203.128 391 284 48545450 HTTP 391 47455420 GET. 
284 \nHTTP 255.241.81.173 69.105.13.23 50399 80 6 1168819203.164 225 409 48545450 HTTP 225 47455420 GET. 409 \nHTTP 255.241.81.173 69.105.13.23 50400 80 6 1168819203.191 225 414 48545450 HTTP 225 47455420 GET. 414 \nSMTP 192.92.41.11 69.105.2.232 4591 25 6 1168819202.446 65 7 32323020 220. 38 45484c4f EHLO 7 \nHTTP 69.105.166.211 43.203.57.1 39674 80 6 1168819203.342 164 622 48545450 HTTP 113 47455420 GET. 622 \nSMTP 43.94.176.178 69.105.2.232 33986 25 6 1168819201.821 340 116361 32323020 220. 38 45484c4f EHLO 25 \nHTTP 69.105.2.222 42.135.12.22 58067 80 6 1168819203.346 249 778 48545450 HTTP 249 47455420 GET. 778 \nHTTP 255.241.81.173 69.105.13.23 50401 80 6 1168819203.330 225 408 48545450 HTTP 225 47455420 GET. 408 \nHTTP 43.82.63.173 69.105.13.23 2457 80 6 1168819203.416 12070 273 48545450 HTTP 1380 47455420 GET. 273 \nHTTP 255.241.81.173 69.105.13.23 50402 80 6 1168819203.360 225 405 48545450 HTTP 225 47455420 GET. 405 \nHTTP 69.105.2.222 42.66.23.42 44762 80 6 1168819203.153 1696 394 48545450 HTTP 1380 47455420 GET. 394 \nHTTP 69.105.197.19 59.103.17.103 50525 80 6 1168819203.451 149 142 48545450 HTTP 149 47455420 GET. 63 \nHTTP 61.24.28.192 69.105.13.23 50088 80 6 1168819203.287 12070 251 48545450 HTTP 1380 47455420 GET. 251 \nHTTP_P2P 69.105.2.157 61.25.79.77 2048 50632 6 1168819203.011 1264 1695 47455420 GET. 1264 48545450 HTTP 391 \nHTTP 69.105.197.19 59.103.17.103 50526 80 6 1168819203.557 145 138 48545450 HTTP 145 47455420 GET. 59 \nHTTP 69.105.2.222 42.66.23.42 35107 80 6 1168819203.305 1746 395 48545450 HTTP 1380 47455420 GET. 395 \nHTTP 69.105.2.222 42.135.12.22 38820 80 6 1168819203.490 3808 705 48545450 HTTP 1368 47455420 GET. 705 \nHTTP 43.82.63.173 69.105.13.23 2458 80 6 1168819203.597 227 385 48545450 HTTP 227 47455420 GET. 385 \nHTTP 43.82.63.173 69.105.13.23 2459 80 6 1168819203.605 226 385 48545450 HTTP 226 47455420 GET. 385 \nHTTP 69.105.2.222 42.135.12.22 44343 80 6 1168819203.231 249 773 48545450 HTTP 249 47455420 GET. 
773 \nHTTP 69.105.197.19 59.103.17.103 50527 80 6 1168819203.626 148 146 48545450 HTTP 148 47455420 GET. 67 \nHTTP 255.241.81.173 69.105.13.23 50403 80 6 1168819203.514 225 405 48545450 HTTP 225 47455420 GET. 405 \nHTTP 61.24.28.192 69.105.13.23 50086 80 6 1168819203.076 61259 279 48545450 HTTP 1380 47455420 GET. 279 \nHTTP 43.82.63.173 69.105.13.23 2460 80 6 1168819203.640 227 383 48545450 HTTP 227 47455420 GET. 383 \nHTTP 69.105.197.19 59.103.17.103 50528 80 6 1168819203.664 145 142 48545450 HTTP 145 47455420 GET. 63 \nHTTP 43.82.63.173 69.105.13.23 2461 80 6 1168819203.667 225 390 48545450 HTTP 225 47455420 GET. 390 \nHTTP 43.82.63.173 69.105.13.23 2462 80 6 1168819203.702 225 402 48545450 HTTP 225 47455420 GET. 402 \nHTTP 69.105.197.19 59.103.17.103 50529 80 6 1168819203.706 148 145 48545450 HTTP 148 47455420 GET. 66 \nHTTP_P2P 69.105.2.157 61.25.79.77 2048 50633 6 1168819203.165 1265 1745 47455420 GET. 1265 48545450 HTTP 391 \nHTTP 61.24.28.192 69.105.13.23 50089 80 6 1168819203.624 522 286 48545450 HTTP 522 47455420 GET. 286 \nRazor 197.99.150.3 69.105.197.16 2703 48967 6 1168819203.060 29 117 613d6726 a=g& 12 736e3d44 sn=D 35 \nHTTP 43.82.63.173 69.105.13.23 2464 80 6 1168819203.750 227 379 48545450 HTTP 227 47455420 GET. 379 \nHTTP 43.82.63.173 69.105.13.23 2463 80 6 1168819203.725 42927 298 48545450 HTTP 1380 47455420 GET. 298 \nRazor 197.99.150.3 69.105.2.155 2703 33279 6 1168819203.088 29 117 613d6726 a=g& 12 736e3d44 sn=D 35 \nHTTP 61.24.28.192 69.105.13.23 50090 80 6 1168819203.676 496 281 48545450 HTTP 496 47455420 GET. 281 \nHTTP 43.82.63.173 69.105.13.23 2465 80 6 1168819203.830 226 390 48545450 HTTP 226 47455420 GET. 390 \nHTTP 43.82.63.173 69.105.13.23 2466 80 6 1168819203.852 224 385 48545450 HTTP 224 47455420 GET. 385 \nHTTP 43.82.63.173 69.105.13.23 2467 80 6 1168819203.883 225 379 48545450 HTTP 225 47455420 GET. 379 \nHTTP 43.82.63.173 69.105.13.23 2468 80 6 1168819203.895 226 381 48545450 HTTP 226 47455420 GET. 
381 \nSMTP 193.132.251.169 69.105.2.232 51073 25 6 1168819201.628 357 108 32323020 220. 38 45484c4f EHLO 44 \nHTTP 43.82.63.173 69.105.13.23 2469 80 6 1168819203.931 225 398 48545450 HTTP 225 47455420 GET. 398 \nHTTP 43.82.63.173 69.105.13.23 2470 80 6 1168819203.957 226 378 48545450 HTTP 226 47455420 GET. 378 \nHTTP 61.24.28.192 69.105.13.23 50092 80 6 1168819203.835 1583 272 48545450 HTTP 1380 47455420 GET. 272 \nHTTP 50.60.128.26 69.105.13.23 49207 80 6 1168819203.991 225 400 48545450 HTTP 225 47455420 GET. 400 \nNo_Payload 69.105.197.22 34.181.123.167 59351 113 6 1168819203.487 0 0 00000000 .... 0 00000000 .... 0 \nHTTP 43.82.63.173 69.105.13.23 2471 80 6 1168819203.981 225 383 48545450 HTTP 225 47455420 GET. 383 \nHTTP 61.24.28.192 69.105.13.23 50091 80 6 1168819203.780 10329 271 48545450 HTTP 1380 47455420 GET. 271 \nHTTP 69.105.2.222 42.66.23.42 34544 80 6 1168819203.747 1271 401 48545450 HTTP 1197 47455420 GET. 401 \nNo_Payload 69.105.197.22 34.181.123.167 42334 113 6 1168819203.642 0 0 00000000 .... 0 00000000 .... 0 \nHTTP_P2P 69.105.2.157 61.25.79.77 2048 50634 6 1168819203.606 1271 1270 47455420 GET. 1271 48545450 HTTP 390 \nHTTP 69.105.2.222 42.66.23.42 42954 80 6 1168819203.905 1411 387 48545450 HTTP 1337 47455420 GET. 387 \nHTTP 61.24.28.192 69.105.13.23 50093 80 6 1168819204.000 7192 269 48545450 HTTP 1380 47455420 GET. 269 \nSMTP 193.132.251.169 69.105.2.232 51079 25 6 1168819202.592 357 108 32323020 220. 38 45484c4f EHLO 44 \nHTTP 61.24.28.192 69.105.13.23 50094 80 6 1168819204.101 6574 265 48545450 HTTP 1380 47455420 GET. 265 \nHTTP_P2P 69.105.2.157 61.25.79.77 2048 50635 6 1168819203.761 1256 1410 47455420 GET. 1256 48545450 HTTP 390 \nHTTP 61.24.28.192 69.105.13.23 50095 80 6 1168819204.237 371 267 48545450 HTTP 371 47455420 GET. 267 \nHTTP 39.171.180.203 56.147.60.139 59590 80 6 1168819201.211 806 2732 48545450 HTTP 422 47455420 GET. 1351 \nHTTP 61.24.28.192 69.105.13.23 50096 80 6 1168819204.344 467 278 48545450 HTTP 467 47455420 GET. 
278 \nHTTP 50.60.128.26 69.105.13.23 49212 80 6 1168819204.479 225 382 48545450 HTTP 225 47455420 GET. 382 \nHTTP 58.90.180.7 69.105.13.23 3216 80 6 1168819201.553 226 310 48545450 HTTP 226 47455420 GET. 310 \nHTTP 39.171.180.203 43.26.228.234 4066 80 6 1168819204.484 405 858 48545450 HTTP 405 47455420 GET. 858 \nHTTP 49.26.100.21 69.105.203.31 30713 80 6 1168819201.630 121763 313 48545450 HTTP 1380 47455420 GET. 313 \nHTTP 50.60.128.26 69.105.13.23 49214 80 6 1168819204.506 225 394 48545450 HTTP 225 47455420 GET. 394 \nHTTP 58.90.180.7 69.105.13.23 3217 80 6 1168819201.943 226 310 48545450 HTTP 226 47455420 GET. 310 \nHTTP 69.105.207.210 38.155.150.139 56148 80 6 1168819202.104 137 545 48545450 HTTP 137 47455420 GET. 545 \nHTTP 61.24.28.192 69.105.13.23 50097 80 6 1168819204.396 773 268 48545450 HTTP 773 47455420 GET. 268 \nSMTP 213.232.228.16 69.105.2.89 3604 25 6 1168819202.491 395 109 32323020 220. 38 45484c4f EHLO 48 \nHTTP 50.60.128.26 69.105.13.23 49171 80 6 1168819201.637 75059 297 48545450 HTTP 1380 47455420 GET. 297 \nRazor 197.99.150.3 69.105.2.232 2703 52428 6 1168819203.857 29 117 613d6726 a=g& 12 736e3d44 sn=D 35 \nRazor 197.99.150.3 69.105.2.155 2703 33283 6 1168819203.861 29 117 613d6726 a=g& 12 736e3d44 sn=D 35 \nNo_Payload 50.105.44.11 69.105.144.66 51000 80 6 1168819201.445 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 43.82.22.227 69.105.166.144 3627 135 6 1168819201.485 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.32.147 209.115.210.85 4662 63050 6 1168819201.655 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.230.150 215.8.24.93 1378 7961 6 1168819201.692 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.230.150 195.192.73.13 1381 5522 6 1168819201.793 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.40.14 210.206.213.132 2845 58716 6 1168819201.822 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.2.156 44.136.40.214 47758 80 6 1168819202.031 0 0 00000000 .... 0 00000000 .... 
0 \nNo_Payload 40.226.64.253 69.105.221.32 3594 8532 6 1168819202.147 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.2.156 42.135.12.22 37950 80 6 1168819202.191 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.40.14 208.99.97.166 2852 6881 6 1168819202.259 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 143.192.185.25 69.105.230.150 4416 7226 6 1168819202.285 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.2.222 42.135.12.22 48557 80 6 1168819202.294 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 43.205.240.253 69.105.13.23 2113 389 6 1168819202.350 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.40.14 204.165.104.105 2854 57977 6 1168819202.369 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.2.156 42.135.12.22 53091 80 6 1168819202.382 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 53.124.123.22 69.105.198.83 55050 8080 6 1168819202.384 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.230.150 61.86.232.141 1380 11883 6 1168819202.397 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.230.150 59.121.65.165 1383 26284 6 1168819202.497 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.54.27 168.110.170.169 3528 35095 6 1168819202.640 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.230.150 58.216.221.222 2929 1274 6 1168819202.732 0 0 00000000 .... 0 00000000 .... 0 \nHTTP 69.105.2.156 199.243.87.232 42343 80 6 1168819202.134 3469 515 48545450 HTTP 1380 47455420 GET. 515 \nNo_Payload 40.116.114.47 39.171.178.209 1088 135 6 1168819202.880 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 213.229.187.254 69.105.144.67 3129 9990 6 1168819203.040 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 255.241.72.45 69.105.167.158 50702 8080 6 1168819203.128 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.40.14 212.75.92.249 2847 6881 6 1168819203.134 0 0 00000000 .... 0 00000000 .... 0 \nHTTP 69.105.2.156 42.135.12.22 35736 80 6 1168819202.723 2600 1682 48545450 HTTP 1368 47455420 GET. 
1368 \nNo_Payload 202.4.202.110 69.105.159.221 44493 80 6 1168819203.319 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.40.14 214.22.233.15 2848 6881 6 1168819203.353 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 213.160.138.228 39.171.178.236 4216 135 6 1168819203.535 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 213.171.117.61 39.171.180.64 3376 139 6 1168819203.614 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.230.150 59.249.110.59 4569 21253 6 1168819203.621 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.2.222 42.135.12.22 48724 80 6 1168819203.640 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.54.27 40.122.148.65 3530 7331 6 1168819203.688 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.197.19 59.103.17.103 50530 80 6 1168819203.755 0 0 00000000 .... 0 00000000 .... 0 \nHTTP 69.105.2.158 56.147.60.139 41907 80 6 1168819201.877 363 1492 48545450 HTTP 363 504f5354 POST 1380 \nNo_Payload 39.171.180.67 199.3.190.9 2967 52274 6 1168819203.959 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.40.14 199.67.131.1 2853 6881 6 1168819204.009 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.198.215 69.241.82.212 2967 2515 6 1168819204.089 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 59.113.121.94 69.105.230.150 2353 1331 6 1168819204.269 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 168.70.248.52 39.171.178.151 4055 139 6 1168819201.354 0 0 00000000 .... 0 00000000 .... 0 \nHTTP 50.60.128.26 69.105.13.23 49210 80 6 1168819204.208 1545 298 48545450 HTTP 1380 47455420 GET. 298 \nNo_Payload 193.202.51.30 69.105.2.232 2703 59660 6 1168819204.468 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 193.202.51.30 69.105.2.155 2703 38111 6 1168819204.483 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.2.222 42.66.23.42 45655 80 6 1168819204.503 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 143.219.132.229 69.105.230.150 62868 7226 6 1168819201.504 0 0 00000000 .... 0 00000000 .... 
0 \nNo_Payload 81.221.140.10 69.105.157.97 1525 139 6 1168819204.517 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 193.202.51.30 69.105.2.155 2703 38112 6 1168819204.535 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 197.99.150.3 69.105.197.16 2703 48977 6 1168819204.554 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 197.99.150.3 69.105.2.155 2703 33288 6 1168819204.578 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.166.211 199.79.21.102 39683 80 6 1168819204.586 0 0 00000000 .... 0 00000000 .... 0 \nHTTP 61.24.28.192 69.105.13.23 50098 80 6 1168819204.501 633 277 48545450 HTTP 633 47455420 GET. 277 \nNo_Payload 69.105.207.210 38.155.150.139 56153 80 6 1168819204.605 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.228.124 62.151.12.159 4662 1258 6 1168819204.606 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.54.27 57.91.211.158 3529 16414 6 1168819201.678 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.2.222 42.135.12.22 51369 80 6 1168819201.625 0 0 00000000 .... 0 00000000 .... 0 \nHTTP 50.60.128.26 69.105.13.23 49218 80 6 1168819204.628 1599 307 48545450 HTTP 1380 47455420 GET. 307 \nHTTP 50.60.128.26 69.105.13.23 49219 80 6 1168819204.629 1487 311 48545450 HTTP 1380 47455420 GET. 311 \nHTTP 69.105.207.210 43.196.35.173 56145 80 6 1168819201.352 8144 567 48545450 HTTP 1368 47455420 GET. 567 \nHTTPS 69.105.166.81 50.61.130.251 2225 443 6 1168819201.653 6500 599 16030100 .... 1260 16030100 .... 110 \nHTTP 69.105.166.211 56.147.60.130 39657 80 6 1168819201.313 3518 819 48545450 HTTP 451 47455420 GET. 410 \nHTTP 69.105.2.156 106.181.195.94 39160 80 6 1168819201.560 1552 450 48545450 HTTP 273 47455420 GET. 450 \nHTTP 69.105.166.211 56.147.60.135 39656 80 6 1168819201.202 8038 819 48545450 HTTP 1380 47455420 GET. 410 \nHTTPS 50.60.128.108 69.105.2.197 39479 443 6 1168819202.263 775 650 16030000 .... 146 16030000 .... 102 \nHTTP 69.105.2.156 106.181.195.94 42149 80 6 1168819201.560 4181 1800 48545450 HTTP 272 47455420 GET. 
450 \nHTTP 69.105.2.156 212.92.122.226 60856 80 6 1168819201.577 8836 295 48545450 HTTP 1380 47455420 GET. 295 \nNo_Payload 143.102.194.141 69.105.2.89 58794 25 6 1168819201.499 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.2.156 199.243.87.232 56280 80 6 1168819202.644 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 69.105.2.156 198.56.122.188 57562 80 6 1168819202.770 0 0 00000000 .... 0 00000000 .... 0 \nHTTP 69.105.2.156 200.12.228.63 33145 80 6 1168819201.975 946 482 48545450 HTTP 946 47455420 GET. 482 \nPOP3 69.105.197.38 59.103.27.16 56293 110 6 1168819202.911 2340 657 2b4f4b20 +OK. 82 43415041 CAPA 6 \nNo_Payload 69.105.2.156 42.135.12.22 41183 80 6 1168819203.291 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 61.97.203.29 69.105.2.89 2008 25 6 1168819202.695 0 0 00000000 .... 0 00000000 .... 0 \nHTTP 69.105.2.156 106.181.195.94 39464 80 6 1168819201.890 67887 398 48545450 HTTP 295 47455420 GET. 398 \nBitTorrent 69.105.230.150 254.151.186.50 1382 23352 6 1168819202.195 0 68 00000000 .... 0 13426974 .Bit 68 \nSMTP 214.70.45.73 69.105.2.89 4685 25 6 1168819201.286 213 119 32323020 220. 38 45484c4f EHLO 49 \nSMTP 92.222.61.188 69.105.2.232 4393 25 6 1168819201.074 213 105 32323020 220. 38 45484c4f EHLO 37 \nSMTP 143.194.127.77 69.105.2.232 1553 25 6 1168819201.648 76 100 32323020 220. 38 48454c4f HELO 22 \nBitTorrent 69.105.230.150 142.212.118.180 1379 25492 6 1168819202.095 0 68 00000000 .... 0 13426974 .Bit 68 \nNo_Payload 211.0.121.23 69.105.2.89 3681 25 6 1168819203.308 0 0 00000000 .... 0 00000000 .... 0 \nSMTP 209.18.37.173 69.105.2.89 2780 25 6 1168819202.279 213 112 32323020 220. 38 45484c4f EHLO 47 \nNo_Payload 211.8.2.196 69.105.2.89 3424 25 6 1168819203.763 0 0 00000000 .... 0 00000000 .... 0 \nHTTPS 69.105.207.210 56.147.60.240 56149 443 6 1168819202.915 2215 1780 16030100 .... 1380 16030100 .... 116 \nNo_Payload 215.203.191.54 69.105.2.232 3877 25 6 1168819203.846 0 0 00000000 .... 0 00000000 .... 
0 \nHTTP 69.105.166.211 197.132.132.23 39675 80 6 1168819203.386 173 557 48545450 HTTP 173 47455420 GET. 557 \nNo_Payload 69.105.38.213 42.172.118.66 3545 443 6 1168819203.836 0 0 00000000 .... 0 00000000 .... 0 \nHTTPS 69.105.207.210 197.120.58.3 56151 443 6 1168819203.243 6204 1793 16030100 .... 1070 16030100 .... 120 \nHTTPS 69.105.38.213 42.172.118.67 3544 443 6 1168819201.217 881 680 16030101 .... 352 802c0103 .,.. 46 \nNo_Payload 218.25.239.167 69.105.2.232 3083 25 6 1168819203.449 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 168.88.184.178 69.105.2.89 2920 25 6 1168819202.956 0 0 00000000 .... 0 00000000 .... 0 \nHTTP_443 69.105.38.213 42.172.118.65 3546 443 6 1168819203.859 0 175 00000000 .... 0 47455420 GET. 175 \nNo_Payload 209.176.6.159 69.105.2.232 4958 25 6 1168819202.824 0 0 00000000 .... 0 00000000 .... 0 \nHTTPS 143.87.24.19 69.105.2.197 31094 443 6 1168819202.070 35812 4675 16030000 .... 146 16030000 .... 102 \nNo_Payload 38.118.77.114 69.105.2.232 3983 25 6 1168819203.752 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 45.86.130.6 69.105.2.232 51772 25 6 1168819203.982 0 0 00000000 .... 0 00000000 .... 0 \nHTTP 69.105.2.156 158.68.130.7 43885 80 6 1168819201.886 97128 388 48545450 HTTP 1368 47455420 GET. 388 \nNo_Payload 208.166.58.33 69.105.2.232 1458 25 6 1168819204.146 0 0 00000000 .... 0 00000000 .... 0 \nSMTP 34.181.123.167 69.105.197.22 1238 25 6 1168819203.087 78 0 32323020 220. 78 00000000 .... 0 \nHTTPS 255.241.86.179 69.105.2.197 50222 443 6 1168819201.340 1943 1690 16030100 .... 122 16030100 .... 102 \nSMTP 213.245.4.62 69.105.2.89 3054 25 6 1168819202.597 199 227 32323020 220. 38 45484c4f EHLO 32 \nSMTP 42.53.76.173 69.105.2.232 51641 25 6 1168819203.265 213 134 32323020 220. 38 45484c4f EHLO 23 \nNo_Payload 95.47.191.88 69.105.2.89 3258 25 6 1168819202.406 0 0 00000000 .... 0 00000000 .... 0 \nSMTP 213.164.56.161 69.105.2.232 3079 25 6 1168819202.615 393 106 32323020 220. 
38 45484c4f EHLO 26 \nHTTP_P2P 69.105.2.157 61.25.79.77 2048 50636 6 1168819204.211 1261 0 47455420 GET. 1261 00000000 .... 0 \nSMTP 40.154.46.27 69.105.2.89 62211 25 6 1168819202.014 76 73 32323020 220. 38 48454c4f HELO 25 \nHTTP 255.243.186.75 69.105.2.157 10780 80 6 1168819204.220 0 2617 00000000 .... 0 504f5354 POST 1380 \nHTTP_P2P 69.105.2.157 61.25.79.77 2048 50637 6 1168819204.362 1255 0 47455420 GET. 1255 00000000 .... 0 \nNo_Payload 209.18.37.173 69.105.2.89 2793 25 6 1168819204.134 0 0 00000000 .... 0 00000000 .... 0 \nHTTP 69.105.2.222 42.66.23.42 44915 80 6 1168819204.349 0 393 00000000 .... 0 47455420 GET. 393 \nSMTP 69.105.206.211 199.86.88.228 55595 25 6 1168819202.726 150 106 32323020 220. 39 45484c4f EHLO 32 \nHTTP 193.202.43.1 69.105.140.182 53388 80 6 1168819203.804 2736 483 48545450 HTTP 1368 47455420 GET. 483 \nSMTP 40.88.96.141 69.105.2.89 4698 25 6 1168819203.230 76 82 32323020 220. 38 48454c4f HELO 13 \nSMTP 36.83.190.6 69.105.2.232 16030 25 6 1168819203.910 38 0 32323020 220. 38 00000000 .... 0 \nSMTP 193.132.251.169 69.105.2.232 51091 25 6 1168819203.556 213 113 32323020 220. 38 45484c4f EHLO 44 \nNo_Payload 47.224.244.229 69.105.206.211 60421 25 6 1168819204.518 0 0 00000000 .... 0 00000000 .... 0 \nHTTP 140.89.63.51 69.105.203.31 38259 80 6 1168819204.323 2858 348 48545450 HTTP 122 47455420 GET. 348 \nSMTP 193.132.251.169 69.105.2.232 51095 25 6 1168819204.341 38 0 32323020 220. 38 00000000 .... 0 \nRazor 197.99.150.3 69.105.2.155 2703 33284 6 1168819203.882 29 117 613d6726 a=g& 12 736e3d44 sn=D 35 \nHTTPS 143.87.24.19 69.105.2.197 31113 443 6 1168819204.476 146 102 16030000 .... 146 16030000 .... 102 \nHTTP 69.105.166.211 194.217.159.152 39679 80 6 1168819203.798 13800 534 48545450 HTTP 1380 47455420 GET. 534 \nNo_Payload 61.97.211.112 69.105.2.89 60499 25 6 1168819201.624 0 0 00000000 .... 0 00000000 .... 
0 \nRazor 193.202.51.30 69.105.197.16 2703 39112 6 1168819203.641 44 209 636e3d72 cn=r 25 736e3d43 sn=C 36 \nSMTP 200.199.138.121 69.105.166.216 2018 25 6 1168819203.904 53 75 32323020 220. 11 48454c4f HELO 39 \nHTTP 69.105.207.210 56.147.60.139 56152 80 6 1168819204.426 0 1787 00000000 .... 0 504f5354 POST 1380 \nSMTP 34.181.123.167 69.105.197.22 1237 25 6 1168819202.936 191 20 32323020 220. 78 45484c4f EHLO 20 \nHTTP 69.105.166.211 43.196.35.172 39682 80 6 1168819204.571 0 597 00000000 .... 0 47455420 GET. 597 \nRazor 193.202.51.30 69.105.2.155 2703 38105 6 1168819203.684 105 36 636e3d72 cn=r 25 736e3d43 sn=C 36 \nHTTP 69.105.207.210 140.92.148.70 56146 80 6 1168819201.464 7313 1176 48545450 HTTP 413 47455420 GET. 1176 \nHTTP 69.105.166.211 52.42.15.42 39681 80 6 1168819204.385 0 658 00000000 .... 0 47455420 GET. 658 \nHTTP 39.171.180.203 56.147.60.139 59591 80 6 1168819204.449 0 1477 00000000 .... 0 504f5354 POST 1460 \nSMTP 59.65.15.97 69.105.2.232 3947 25 6 1168819203.072 38 0 32323020 220. 38 00000000 .... 0 \nHTTP 69.105.166.211 52.42.15.42 39678 80 6 1168819203.769 6900 801 48545450 HTTP 1380 47455420 GET. 801 \nNo_Payload 47.154.253.116 69.105.2.232 49839 25 6 1168819204.628 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 202.4.198.105 69.105.13.23 39991 80 6 1168819204.633 0 0 00000000 .... 0 00000000 .... 0 \nMSN 199.248.173.35 69.105.166.211 1863 39670 6 1168819202.913 200 107 55535220 USR. 59 55535220 USR. 37 \nNo_Payload 61.24.28.192 69.105.13.23 50099 80 6 1168819204.571 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 193.132.251.169 69.105.2.232 51102 25 6 1168819204.638 0 0 00000000 .... 0 00000000 .... 0 \nHTTPS 59.103.173.17 69.105.166.218 1879 443 6 1168819203.023 4286 1619 16030000 .... 146 16030000 .... 102 \nHTTPS 255.243.247.179 69.105.2.197 50317 443 6 1168819204.334 3334 865 1603000a .... 1380 16030000 .... 102 \nNo_Payload 35.20.159.19 39.171.180.118 1281 33434 17 1168819201.025 0 0 00000000 .... 0 00000000 .... 
0 \nNo_Payload 39.171.180.118 42.28.149.6 1281 33434 17 1168819201.028 0 0 00000000 .... 0 00000000 .... 0 \nDNS 69.105.13.2 38.14.110.251 36350 53 17 1168819201.033 175 0 c10a8480 .... 175 00000000 .... 0 \nDNS 69.105.2.89 56.200.226.189 37763 53 17 1168819201.036 300 0 cd098400 .... 150 00000000 .... 0 \nNTP 42.89.152.141 69.105.2.222 58407 123 17 1168819201.064 0 48 00000000 .... 0 1b000000 .... 48 \nDNS 69.105.2.232 52.34.247.29 14739 53 17 1168819201.066 99 0 90218400 .!.. 99 00000000 .... 0 \nDNS 69.105.2.232 56.200.226.189 9338 53 17 1168819201.104 304 0 5aaa8400 Z... 152 00000000 .... 0 \nDNS 69.105.2.232 199.163.9.10 30898 53 17 1168819201.105 0 43 00000000 .... 0 fd9e0000 .... 43 \nDNS 69.105.2.232 41.63.136.239 56450 53 17 1168819201.107 78 0 ac418000 .A.. 78 00000000 .... 0 \nSkype 69.105.166.211 70.211.67.192 39502 80 17 1168819201.117 29 0 ee8e0276 ...v 29 00000000 .... 0 \nDNS 69.105.2.232 38.248.134.10 41497 53 17 1168819201.120 208 0 c1638403 .c.. 104 00000000 .... 0 \nDNS 69.105.13.2 194.246.84.5 11385 53 17 1168819201.161 55 0 7af48403 z... 55 00000000 .... 0 \nNo_Payload 39.171.180.97 42.67.167.68 1281 33434 17 1168819201.172 0 0 00000000 .... 0 00000000 .... 0 \nDNS 39.171.180.91 199.86.75.21 51730 53 17 1168819201.193 178 0 15918400 .... 89 00000000 .... 0 \nUnknown_UDP 69.105.2.89 37.237.12.249 2599 53 17 1168819201.195 258 0 df9c8080 .... 129 00000000 .... 0 \nDNS 69.105.13.2 39.199.110.30 15126 53 17 1168819201.198 113 0 3bcd8000 ;... 113 00000000 .... 0 \nDNS 69.105.2.232 37.30.33.6 63001 53 17 1168819201.203 438 0 33018400 3... 219 00000000 .... 0 \nDNS 69.105.2.232 48.246.25.188 42249 53 17 1168819201.204 95 0 fd1c8403 .... 95 00000000 .... 0 \nDNS 69.105.2.89 103.188.151.234 49115 53 17 1168819201.215 147 0 7b458000 {E.. 147 00000000 .... 0 \nBitTorrent_UDP 214.246.7.18 69.105.230.150 63696 7226 17 1168819201.216 101 0 64313a61 d1:a 101 00000000 .... 0 \nDNS 69.105.2.232 194.236.28.177 25154 53 17 1168819201.221 820 0 73b88400 s... 
410 00000000 .... 0 \nBitTorrent_UDP 38.189.80.15 69.105.230.150 63979 7226 17 1168819201.224 0 302 00000000 .... 0 64313a72 d1:r 302 \nDNS 69.105.13.2 41.61.249.207 36631 53 17 1168819201.231 207 0 8b6c8400 .l.. 207 00000000 .... 0 \nDNS 69.105.13.2 57.115.0.49 51889 53 17 1168819201.231 100 0 ade78403 .... 100 00000000 .... 0 \nDNS 69.105.2.232 42.12.225.56 38515 53 17 1168819201.194 100 45 77ed8403 w... 100 77ed0000 w... 45 \nDNS 69.105.13.2 39.213.161.1 55659 53 17 1168819201.290 304 0 e33f8000 .?.. 152 00000000 .... 0 \nDNS 69.105.2.89 38.131.236.181 21153 53 17 1168819201.299 153 0 f2b38480 .... 153 00000000 .... 0 \nDNS 69.105.2.89 39.253.2.254 27275 53 17 1168819201.299 159 0 953e8000 .>.. 159 00000000 .... 0 \nDNS 69.105.2.89 56.200.226.189 50663 53 17 1168819201.308 300 0 cd528400 .R.. 150 00000000 .... 0 \nBitTorrent_UDP 141.147.19.31 69.105.230.150 24589 7226 17 1168819201.304 0 1644 00000000 .... 0 64313a72 d1:r 822 \nDNS 69.105.13.2 192.138.252.113 65474 53 17 1168819201.313 0 26 00000000 .... 0 ea480000 .H.. 26 \nNTP 136.184.17.5 69.105.13.2 123 123 17 1168819201.313 0 48 00000000 .... 0 1b030aee .... 48 \nDNS 39.171.180.115 35.255.66.196 15282 53 17 1168819201.016 450 31 0e1f8000 .... 450 0e1f0000 .... 31 \nDNS 39.171.180.115 36.16.123.144 15282 53 17 1168819201.016 62 31 0e208400 .... 62 0e200000 .... 31 \nNTP 69.105.2.235 43.94.229.101 123 123 17 1168819201.326 48 0 1b0206ee .... 48 00000000 .... 0 \nDNS 69.105.2.232 41.95.129.43 54742 53 17 1168819201.326 91 0 141a8400 .... 91 00000000 .... 0 \nDNS 69.105.2.232 41.74.247.92 64444 53 17 1168819201.327 0 51 00000000 .... 0 50790000 Py.. 51 \nDNS 69.105.2.232 52.34.247.29 11263 53 17 1168819201.333 164 0 0a278400 .'.. 164 00000000 .... 0 \nDNS 69.105.13.2 46.121.197.244 48003 53 17 1168819201.199 129 29 aac98400 .... 129 aac90000 .... 29 \nDNS 69.105.2.232 70.252.78.13 19115 53 17 1168819201.162 95 49 0c2a8403 .*.. 95 0c2a0000 .*.. 
49 \nDNS 69.105.2.232 46.117.175.43 17453 53 17 1168819201.225 105 32 8ebe8000 .... 105 8ebe0000 .... 32 \nICMP 69.105.157.197 197.13.74.146 0 0 1 1168819201.384 33 0 00000000 .... 0 00000000 .... 0 \nICMP 197.13.74.146 69.105.141.18 0 0 1 1168819201.385 0 33 00000000 .... 0 00000000 .... 0 \nNTP 61.27.224.71 69.105.13.2 123 123 17 1168819201.387 0 48 00000000 .... 0 0b000000 .... 48 \nICMP 197.13.74.146 69.105.2.6 0 0 1 1168819201.389 0 33 00000000 .... 0 00000000 .... 0 \nICMP 197.13.74.146 69.105.194.56 0 0 1 1168819201.396 0 33 00000000 .... 0 00000000 .... 0 \nBitTorrent_UDP 58.108.63.162 69.105.230.150 4365 7226 17 1168819201.396 0 493 00000000 .... 0 64313a72 d1:r 493 \nDNS 69.105.2.89 39.214.90.225 45401 53 17 1168819201.211 178 34 3c2d8000 <-.. 178 3c2d0000 <-.. 34 \nBitTorrent_UDP 209.33.90.42 69.105.230.150 10430 7226 17 1168819201.416 101 0 64313a61 d1:a 101 00000000 .... 0 \nICMP 197.13.74.146 69.105.204.38 0 0 1 1168819201.416 0 33 00000000 .... 0 00000000 .... 0 \nDNS 69.105.13.4 199.187.132.231 37074 53 17 1168819201.472 0 72 00000000 .... 0 c7370000 .7.. 72 \nDNS 69.105.13.4 199.187.132.231 39974 53 17 1168819201.472 0 73 00000000 .... 0 ffb50000 .... 73 \nNTP 61.27.227.243 69.105.2.222 123 123 17 1168819201.492 0 48 00000000 .... 0 0b000000 .... 48 \nBitTorrent_UDP 212.233.150.39 69.105.230.150 9618 7226 17 1168819201.496 101 0 64313a61 d1:a 101 00000000 .... 0 \nDNS 44.131.31.16 69.105.207.255 4248 53 17 1168819201.288 450 201 220d8480 \"... 106 220d0000 \"... 50 \nUnknown_UDP 138.28.98.240 39.171.180.203 5001 5001 17 1168819201.234 232 976 4116956e A..n 92 b407ec94 .... 884 \nDNS 69.105.2.89 37.237.13.22 19989 53 17 1168819201.196 258 44 346e8080 4n.. 129 346e0000 4n.. 44 \nDNS 69.105.13.2 46.152.185.77 25600 53 17 1168819201.515 0 44 00000000 .... 0 08300000 .0.. 44 \nDNS 69.105.2.232 52.91.49.243 51362 53 17 1168819201.519 234 0 2d068480 -... 234 00000000 .... 0 \nDNS 69.105.2.89 39.229.159.30 6131 53 17 1168819201.300 286 29 69398000 i9.. 
286 69390000 i9.. 29 \nDNS 69.105.2.232 200.5.74.13 2480 53 17 1168819201.374 191 32 97ac8400 .... 191 97ac0000 .... 32 \nDNS 69.105.13.2 199.187.132.231 17569 53 17 1168819201.537 0 71 00000000 .... 0 12910000 .... 71 \nDNS 69.105.13.2 199.187.132.231 19094 53 17 1168819201.539 0 72 00000000 .... 0 5d360000 ]6.. 72 \nDNS 196.242.143.235 69.105.13.111 35044 53 17 1168819201.551 116 45 39678000 9g.. 116 39670010 9g.. 45 \nDNS 69.105.2.89 200.215.75.148 42590 53 17 1168819201.559 0 28 00000000 .... 0 fbd10000 .... 28 \nSkype 69.105.166.211 211.4.229.249 39502 39061 17 1168819201.568 29 0 21e80228 !..( 29 00000000 .... 0 \nDNS 69.105.2.232 41.200.199.129 20264 53 17 1168819201.108 174 44 9a8c8480 .... 174 9a8c0000 .... 44 \nDNS 69.105.13.2 53.213.78.29 56772 53 17 1168819201.290 136 34 29868400 )... 136 29860000 )... 34 \nBitTorrent_UDP 214.87.117.87 69.105.230.150 10044 7226 17 1168819201.583 0 302 00000000 .... 0 64313a72 d1:r 302 \nDNS 69.105.2.232 214.111.192.254 16321 53 17 1168819201.617 202 0 b61b8400 .... 202 00000000 .... 0 \nDNS 69.105.13.2 215.224.86.255 12885 53 17 1168819201.620 0 43 00000000 .... 0 00af0000 .... 43 \nDNS 69.105.2.89 192.138.252.113 3290 53 17 1168819201.623 0 26 00000000 .... 0 14800000 .... 26 \nDNS 96.179.240.158 69.105.13.111 33918 53 17 1168819201.634 135 52 11c08400 .... 135 11c00010 .... 52 \nBitTorrent_UDP 58.14.68.107 69.105.230.150 18624 7226 17 1168819201.640 0 302 00000000 .... 0 64313a72 d1:r 302 \nDNS 69.105.2.89 143.151.170.65 32186 53 17 1168819201.643 113 0 07108483 .... 113 00000000 .... 0 \nDNS 69.105.2.232 56.200.226.189 19717 53 17 1168819201.520 302 50 98b08400 .... 151 98b00000 .... 50 \nDNS 40.251.135.82 69.105.2.164 56565 53 17 1168819201.672 180 42 11e58400 .... 180 11e50010 .... 42 \nDNS 69.105.2.89 98.12.147.237 44226 53 17 1168819201.216 133 34 c4358480 .5.. 133 c4350000 .5.. 34 \nNTP 142.181.10.234 69.105.2.222 123 123 17 1168819201.681 0 48 00000000 .... 0 db0006ee .... 
48 \nDNS 38.49.19.151 69.105.13.111 32768 53 17 1168819201.681 87 42 664b8400 fK.. 87 664b0010 fK.. 42 \nNTP 49.169.25.141 69.105.2.222 9718 123 17 1168819201.689 0 48 00000000 .... 0 1b000000 .... 48 \nBitTorrent_UDP 142.33.181.222 69.105.230.150 23741 7226 17 1168819201.696 101 0 64313a61 d1:a 101 00000000 .... 0 \nDNS 69.105.13.2 199.163.9.10 3390 53 17 1168819201.713 0 44 00000000 .... 0 95ad0000 .... 44 \nDNS 69.105.13.2 35.63.137.109 61217 53 17 1168819201.522 115 51 872a8403 .*.. 115 872a0000 .*.. 51 \nDNS 69.105.13.2 200.26.210.91 49822 53 17 1168819201.541 96 44 19a48403 .... 96 19a40000 .... 44 \nUnknown_UDP 39.171.180.115 38.203.122.246 51667 33490 17 1168819201.727 0 10 00000000 .... 0 00c4aa45 ...E 10 \nDNS 69.105.13.2 56.237.151.169 51174 53 17 1168819201.527 228 50 25258403 %%.. 114 25250000 %%.. 50 \nDNS 39.171.180.115 69.202.134.175 15282 53 17 1168819201.016 124 31 0e218400 .!.. 62 0e210000 .!.. 31 \nDNS 69.105.2.232 48.192.132.38 14556 53 17 1168819201.746 0 45 00000000 .... 0 45460000 EF.. 45 \nDNS 69.105.13.2 194.236.28.230 6543 53 17 1168819201.534 93 48 aed28403 .... 93 aed20000 .... 48 \nDNS 69.105.13.2 48.192.132.38 27893 53 17 1168819201.749 0 45 00000000 .... 0 574f0000 WO.. 45 \nDNS 69.105.13.2 48.192.132.38 60511 53 17 1168819201.749 0 45 00000000 .... 0 5dc50000 ]... 45 \nDNS 69.105.13.2 48.192.132.38 48014 53 17 1168819201.749 0 45 00000000 .... 0 df8d0000 .... 45 \nDNS 69.105.2.232 37.173.7.22 31180 53 17 1168819201.761 151 0 4edd8400 N... 151 00000000 .... 0 \nDNS 69.105.13.2 194.202.187.45 43928 53 17 1168819201.761 226 0 2bb98403 +... 113 00000000 .... 0 \nDNS 69.105.13.2 48.125.161.47 30984 53 17 1168819201.620 113 49 977e8403 .... 113 977e0000 .... 49 \nDNS 69.105.2.89 39.222.241.225 24771 53 17 1168819201.564 154 28 55a98000 U... 77 55a90000 U... 28 \nDNS 69.105.13.2 194.173.240.242 45540 53 17 1168819201.766 325 0 13428480 .B.. 325 00000000 .... 
0 \nDNS 39.171.180.115 36.219.235.44 15282 53 17 1168819201.016 62 27 0e1e8400 .... 62 0e1e0000 .... 27 \nDNS 69.105.2.232 39.170.246.233 52813 53 17 1168819201.447 122 45 435e8000 C^.. 122 435e0000 C^.. 45 \nDNS 140.76.12.171 69.105.2.164 33113 53 17 1168819201.806 89 47 3e1c8400 >... 89 3e1c0010 >... 47 \nSkype 114.46.129.17 69.105.166.211 39779 39502 17 1168819201.819 94 0 37be029c 7... 94 00000000 .... 0 \nSkype 69.105.166.211 114.44.102.120 39502 34619 17 1168819201.819 0 102 00000000 .... 0 37ba0238 7..8 102 \nDNS 36.83.204.104 69.105.13.111 38110 53 17 1168819201.824 180 42 16c88400 .... 180 16c80000 .... 42 \nDNS 196.242.143.235 69.105.207.255 35044 53 17 1168819201.833 153 45 be828480 .... 153 be820010 .... 45 \nDNS 69.105.2.232 42.45.191.226 25464 53 17 1168819201.847 79 31 d2338000 .3.. 79 d2330000 .3.. 31 \nDNS 69.105.2.232 43.94.183.9 49550 53 17 1168819201.853 146 31 aa308480 .0.. 146 aa300000 .0.. 31 \nDNS 69.105.2.89 42.12.224.99 56081 53 17 1168819201.673 90 45 0dae8000 .... 90 0dae0000 .... 45 \nICMP 69.105.171.181 197.13.74.146 0 0 1 1168819201.879 33 0 00000000 .... 0 00000000 .... 0 \nICMP 69.105.18.240 197.13.74.146 0 0 1 1168819201.881 33 0 00000000 .... 0 00000000 .... 0 \nICMP 69.105.228.171 197.13.74.146 0 0 1 1168819201.883 33 0 00000000 .... 0 00000000 .... 0 \nDNS 69.105.13.2 140.93.155.42 20287 53 17 1168819201.662 325 38 6bfb8480 k... 325 6bfb0000 k... 38 \nDNS 69.105.13.2 199.163.8.229 7818 53 17 1168819201.885 0 44 00000000 .... 0 5dd30000 ]... 44 \nICMP 69.105.15.253 197.13.74.146 0 0 1 1168819201.887 33 0 00000000 .... 0 00000000 .... 0 \nICMP 69.105.28.176 197.13.74.146 0 0 1 1168819201.887 33 0 00000000 .... 0 00000000 .... 0 \nICMP 197.13.74.146 69.105.48.104 0 0 1 1168819201.896 0 33 00000000 .... 0 00000000 .... 0 \nBitTorrent_UDP 58.171.134.69 69.105.230.150 27673 7226 17 1168819201.896 101 0 64313a61 d1:a 101 00000000 .... 0 \nNTP 196.167.167.218 69.105.13.2 123 123 17 1168819201.897 0 48 00000000 .... 0 23000000 #... 
48 \nDNS 69.105.2.225 199.163.9.10 50780 53 17 1168819201.909 0 44 00000000 .... 0 01550000 .U.. 44 \nDNS 69.105.2.89 34.6.15.82 65043 53 17 1168819201.682 231 34 f8808400 .... 231 f8800000 .... 34 \nDNS 69.105.13.2 41.61.249.206 26790 53 17 1168819201.923 99 0 10268400 .&.. 99 00000000 .... 0 \nDNS 69.105.2.89 39.253.2.254 16321 53 17 1168819201.301 180 32 23548000 #T.. 180 23540000 #T.. 32 \nDNS 69.105.13.2 199.163.9.10 39069 53 17 1168819201.937 0 44 00000000 .... 0 17ec0000 .... 44 \nNTP 69.105.2.222 61.26.20.210 123 123 17 1168819201.949 48 0 23000000 #... 48 00000000 .... 0 \nUnknown_UDP 69.105.206.213 48.246.25.166 52883 6277 17 1168819201.210 136 170 00440504 .D.. 68 00aa0502 .... 170 \nGnutella_UDP 53.44.136.69 69.105.54.27 57905 27489 17 1168819201.962 0 23 00000000 .... 0 18d9051b .... 23 \nDNS 39.171.180.245 42.27.219.5 10619 53 17 1168819201.230 190 44 06578180 .W.. 190 06570100 .W.. 44 \nDNS 69.105.13.2 92.131.66.21 58492 53 17 1168819201.629 236 43 5e6a8480 ^j.. 236 5e6a0000 ^j.. 43 \nDNS 96.179.240.238 69.105.2.164 35408 53 17 1168819201.994 161 54 32118400 2... 161 32110010 2... 54 \nBitTorrent_UDP 194.206.30.187 69.105.230.150 60232 7226 17 1168819202.017 101 0 64313a61 d1:a 101 00000000 .... 0 \nDNS 69.105.2.232 41.226.83.26 27218 53 17 1168819201.872 102 46 61ef8000 a... 102 61ef0000 a... 46 \nDNS 69.105.13.2 56.43.150.236 46708 53 17 1168819201.887 52 26 4a858005 J... 26 4a850000 J... 26 \nDNS 69.105.2.232 41.200.199.129 36354 53 17 1168819201.569 107 52 2d638483 -c.. 107 2d630000 -c.. 52 \nDNS 69.105.2.232 49.166.136.217 6804 53 17 1168819202.028 115 0 0a838480 .... 115 00000000 .... 0 \nNo_Payload 42.77.54.77 39.171.180.118 1281 33434 17 1168819202.030 0 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 39.171.180.118 70.8.128.255 1281 33434 17 1168819202.031 0 0 00000000 .... 0 00000000 .... 0 \nICMP 39.171.180.118 50.56.179.95 0 0 1 1168819202.027 56 56 00000000 .... 0 00000000 .... 
0 \nDNS 69.105.2.225 198.237.29.82 53737 53 17 1168819201.815 33 33 41918002 A... 33 41910000 A... 33 \nICMP 42.18.118.249 39.171.180.118 0 0 1 1168819202.033 56 56 00000000 .... 0 00000000 .... 0 \nICMP 39.171.180.118 43.92.248.36 0 0 1 1168819202.039 56 56 00000000 .... 0 00000000 .... 0 \nNTP 61.26.136.116 69.105.13.2 123 123 17 1168819202.064 0 48 00000000 .... 0 d90004fa .... 48 \nDNS 69.105.2.89 37.146.33.62 31631 53 17 1168819201.766 145 28 0a2f8000 ./.. 145 0a2f0000 ./.. 28 \nDNS 69.105.13.2 56.200.226.189 47129 53 17 1168819201.532 188 49 4c6a8403 Lj.. 94 4c6a0000 Lj.. 49 \nDNS 69.105.2.89 92.131.66.243 39299 53 17 1168819201.742 193 43 332d8400 3-.. 193 332d0000 3-.. 43 \nDNS 69.105.2.89 215.224.86.255 35626 53 17 1168819202.084 0 68 00000000 .... 0 498f0000 I... 68 \nSQLExp 69.105.180.89 36.130.83.11 1434 1126 17 1168819202.092 376 0 04010101 .... 376 00000000 .... 0 \nICMP 39.171.180.118 42.135.12.22 0 0 1 1168819202.035 56 56 00000000 .... 0 00000000 .... 0 \nDNS 141.115.134.245 69.105.13.111 54738 53 17 1168819202.095 116 45 52c88000 R... 116 52c80000 R... 45 \nDNS 69.105.13.2 199.163.9.10 53507 53 17 1168819202.106 0 43 00000000 .... 0 a3a50000 .... 43 \nDNS 69.105.13.2 199.172.177.142 5348 53 17 1168819201.529 55 55 7b378403 {7.. 55 7b370000 {7.. 55 \nDNS 69.105.2.232 36.173.228.170 23596 53 17 1168819201.778 166 45 a58b8400 .... 166 a58b0000 .... 45 \nDNS 69.105.2.232 199.163.8.229 27689 53 17 1168819202.112 0 43 00000000 .... 0 768b0000 v... 43 \nNTP 58.90.213.30 69.105.2.222 40544 123 17 1168819202.121 0 48 00000000 .... 0 d90004fa .... 48 \nDNS 69.105.13.2 199.172.177.142 56984 53 17 1168819201.548 58 58 66bc8403 f... 58 66bc0000 f... 58 \nUnknown_UDP 36.15.98.194 39.171.180.115 64394 33483 17 1168819202.132 0 10 00000000 .... 0 00c4aa45 ...E 10 \nDNS 69.105.13.2 46.117.186.230 34032 53 17 1168819201.978 137 37 a81d8400 .... 137 a81d0000 .... 37 \nDNS 69.105.2.89 42.97.4.221 38549 53 17 1168819201.399 113 67 23908483 #... 113 23900000 #... 
67 \nDNS 69.105.2.89 46.152.185.77 62667 53 17 1168819201.967 96 28 1e188000 .... 96 1e180000 .... 28 \nDNS 69.105.13.2 56.43.134.13 44896 53 17 1168819202.025 52 26 97698005 .i.. 26 97690000 .i.. 26 \nDNS 39.171.180.115 34.249.199.105 15282 53 17 1168819202.016 900 31 0e228000 .\".. 450 0e220000 .\".. 31 \nDNS 69.105.2.89 215.240.255.255 24272 53 17 1168819201.872 168 45 d60b8400 .... 168 d60b0000 .... 45 \nDNS 69.105.13.4 39.229.159.30 8290 53 17 1168819201.981 108 33 2cda8000 ,... 108 2cda0000 ,... 33 \nBitTorrent_UDP 194.111.89.194 69.105.230.150 61068 7226 17 1168819202.199 0 302 00000000 .... 0 64313a72 d1:r 302 \nDNS 69.105.2.89 39.3.15.203 19862 53 17 1168819202.215 192 0 53428000 SB.. 96 00000000 .... 0 \nDNS 69.105.2.232 143.224.48.226 49182 53 17 1168819201.938 127 44 96288000 .(.. 127 96280000 .(.. 44 \nDNS 69.105.2.232 41.163.150.15 4122 53 17 1168819202.021 129 46 41098400 A... 129 41090000 A... 46 \nDNS 69.105.2.232 52.91.49.242 45936 53 17 1168819201.520 370 40 b2588480 .X.. 185 b2580000 .X.. 40 \nDNS 69.105.2.89 43.65.112.156 6534 53 17 1168819201.931 272 44 68388480 h8.. 272 68380000 h8.. 44 \nBitTorrent_UDP 143.141.138.234 69.105.230.150 10869 7226 17 1168819202.257 101 0 64313a61 d1:a 101 00000000 .... 0 \nDNS 69.105.2.225 52.94.241.75 9508 53 17 1168819202.259 0 45 00000000 .... 0 35a70000 5... 45 \nDNS 69.105.2.89 198.237.29.82 64124 53 17 1168819202.039 66 33 0fb48002 .... 33 0fb40000 .... 33 \nDNS 69.105.2.89 39.212.98.225 28849 53 17 1168819201.202 102 32 4caa8000 L... 102 4caa0000 L... 32 \nDNS 69.105.2.89 38.131.236.181 41077 53 17 1168819201.524 222 31 e4ce8080 .... 222 e4ce0000 .... 31 \nDNS 69.105.2.89 39.196.77.1 50810 53 17 1168819201.989 216 32 2a9a8000 *... 108 2a9a0000 *... 32 \nDNS 69.105.13.2 56.43.150.236 44113 53 17 1168819202.158 52 26 d6dd8005 .... 26 d6dd0000 .... 26 \nDNS 69.105.2.232 52.34.247.29 15055 53 17 1168819201.067 164 44 6ce38400 l... 164 6ce30000 l... 
44 \nDNS 69.105.2.232 214.111.192.254 6085 53 17 1168819201.618 178 48 3d798400 =y.. 178 3d790000 =y.. 48 \nDNS 69.105.2.232 168.184.113.201 52161 53 17 1168819201.918 115 35 09ff8480 .... 115 09ff0000 .... 35 \nDNS 69.105.13.2 192.138.252.112 11573 53 17 1168819202.326 0 26 00000000 .... 0 1e640000 .d.. 26 \nDNS 39.171.180.115 38.248.140.120 15282 53 17 1168819202.016 64 31 0e238400 .#.. 64 0e230000 .#.. 31 \nDNS 69.105.2.232 56.200.226.189 30140 53 17 1168819202.186 136 52 a28d8400 .... 68 a28d0000 .... 52 \nDNS 69.105.2.232 52.34.247.28 56860 53 17 1168819201.108 328 44 d6da8400 .... 164 d6da0000 .... 44 \nUnknown_UDP 195.27.149.191 69.105.9.210 49532 9680 17 1168819202.340 0 34 00000000 .... 0 80312ba5 .1+. 34 \nNTP 69.105.2.225 42.27.214.88 123 123 17 1168819202.342 48 0 0b000000 .... 48 00000000 .... 0 \nDNS 69.105.13.2 48.192.132.38 51742 53 17 1168819202.346 0 45 00000000 .... 0 f0840000 .... 45 \nDNS 69.105.2.89 32.25.120.245 41101 53 17 1168819201.912 206 43 63cf8400 c... 206 63cf0000 c... 43 \nDNS 69.105.2.232 199.187.132.231 43920 53 17 1168819202.358 0 74 00000000 .... 0 f67c0000 .|.. 74 \nDNS 69.105.2.232 199.187.132.231 41724 53 17 1168819202.358 0 74 00000000 .... 0 1bd70000 .... 74 \nDNS 69.105.2.89 42.42.2.124 50063 53 17 1168819201.981 82 24 90a08400 .... 82 90a00000 .... 24 \nDNS 69.105.2.225 192.138.252.113 52255 53 17 1168819202.362 0 26 00000000 .... 0 dc090000 .... 26 \nDNS 69.105.2.225 41.61.249.207 63502 53 17 1168819201.631 99 51 66f88400 f... 99 66f80000 f... 51 \nICMP 69.105.32.153 197.13.74.146 0 0 1 1168819202.373 33 0 00000000 .... 0 00000000 .... 0 \nICMP 197.13.74.146 69.105.34.31 0 0 1 1168819202.375 0 33 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.232 37.173.7.22 27041 53 17 1168819201.164 68 52 214a8400 !J.. 68 214a0000 !J.. 52 \nICMP 197.13.74.146 69.105.38.23 0 0 1 1168819202.383 0 33 00000000 .... 0 00000000 .... 0 \nICMP 197.13.74.146 69.105.157.32 0 0 1 1168819202.383 0 33 00000000 .... 0 00000000 .... 
0 \nUnknown_UDP 69.105.13.4 39.144.121.21 45888 6277 17 1168819201.955 72 188 00480504 .H.. 72 00bc0502 .... 188 \nDNS 69.105.13.2 48.192.132.38 6854 53 17 1168819202.385 0 45 00000000 .... 0 6c390000 l9.. 45 \nICMP 69.105.180.219 197.13.74.146 0 0 1 1168819202.389 33 0 00000000 .... 0 00000000 .... 0 \nNo_Payload 39.171.180.97 42.67.167.68 1025 33434 17 1168819202.210 0 0 00000000 .... 0 00000000 .... 0 \nNTP 59.103.204.104 69.105.13.2 10641 123 17 1168819202.403 0 48 00000000 .... 0 13000b00 .... 48 \nDNS 69.105.2.232 48.246.25.188 54244 53 17 1168819201.355 99 53 8e4e8403 .N.. 99 8e4e0000 .N.. 53 \nDNS 69.105.2.89 208.29.15.215 34073 53 17 1168819202.068 115 28 3a798400 :y.. 115 3a790000 :y.. 28 \nDNS 69.105.13.4 198.237.29.136 55359 53 17 1168819202.197 100 33 f4128400 .... 100 f4120000 .... 33 \nDNS 69.105.2.225 192.138.252.113 45294 53 17 1168819202.422 0 26 00000000 .... 0 6bb40000 k... 26 \nDNS 69.105.2.89 39.192.15.1 24369 53 17 1168819202.223 102 32 83b18000 .... 102 83b10000 .... 32 \nDNS 69.105.13.2 48.192.132.38 23159 53 17 1168819202.424 0 45 00000000 .... 0 18940000 .... 45 \nDNS 69.105.2.232 48.192.132.38 7387 53 17 1168819202.430 0 45 00000000 .... 0 90260000 .&.. 45 \nDNS 69.105.2.225 192.138.252.113 1686 53 17 1168819202.430 0 26 00000000 .... 0 e6880000 .... 26 \nDNS 69.105.13.2 56.43.134.13 11850 53 17 1168819202.297 52 26 a2418005 .A.. 26 a2410000 .A.. 26 \nUnknown_UDP 69.105.2.232 77.229.57.41 48929 6277 17 1168819202.037 208 188 00680604 .h.. 104 00bc0602 .... 188 \nBitTorrent_UDP 209.196.17.124 69.105.230.150 8369 7226 17 1168819201.456 101 604 64313a61 d1:a 101 64313a72 d1:r 302 \nDNS 69.105.2.89 41.249.6.18 3240 53 17 1168819202.155 288 40 546e8000 Tn.. 144 546e0000 Tn.. 40 \nDNS 69.105.2.232 36.173.228.170 21734 53 17 1168819202.112 141 50 ab368400 .6.. 141 ab360000 .6.. 50 \nUnknown_UDP 39.171.180.115 38.203.122.246 51667 33491 17 1168819202.446 0 10 00000000 .... 
0 01c4aa45 ...E 10 \nBitTorrent_UDP 214.40.8.48 69.105.230.150 20580 7226 17 1168819202.457 101 0 64313a61 d1:a 101 00000000 .... 0 \nDNS 69.105.2.89 75.149.112.234 28740 53 17 1168819202.114 162 36 3d7a8000 =z.. 81 3d7a0000 =z.. 36 \nBitTorrent_UDP 143.161.231.90 69.105.230.150 16324 7226 17 1168819201.977 101 302 64313a61 d1:a 101 64313a72 d1:r 302 \nDNS 69.105.2.89 215.240.255.27 55792 53 17 1168819202.172 143 60 55418400 UA.. 143 55410000 UA.. 60 \nDNS 69.105.2.232 105.157.121.17 14695 53 17 1168819202.219 182 44 99288400 .(.. 182 99280000 .(.. 44 \nDNS 69.105.13.2 199.187.132.231 54068 53 17 1168819202.485 0 74 00000000 .... 0 8f860000 .... 74 \nDNS 69.105.13.2 199.187.132.231 36674 53 17 1168819202.485 0 74 00000000 .... 0 4dc70000 M... 74 \nDNS 69.105.2.232 56.200.226.188 41387 53 17 1168819202.335 306 52 ba2c8400 .,.. 153 ba2c0000 .,.. 52 \nUnknown_UDP 36.15.98.194 39.171.180.115 64394 33484 17 1168819202.489 0 10 00000000 .... 0 01c4aa45 ...E 10 \nDNS 69.105.2.89 198.237.29.83 24621 53 17 1168819202.267 66 33 055c8002 .\\.. 33 055c0000 .\\.. 33 \nDNS 69.105.2.89 194.236.28.161 36462 53 17 1168819202.286 650 50 d8118400 .... 325 d8110000 .... 50 \nDNS 69.105.2.232 168.239.255.25 37276 53 17 1168819202.312 179 45 b9d08480 .... 179 b9d00000 .... 45 \nDNS 69.105.2.89 39.104.140.235 24925 53 17 1168819201.415 430 34 26ba8400 &... 430 26ba0000 &... 34 \nDNS 69.105.2.89 56.78.177.244 55313 53 17 1168819202.294 309 32 d44d8400 .M.. 309 d44d0000 .M.. 32 \nNTP 59.102.51.187 69.105.13.2 123 123 17 1168819202.518 0 48 00000000 .... 0 0b000000 .... 48 \nDNS 69.105.13.2 39.96.255.202 48387 53 17 1168819201.979 113 46 bb148403 .... 113 bb140000 .... 46 \nICMP 197.13.74.146 69.105.220.76 0 0 1 1168819202.527 0 33 00000000 .... 0 00000000 .... 0 \nDNS 141.115.134.245 69.105.207.210 54738 53 17 1168819202.533 153 45 4d488480 MH.. 153 4d480000 MH.. 45 \nBitTorrent_UDP 62.137.22.217 69.105.230.150 8017 7226 17 1168819202.538 101 0 64313a61 d1:a 101 00000000 .... 
0 \nDNS 69.105.13.2 199.187.132.231 43855 53 17 1168819202.538 0 71 00000000 .... 0 f9a70000 .... 71 \nDNS 69.105.13.2 199.187.132.231 1130 53 17 1168819202.540 0 72 00000000 .... 0 db880000 .... 72 \nDNS 69.105.2.89 39.196.77.1 10508 53 17 1168819202.238 328 46 b3378000 .7.. 164 b3370000 .7.. 46 \nDNS 69.105.2.89 98.230.147.5 19820 53 17 1168819202.361 82 24 6f3b8400 o;.. 82 6f3b0000 o;.. 24 \nDNS 69.105.13.2 199.187.132.231 7744 53 17 1168819202.560 0 74 00000000 .... 0 54610000 Ta.. 74 \nDNS 69.105.13.2 199.187.132.231 21822 53 17 1168819202.560 0 74 00000000 .... 0 1a3e0000 .>.. 74 \nDNS 69.105.13.2 56.43.150.236 16664 53 17 1168819202.432 52 26 f7db8005 .... 26 f7db0000 .... 26 \nDNS 39.171.180.115 35.255.67.22 15282 53 17 1168819202.016 450 31 0e248000 .$.. 450 0e240000 .$.. 31 \nBitTorrent_UDP 44.102.178.96 69.105.230.150 61845 7226 17 1168819202.578 101 0 64313a61 d1:a 101 00000000 .... 0 \nDNS 69.105.2.89 200.215.75.142 30517 53 17 1168819202.579 0 28 00000000 .... 0 c7e40000 .... 28 \nDNS 69.105.13.2 49.150.137.11 31392 53 17 1168819202.583 0 49 00000000 .... 0 63ce0000 c... 49 \nDNS 69.105.2.225 56.43.150.236 46780 53 17 1168819202.461 26 26 d7048005 .... 26 d7040000 .... 26 \nDNS 69.105.2.89 39.243.34.1 61767 53 17 1168819202.467 111 31 a81d8000 .... 111 a81d0000 .... 31 \nDNS 69.105.13.2 49.122.20.41 1072 53 17 1168819201.545 98 45 f5a38403 .... 98 f5a30000 .... 45 \nDNS 69.105.13.2 194.173.115.213 45970 53 17 1168819201.543 97 44 b5418403 .A.. 97 b5410000 .A.. 44 \nBitTorrent_UDP 208.132.100.55 69.105.230.150 25622 7226 17 1168819201.936 101 2944 64313a61 d1:a 101 64313a72 d1:r 1472 \nDNS 69.105.2.89 192.138.252.112 62097 53 17 1168819202.625 0 26 00000000 .... 0 d20b0000 .... 26 \nDNS 69.105.2.89 197.19.137.22 20124 53 17 1168819202.424 69 32 9d9b8480 .... 69 9d9b0000 .... 32 \nDNS 69.105.2.232 199.187.132.231 24071 53 17 1168819202.634 0 74 00000000 .... 0 978e0000 .... 
74 \nDNS 69.105.2.232 199.187.132.231 15005 53 17 1168819202.634 0 72 00000000 .... 0 04a30000 .... 72 \nDNS 69.105.13.2 46.117.186.230 35679 53 17 1168819202.485 79 39 09a88400 .... 79 09a80000 .... 39 \nDNS 69.105.13.2 214.211.218.108 42498 53 17 1168819202.643 0 44 00000000 .... 0 a0350000 .5.. 44 \nBitTorrent_UDP 204.183.8.17 69.105.230.150 54124 7226 17 1168819202.497 101 716 64313a61 d1:a 101 64313a72 d1:r 358 \nDNS 69.105.2.225 49.182.103.138 28012 53 17 1168819202.500 68 36 0e188400 .... 68 0e180000 .... 36 \nDNS 69.105.2.232 37.161.179.160 45562 53 17 1168819202.358 99 53 f14e8403 .N.. 99 f14e0000 .N.. 53 \nNTP 69.105.2.222 53.89.33.109 123 123 17 1168819202.689 48 0 0b000000 .... 48 00000000 .... 0 \nDNS 69.105.2.232 168.239.255.25 44460 53 17 1168819202.510 154 57 03d38480 .... 154 03d30000 .... 57 \nSkype 217.109.219.103 69.105.166.211 18116 15599 17 1168819202.386 23 21 5cc5029b \\... 23 d1ad028d .... 21 \nDNS 69.105.13.2 45.6.215.40 45617 53 17 1168819202.570 96 44 cdf98403 .... 96 cdf90000 .... 44 \nDNS 69.105.2.89 198.237.29.83 1888 53 17 1168819202.490 66 33 7bf48002 {... 33 7bf40000 {... 33 \nDNS 69.105.13.2 46.14.237.231 5381 53 17 1168819202.574 98 45 b0448403 .D.. 98 b0440000 .D.. 45 \nDNS 69.105.2.89 41.63.136.239 12764 53 17 1168819202.381 228 44 b2148000 .... 114 b2140000 .... 44 \nDNS 69.105.13.2 194.173.240.242 7280 53 17 1168819201.662 325 38 41608480 A`.. 325 41600000 A`.. 38 \nDNS 69.105.2.89 39.104.141.227 41946 53 17 1168819202.424 860 34 4c488400 LH.. 430 4c480000 LH.. 34 \nDNS 69.105.2.232 37.173.7.22 53923 53 17 1168819201.533 96 51 605f8403 `_.. 96 605f0000 `_.. 51 \nDNS 69.105.2.89 194.236.28.213 64626 53 17 1168819202.519 190 50 232f8403 #/.. 95 232f0000 #/.. 50 \nDNS 69.105.2.232 105.157.121.17 64081 53 17 1168819202.486 156 49 868b8400 .... 156 868b0000 .... 49 \nDNS 69.105.2.89 208.29.15.215 44219 53 17 1168819202.413 265 28 63c28400 c... 265 63c20000 c... 
28 \nDNS 69.105.13.2 197.131.80.241 22106 53 17 1168819202.579 194 44 92eb8403 .... 97 92eb0000 .... 44 \nDNS 69.105.2.225 199.163.9.10 54207 53 17 1168819202.773 0 44 00000000 .... 0 0aaa0000 .... 44 \nDNS 69.105.13.2 56.237.151.171 52678 53 17 1168819202.558 118 54 44b48403 D... 118 44b40000 D... 54 \nDNS 69.105.2.232 41.95.129.43 33101 53 17 1168819202.335 108 51 b5bc8403 .... 108 b5bc0000 .... 51 \nDNS 69.105.2.89 41.205.255.178 1992 53 17 1168819202.441 174 40 150c8400 .... 174 150c0000 .... 40 \nBitTorrent_UDP 139.216.225.144 69.105.230.150 8921 7226 17 1168819202.777 101 0 64313a61 d1:a 101 00000000 .... 0 \nDNS 69.105.13.2 45.32.114.6 21891 53 17 1168819202.560 118 59 82b88403 .... 59 82b80000 .... 59 \nDNS 69.105.13.2 199.68.228.60 14142 53 17 1168819202.576 58 58 81328403 .2.. 58 81320000 .2.. 58 \nDNS 69.105.13.2 194.236.28.161 13723 53 17 1168819202.564 194 52 d4568403 .V.. 97 d4560000 .V.. 52 \nDNS 69.105.2.232 168.135.241.20 11233 53 17 1168819202.595 112 44 b5d28000 .... 112 b5d20000 .... 44 \nBitTorrent_UDP 214.120.220.196 69.105.230.150 41739 7226 17 1168819201.016 101 566 64313a61 d1:a 101 64313a72 d1:r 566 \nDNS 69.105.2.232 194.236.28.213 21749 53 17 1168819202.577 192 51 05228403 .\".. 96 05220000 .\".. 51 \nSQLExp 69.105.171.39 197.187.152.40 1434 1421 17 1168819202.796 376 0 04010101 .... 376 00000000 .... 0 \nBitTorrent_UDP 138.118.181.85 69.105.230.150 21074 7226 17 1168819202.817 101 0 64313a61 d1:a 101 00000000 .... 0 \nUnknown_UDP 39.171.180.115 71.103.247.13 51670 33479 17 1168819202.836 0 10 00000000 .... 0 01c4aa45 ...E 10 \nUnknown_UDP 36.15.98.194 39.171.180.115 64394 33485 17 1168819202.845 0 10 00000000 .... 0 01c4aa45 ...E 10 \nDNS 69.105.2.89 194.236.28.161 5479 53 17 1168819202.636 188 49 73c78403 s... 94 73c70000 s... 49 \nDNS 69.105.13.111 70.121.159.2 53 53 17 1168819202.851 47 130 efb70000 .... 47 efb78400 .... 130 \nDNS 69.105.2.89 43.65.116.242 50127 53 17 1168819202.551 216 46 f0b98480 .... 216 f0b90000 .... 
46 \nDNS 69.105.2.232 39.253.2.216 45473 53 17 1168819202.232 100 45 a6e08000 .... 100 a6e00000 .... 45 \nDNS 69.105.2.232 37.173.7.21 46728 53 17 1168819202.551 192 51 47fd8403 G... 96 47fd0000 G... 51 \nDNS 69.105.13.2 199.187.132.231 21667 53 17 1168819202.872 0 73 00000000 .... 0 8ed20000 .... 73 \nDNS 69.105.13.2 41.61.249.207 19069 53 17 1168819201.662 99 51 172d8400 .-.. 99 172d0000 .-.. 51 \nICMP 69.105.206.251 197.13.74.146 0 0 1 1168819202.883 33 0 00000000 .... 0 00000000 .... 0 \nDNS 38.49.19.151 69.105.2.164 32768 53 17 1168819202.887 125 42 9add8400 .... 125 9add0010 .... 42 \nICMP 197.13.74.146 69.105.157.33 0 0 1 1168819202.890 0 33 00000000 .... 0 00000000 .... 0 \nICMP 69.105.143.254 197.13.74.146 0 0 1 1168819202.891 33 0 00000000 .... 0 00000000 .... 0 \nICMP 69.105.13.154 197.13.74.146 0 0 1 1168819202.893 33 0 00000000 .... 0 00000000 .... 0 \nICMP 197.13.74.146 69.105.13.103 0 0 1 1168819202.898 0 33 00000000 .... 0 00000000 .... 0 \nICMP 197.13.74.146 69.105.180.126 0 0 1 1168819202.898 0 33 00000000 .... 0 00000000 .... 0 \nICMP 197.13.74.146 69.105.34.32 0 0 1 1168819202.901 0 33 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.232 49.140.159.3 27211 53 17 1168819201.864 98 52 ae268403 .&.. 98 ae260000 .&.. 52 \nDNS 69.105.2.225 35.202.246.124 24817 53 17 1168819202.290 93 44 6a978000 j... 93 6a970000 j... 44 \nDNS 69.105.13.2 141.144.159.172 48836 53 17 1168819202.573 101 48 22068403 \"... 101 22060000 \"... 48 \nDNS 69.105.13.2 198.56.46.126 52855 53 17 1168819202.687 152 41 88998400 .... 76 88990000 .... 41 \nDNS 69.105.2.225 199.163.9.10 40145 53 17 1168819202.918 0 44 00000000 .... 0 e2d10000 .... 44 \nDNS 69.105.2.89 38.248.140.18 8884 53 17 1168819202.625 192 39 a2038000 .... 192 a2030000 .... 39 \nDNS 69.105.13.2 38.248.134.10 35929 53 17 1168819202.628 320 43 9adb8400 .... 160 9adb0000 .... 43 \nDNS 69.105.13.2 215.181.188.237 43539 53 17 1168819202.530 104 44 4cad8483 L... 104 4cad0000 L... 
44 \nDNS 69.105.2.89 42.42.2.124 21987 53 17 1168819202.552 82 24 66ac8400 f... 82 66ac0000 f... 24 \nICMP 39.171.180.97 42.67.167.68 0 0 1 1168819201.431 1011 983 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.232 168.141.254.195 10574 53 17 1168819202.792 234 44 437d8400 C}.. 234 437d0000 C}.. 44 \nDNS 69.105.2.89 35.141.133.255 62784 53 17 1168819202.747 64 48 be958400 .... 64 be950000 .... 48 \nDNS 69.105.2.89 194.236.28.230 51608 53 17 1168819202.737 650 50 0ea98400 .... 325 0ea90000 .... 50 \nDNS 49.93.240.2 69.105.2.164 17876 53 17 1168819202.962 115 41 aa218000 .!.. 115 aa210000 .!.. 41 \nDNS 69.105.13.2 199.187.132.231 50467 53 17 1168819202.966 0 73 00000000 .... 0 fcfc0000 .... 73 \nDNS 69.105.13.2 158.68.253.170 57327 53 17 1168819202.969 0 46 00000000 .... 0 00510000 .Q.. 46 \nDNS 69.105.2.89 194.236.28.153 35167 53 17 1168819202.761 648 49 f7968400 .... 324 f7960000 .... 49 \nDNS 69.105.2.89 32.4.80.7 18893 53 17 1168819201.623 192 39 10328000 .2.. 192 10320000 .2.. 39 \nDNS 69.105.13.2 199.187.132.231 57858 53 17 1168819202.984 0 74 00000000 .... 0 9a3f0000 .?.. 74 \nDNS 69.105.13.2 199.187.132.231 26733 53 17 1168819202.984 0 73 00000000 .... 0 ab180000 .... 73 \nDNS 69.105.2.232 70.252.78.13 17331 53 17 1168819202.795 113 49 2af48403 *... 113 2af40000 *... 49 \nDNS 69.105.13.2 45.6.215.40 63088 53 17 1168819202.873 95 45 86e68400 .... 95 86e60000 .... 45 \nBitTorrent_UDP 208.166.79.24 69.105.230.150 8279 7226 17 1168819203.018 101 0 64313a61 d1:a 101 00000000 .... 0 \nDNS 69.105.13.2 46.14.237.231 3770 53 17 1168819202.875 118 46 eb408400 .@.. 118 eb400000 .@.. 46 \nNo_Payload 39.171.180.118 70.200.49.7 1281 33434 17 1168819203.031 0 0 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.89 56.200.226.189 21686 53 17 1168819202.499 302 50 131f8400 .... 151 131f0000 .... 50 \nDNS 69.105.2.232 70.252.78.146 18043 53 17 1168819202.864 98 52 f2818403 .... 98 f2810000 .... 52 \nDNS 69.105.13.2 70.252.78.13 6669 53 17 1168819202.866 116 52 33e68403 3... 
116 33e60000 3... 52 \nICMP 197.13.74.146 69.105.141.23 0 0 1 1168819203.056 0 33 00000000 .... 0 00000000 .... 0 \nDNS 69.105.13.2 216.151.24.178 28503 53 17 1168819202.755 210 49 e4228403 .\".. 105 e4220000 .\".. 49 \nDNS 69.105.2.232 70.252.78.13 4207 53 17 1168819202.864 113 49 fbf88403 .... 113 fbf80000 .... 49 \nDNS 69.105.2.232 49.209.38.38 35222 53 17 1168819202.856 138 39 af9f8000 .... 138 af9f0000 .... 39 \nDNS 69.105.2.89 75.149.112.234 63837 53 17 1168819202.727 190 44 1eac8000 .... 95 1eac0000 .... 44 \nDNS 69.105.2.232 197.39.79.227 39134 53 17 1168819202.948 210 58 7c748400 |t.. 210 7c740000 |t.. 58 \nICMP 197.13.74.146 69.105.140.42 0 0 1 1168819203.093 0 33 00000000 .... 0 00000000 .... 0 \nBitTorrent_UDP 58.109.75.133 69.105.230.150 22435 7226 17 1168819203.098 101 0 64313a61 d1:a 101 00000000 .... 0 \nDNS 69.105.2.89 41.205.255.178 43502 53 17 1168819202.779 149 28 89b18400 .... 149 89b10000 .... 28 \nDNS 69.105.13.2 56.200.226.185 37373 53 17 1168819202.959 116 52 e66d8403 .m.. 116 e66d0000 .m.. 52 \nBitTorrent_UDP 143.193.86.84 69.105.230.150 25953 7226 17 1168819203.138 101 0 64313a61 d1:a 101 00000000 .... 0 \nDNS 69.105.13.2 199.182.255.16 43060 53 17 1168819202.551 572 46 92568400 .V.. 286 92560000 .V.. 46 \nDNS 69.105.13.2 35.141.133.255 40267 53 17 1168819202.555 115 51 be978403 .... 115 be970000 .... 51 \nDNS 69.105.13.2 197.131.80.241 54789 53 17 1168819202.964 202 48 ac7b8403 .{.. 101 ac7b0000 .{.. 48 \nUnknown_UDP 39.171.180.115 71.103.247.13 51670 33480 17 1168819203.154 0 10 00000000 .... 0 02c4aa45 ...E 10 \nSNMP 69.105.2.155 69.105.122.249 39405 161 17 1168819203.109 1562 1342 302d0201 0-.. 47 30290201 0).. 43 \nDNS 69.105.13.2 200.26.210.91 48040 53 17 1168819202.967 97 45 2f1d8403 /... 97 2f1d0000 /... 45 \nUnknown_UDP 39.171.180.115 38.203.122.246 51667 33492 17 1168819203.157 0 10 00000000 .... 0 02c4aa45 ...E 10 \nDNS 69.105.13.2 39.192.15.1 30041 53 17 1168819202.964 108 33 c8c88000 .... 108 c8c80000 .... 
33 \nDNS 69.105.13.2 46.117.172.241 55866 53 17 1168819202.637 336 37 d2c68400 .... 336 d2c60000 .... 37 \nDNS 69.105.13.2 37.173.7.21 11615 53 17 1168819202.870 95 50 3edb8403 >... 95 3edb0000 >... 50 \nDNS 69.105.2.89 194.236.28.198 29650 53 17 1168819202.957 410 50 a2718400 .q.. 410 a2710000 .q.. 50 \nDNS 69.105.2.89 39.221.51.1 43397 53 17 1168819203.013 210 33 30e48000 0... 210 30e40000 0... 33 \nDNS 69.105.13.2 43.196.35.167 54224 53 17 1168819203.180 68 36 90c28400 .... 68 90c20000 .... 36 \nDNS 39.171.180.91 78.164.74.212 51730 53 17 1168819203.029 291 46 1fbb8400 .... 291 1fbb0010 .... 46 \nDNS 69.105.13.2 39.253.2.254 25375 53 17 1168819202.964 108 33 5fdf8000 _... 108 5fdf0000 _... 33 \nDNS 69.105.2.225 199.163.9.10 36209 53 17 1168819203.197 0 43 00000000 .... 0 3ee10000 >... 43 \nUnknown_UDP 36.15.98.194 39.171.180.115 64394 33486 17 1168819203.201 0 10 00000000 .... 0 02c4aa45 ...E 10 \nDNS 69.105.2.232 34.63.113.227 6109 53 17 1168819203.063 268 28 f1ad8000 .... 268 f1ad0000 .... 28 \nDNS 69.105.13.2 158.68.130.247 58004 53 17 1168819202.664 325 38 6d2a8480 m*.. 325 6d2a0000 m*.. 38 \nDNS 69.105.13.2 198.34.96.209 9594 53 17 1168819202.963 104 60 14098483 .... 104 14090000 .... 60 \nDNS 69.105.2.89 47.245.7.20 50534 53 17 1168819202.611 145 36 50ec8480 P... 145 50ec0000 P... 36 \nICMP 69.105.186.155 197.13.74.146 0 0 1 1168819203.217 33 0 00000000 .... 0 00000000 .... 0 \nDNS 69.105.13.2 39.216.189.14 23417 53 17 1168819202.518 163 44 f20d8000 .... 163 f20d0000 .... 44 \nDNS 39.171.180.115 39.229.159.30 15282 53 17 1168819203.016 31 31 0e258004 .%.. 31 0e250000 .%.. 31 \nBitTorrent_UDP 143.10.61.204 69.105.230.150 8906 7226 17 1168819202.057 101 293 64313a61 d1:a 101 64313a72 d1:r 293 \nDNS 43.94.102.206 69.105.2.164 34269 53 17 1168819203.240 92 47 2a728400 *r.. 92 2a720000 *r.. 47 \nDNS 69.105.2.232 70.252.78.146 33525 53 17 1168819203.058 99 53 cb498403 .I.. 99 cb490000 .I.. 
53 \nDNS 69.105.2.225 39.216.189.14 44700 53 17 1168819202.903 99 35 283d8000 (=.. 99 283d0000 (=.. 35 \nSQLExp 61.207.6.23 69.105.198.85 3011 1434 17 1168819203.254 0 376 00000000 .... 0 04010101 .... 376 \nDNS 69.105.2.89 213.191.75.3 13253 53 17 1168819202.543 928 45 8e5c8000 .\\.. 464 8e5c0000 .\\.. 45 \nDNS 69.105.13.2 216.151.24.178 32255 53 17 1168819202.965 206 47 17988403 .... 103 17980000 .... 47 \nDNS 69.105.2.89 52.94.241.75 26099 53 17 1168819203.266 0 45 00000000 .... 0 58d20000 X... 45 \nDNS 69.105.13.2 37.237.13.12 38769 53 17 1168819203.273 0 45 00000000 .... 0 b94e0000 .N.. 45 \nDNS 69.105.13.2 37.237.13.12 51440 53 17 1168819203.273 0 45 00000000 .... 0 3d4b0000 =K.. 45 \nDNS 69.105.13.2 37.173.7.21 12526 53 17 1168819202.960 95 50 b3c78403 .... 95 b3c70000 .... 50 \nDNS 69.105.2.232 92.131.66.243 39288 53 17 1168819203.275 0 43 00000000 .... 0 b2810000 .... 43 \nDNS 69.105.13.2 195.172.177.163 1697 53 17 1168819202.166 222 42 01508400 .P.. 222 01500000 .P.. 42 \nDNS 69.105.2.232 52.34.247.28 14698 53 17 1168819202.086 328 44 d8838400 .... 164 d8830000 .... 44 \nDNS 69.105.2.232 39.199.110.30 35942 53 17 1168819202.593 214 29 cc878000 .... 107 cc870000 .... 29 \nDNS 69.105.13.2 141.144.159.172 36981 53 17 1168819202.961 118 46 ba968400 .... 118 ba960000 .... 46 \nDNS 49.93.240.2 69.105.207.255 18102 53 17 1168819203.302 152 41 dd5b8480 .[.. 152 dd5b0000 .[.. 41 \nDNS 69.105.13.2 168.163.14.222 26180 53 17 1168819203.063 490 42 18c78480 .... 245 18c70000 .... 42 \nDNS 193.168.138.226 69.105.2.164 4043 53 17 1168819203.311 125 45 6f088100 o... 125 6f080100 o... 45 \nDNS 69.105.2.89 37.173.7.22 6683 53 17 1168819202.983 150 49 1ec48400 .... 150 1ec40000 .... 49 \nDNS 69.105.2.89 43.70.228.250 42634 53 17 1168819203.316 0 24 00000000 .... 0 e75b0000 .[.. 24 \nDNS 69.105.13.2 195.172.178.83 24577 53 17 1168819203.169 240 42 4db48480 M... 240 4db40000 M... 42 \nDNS 69.105.13.2 199.187.132.231 12620 53 17 1168819203.338 0 72 00000000 .... 
0 5ba20000 [... 72 \nDNS 69.105.13.2 199.187.132.231 16840 53 17 1168819203.338 0 73 00000000 .... 0 f9860000 .... 73 \nBitTorrent_UDP 141.190.47.10 69.105.230.150 65257 7226 17 1168819203.338 101 0 64313a61 d1:a 101 00000000 .... 0 \nDNS 39.171.180.115 52.77.121.174 15282 53 17 1168819203.016 62 31 0e268005 .&.. 31 0e260000 .&.. 31 \nDNS 69.105.2.232 69.38.120.92 36289 53 17 1168819203.049 102 56 bb708403 .p.. 102 bb700000 .p.. 56 \nDNS 69.105.2.232 197.144.160.235 28093 53 17 1168819203.352 0 45 00000000 .... 0 5da80000 ]... 45 \nBitTorrent_UDP 53.70.159.83 69.105.230.150 8034 7226 17 1168819203.379 101 0 64313a61 d1:a 101 00000000 .... 0 \nUnknown_UDP 39.171.180.203 43.216.111.30 5060 5060 17 1168819203.394 4 0 00000000 .... 4 00000000 .... 0 \nICMP 69.105.32.218 197.13.74.146 0 0 1 1168819203.394 33 0 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.89 39.214.90.225 51849 53 17 1168819203.184 214 44 02c28000 .... 214 02c20000 .... 44 \nICMP 197.13.74.146 69.105.171.19 0 0 1 1168819201.072 0 66 00000000 .... 0 00000000 .... 0 \nICMP 197.13.74.146 69.105.34.26 0 0 1 1168819201.131 0 66 00000000 .... 0 00000000 .... 0 \nICMP 197.13.74.146 69.105.198.62 0 0 1 1168819201.219 0 66 00000000 .... 0 00000000 .... 0 \nDNS 69.105.13.2 198.237.29.137 9467 53 17 1168819203.171 49 33 71b08400 q... 49 71b00000 q... 33 \nDNS 69.105.2.232 192.138.252.113 34828 53 17 1168819203.405 0 26 00000000 .... 0 ef2b0000 .+.. 26 \nDNS 69.105.2.232 45.203.214.90 43047 53 17 1168819203.203 224 28 8bb78000 .... 112 8bb70000 .... 28 \nICMP 197.13.74.146 69.105.198.13 0 0 1 1168819201.258 0 66 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.89 40.251.135.94 21380 53 17 1168819203.083 352 44 89918480 .... 176 89910000 .... 44 \nDNS 69.105.2.89 49.140.159.3 29555 53 17 1168819202.847 111 47 be838403 .... 111 be830000 .... 47 \nDNS 69.105.13.2 198.237.29.136 49536 53 17 1168819203.197 200 33 7ecc8400 .... 100 7ecc0000 .... 
33 \nDNS 69.105.2.89 194.236.28.161 21857 53 17 1168819203.218 650 50 fdc88400 .... 325 fdc80000 .... 50 \nDNS 69.105.13.2 49.140.159.16 25149 53 17 1168819202.880 93 46 73558403 sU.. 93 73550000 sU.. 46 \nDNS 69.105.197.19 43.94.184.135 38178 53 17 1168819203.413 116 48 ae5c8010 .\\.. 116 ae5c0010 .\\.. 48 \nDNS 69.105.2.89 92.131.66.243 61003 53 17 1168819203.108 170 68 63558400 cU.. 170 63550000 cU.. 68 \nDNS 69.105.2.89 42.12.225.5 29072 53 17 1168819203.393 99 44 11f88000 .... 99 11f80000 .... 44 \nDNS 69.105.197.19 50.61.2.25 38178 53 17 1168819203.442 132 48 d72e8480 .... 132 d72e0010 .... 48 \nDNS 39.171.180.115 41.231.230.178 15282 53 17 1168819203.016 62 31 0e278005 .'.. 31 0e270000 .'.. 31 \nBitTorrent_UDP 61.5.241.19 69.105.230.150 21240 7226 17 1168819203.458 101 0 64313a61 d1:a 101 00000000 .... 0 \nBitTorrent_UDP 58.200.170.47 69.105.230.150 12454 7226 17 1168819203.058 101 1472 64313a61 d1:a 101 64313a72 d1:r 1472 \nUnknown_UDP 39.171.180.115 71.103.247.13 51670 33481 17 1168819203.462 0 10 00000000 .... 0 02c4aa45 ...E 10 \nDNS 69.105.13.2 199.172.178.197 29352 53 17 1168819202.876 59 59 99558403 .U.. 59 99550000 .U.. 59 \nNetBIOS_UDP 43.82.22.227 69.105.166.144 137 137 17 1168819201.965 0 100 00000000 .... 0 bcb70000 .... 50 \nDNS 69.105.2.232 39.192.15.1 47916 53 17 1168819203.285 251 25 350c8000 5... 251 350c0000 5... 25 \nDNS 193.168.138.226 69.105.144.12 4043 53 17 1168819203.486 158 45 6f088580 o... 158 6f080100 o... 45 \nNTP 142.181.164.152 69.105.2.222 46699 123 17 1168819203.496 0 48 00000000 .... 0 13000b00 .... 48 \nDNS 208.63.157.124 69.105.13.111 37669 53 17 1168819203.512 119 36 17bf8400 .... 119 17bf0000 .... 36 \nICMP 69.105.167.181 197.13.74.146 0 0 1 1168819203.541 33 0 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.232 52.34.247.29 43668 53 17 1168819202.335 140 55 62ed8400 b... 140 62ed0000 b... 55 \nDNS 69.105.13.2 36.20.106.232 59622 53 17 1168819203.229 282 37 a7368400 .6.. 141 a7360000 .6.. 
37 \nDNS 69.105.13.2 199.187.132.231 16414 53 17 1168819203.545 0 73 00000000 .... 0 861d0000 .... 73 \nDNS 69.105.13.2 199.187.132.231 28974 53 17 1168819203.545 0 74 00000000 .... 0 1dd70000 .... 74 \nDNS 69.105.13.2 168.163.5.16 25748 53 17 1168819203.305 658 44 0aa78480 .... 329 0aa70000 .... 44 \nSkype 69.105.144.86 215.27.55.100 54045 27390 17 1168819202.318 36 32 54e502f0 T... 18 a88a0235 ...5 32 \nDNS 69.105.2.232 42.12.224.107 18189 53 17 1168819203.355 131 45 9c4e8000 .N.. 131 9c4e0000 .N.. 45 \nUnknown_UDP 36.15.98.194 39.171.180.115 64394 33487 17 1168819203.559 0 10 00000000 .... 0 02c4aa45 ...E 10 \nDNS 69.105.13.2 199.187.132.231 9134 53 17 1168819203.562 0 73 00000000 .... 0 dc980000 .... 73 \nDNS 69.105.13.2 199.187.132.231 20599 53 17 1168819203.562 0 73 00000000 .... 0 85a20000 .... 73 \nDNS 69.105.13.2 69.104.1.9 63699 53 17 1168819203.562 159 45 04058400 .... 159 04050000 .... 45 \nDNS 69.105.2.232 37.173.7.1 10750 53 17 1168819203.245 103 57 aabe8403 .... 103 aabe0000 .... 57 \nDNS 69.105.13.2 39.253.2.216 62197 53 17 1168819203.345 94 45 18708000 .p.. 94 18700000 .p.. 45 \nDNS 69.105.13.2 45.114.56.37 41812 53 17 1168819203.568 0 45 00000000 .... 0 585e0000 X^.. 45 \nNTP 61.26.153.95 69.105.13.2 123 123 17 1168819203.571 0 48 00000000 .... 0 23000000 #... 48 \nDNS 69.105.13.2 41.61.249.207 31389 53 17 1168819202.366 135 51 97938400 .... 135 97930000 .... 51 \nDNS 69.105.13.2 199.68.228.57 18547 53 17 1168819202.968 59 59 335d8403 3].. 59 335d0000 3].. 59 \nDNS 69.105.2.89 39.75.246.233 54692 53 17 1168819203.429 306 33 ca1c8000 .... 306 ca1c0000 .... 33 \nDNS 69.105.2.89 200.215.75.148 39111 53 17 1168819203.579 0 28 00000000 .... 0 77670000 wg.. 28 \nDNS 69.105.13.2 36.227.22.21 18774 53 17 1168819203.593 0 45 00000000 .... 0 22290000 \").. 45 \nDNS 69.105.13.2 36.227.22.21 58118 53 17 1168819203.593 0 45 00000000 .... 0 48950000 H... 45 \nDNS 69.105.13.2 213.94.140.72 63971 53 17 1168819202.878 206 47 aad08403 .... 103 aad00000 .... 
47 \nDNS 69.105.13.2 49.122.20.41 32308 53 17 1168819202.551 97 44 b1568403 .V.. 97 b1560000 .V.. 44 \nDNS 36.83.190.6 69.105.13.111 54433 53 17 1168819203.602 169 31 0f398400 .9.. 169 0f390000 .9.. 31 \nDNS 69.105.2.89 44.123.71.109 36016 53 17 1168819203.398 252 33 c7b18400 .... 126 c7b10000 .... 33 \nDNS 69.105.13.2 194.173.115.213 4165 53 17 1168819202.552 98 45 03978403 .... 98 03970000 .... 45 \nSQLExp 69.105.171.116 50.25.31.221 1434 1357 17 1168819203.610 376 0 04010101 .... 376 00000000 .... 0 \nDNS 69.105.2.225 200.215.75.148 60353 53 17 1168819203.621 0 28 00000000 .... 0 8dfa0000 .... 28 \nNTP 50.6.41.51 69.105.2.222 6126 123 17 1168819203.622 0 48 00000000 .... 0 13000b00 .... 48 \nUnsupported 69.105.122.244 42.27.214.88 0 0 50 1168819201.017 0 0 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.89 200.215.75.148 57059 53 17 1168819203.631 0 28 00000000 .... 0 2ba90000 +... 28 \nDNS 69.105.2.89 192.138.252.113 43564 53 17 1168819203.631 0 26 00000000 .... 0 27960000 '... 26 \nDNS 69.105.2.232 101.146.249.245 28092 53 17 1168819203.405 144 28 99278480 .'.. 144 99270000 .'.. 28 \nDNS 69.105.13.2 45.123.202.172 16471 53 17 1168819203.643 0 44 00000000 .... 0 d91f0000 .... 44 \nDNS 69.105.2.89 194.236.28.230 39577 53 17 1168819203.440 820 50 e9cf8400 .... 410 e9cf0000 .... 50 \nNTP 69.105.2.225 142.181.221.118 123 123 17 1168819203.655 48 0 21010aec !... 48 00000000 .... 0 \nDNS 69.105.2.225 192.138.252.112 10112 53 17 1168819203.657 0 26 00000000 .... 0 91b70000 .... 26 \nBitTorrent_UDP 58.162.78.198 69.105.230.150 23227 7226 17 1168819203.658 101 0 64313a61 d1:a 101 00000000 .... 0 \nDNS 69.105.13.2 192.138.252.113 45562 53 17 1168819203.665 0 26 00000000 .... 0 bdd80000 .... 26 \nDNS 69.105.2.89 70.8.138.89 34329 53 17 1168819203.449 634 36 c5e88000 .... 317 c5e80000 .... 36 \nDNS 69.105.2.225 192.138.252.113 2330 53 17 1168819203.672 0 26 00000000 .... 0 94f70000 .... 26 \nDNS 69.105.2.89 42.12.224.99 50819 53 17 1168819203.488 106 46 fdf48403 .... 
106 fdf40000 .... 46 \nDNS 69.105.2.232 197.140.25.10 27037 53 17 1168819203.286 139 29 20bb8400 .... 139 20bb0000 .... 29 \nBitTorrent_UDP 199.93.54.125 69.105.230.150 29542 7226 17 1168819203.418 101 974 64313a61 d1:a 101 64313a72 d1:r 974 \nBitTorrent_UDP 139.52.139.206 69.105.230.150 24983 7226 17 1168819203.699 101 0 64313a61 d1:a 101 00000000 .... 0 \nDNS 69.105.2.232 49.136.139.22 16316 53 17 1168819203.485 217 25 1cdd8400 .... 217 1cdd0000 .... 25 \nDNS 69.105.2.89 192.138.252.113 2820 53 17 1168819203.703 0 26 00000000 .... 0 f7250000 .%.. 26 \nDNS 69.105.2.232 37.173.7.22 20054 53 17 1168819203.703 0 50 00000000 .... 0 a2ec0000 .... 50 \nDNS 69.105.2.89 39.3.15.203 2066 53 17 1168819203.711 0 43 00000000 .... 0 25120000 %... 43 \nICMP 69.105.15.221 197.13.74.146 0 0 1 1168819203.726 33 0 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.232 39.157.1.3 16189 53 17 1168819203.439 210 30 64b38000 d... 105 64b30000 d... 30 \nDNS 69.105.2.232 43.70.240.229 53031 53 17 1168819203.552 121 45 a3008000 .... 121 a3000000 .... 45 \nDNS 69.105.13.2 52.42.23.13 47952 53 17 1168819203.463 312 32 3f5e8080 ?^.. 156 3f5e0000 ?^.. 32 \nSQLExp 69.105.231.82 58.21.188.39 1434 1119 17 1168819203.758 376 0 04010101 .... 376 00000000 .... 0 \nICMP 197.13.74.146 69.105.38.8 0 0 1 1168819203.759 0 33 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.232 38.64.241.255 23436 53 17 1168819203.760 0 51 00000000 .... 0 254b0000 %K.. 51 \nDNS 69.105.2.232 199.172.179.122 18931 53 17 1168819203.760 0 58 00000000 .... 0 6b0a0000 k... 58 \nDNS 69.105.2.89 40.251.135.94 1257 53 17 1168819203.421 252 40 18668480 .f.. 126 18660000 .f.. 40 \nDNS 69.105.2.232 44.231.117.6 54957 53 17 1168819203.763 0 47 00000000 .... 0 45bc0000 E... 47 \nDNS 69.105.2.89 39.198.236.218 24812 53 17 1168819203.579 137 33 d0d48000 .... 137 d0d40000 .... 33 \nDNS 69.105.13.2 57.30.125.80 10118 53 17 1168819203.766 0 46 00000000 .... 0 998b0000 .... 
46 \nDNS 69.105.13.2 49.122.20.41 61988 53 17 1168819203.767 0 47 00000000 .... 0 84270000 .'.. 47 \nDNS 69.105.13.2 44.231.117.6 26860 53 17 1168819203.767 0 45 00000000 .... 0 acb80000 .... 45 \nDNS 69.105.13.2 199.14.110.41 57195 53 17 1168819203.769 0 53 00000000 .... 0 e5710000 .q.. 53 \nUnknown_UDP 39.171.180.115 71.103.247.13 51670 33482 17 1168819203.769 0 10 00000000 .... 0 02c4aa45 ...E 10 \nDNS 69.105.13.2 37.173.7.22 46776 53 17 1168819202.562 94 49 b5c18403 .... 94 b5c10000 .... 49 \nDNS 69.105.2.232 199.187.132.231 1821 53 17 1168819203.769 0 74 00000000 .... 0 ff530000 .S.. 74 \nDNS 69.105.13.2 199.187.132.231 3568 53 17 1168819203.769 0 74 00000000 .... 0 39e40000 9... 74 \nDNS 69.105.13.2 194.248.235.213 27644 53 17 1168819203.770 0 46 00000000 .... 0 2b6a0000 +j.. 46 \nDNS 69.105.2.232 199.187.132.231 34799 53 17 1168819203.770 0 72 00000000 .... 0 81dd0000 .... 72 \nDNS 69.105.13.2 199.187.132.231 20551 53 17 1168819203.770 0 72 00000000 .... 0 abbb0000 .... 72 \nDNS 69.105.13.2 37.173.7.11 21808 53 17 1168819202.581 102 46 ed4b8403 .K.. 102 ed4b0000 .K.. 46 \nDNS 69.105.13.2 43.94.184.135 61230 53 17 1168819203.767 111 31 95308000 .0.. 111 95300000 .0.. 31 \nDNS 69.105.13.2 72.163.32.254 35243 53 17 1168819203.772 0 48 00000000 .... 0 acfe0000 .... 48 \nDNS 69.105.13.2 37.173.7.1 40790 53 17 1168819203.772 0 56 00000000 .... 0 18920000 .... 56 \nDNS 69.105.2.232 43.94.176.255 58995 53 17 1168819203.766 90 31 d27a8480 .z.. 90 d27a0000 .z.. 31 \nDNS 69.105.13.2 199.187.132.231 15791 53 17 1168819203.773 0 74 00000000 .... 0 72d70000 r... 74 \nDNS 69.105.13.2 199.187.132.231 59313 53 17 1168819203.774 0 72 00000000 .... 0 17ee0000 .... 72 \nDNS 69.105.13.2 42.27.157.222 19821 53 17 1168819203.770 111 31 8e898000 .... 111 8e890000 .... 31 \nDNS 69.105.13.2 43.94.176.255 48551 53 17 1168819203.771 90 31 55cf8480 U... 90 55cf0000 U... 31 \nBitTorrent_UDP 62.177.100.147 69.105.230.150 23762 7226 17 1168819203.778 101 0 64313a61 d1:a 101 00000000 .... 
0 \nDNS 69.105.13.2 194.236.28.230 31263 53 17 1168819203.562 94 49 53878403 S... 94 53870000 S... 49 \nDNS 69.105.13.2 43.94.176.255 61892 53 17 1168819203.777 146 31 d8e88480 .... 146 d8e80000 .... 31 \nDNS 69.105.13.2 42.45.190.154 55171 53 17 1168819203.770 79 31 52c08000 R... 79 52c00000 R... 31 \nDNS 69.105.13.2 43.94.176.255 30642 53 17 1168819203.785 90 31 5ba98480 [... 90 5ba90000 [... 31 \nNTP 69.105.2.222 39.68.130.20 123 123 17 1168819202.794 96 0 e30004fa .... 48 00000000 .... 0 \nDNS 69.105.13.2 44.155.28.119 20703 53 17 1168819203.600 103 37 0d188400 .... 103 0d180000 .... 37 \nDNS 69.105.2.232 39.221.51.1 5454 53 17 1168819203.631 78 33 57408000 W@.. 78 57400000 W@.. 33 \nDNS 69.105.2.232 39.226.214.1 2876 53 17 1168819203.588 105 32 ce3f8000 .?.. 105 ce3f0000 .?.. 32 \nDNS 69.105.2.232 39.213.161.1 56330 53 17 1168819203.482 109 27 01ca8000 .... 109 01ca0000 .... 27 \nBitTorrent_UDP 209.220.130.16 69.105.230.150 14290 7226 17 1168819203.818 101 0 64313a61 d1:a 101 00000000 .... 0 \nDNS 69.105.2.89 49.151.159.126 59697 53 17 1168819203.606 93 48 d0d18403 .... 93 d0d10000 .... 48 \nICMP 39.171.180.118 42.28.149.6 0 0 1 1168819201.939 0 450 00000000 .... 0 00000000 .... 0 \nICMP 70.8.128.255 39.171.180.118 0 0 1 1168819201.943 450 0 00000000 .... 0 00000000 .... 0 \nICMP 39.171.180.118 70.200.49.7 0 0 1 1168819201.947 0 450 00000000 .... 0 00000000 .... 0 \nICMP 50.247.39.134 39.171.180.118 0 0 1 1168819201.955 450 0 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.232 106.163.2.242 18618 53 17 1168819203.850 0 39 00000000 .... 0 3f640000 ?d.. 39 \nDNS 69.105.2.232 35.168.101.20 6953 53 17 1168819203.634 210 39 60218080 `!.. 105 60210000 `!.. 39 \nICMP 69.105.231.179 197.13.74.146 0 0 1 1168819203.851 33 0 00000000 .... 0 00000000 .... 0 \nICMP 45.35.233.181 39.171.180.118 0 0 1 1168819201.963 450 0 00000000 .... 0 00000000 .... 0 \nDNS 69.105.13.2 36.20.106.236 58516 53 17 1168819203.545 282 37 26128400 &... 141 26120000 &... 
37 \nICMP 39.171.180.118 34.181.74.37 0 0 1 1168819201.967 0 450 00000000 .... 0 00000000 .... 0 \nICMP 39.8.151.211 39.171.180.118 0 0 1 1168819201.971 450 0 00000000 .... 0 00000000 .... 0 \nICMP 70.170.162.205 39.171.180.118 0 0 1 1168819201.975 450 0 00000000 .... 0 00000000 .... 0 \nICMP 39.75.42.249 39.171.180.118 0 0 1 1168819201.979 450 0 00000000 .... 0 00000000 .... 0 \nSQLExp 61.218.233.75 69.105.229.217 4645 1434 17 1168819203.872 0 376 00000000 .... 0 04010101 .... 376 \nDNS 69.105.13.2 52.78.60.252 41270 53 17 1168819203.562 196 45 33fc8403 3... 98 33fc0000 3... 45 \nNTP 248.207.216.213 69.105.13.2 32940 123 17 1168819202.876 0 96 00000000 .... 0 e30004fa .... 48 \nICMP 39.171.180.118 36.174.250.90 0 0 1 1168819201.983 0 450 00000000 .... 0 00000000 .... 0 \nDNS 69.105.13.2 199.14.110.37 24850 53 17 1168819203.877 0 54 00000000 .... 0 60600000 ``.. 54 \nDNS 69.105.13.2 199.187.132.231 57880 53 17 1168819203.877 0 73 00000000 .... 0 744b0000 tK.. 73 \nICMP 39.171.180.118 66.116.158.18 0 0 1 1168819201.987 0 450 00000000 .... 0 00000000 .... 0 \nICMP 39.171.180.118 38.249.194.30 0 0 1 1168819201.995 0 450 00000000 .... 0 00000000 .... 0 \nICMP 69.105.34.169 197.13.74.146 0 0 1 1168819201.483 66 0 00000000 .... 0 00000000 .... 0 \nDNS 69.105.13.2 41.61.249.206 38551 53 17 1168819202.664 99 51 632e8400 c... 99 632e0000 c... 51 \nUnknown_UDP 39.171.180.115 38.203.122.246 51667 33493 17 1168819203.893 0 10 00000000 .... 0 02c4aa45 ...E 10 \nICMP 83.33.179.208 39.171.180.118 0 0 1 1168819202.003 450 0 00000000 .... 0 00000000 .... 0 \nDNS 69.105.13.2 141.144.159.172 15937 53 17 1168819203.562 97 44 f67e8403 .... 97 f67e0000 .... 44 \nICMP 65.73.252.230 39.171.180.118 0 0 1 1168819202.007 450 0 00000000 .... 0 00000000 .... 0 \nICMP 39.171.180.118 70.37.36.69 0 0 1 1168819202.011 0 450 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.232 56.200.226.186 10709 53 17 1168819203.759 117 53 2bf18403 +... 117 2bf10000 +... 
53 \nDNS 69.105.2.89 49.39.127.97 65296 53 17 1168819203.703 43 43 3f418082 ?A.. 43 3f410000 ?A.. 43 \nUnknown_UDP 36.15.98.194 39.171.180.115 64394 33488 17 1168819203.916 0 10 00000000 .... 0 02c4aa45 ...E 10 \nDNS 69.105.2.232 35.202.246.124 40647 53 17 1168819203.285 92 44 2c408000 ,@.. 92 2c400000 ,@.. 44 \nDNS 69.105.13.2 46.117.174.61 49723 53 17 1168819203.767 158 31 a3888000 .... 79 a3880000 .... 31 \nICMP 69.104.30.161 39.171.180.118 0 0 1 1168819202.043 450 0 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.89 39.226.214.1 54093 53 17 1168819203.706 103 28 39018000 9... 103 39010000 9... 28 \nDNS 69.105.13.2 199.14.110.41 38113 53 17 1168819202.868 95 54 f6988403 .... 95 f6980000 .... 54 \nICMP 100.248.143.196 39.171.180.118 0 0 1 1168819202.047 450 0 00000000 .... 0 00000000 .... 0 \nDNS 69.105.13.2 43.94.176.255 13488 53 17 1168819203.919 146 31 46ff8480 F... 146 46ff0000 F... 31 \nICMP 39.171.180.118 42.35.77.9 0 0 1 1168819202.048 0 450 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.232 42.45.190.154 11005 53 17 1168819203.918 98 34 a83c8000 .<.. 98 a83c0000 .<.. 34 \nICMP 39.171.180.118 42.4.247.45 0 0 1 1168819201.905 503 953 00000000 .... 0 00000000 .... 0 \nICMP 39.171.180.118 35.20.159.19 0 0 1 1168819201.915 1262 1262 00000000 .... 0 00000000 .... 0 \nNTP 43.196.32.233 69.105.2.222 1451 123 17 1168819203.939 0 48 00000000 .... 0 d90004fa .... 48 \nDNS 69.105.13.2 199.172.179.122 32061 53 17 1168819203.765 58 58 07ff8403 .... 58 07ff0000 .... 58 \nDNS 69.105.2.232 42.8.207.9 16980 53 17 1168819203.933 98 34 cf928480 .... 98 cf920000 .... 34 \nDNS 69.105.2.232 34.6.94.44 46797 53 17 1168819203.806 248 27 4bda8400 K... 248 4bda0000 K... 27 \nDNS 69.105.13.2 194.201.170.126 40327 53 17 1168819203.769 102 58 be2b8403 .+.. 102 be2b0000 .+.. 58 \nICMP 69.104.30.163 39.171.180.118 0 0 1 1168819202.055 450 450 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.232 56.63.153.165 17478 53 17 1168819203.772 58 58 6ccf8403 l... 58 6ccf0000 l... 
58 \nDNS 69.105.13.2 35.63.137.109 38746 53 17 1168819203.761 117 53 66858403 f... 117 66850000 f... 53 \nDNS 69.105.13.2 200.26.210.91 18685 53 17 1168819203.771 96 44 25ea8403 %... 96 25ea0000 %... 44 \nDNS 69.105.13.2 196.229.254.24 33971 53 17 1168819203.766 67 51 4cb48400 L... 67 4cb40000 L... 51 \nDNS 69.105.2.232 200.26.210.91 41676 53 17 1168819203.771 96 44 5d858403 ]... 96 5d850000 ]... 44 \nICMP 50.61.131.221 39.171.180.118 0 0 1 1168819202.055 450 450 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.232 43.94.102.206 55844 53 17 1168819203.940 149 44 14e88480 .... 149 14e80000 .... 44 \nDNS 69.105.2.232 183.245.70.206 27731 53 17 1168819203.763 98 45 981b8403 .... 98 981b0000 .... 45 \nSQLExp 42.134.229.240 69.105.203.175 2844 1434 17 1168819203.969 0 376 00000000 .... 0 04010101 .... 376 \nICMP 39.171.180.118 42.77.54.77 0 0 1 1168819201.730 1396 1424 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.89 39.96.255.202 35306 53 17 1168819202.920 502 30 09488000 .H.. 502 09480000 .H.. 30 \nDNS 69.105.2.232 43.68.142.174 56955 53 17 1168819203.972 0 24 00000000 .... 0 54000000 T... 24 \nDNS 69.105.2.89 48.125.161.47 36052 53 17 1168819203.823 62 46 95658400 .e.. 62 95650000 .e.. 46 \nICMP 69.122.132.129 39.171.180.118 0 0 1 1168819202.059 513 513 00000000 .... 0 00000000 .... 0 \nDNS 69.105.13.2 46.99.57.193 62455 53 17 1168819203.766 102 58 30588483 0X.. 102 30580000 0X.. 58 \nDNS 69.105.13.2 199.14.110.39 64527 53 17 1168819203.978 0 54 00000000 .... 0 478e0000 G... 54 \nDNS 69.105.13.2 199.187.132.231 23651 53 17 1168819203.978 0 73 00000000 .... 0 f7bf0000 .... 73 \nDNS 69.105.2.225 52.34.247.28 19976 53 17 1168819203.245 99 35 aea18400 .... 99 aea10000 .... 35 \nDNS 69.105.2.225 52.34.247.28 64181 53 17 1168819203.981 0 44 00000000 .... 0 4c3a0000 L:.. 44 \nDNS 69.105.2.232 43.68.142.174 50881 53 17 1168819203.983 0 24 00000000 .... 0 5c7a0000 \\z.. 24 \nDNS 69.105.2.89 48.246.25.188 3100 53 17 1168819203.984 0 46 00000000 .... 0 adbf0000 .... 
46 \nDNS 69.105.2.232 194.236.28.177 2372 53 17 1168819203.762 652 51 94fb8400 .... 326 94fb0000 .... 51 \nDNS 69.105.13.2 45.32.114.6 49896 53 17 1168819203.771 116 58 be708403 .p.. 58 be700000 .p.. 58 \nDNS 197.168.122.208 69.105.2.164 37974 53 17 1168819203.990 113 55 f9fc8403 .... 113 f9fc0000 .... 55 \nDNS 69.105.13.2 45.32.114.6 17027 53 17 1168819203.776 116 58 7ad08403 z... 58 7ad00000 z... 58 \nDNS 69.105.2.232 93.188.130.231 58739 53 17 1168819203.753 320 32 752f8000 u/.. 160 752f0000 u/.. 32 \nDNS 69.105.2.232 39.192.15.1 54658 53 17 1168819203.806 107 28 5fd48000 _... 107 5fd40000 _... 28 \nDNS 69.105.2.232 47.178.162.5 25848 53 17 1168819204.003 0 28 00000000 .... 0 b0b40000 .... 28 \nDNS 69.105.2.232 47.230.29.159 2650 53 17 1168819203.804 284 32 f0988480 .... 142 f0980000 .... 32 \nDNS 69.105.2.232 198.34.96.209 12646 53 17 1168819203.765 102 58 18fc8483 .... 102 18fc0000 .... 58 \nDNS 69.105.2.232 37.146.33.62 56267 53 17 1168819203.709 104 32 65338000 e3.. 104 65330000 e3.. 32 \nDNS 39.171.180.115 38.84.3.47 15282 53 17 1168819204.016 0 27 00000000 .... 0 0e280000 .(.. 27 \nBitTorrent_UDP 255.120.185.243 69.105.230.150 26119 7226 17 1168819204.019 101 0 64313a61 d1:a 101 00000000 .... 0 \nNo_Payload 39.171.180.118 71.134.47.48 1281 33434 17 1168819204.031 0 0 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.89 48.246.25.188 5118 53 17 1168819202.955 110 48 5fca8400 _... 110 5fca0000 _... 48 \nDNS 69.105.2.232 39.216.189.14 12829 53 17 1168819204.039 0 43 00000000 .... 0 89960000 .... 43 \nDNS 69.105.2.89 43.70.221.104 37311 53 17 1168819203.670 105 36 56e88080 V... 105 56e80000 V... 36 \nDNS 69.105.13.2 196.242.64.248 56041 53 17 1168819203.764 117 53 a62c8403 .,.. 117 a62c0000 .,.. 53 \nDNS 69.105.13.2 199.14.110.37 18640 53 17 1168819202.966 95 54 a48c8403 .... 95 a48c0000 .... 54 \nDNS 69.105.2.232 208.12.61.154 39219 53 17 1168819203.750 142 30 17a78400 .... 142 17a70000 .... 
30 \nDNS 69.105.2.232 39.199.110.30 41136 53 17 1168819204.053 0 38 00000000 .... 0 96860000 .... 38 \nDNS 69.105.2.89 74.51.21.26 47450 53 17 1168819203.763 320 33 64498480 dI.. 160 64490000 dI.. 33 \nNTP 59.103.214.60 69.105.13.2 123 123 17 1168819204.063 0 48 00000000 .... 0 0b000000 .... 48 \nDNS 69.105.13.2 216.151.24.178 60365 53 17 1168819203.768 868 48 b2328400 .2.. 434 b2320000 .2.. 48 \nDNS 69.105.2.232 39.70.22.225 31511 53 17 1168819203.842 391 26 fa988400 .... 391 fa980000 .... 26 \nNTP 43.95.74.138 69.105.2.222 2522 123 17 1168819204.073 0 48 00000000 .... 0 1b000000 .... 48 \nUnknown_UDP 39.171.180.115 71.103.247.13 51670 33483 17 1168819204.076 0 10 00000000 .... 0 03c4aa45 ...E 10 \nDNS 69.105.13.2 69.38.120.93 14070 53 17 1168819203.777 102 56 e79d8403 .... 102 e79d0000 .... 56 \nUnsupported 42.89.79.180 39.171.180.88 0 0 47 1168819201.843 0 0 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.232 56.200.226.188 31979 53 17 1168819203.941 194 52 d0338403 .3.. 97 d0330000 .3.. 52 \nDNS 69.105.2.232 35.141.133.255 56159 53 17 1168819204.093 0 50 00000000 .... 0 c7db0000 .... 50 \nDNS 69.105.2.232 37.173.7.1 19856 53 17 1168819203.772 102 56 cc5a8403 .Z.. 102 cc5a0000 .Z.. 56 \nDNS 69.105.13.2 38.90.30.56 13278 53 17 1168819203.775 96 44 27318403 '1.. 96 27310000 '1.. 44 \nDNS 69.105.2.232 46.117.174.61 3795 53 17 1168819203.960 102 34 19108000 .... 102 19100000 .... 34 \nICMP 68.172.64.150 39.171.180.118 0 0 1 1168819201.999 450 450 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.232 39.216.189.14 38015 53 17 1168819204.124 0 46 00000000 .... 0 46770000 Fw.. 46 \nICMP 39.171.180.118 43.66.125.37 0 0 1 1168819202.063 1207 1207 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.89 56.200.226.185 9217 53 17 1168819203.976 110 48 543f8400 T?.. 110 543f0000 T?.. 48 \nDNS 69.105.2.232 94.144.254.254 4276 53 17 1168819203.805 148 32 d00d8000 .... 74 d00d0000 .... 32 \nDNS 69.105.2.232 42.53.76.169 37501 53 17 1168819204.109 118 34 ef0c8480 .... 118 ef0c0000 .... 
34 \nDNS 69.105.13.2 197.120.60.123 5699 53 17 1168819203.989 308 46 5dc38400 ]... 308 5dc30000 ]... 46 \nDNS 69.105.2.89 70.8.138.89 40465 53 17 1168819203.922 1004 30 d7a98000 .... 502 d7a90000 .... 30 \nICMP 69.105.55.148 197.13.74.146 0 0 1 1168819204.144 33 0 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.89 198.237.29.136 53035 53 17 1168819203.922 95 28 8b138400 .... 95 8b130000 .... 28 \nICMP 34.63.254.199 39.171.180.118 0 0 1 1168819202.019 450 450 00000000 .... 0 00000000 .... 0 \nDNS 69.105.13.2 199.14.61.171 14144 53 17 1168819203.978 93 46 060e8483 .... 93 060e0000 .... 46 \nDNS 69.105.13.2 38.248.134.10 34580 53 17 1168819203.857 194 44 d0438000 .C.. 97 d0430000 .C.. 44 \nICMP 39.146.181.162 39.171.180.118 0 0 1 1168819201.959 450 900 00000000 .... 0 00000000 .... 0 \nICMP 39.171.180.118 43.210.38.48 0 0 1 1168819202.015 900 450 00000000 .... 0 00000000 .... 0 \nDNS 39.171.180.115 39.212.98.225 15282 53 17 1168819204.016 62 31 0e298004 .).. 31 0e290000 .).. 31 \nICMP 69.105.128.153 197.13.74.146 0 0 1 1168819204.170 33 0 00000000 .... 0 00000000 .... 0 \nUnknown_UDP 39.171.180.203 59.103.110.166 5003 5003 17 1168819204.005 688 924 e41583c6 .... 100 397af28e 9z.. 100 \nDNS 69.105.13.2 47.167.188.29 30347 53 17 1168819203.586 368 42 75568480 uV.. 184 75560000 uV.. 42 \nDNS 42.27.166.146 69.105.2.164 41158 53 17 1168819204.188 135 52 4d348400 M4.. 135 4d340000 M4.. 52 \nDNS 69.105.2.232 196.229.254.24 9165 53 17 1168819204.004 96 51 80f18403 .... 96 80f10000 .... 51 \nDNS 69.105.2.232 142.181.117.209 31499 53 17 1168819204.195 118 29 5a5f8480 Z_.. 118 5a5f0000 Z_.. 29 \nDNS 69.105.13.2 37.173.7.1 61318 53 17 1168819202.969 104 58 94808403 .... 104 94800000 .... 58 \nDNS 69.105.2.232 34.70.108.139 26406 53 17 1168819203.998 192 32 b9d08480 .... 192 b9d00000 .... 32 \nDNS 69.105.2.232 92.131.66.21 64052 53 17 1168819204.218 0 43 00000000 .... 0 efb50000 .... 43 \nDNS 69.105.2.89 196.229.254.24 31331 53 17 1168819203.117 67 51 dd7d8400 .}.. 67 dd7d0000 .}.. 
51 \nBitTorrent_UDP 63.58.113.25 69.105.230.150 26253 7226 17 1168819204.225 101 0 64313a61 d1:a 101 00000000 .... 0 \nICMP 39.171.180.118 69.86.101.60 0 0 1 1168819201.991 450 450 00000000 .... 0 00000000 .... 0 \nICMP 69.105.2.171 197.13.74.146 0 0 1 1168819204.236 33 0 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.232 72.163.32.228 59416 53 17 1168819203.768 1020 48 cc1a8400 .... 510 cc1a0000 .... 48 \nNTP 69.105.2.225 59.103.205.218 123 14 17 1168819204.246 48 0 190304fa .... 48 00000000 .... 0 \nNTP 69.105.2.222 59.103.205.218 123 15 17 1168819204.248 48 0 190304fa .... 48 00000000 .... 0 \nDNS 69.105.13.2 42.27.166.235 28529 53 17 1168819204.242 94 45 75588480 uX.. 94 75580000 uX.. 45 \nUnknown_UDP 39.171.180.116 255.243.218.109 5011 5011 17 1168819201.103 828 552 810d6f8c ..o. 60 1ef80239 ...9 60 \nNTP 69.105.13.2 59.103.205.218 123 16 17 1168819204.251 48 0 190304fa .... 48 00000000 .... 0 \nUnknown_UDP 39.171.180.116 42.67.167.68 5003 5003 17 1168819203.025 1392 2236 854e7932 .Ny2 164 2c5070fb ,Pp. 164 \nICMP 69.105.189.160 197.13.74.146 0 0 1 1168819204.265 33 0 00000000 .... 0 00000000 .... 0 \nBitTorrent_UDP 69.105.230.150 82.61.195.91 7226 6882 17 1168819204.272 0 101 00000000 .... 0 64313a61 d1:a 101 \nUnknown_UDP 36.15.98.194 39.171.180.115 64394 33489 17 1168819204.274 0 10 00000000 .... 0 03c4aa45 ...E 10 \nICMP 209.165.153.129 69.105.40.14 0 0 1 1168819201.275 0 0 00000000 .... 0 00000000 .... 0 \nDNS 69.105.13.2 69.38.120.93 59775 53 17 1168819203.978 104 58 9a938403 .... 104 9a930000 .... 58 \nDNS 69.105.2.89 52.94.241.75 37835 53 17 1168819204.283 0 45 00000000 .... 0 9cde0000 .... 45 \nDNS 69.105.2.89 39.199.110.30 57271 53 17 1168819203.588 118 33 6b778000 kw.. 118 6b770000 kw.. 33 \nDNS 69.105.2.232 39.221.51.47 15778 53 17 1168819204.132 105 46 35cb8000 5... 105 35cb0000 5... 46 \nDNS 69.105.2.232 215.224.86.255 21624 53 17 1168819204.288 0 43 00000000 .... 0 810a0000 .... 
43 \nDNS 69.105.2.89 39.229.159.43 34921 53 17 1168819204.076 365 32 f54d8400 .M.. 365 f54d0000 .M.. 32 \nDNS 69.105.13.2 56.200.226.188 40990 53 17 1168819203.763 134 51 825f8400 ._.. 67 825f0000 ._.. 51 \nDNS 69.105.13.2 199.185.182.10 40428 53 17 1168819203.764 100 47 6cc48403 l... 100 6cc40000 l... 47 \nDNS 69.105.13.2 199.185.182.10 50240 53 17 1168819203.764 98 45 de048403 .... 98 de040000 .... 45 \nBitTorrent_UDP 196.51.32.102 69.105.230.150 62928 7226 17 1168819204.311 101 0 64313a61 d1:a 101 00000000 .... 0 \nDNS 89.50.133.251 69.105.13.111 49647 53 17 1168819201.200 2176 488 35e28000 5... 272 35e20000 5... 61 \nDNS 69.105.2.89 43.70.224.248 62038 53 17 1168819204.335 0 24 00000000 .... 0 adb00000 .... 24 \nDNS 69.105.2.232 49.223.114.21 28294 53 17 1168819204.200 65 49 07718400 .q.. 65 07710000 .q.. 49 \nDNS 39.171.180.245 42.27.219.5 10621 53 17 1168819204.339 0 44 00000000 .... 0 06690100 .i.. 44 \nDNS 69.105.2.89 74.51.21.37 26180 53 17 1168819204.059 380 30 d8d68080 .... 190 d8d60000 .... 30 \nDNS 69.105.13.2 46.4.178.139 51813 53 17 1168819204.135 52 36 d46c8400 .l.. 52 d46c0000 .l.. 36 \nDNS 69.105.2.89 37.161.179.160 57858 53 17 1168819204.344 0 53 00000000 .... 0 0f110000 .... 53 \nDNS 69.105.2.232 52.34.247.29 37292 53 17 1168819203.088 164 44 2cc08400 ,... 164 2cc00000 ,... 44 \nDNS 69.105.2.232 217.195.139.83 18466 53 17 1168819204.011 180 32 d6d18480 .... 180 d6d10000 .... 32 \nDNS 69.105.2.89 194.236.28.153 41954 53 17 1168819204.130 652 51 51858400 Q... 326 51850000 Q... 51 \nBitTorrent_UDP 141.215.178.84 69.105.230.150 16224 7226 17 1168819204.352 101 0 64313a61 d1:a 101 00000000 .... 0 \nDNS 69.105.13.2 199.68.228.59 36794 53 17 1168819203.763 58 58 1fbb8403 .... 58 1fbb0000 .... 58 \nDNS 69.105.2.232 56.200.226.189 6303 53 17 1168819204.201 190 50 1a188403 .... 95 1a180000 .... 50 \nDNS 69.105.2.89 39.226.214.1 32825 53 17 1168819204.144 132 30 4fc18000 O... 132 4fc10000 O... 
30 \nDNS 69.105.2.232 52.34.247.29 32132 53 17 1168819204.355 0 55 00000000 .... 0 dd3c0000 .<.. 55 \nDNS 69.105.2.89 90.135.135.255 7900 53 17 1168819204.356 0 39 00000000 .... 0 d8810000 .... 39 \nDNS 69.105.2.89 49.151.159.126 40270 53 17 1168819204.147 326 51 ea208400 .... 326 ea200000 .... 51 \nICMP 197.13.74.146 69.105.200.88 0 0 1 1168819204.364 0 33 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.89 56.200.226.188 44061 53 17 1168819204.365 0 51 00000000 .... 0 6cbc0000 l... 51 \nDNS 69.105.2.232 194.248.235.213 61484 53 17 1168819203.765 99 46 8df38403 .... 99 8df30000 .... 46 \nDNS 69.105.2.225 41.61.249.206 27369 53 17 1168819204.367 0 51 00000000 .... 0 61fc0000 a... 51 \nICMP 39.171.180.118 71.134.47.48 0 0 1 1168819201.951 478 450 00000000 .... 0 00000000 .... 0 \nUnsupported 69.105.122.244 50.61.10.143 0 0 50 1168819201.770 0 0 00000000 .... 0 00000000 .... 0 \nDNS 69.105.13.4 39.253.2.254 20464 53 17 1168819204.376 0 25 00000000 .... 0 0bf00000 .... 25 \nDNS 69.105.2.232 37.173.7.21 24930 53 17 1168819204.072 94 49 6fd18403 o... 94 6fd10000 o... 49 \nNTP 69.105.2.221 94.207.91.13 123 123 17 1168819204.382 0 48 00000000 .... 0 1a0104f8 .... 48 \nDNS 69.105.13.2 41.61.249.206 63758 53 17 1168819204.382 0 51 00000000 .... 0 d7de0000 .... 51 \nICMP 69.105.25.231 197.13.74.146 0 0 1 1168819202.062 66 0 00000000 .... 0 00000000 .... 0 \nUnknown_UDP 39.171.180.115 71.103.247.13 51670 33484 17 1168819204.387 0 10 00000000 .... 0 03c4aa45 ...E 10 \nICMP 39.98.17.236 39.171.180.118 0 0 1 1168819202.023 450 450 00000000 .... 0 00000000 .... 0 \nDNS 69.105.2.232 39.253.0.8 48205 53 17 1168819204.382 350 36 67638000 gc.. 350 67630000 gc.. 36 \nDNS 69.105.13.2 48.85.122.73 47253 53 17 1168819203.772 53 53 5a348403 Z4.. 53 5a340000 Z4.. 53 \nDNS 69.105.2.89 39.192.15.1 31906 53 17 1168819204.194 109 28 ab068000 .... 109 ab060000 .... 28 \nICMP 197.13.74.146 69.105.222.53 0 0 1 1168819204.403 0 33 00000000 .... 0 00000000 .... 
0 \nDNS 69.105.2.232 51.249.125.214 13883 53 17 1168819204.218 232 45 9f718480 .q.. 232 9f710000 .q.. 45 \nUnknown_UDP 50.60.128.157 69.105.54.43 1469 8767 17 1168819201.231 1706 80 f4be0200 .... 24 f4be0100 .... 20 \nDNS 69.105.2.89 43.195.240.1 19458 53 17 1168819204.051 105 36 33758400 3u.. 105 33750000 3u.. 36 \nDNS 69.105.2.89 43.195.247.247 53416 53 17 1168819204.422 0 44 00000000 .... 0 6ce50000 l... 44 \nDNS 69.105.2.232 34.63.113.227 8587 53 17 1168819204.288 509 40 abaa8000 .... 509 abaa0000 .... 40 \nDNS 69.105.2.232 39.226.214.1 28768 53 17 1168819204.429 0 40 00000000 .... 0 c5a30000 .... 40 \nDNS 69.105.2.89 56.93.10.242 21970 53 17 1168819204.286 89 33 cc168400 .... 89 cc160000 .... 33 \nDNS 69.105.2.89 194.236.28.198 36984 53 17 1168819204.437 0 51 00000000 .... 0 9afd0000 .... 51 \nDNS 208.63.157.124 69.105.2.164 37669 53 17 1168819204.440 119 36 01628400 .b.. 119 01620000 .b.. 36 \nDNS 69.105.13.2 199.187.132.231 3841 53 17 1168819204.443 0 74 00000000 .... 0 38df0000 8... 74 \nDNS 69.105.13.2 199.187.132.231 28083 53 17 1168819204.443 0 74 00000000 .... 0 336b0000 3k.. 74 \nUnknown_UDP 69.105.13.2 50.105.96.19 524 12452 17 1168819202.575 14 0 111100ff .... 7 00000000 .... 0 \nDNS 69.105.13.2 72.163.32.228 44986 53 17 1168819203.586 204 46 60528403 `R.. 102 60520000 `R.. 46 \nDNS 69.105.2.89 39.212.98.213 16456 53 17 1168819204.297 101 43 4c848000 L... 101 4c840000 L... 43 \nDNS 69.105.2.89 199.212.120.70 41839 53 17 1168819204.449 0 43 00000000 .... 0 d43c0000 .<.. 43 \nDNS 69.105.2.232 141.27.186.251 34757 53 17 1168819204.458 0 56 00000000 .... 0 f6c40000 .... 56 \nDNS 69.105.2.232 39.178.133.230 64663 53 17 1168819204.094 398 45 2c268480 ,&.. 199 2c260000 ,&.. 45 \nSQLExp 59.244.255.227 69.105.157.41 4686 1434 17 1168819204.464 0 376 00000000 .... 0 04010101 .... 376 \nDNS 69.105.13.2 37.237.12.249 13386 53 17 1168819204.149 129 44 fb9a8080 .... 129 fb9a0000 .... 44 \nDNS 69.105.13.2 37.237.13.22 1392 53 17 1168819204.465 0 44 00000000 .... 
0 912b0000 .+.. 44 \nDNS 69.105.2.232 53.230.172.46 50205 53 17 1168819204.130 128 32 5e698400 ^i.. 64 5e690000 ^i.. 32 \nDNS 69.105.2.232 49.151.159.126 6931 53 17 1168819204.468 0 51 00000000 .... 0 37f00000 7... 51 \nDNS 69.105.2.232 39.196.77.1 44141 53 17 1168819204.478 0 32 00000000 .... 0 cb190000 .... 32 \nDNS 69.105.13.2 56.200.226.186 26615 53 17 1168819204.487 0 52 00000000 .... 0 a0190000 .... 52 \nDNS 69.105.13.2 56.237.151.171 22923 53 17 1168819204.488 0 51 00000000 .... 0 45ec0000 E... 51 \nNTP 50.60.218.205 69.105.2.222 32769 123 17 1168819204.489 0 48 00000000 .... 0 0b000000 .... 48 \nDNS 69.105.13.2 199.68.228.63 24994 53 17 1168819204.489 0 57 00000000 .... 0 c2950000 .... 57 \nDNS 69.105.13.2 194.236.28.153 63227 53 17 1168819204.490 0 49 00000000 .... 0 59c80000 Y... 49 \nDNS 69.105.13.2 194.236.28.230 46210 53 17 1168819204.491 0 50 00000000 .... 0 fddd0000 .... 50 \nDNS 69.105.13.2 44.231.117.6 32906 53 17 1168819204.494 0 46 00000000 .... 0 02bd0000 .... 46 \nDNS 69.105.13.2 52.78.60.252 17626 53 17 1168819204.494 0 45 00000000 .... 0 c98f0000 .... 45 \nDNS 69.105.13.2 49.241.133.246 5518 53 17 1168819204.500 0 46 00000000 .... 0 16140000 .... 46 \nDNS 69.105.2.89 70.35.10.51 45567 53 17 1168819204.283 195 44 7e908000 .... 195 7e900000 .... 44 \nDNS 69.105.13.2 199.14.110.41 62388 53 17 1168819204.502 0 53 00000000 .... 0 80d80000 .... 53 \nDNS 69.105.2.89 39.229.159.43 7055 53 17 1168819204.503 0 44 00000000 .... 0 2d890000 -... 44 \nDNS 69.105.13.2 199.187.132.231 50194 53 17 1168819204.503 0 73 00000000 .... 0 fec20000 .... 73 \nDNS 69.105.13.2 199.187.132.231 22043 53 17 1168819204.504 0 72 00000000 .... 0 f4e90000 .... 72 \nDNS 69.105.13.2 56.200.226.191 26332 53 17 1168819204.505 0 44 00000000 .... 0 93580000 .X.. 44 \nDNS 69.105.13.2 199.172.178.197 42747 53 17 1168819204.506 0 58 00000000 .... 0 e0690000 .i.. 58 \nDNS 69.105.13.2 48.246.25.161 43134 53 17 1168819204.508 0 45 00000000 .... 0 11060000 .... 
45 \nDNS 141.72.168.228 69.105.13.111 56245 53 17 1168819204.509 118 35 94728400 .r.. 118 94720000 .r.. 35 \nDNS 69.105.2.225 36.20.106.236 62837 53 17 1168819204.511 0 37 00000000 .... 0 c7e40000 .... 37 \nDNS 69.105.2.232 36.83.204.65 61236 53 17 1168819204.222 120 45 cad88403 .... 120 cad80000 .... 45 \nNTP 69.105.2.222 43.231.43.74 123 123 17 1168819204.522 48 0 db0006ee .... 48 00000000 .... 0 \nDNS 34.195.225.230 69.105.2.164 52202 53 17 1168819204.521 100 45 a9628000 .b.. 100 a9620000 .b.. 45 \nDNS 69.105.13.2 42.12.227.140 30672 53 17 1168819204.265 91 44 1b9f8000 .... 91 1b9f0000 .... 44 \nDNS 69.105.13.2 50.56.190.237 45172 53 17 1168819204.523 99 44 a0088483 .... 99 a0080000 .... 44 \nDNS 69.105.2.232 34.249.199.23 63107 53 17 1168819204.390 398 36 29238000 )#.. 199 29230000 )#.. 36 \nDNS 69.105.2.232 39.96.228.244 11991 53 17 1168819204.537 0 36 00000000 .... 0 2c8b0000 ,... 36 \nBitTorrent_UDP 59.105.184.232 69.105.230.150 17160 7226 17 1168819203.738 101 604 64313a61 d1:a 101 64313a72 d1:r 302 \nDNS 69.105.2.232 39.202.120.30 3240 53 17 1168819204.338 350 36 e3bb8000 .... 350 e3bb0000 .... 36 \nDNS 69.105.2.232 46.117.174.226 42754 53 17 1168819204.546 0 36 00000000 .... 0 e6b30000 .... 36 \nDNS 69.105.2.89 39.199.110.30 32795 53 17 1168819203.853 186 25 bfb98000 .... 186 bfb90000 .... 25 \nDNS 69.105.2.89 166.114.113.196 43968 53 17 1168819204.548 0 25 00000000 .... 0 d6c40000 .... 25 \nBitTorrent_UDP 196.156.227.33 69.105.230.150 61321 7226 17 1168819204.552 101 0 64313a61 d1:a 101 00000000 .... 0 \nDNS 95.47.46.213 69.105.2.164 53 53 17 1168819204.553 180 42 92d08400 .... 180 92d00000 .... 42 \nDNS 69.105.2.232 39.202.120.30 40873 53 17 1168819204.356 350 36 ae578000 .W.. 350 ae570000 .W.. 36 \nDNS 69.105.2.232 35.255.67.22 53950 53 17 1168819204.564 0 36 00000000 .... 0 03880000 .... 36 \nDNS 69.105.13.2 39.216.189.14 57576 53 17 1168819204.566 0 44 00000000 .... 0 2ebb0000 .... 
44 \nDNS 69.105.2.89 194.236.28.150 60618 53 17 1168819204.352 822 51 bbb58400 .... 411 bbb50000 .... 51 \nDNS 69.105.13.2 56.55.195.171 16290 53 17 1168819204.382 103 37 53c88400 S... 103 53c80000 S... 37 \nDNS 69.105.13.2 45.114.4.249 4886 53 17 1168819204.577 0 45 00000000 .... 0 9ad20000 .... 45 \nDNS 46.71.24.211 69.105.13.111 32768 53 17 1168819204.582 311 42 45548400 ET.. 311 45540010 ET.. 42 \nDNS 69.105.13.4 39.199.110.30 22946 53 17 1168819203.353 352 25 fa3d8000 .=.. 176 fa3d0000 .=.. 25 \nDNS 69.105.2.232 52.34.247.28 38769 53 17 1168819203.352 280 55 fc3b8400 .;.. 140 fc3b0000 .;.. 55 \nBitTorrent_UDP 63.82.215.21 69.105.230.150 16351 7226 17 1168819204.592 101 0 64313a61 d1:a 101 00000000 .... 0 \nDNS 69.105.2.89 200.41.220.69 47861 53 17 1168819204.398 148 28 ac078400 .... 148 ac070000 .... 28 \nDNS 69.105.2.232 51.249.125.214 12952 53 17 1168819204.415 207 43 fd758480 .u.. 207 fd750000 .u.. 43 \nDNS 69.105.2.225 36.227.22.21 55310 53 17 1168819204.611 0 45 00000000 .... 0 0c5f0000 ._.. 45 \nDNS 69.105.2.225 36.227.22.21 29024 53 17 1168819204.611 0 45 00000000 .... 0 72c90000 r... 45 \nDNS 69.105.13.2 143.247.81.117 56535 53 17 1168819204.344 52 36 44898400 D... 52 44890000 D... 36 \nDNS 69.105.13.2 46.4.178.139 8949 53 17 1168819204.614 0 36 00000000 .... 0 12d00000 .... 36 \nUnknown_UDP 50.60.128.157 69.105.54.43 1470 27960 17 1168819201.009 22147 4386 b3100100 .... 238 04670100 .g.. 39 \nDNS 69.105.13.2 41.61.249.206 53679 53 17 1168819203.382 135 51 9a9d8400 .... 135 9a9d0000 .... 51 \nUnknown_UDP 36.15.98.194 39.171.180.115 64394 33490 17 1168819204.631 0 10 00000000 .... 0 03c4aa45 ...E 10 \nUnknown_UDP 39.171.180.115 38.203.122.246 51667 33494 17 1168819204.631 0 10 00000000 .... 0 03c4aa45 ...E 10 \nBitTorrent_UDP 32.219.96.223 69.105.230.150 10292 7226 17 1168819204.632 101 0 64313a61 d1:a 101 00000000 .... 0 \nDNS 69.105.2.232 56.131.129.6 46382 53 17 1168819203.801 483 33 b2cc8480 .... 483 b2cc0000 .... 
33 \nUnknown_UDP 43.94.240.242 69.105.54.43 27960 27960 17 1168819201.004 9404 6027 d4b10000 .... 154 c4940100 .... 45 \nDNS 69.105.2.232 194.236.28.153 24685 53 17 1168819204.634 0 50 00000000 .... 0 1a4e0000 .N.. 50 \nDNS 69.105.2.232 48.246.25.188 10039 53 17 1168819204.636 0 47 00000000 .... 0 f3af0000 .... 47 \nDNS 69.105.2.232 36.242.58.241 36767 53 17 1168819204.637 0 47 00000000 .... 0 4dd90000 M... 47 \nDNS 69.105.2.232 35.255.67.22 33139 53 17 1168819204.637 0 31 00000000 .... 0 641d0000 d... 31 \nDNS 69.105.2.232 52.2.27.5 36581 53 17 1168819204.638 0 50 00000000 .... 0 b62f0000 ./.. 50 \nRTP 138.28.239.9 39.171.180.203 35440 35410 17 1168819201.010 5760 5824 80121afc .... 32 8012a8b2 .... 32 \nDNS 69.105.2.232 198.117.167.61 34504 53 17 1168819204.639 0 44 00000000 .... 0 0c9f0000 .... 44 \nDNS 89.50.133.3 69.105.13.111 1828 53 17 1168819201.514 1088 244 73e08000 s... 272 73e00000 s... 61 \nDNS 69.105.2.232 194.201.170.126 46452 53 17 1168819204.641 0 57 00000000 .... 0 c1b70000 .... 57 \nDNS 69.105.2.232 49.42.116.243 53234 53 17 1168819204.642 0 45 00000000 .... 0 f0d10000 .... 45 \nDNS 69.105.2.232 195.59.19.103 54268 53 17 1168819204.642 0 30 00000000 .... 0 e8ad0000 .... 30 \nDNS 69.105.2.232 70.254.249.249 44558 53 17 1168819204.643 0 45 00000000 .... 0 300a0000 0... 45 \nDNS 69.105.2.89 39.221.51.1 22724 53 17 1168819204.478 109 31 aef48000 .... 109 aef40000 .... 31 \nDNS 69.105.2.89 194.201.238.41 26632 53 17 1168819204.644 0 31 00000000 .... 0 04760000 .v.. 31 \nDNS 69.105.2.232 48.85.122.73 36486 53 17 1168819204.644 0 52 00000000 .... 0 2e640000 .d.. 52 \nDNS 69.105.2.232 199.187.132.231 17265 53 17 1168819204.644 0 71 00000000 .... 0 62b60000 b... 71 \nDNS 69.105.2.232 200.26.210.91 6296 53 17 1168819204.645 0 43 00000000 .... 0 44ce0000 D... 43 \nDNS 69.105.2.232 199.68.228.60 36061 53 17 1168819204.646 0 57 00000000 .... 0 757c0000 u|.. 57 \nDNS 69.105.2.232 37.173.7.1 16144 53 17 1168819204.646 0 55 00000000 .... 0 3c910000 <... 55 \n"
  },
  {
    "path": "tools/Makefile.am",
    "content": "SUBDIRS=find_unknown protoident arff\n#SUBDIRS += live\n\nEXTRA_DIST=tools_common.h\n"
  },
  {
    "path": "tools/Makefile.tools",
    "content": "AM_CFLAGS=-I\"$(top_srcdir)/lib\"\nAM_CXXFLAGS=-I\"$(top_srcdir)/lib\"\nAM_LDFLAGS=-L\"$(top_srcdir)/lib/.libs\"\n\n"
  },
  {
    "path": "tools/arff/Makefile.am",
    "content": "bin_PROGRAMS=lpi_arff\n\nman_MANS = lpi_arff.1\nEXTRA_DIST = $(man_MANS)\n\ninclude ../Makefile.tools\nlpi_arff_SOURCES=lpi_arff.cc ../tools_common.cc\nlpi_arff_LDADD = @ADD_LIBS@ -lprotoident\n"
  },
  {
    "path": "tools/arff/lpi_arff.1",
    "content": ".TH LPI_ARFF \"1\" \"April 2019\" \"libprotoident\" \"User Commands\"\n.SH NAME\nlpi_arff \\- output the application protocol of all network flows in a trace using the ARFF format\n.SH SYNOPSIS\n.B lpi_arff\ninputuri\n\n.SH DESCRIPTION\nThis tool attempts to identify each individual flow within the provided\nnetwork packet trace, using libprotoident to attempt to determine the\napplication protocol being used by each flow. The output of this tool\nis written to standard output using the ARFF format so that it can be\nanalysed easily using the Weka machine learning software.\nNote that identification only occurs when the flow has concluded or expired due\nto inactivity, so it is not very effective for real-time use cases.\n.PP\nThe \\fBinputuri\\fR argument must be a valid libtrace URI.\n\n.SH OUTPUT FORMAT\nThe output begins with a series of lines describing each feature that\nwill be used to describe each flow. Following that, for each flow in the input\ntrace, a single line is printed to stdout describing the flow. 
The line\ncontains the following comma-separated fields (in order):\n\n.nf\n * Application protocol (as reported by libprotoident)\n * ID number for the application protocol\n * Total number of packets sent from first endpoint to second endpoint\n * Total number of bytes sent from first endpoint to second endpoint\n * Total number of packets sent from second endpoint to first endpoint\n * Total number of bytes sent from second endpoint to first endpoint\n * Minimum payload size sent from first endpoint to second endpoint\n * Mean payload size sent from first endpoint to second endpoint\n * Maximum payload size sent from first endpoint to second endpoint\n * Standard deviation of payload size sent from first endpoint to second endpoint\n * Minimum payload size sent from second endpoint to first endpoint\n * Mean payload size sent from second endpoint to first endpoint\n * Maximum payload size sent from second endpoint to first endpoint\n * Standard deviation of payload size sent from second endpoint to first endpoint\n * Minimum packet interarrival time for packets sent from first endpoint to second endpoint\n * Mean packet interarrival time for packets sent from first endpoint to second endpoint\n * Maximum packet interarrival time for packets sent from first endpoint to second endpoint\n * Standard deviation of packet interarrival time for packets sent from first endpoint to second endpoint\n * Minimum packet interarrival time for packets sent from second endpoint to first endpoint\n * Mean packet interarrival time for packets sent from second endpoint to first endpoint\n * Maximum packet interarrival time for packets sent from second endpoint to first endpoint\n * Standard deviation of packet interarrival time for packets sent from second endpoint to first endpoint\n * Flow duration (in microseconds)\n * Flow start time (as a Unix timestamp)\n.fi\n\n.SH LINKS\nMore details about libprotoident, the protocols it supports and how it\nworks can be found at 
https://github.com/wanduow/libprotoident/wiki\n\n.SH SEE ALSO\nlpi_find_unknown(1), lpi_protoident(1)\n\n.SH AUTHORS\nShane Alcock <shane.alcock@waikato.ac.nz>\n"
  },
  {
    "path": "tools/arff/lpi_arff.cc",
    "content": "/* \n * This file is part of libprotoident\n *\n * Copyright (c) 2011-2015 The University of Waikato, Hamilton, New Zealand.\n * Author: Shane Alcock\n *\n * With contributions from:\n *      Aaron Murrihy\n *      Donald Neal\n *      Paweł Foremski <pjf@iitis.pl> (ARFF statistics)\n *\n * All rights reserved.\n *\n * This code has been developed by the University of Waikato WAND \n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License as published by\n * the Free Software Foundation; either version 2 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License\n * along with libprotoident; if not, write to the Free Software\n * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA\n *\n * $Id: lpi_protoident.cc 102 2011-10-18 00:43:04Z salcock $\n */\n\n/*\n * Program flow\n *\n * main()\n * - parse command-line options\n * - initialize libraries\n * - read packet by packet in loop, call per_packet() for each\n\n * per_packet()\n * - skip non-IP traffic\n * - call garbage collector - expire_ident_flows() - may print output\n * - match packet to flow\n * - update flow statistics\n * - identify the packet, call libprotoident\n *\n * expire_ident_flows()\n * - loop through all expired flows and call display_ident() for each of them\n *\n */\n\n#define __STDC_FORMAT_MACROS\n#define __STDC_LIMIT_MACROS\n\n#include <stdio.h>\n#include <assert.h>\n#include <getopt.h>\n#include <sys/socket.h>\n#include <netinet/in.h>\n#include <arpa/inet.h>\n#include 
<stdlib.h>\n#include <inttypes.h>\n#include <signal.h>\n#include <string.h>\n#include <stdint.h>\n#include <math.h>\n\n#include <libtrace.h>\n#include <libtrace_parallel.h>\n#include <libflowmanager.h>\n#include <libprotoident.h>\n\n#include \"../tools_common.h\"\n\nenum {\n\tDIR_METHOD_TRACE,\n\tDIR_METHOD_MAC,\n\tDIR_METHOD_PORT\n};\n\nlibtrace_t *currenttrace;\nstatic volatile int done = 0;\n\nstruct globalopts {\n\n        int dir_method;\n        bool only_dir0 ;\n        bool only_dir1 ;\n        bool require_both ;\n        bool nat_hole ;\n        bool ignore_rfc1918 ;\n        char *local_mac ;\n        uint8_t mac_bytes[6];\n};\n\nstruct threadlocal {\n        FlowManager *flowmanager;\n};\n\nstruct ident_stats {\n\tuint64_t pkts;\n\tuint64_t bytes;\n\n\tuint16_t pktlen_min;\n\tuint16_t pktlen_max;\n\tdouble pktlen_mean;\n\tdouble pktlen_std;\n\n\tuint32_t iat_min;\n\tuint32_t iat_max;\n\tdouble iat_mean;\n\tdouble iat_std;\n};\n\n/* This data structure is used to demonstrate how to use the 'extension' \n * pointer to store custom data for a flow */\ntypedef struct ident {\n\tuint8_t init_dir;\n\n\tstruct ident_stats in;\n\tstruct ident_stats out;\n\n\tdouble start_ts;\n\tdouble last_ts;\n\n\tlpi_data_t lpi;\n} IdentFlow;\n\n\nstatic void *start_processing(libtrace_t *trace, libtrace_thread_t *thread,\n                void *global) {\n\n        bool opt_false = false;\n        struct globalopts *opts = (struct globalopts *)global;\n\n        struct threadlocal *tl = (struct threadlocal *)malloc(sizeof(\n                        struct threadlocal));\n        tl->flowmanager = new FlowManager();\n\n        /* This tells libflowmanager to ignore any flows where an RFC1918\n         * private IP address is involved */\n        if (tl->flowmanager->setConfigOption(LFM_CONFIG_IGNORE_RFC1918, \n                                &(opts->ignore_rfc1918)) == 0) {\n                fprintf(stderr, \"Failed to set IGNORE RFC 1918 option in libflowmanager\\n\");\n        
}\n\n        /* This tells libflowmanager not to replicate the TCP timewait\n         * behaviour where closed TCP connections are retained in the Flow\n         * map for an extra 2 minutes */\n        if (tl->flowmanager->setConfigOption(LFM_CONFIG_TCP_TIMEWAIT,\n                                &opt_false) == 0) {\n                fprintf(stderr, \"Failed to set TCP TIMEWAIT option in libflowmanager\\n\");\n        }\n\n        /* This tells libflowmanager not to utilise the fast expiry rules for\n         * short-lived UDP connections - these rules are experimental \n         * behaviour not in line with recommended \"best\" practice */\n        if (tl->flowmanager->setConfigOption(LFM_CONFIG_SHORT_UDP,\n                                &opt_false) == 0) {\n                fprintf(stderr, \"Failed to set SHORT UDP option in libflowmanager\\n\");\n        }\n\n        return tl;\n}\n\n\nstatic void *start_reporter(libtrace_t *trace, libtrace_thread_t *thread,\n                void *global) {\n        return NULL;\n}\n\nstatic void stop_reporter(libtrace_t *trace, libtrace_thread_t *thread,\n                void *global, void *tls) {\n        if (tls)\n                free(tls);\n}\n\n\n/* Initialises the custom data for the given flow. 
Allocates memory for a\n * IdentFlow structure and ensures that the extension pointer points at\n * it.\n */\nvoid init_ident_flow(Flow *f, uint8_t dir, double ts)\n{\n\tIdentFlow *ident = NULL;\n\n\tident = (IdentFlow *) malloc(sizeof(IdentFlow));\n\n\tmemset(ident, 0, sizeof(IdentFlow));\n\tident->init_dir = dir;\n\n\tident->start_ts = ts;\n\tident->last_ts = ts;\n\n\tident->in.pktlen_min = UINT16_MAX;\n\tident->out.pktlen_min = UINT16_MAX;\n\n\tident->in.iat_min = UINT32_MAX;\n\tident->out.iat_min = UINT32_MAX;\n\n\tlpi_init_data(&ident->lpi);\n\n\tf->extension = ident;\n}\n\nstatic void dump_len_stats(struct ident_stats *is, char *space, int spacelen) {\n\n        if (is->pkts == 0) {\n                snprintf(space, spacelen - 1, \",0,0,0,0\");\n        } else {\n                snprintf(space, spacelen - 1, \",%u,%.0f,%u,%.0f\",\n                        is->pktlen_min, is->pktlen_mean, is->pktlen_max,\n                        sqrt(is->pktlen_std / is->pkts));\n        }\n}\n\nstatic void dump_iat_stats(struct ident_stats *is, char *space, int spacelen) {\n\n        if (is->pkts == 0) {\n                snprintf(space, spacelen - 1, \",0,0,0,0\");\n        } else {\n                snprintf(space, spacelen - 1, \",%u,%.0f,%u,%.0f\",\n                        is->iat_min, is->iat_mean, is->iat_max,\n                        sqrt(is->iat_std / is->pkts));\n        }\n}\n\n\nchar *display_ident(Flow *f, IdentFlow *ident, struct globalopts *opts)\n{\n\tchar s_ip[100];\n\tchar c_ip[100];\n        char len_stats_out[200];\n        char len_stats_in[200];\n        char iat_stats_out[200];\n        char iat_stats_in[200];\n        char *str;\n        lpi_module_t *proto;\n\n\tif (opts->only_dir0 && ident->init_dir == 1)\n\t\treturn NULL;\n\tif (opts->only_dir1 && ident->init_dir == 0)\n\t\treturn NULL;\n\tif (opts->require_both) {\n\t\tif (ident->lpi.payload_len[0] == 0 ||\n\t\t    ident->lpi.payload_len[1] == 0) {\n\t\t\treturn NULL;\n\t\t}\n\t}\n\n\tproto = 
lpi_guess_protocol(&ident->lpi);\n\n\tf->id.get_server_ip_str(s_ip);\n\tf->id.get_client_ip_str(c_ip);\n\n        str = (char *)malloc(1000);\n\n        dump_len_stats(&ident->out, len_stats_out, 200);\n        dump_len_stats(&ident->in, len_stats_in, 200);\n        dump_iat_stats(&ident->out, iat_stats_out, 200);\n        dump_iat_stats(&ident->in, iat_stats_in, 200);\n\n\t/* basic statistics */\n\tsnprintf(str, 999,\n                \"%s,%d,%\" PRIu64 \",%\" PRIu64 \",%\" PRIu64 \",%\" PRIu64\n                \"%s%s%s%s,%.0f,%f\\n\",\n\t\tproto->name, f->id.get_protocol(),\n\t\tident->out.pkts, ident->out.bytes, ident->in.pkts,\n                ident->in.bytes, len_stats_out, len_stats_in,\n                iat_stats_out, iat_stats_in,\n                (ident->last_ts - ident->start_ts) * 1000000.0,\n                ident->start_ts);\n\n        return str;\n}\n\n/* Expires all flows that libflowmanager believes have been idle for too\n * long. The exp_flag variable tells libflowmanager whether it should force\n * expiry of all flows (e.g. if you have reached the end of the program and\n * want the stats for all the still-active flows). 
Otherwise, only flows\n * that have been idle for longer than their expiry timeout will be expired.\n */\nvoid expire_ident_flows(libtrace_t *trace, libtrace_thread_t *thread,\n                struct globalopts *opts, FlowManager *fm,\n                double ts, bool exp_flag)\n{\n\tFlow *expired;\n        char *result = NULL;\n        libtrace_generic_t gen;\n\n\t/* Loop until libflowmanager has no more expired flows available */\n\twhile ((expired = fm->expireNextFlow(ts, exp_flag)) != NULL) {\n\n\t\tIdentFlow *ident = (IdentFlow *)expired->extension;\n\n\t\tresult = display_ident(expired, ident, opts);\n                if (result) {\n                        gen.ptr = result;\n                        trace_publish_result(trace, thread, ts,\n                                gen, RESULT_USER);\n                }\n\t\t/* Don't forget to free our custom data structure */\n\t\tfree(ident);\n\n\t\tfm->releaseFlow(expired);\n\t}\n}\n\nstatic void stop_processing(libtrace_t *trace, libtrace_thread_t *thread,\n                void *global, void *tls) {\n\n        struct globalopts *opts = (struct globalopts *)global;\n        struct threadlocal *tl = (struct threadlocal *)tls;\n\n        expire_ident_flows(trace, thread, opts, tl->flowmanager, 0, true);\n        delete(tl->flowmanager);\n        free(tl);\n\n\n}\n\n\nstatic void per_result(libtrace_t *trace, libtrace_thread_t *sender,\n                void *global, void *tls, libtrace_result_t *result) {\n\n        char *resultstr;\n\n        if (result->type != RESULT_USER)\n                return;\n\n        resultstr = (char *)result->value.ptr;\n        printf(\"%s\", resultstr);\n        free(resultstr);\n\n}\n\n\n/** Update flow statistics */\nvoid per_packet_flow(libtrace_packet_t *packet, IdentFlow *ident, int dir, \n\t\tdouble ts)\n{\n\tstruct ident_stats *is;\n\tint pktlen;\n\tuint32_t iat;\n\tdouble diff, mean, iatd;\n\n\tis = (dir == 0 ? 
&ident->out : &ident->in);\n\n\t/* basic statistics */\n\tpktlen = trace_get_payload_length(packet);\n\tis->pkts++;\n\tis->bytes += pktlen;\n\n\t/* packet length statistics */\n\tif (pktlen < is->pktlen_min)\n\t\tis->pktlen_min = pktlen;\n\tif (pktlen > is->pktlen_max)\n\t\tis->pktlen_max = pktlen;\n\n\tdiff = pktlen - is->pktlen_mean;\n\tmean = is->pktlen_mean + diff / is->pkts;\n\tis->pktlen_std += diff * (pktlen - mean);\n\tis->pktlen_mean = mean;\n\n\t/* packet inter-arrival time */\n\tiatd = ts - ident->last_ts;\n\tif (iatd < 0) {\n\t\tiat = 0;\n\t} else {\n\t\t/* convert to us */\n\t\tiatd *= 1000000;\n\n\t\tif (iatd > UINT32_MAX)\n\t\t\tiat = UINT32_MAX;\n\t\telse\n\t\t\tiat = iatd;\n\t}\n\n\tif (iat < is->iat_min)\n\t\tis->iat_min = iat;\n\tif (iat > is->iat_max)\n\t\tis->iat_max = iat;\n\n\tdiff = iat - is->iat_mean;\n\tmean = is->iat_mean + diff / is->pkts;\n\tis->iat_std += diff * (iat - mean);\n\tis->iat_mean = mean;\n\n\t/* update timestamp of last packet */\n\tident->last_ts = ts;\n}\n\n/** This function receives each packet from libtrace */\nstatic libtrace_packet_t *per_packet(libtrace_t *trace,\n                libtrace_thread_t *thread, void *global, void *tls,\n                libtrace_packet_t *packet) {\n\tFlow *f;\n\tIdentFlow *ident = NULL;\n\tuint8_t dir = 255;\n\tbool is_new = false;\n\n\tlibtrace_tcp_t *tcp = NULL;\n\tvoid *l3;\n\tdouble ts;\n\n\tuint16_t l3_type;\n        struct globalopts *opts = (struct globalopts *)global;\n        struct threadlocal *tl = (struct threadlocal *)tls;\n\n\n\t/* Libflowmanager only deals with IP traffic, so ignore anything\n\t * that does not have an IP header */\n\tl3 = trace_get_layer3(packet, &l3_type, NULL);\n\tif (l3_type != TRACE_ETHERTYPE_IP && l3_type != TRACE_ETHERTYPE_IPV6)\n\t\treturn packet;\n\tif (l3 == NULL) return packet;\n\n\t/* Expire all suitably idle flows */\n\tts = trace_get_seconds(packet);\n\texpire_ident_flows(trace, thread, opts, tl->flowmanager, ts, false);\n\n\t/* Determine 
packet direction\n\t * 0 is output, 1 is input */\n\tswitch (opts->dir_method) {\n\t\tcase DIR_METHOD_TRACE:\n\t\t\tdir = trace_get_direction(packet);\n\t\t\tbreak;\n\t\tcase DIR_METHOD_MAC:\n\t\t\tdir = mac_get_direction(packet, opts->mac_bytes);\n\t\t\tbreak;\n\t\tcase DIR_METHOD_PORT:\n\t\t\tdir = port_get_direction(packet);\n\t}\n\n\tif (dir != 0 && dir != 1)\n\t\treturn packet;\n\n\t/* Match the packet to a Flow - this will create a new flow if\n\t * there is no matching flow already in the Flow map and set the\n\t * is_new flag to true. */\n\tf = tl->flowmanager->matchPacketToFlow(packet, dir, &is_new);\n\n\t/* Libflowmanager did not like something about that packet - best to\n\t * just ignore it and carry on */\n\tif (f == NULL) {\n\t\treturn packet;\n\t}\n\n\ttcp = trace_get_tcp(packet);\n\t/* If the returned flow is new, you will probably want to allocate and\n\t * initialise any custom data that you intend to track for the flow */\n\tif (is_new) {\n\t\tinit_ident_flow(f, dir, ts);\n\t\tident = (IdentFlow *)f->extension;\n\t} else {\n\t\tident = (IdentFlow *)f->extension;\n\t\tif (tcp && tcp->syn && !tcp->ack)\n\t\t\tident->init_dir = dir;\n\t}\n\n\t/* Update flow statistics in ident */\n\tper_packet_flow(packet, ident, dir, ts);\n\n\t/* Pass the packet into libprotoident so it can extract any info\n\t * it needs from this packet */\n\tlpi_update_data(packet, &ident->lpi, dir);\n\n\t/* Tell libflowmanager to update the expiry time for this flow */\n\ttl->flowmanager->updateFlowExpiry(f, packet, dir, ts);\n        return packet;\n}\n\nstatic void cleanup_signal(int sig)\n{\n\t(void)sig;\n        if (!done) {\n        \tdone = 1;\n                trace_pstop(currenttrace);\n        }\n}\n\nstatic void usage(char *prog)\n{\n\tprintf(\"Usage details for %s\\n\\n\", prog);\n\tprintf(\"%s [-l <mac>] [-T] [-b] [-d <dir>] [-f <filter>] [-R] [-t <threads>] [-B buflen] inputURI [inputURI ...]\\n\\n\", prog);\n\tprintf(\"Options:\\n\");\n\tprintf(\"  -l <mac>     
Determine direction based on <mac> representing the 'inside'\\n\");\n\tprintf(\"               portion of the network\\n\");\n\tprintf(\"  -T           Use trace direction tags to determine direction\\n\");\n\tprintf(\"  -b           Ignore flows that do not send data in both directions \\n\");\n\tprintf(\"  -d <dir>     Ignore flows where the initial packet does not match the given\\n\");\n\tprintf(\"               direction\\n\");\n\tprintf(\"  -f <filter>  Ignore flows that do not match the given BPF filter\\n\");\n\tprintf(\"  -R           Ignore flows involving private RFC 1918 address space\\n\");\n        printf(\"  -t <threads>  Share the workload over the given number of threads\\n\");\n        printf(\"  -B <buflen>   Buffer results until there are <buflen> results waiting\\n\");\n\texit(0);\n}\n\nint main(int argc, char *argv[])\n{\n\tlibtrace_filter_t *filter = NULL;\n\tstruct sigaction sigact;\n        struct globalopts opts;\n        int threads = 1;\n        int bufferresults = 10;\n\n\tint i, opt;\n\tdouble ts;\n\tchar *filterstring = NULL;\n\tint dir;\n\n        libtrace_callback_set_t *processing, *reporter;\n\n        opts.dir_method = DIR_METHOD_PORT;\n        opts.only_dir0 = false;\n        opts.only_dir1 = false;\n        opts.require_both = false;\n        opts.nat_hole = false;\n        opts.ignore_rfc1918 = false;\n        opts.local_mac = NULL;\n\n        processing = trace_create_callback_set();\n        trace_set_starting_cb(processing, start_processing);\n        trace_set_stopping_cb(processing, stop_processing);\n        trace_set_packet_cb(processing, per_packet);\n\n        reporter = trace_create_callback_set();\n        trace_set_starting_cb(reporter, start_reporter);\n        trace_set_stopping_cb(reporter, stop_reporter);\n        trace_set_result_cb(reporter, per_result);\n\n\twhile ((opt = getopt(argc, argv, \"l:bB:d:f:RhTt:\")) != EOF) {\n\t\tswitch (opt) {\n\t\t\tcase 'l':\n\t\t\t\topts.local_mac = 
optarg;\n\t\t\t\topts.dir_method = DIR_METHOD_MAC;\n\t\t\t\tbreak;\n\t\t\tcase 'b':\n\t\t\t\topts.require_both = true;\n\t\t\t\tbreak;\n                        case 'B':\n                                bufferresults = atoi(optarg);\n                                if (bufferresults <= 0)\n                                        bufferresults = 1;\n                                break;\n\t\t\tcase 'd':\n\t\t\t\tdir = atoi(optarg);\n\t\t\t\tif (dir == 0)\n\t\t\t\t\topts.only_dir0 = true;\n\t\t\t\tif (dir == 1)\n\t\t\t\t\topts.only_dir1 = true;\n\t\t\t\tbreak;\n\t\t\tcase 'f':\n\t\t\t\tfilterstring = optarg;\n\t\t\t\tbreak;\n\t\t\tcase 'R':\n\t\t\t\topts.ignore_rfc1918 = true;\n\t\t\t\tbreak;\n\t\t\tcase 'T':\n\t\t\t\topts.dir_method = DIR_METHOD_TRACE;\n\t\t\t\tbreak;\n                        case 't':\n                                threads = atoi(optarg);\n                                if (threads <= 0)\n                                        threads = 1;\n                                break;\n\t\t\tcase 'h':\n\t\t\tdefault:\n\t\t\t\tusage(argv[0]);\n\t\t}\n\t}\n\n\tif (filterstring != NULL) {\n\t\tfilter = trace_create_filter(filterstring);\n\t}\n\n        if (opts.local_mac != NULL) {\n                if (convert_mac_string(opts.local_mac, opts.mac_bytes) < 0) {\n                        fprintf(stderr, \"Invalid MAC: %s\\n\", opts.local_mac);\n                        return 1;\n                }\n        }\n\n\tsigact.sa_handler = cleanup_signal;\n\tsigemptyset(&sigact.sa_mask);\n\tsigact.sa_flags = SA_RESTART;\n\n\tsigaction(SIGINT, &sigact, NULL);\n\tsigaction(SIGTERM, &sigact, NULL);\n\n\tsignal(SIGINT,&cleanup_signal);\n\tsignal(SIGTERM,&cleanup_signal);\n\n\tif (lpi_init_library() == -1)\n\t\treturn -1;\n\n\tfor (i = optind; i < argc; i++) {\n                if (done) break;\n\t\tfprintf(stderr, \"%s\\n\", argv[i]);\n\n\t\t/* printf arff file header */\n\t\tprintf(\"@relation '%s'\\n\", argv[i]);\n\t\tprintf(\"\\n\");\n\t\tprintf(\"@attribute label 
string\\n\");\n\t\tprintf(\"@attribute protocol numeric\\n\");\n\t\tprintf(\"@attribute fpackets numeric\\n\");\n\t\tprintf(\"@attribute fbytes numeric\\n\");\n\t\tprintf(\"@attribute bpackets numeric\\n\");\n\t\tprintf(\"@attribute bbytes numeric\\n\");\n\t\tprintf(\"@attribute minfpktl numeric\\n\");\n\t\tprintf(\"@attribute meanfpktl numeric\\n\");\n\t\tprintf(\"@attribute maxfpktl numeric\\n\");\n\t\tprintf(\"@attribute stdfpktl numeric\\n\");\n\t\tprintf(\"@attribute minbpktl numeric\\n\");\n\t\tprintf(\"@attribute meanbpktl numeric\\n\");\n\t\tprintf(\"@attribute maxbpktl numeric\\n\");\n\t\tprintf(\"@attribute stdbpktl numeric\\n\");\n\t\tprintf(\"@attribute minfiat numeric\\n\");\n\t\tprintf(\"@attribute meanfiat numeric\\n\");\n\t\tprintf(\"@attribute maxfiat numeric\\n\");\n\t\tprintf(\"@attribute stdfiat numeric\\n\");\n\t\tprintf(\"@attribute minbiat numeric\\n\");\n\t\tprintf(\"@attribute meanbiat numeric\\n\");\n\t\tprintf(\"@attribute maxbiat numeric\\n\");\n\t\tprintf(\"@attribute stdbiat numeric\\n\");\n\t\tprintf(\"@attribute duration numeric\\n\");\n\t\tprintf(\"@attribute timestamp numeric\\n\");\n\t\tprintf(\"\\n\");\n\t\tprintf(\"@data\\n\");\n\n\t\t/* Bog-standard libtrace stuff for reading trace files */\n\t\tcurrenttrace = trace_create(argv[i]);\n\n\t\tif (!currenttrace) {\n\t\t\tperror(\"Creating libtrace trace\");\n\t\t\treturn -1;\n\t\t}\n\n\t\tif (trace_is_err(currenttrace)) {\n\t\t\ttrace_perror(currenttrace, \"Opening trace file\");\n\t\t\ttrace_destroy(currenttrace);\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (filter && trace_config(currenttrace, TRACE_OPTION_FILTER, filter) == -1) {\n\t\t\ttrace_perror(currenttrace, \"Configuring filter\");\n\t\t\ttrace_destroy(currenttrace);\n\t\t\treturn -1;\n\t\t}\n\n\n                trace_set_perpkt_threads(currenttrace, threads);\n                trace_set_reporter_thold(currenttrace, bufferresults);\n\n                trace_set_combiner(currenttrace, &combiner_unordered,\n                        
(libtrace_generic_t){0});\n\n                trace_set_hasher(currenttrace, HASHER_BIDIRECTIONAL, NULL, NULL);\n\n                if (trace_pstart(currenttrace, &opts, processing, reporter) == -1) {\n                        trace_perror(currenttrace, \"Starting trace\");\n                        trace_destroy(currenttrace);\n                        continue;\n                }\n\n                trace_join(currenttrace);\n                trace_destroy(currenttrace);\n\n\n\t}\n\n        trace_destroy_callback_set(processing);\n        trace_destroy_callback_set(reporter);\n        lpi_free_library();\n\n\treturn 0;\n}\n"
  },
  {
    "path": "tools/find_unknown/Makefile.am",
    "content": "bin_PROGRAMS=lpi_find_unknown \n\nman_MANS = lpi_find_unknown.1\nEXTRA_DIST = $(man_MANS)\n\ninclude ../Makefile.tools\nlpi_find_unknown_SOURCES=lpi_find_unknown.cc ../tools_common.cc\nlpi_find_unknown_LDADD = @ADD_LIBS@ -lprotoident\n"
  },
  {
    "path": "tools/find_unknown/lpi_find_unknown.1",
    "content": ".TH LPI_FIND_UNKNOWN \"1\" \"April 2019\" \"libprotoident\" \"User Commands\"\n.SH NAME\nlpi_find_unknown \\- list all network flows in a trace that libprotoident cannot identify\n.SH SYNOPSIS\n.B lpi_find_unknown\ninputuri\n\n.SH DESCRIPTION\nThis tool attempts to identify each individual flow within the provided\nnetwork packet trace that libprotoident is unable to provide a positive\nclassification result for. This is mainly useful in situations where one\nis looking to add support for new protocols to libprotoident, but the tool\nhas been made available nonetheless.\nNote that identification only occurs when the flow has concluded or expired due\nto inactivity, so it is not very effective for real-time use cases.\n.PP\nThe \\fBinputuri\\fR argument must be a valid libtrace URI.\n\n.SH OUTPUT FORMAT\nFor each flow discovered in the input trace which libprotoident is unable\nto identify, a single line is printed to stdout describing the flow. The line\ncontains the following whitespace-separated fields (in order):\n\n.nf\n* IP address of the first endpoint\n* IP address of the second endpoint\n* Port used by the first endpoint\n* Port used by the second endpoint\n* Transport protocol (6 = TCP, 17 = UDP)\n* Unix timestamp when the flow began\n* Unix timestamp when the flow ended\n* Total bytes sent from first endpoint to second endpoint\n* Total bytes sent from second endpoint to first endpoint\n* First four bytes of payload sent from first endpoint (in hex)\n* First four bytes of payload sent from first endpoint (ASCII)\n* Size of first payload-bearing packet sent from first endpoint\n* First four bytes of payload sent from second endpoint (in hex)\n* First four bytes of payload sent from second endpoint (ASCII)\n* Size of first payload-bearing packet sent from second endpoint\n.fi\n\n.SH LINKS\nMore details about libprotoident, the protocols it supports and how it\nworks can be found at https://github.com/wanduow/libprotoident/wiki\n\n.SH SEE 
ALSO\nlpi_arff(1), lpi_protoident(1)\n\n.SH AUTHORS\nShane Alcock <shane.alcock@waikato.ac.nz>\n"
  },
  {
    "path": "tools/find_unknown/lpi_find_unknown.cc",
    "content": "/* \n * This file is part of libprotoident\n *\n * Copyright (c) 2011-2015 The University of Waikato, Hamilton, New Zealand.\n * Author: Shane Alcock\n *\n * With contributions from:\n *      Aaron Murrihy\n *      Donald Neal\n *\n * All rights reserved.\n *\n * This code has been developed by the University of Waikato WAND \n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License as published by\n * the Free Software Foundation; either version 2 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License\n * along with libprotoident; if not, write to the Free Software\n * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA\n *\n * $Id$\n */\n\n\n#define __STDC_FORMAT_MACROS\n\n#include <stdio.h>\n#include <assert.h>\n#include <getopt.h>\n#include <sys/socket.h>\n#include <netinet/in.h>\n#include <arpa/inet.h>\n#include <stdlib.h>\n#include <inttypes.h>\n#include <signal.h>\n\n#include <libtrace.h>\n#include <libtrace_parallel.h>\n#include <libflowmanager.h>\n#include <libprotoident.h>\n\n#include \"../tools_common.h\"\n\nenum {\n\tDIR_METHOD_TRACE,\n\tDIR_METHOD_MAC,\n\tDIR_METHOD_PORT\n};\n\nlibtrace_t *currenttrace;\nstatic volatile int done = 0;\n\nstruct globalopts {\n\n        int dir_method;\n        bool only_dir0 ;\n        bool only_dir1 ;\n        bool require_both ;\n        bool nat_hole ;\n        bool ignore_rfc1918 ;\n        char *local_mac ;\n        uint8_t mac_bytes[6];\n};\n\nstruct threadlocal {\n        FlowManager 
*flowmanager;\n};\n\n/* This data structure is used to demonstrate how to use the 'extension' \n * pointer to store custom data for a flow */\ntypedef struct ident {\n\tuint8_t init_dir;\n\tuint64_t in_bytes;\n\tuint64_t out_bytes;\n\tuint64_t in_pkts;\n\tuint64_t out_pkts;\n\tdouble start_ts;\n        double end_ts;\n\tlpi_data_t lpi;\n} IdentFlow;\n\nstatic void *start_processing(libtrace_t *trace, libtrace_thread_t *thread,\n                void *global) {\n\n        bool opt_false = false;\n        struct globalopts *opts = (struct globalopts *)global;\n\n        struct threadlocal *tl = (struct threadlocal *)malloc(sizeof(\n                        struct threadlocal));\n        tl->flowmanager = new FlowManager();\n\n        /* This tells libflowmanager to ignore any flows where an RFC1918\n\t * private IP address is involved */\n        if (tl->flowmanager->setConfigOption(LFM_CONFIG_IGNORE_RFC1918, \n\t\t\t\t&(opts->ignore_rfc1918)) == 0) {\n                fprintf(stderr, \"Failed to set IGNORE RFC 1918 option in libflowmanager\\n\");\n        }\n\n\t/* This tells libflowmanager not to replicate the TCP timewait\n\t * behaviour where closed TCP connections are retained in the Flow\n\t * map for an extra 2 minutes */\n        if (tl->flowmanager->setConfigOption(LFM_CONFIG_TCP_TIMEWAIT,\n                                &opt_false) == 0) {\n                fprintf(stderr, \"Failed to set TCP TIMEWAIT option in libflowmanager\\n\");\n        }\n\n\t/* This tells libflowmanager not to utilise the fast expiry rules for\n\t * short-lived UDP connections - these rules are experimental \n\t * behaviour not in line with recommended \"best\" practice */\n\tif (tl->flowmanager->setConfigOption(LFM_CONFIG_SHORT_UDP,\n                                &opt_false) == 0) {\n                fprintf(stderr, \"Failed to set SHORT UDP option in libflowmanager\\n\");\n        }\n\n        return tl;\n}\n\nstatic void *start_reporter(libtrace_t *trace, libtrace_thread_t 
*thread,\n                void *global) {\n        return NULL;\n}\n\nstatic void stop_reporter(libtrace_t *trace, libtrace_thread_t *thread,\n                void *global, void *tls) {\n        if (tls)\n                free(tls);\n}\n\n/* Initialises the custom data for the given flow. Allocates memory for a\n * IdentFlow structure and ensures that the extension pointer points at\n * it.\n */\nvoid init_ident_flow(Flow *f, uint8_t dir, double ts) {\n\tIdentFlow *ident = NULL;\n\n\tident = (IdentFlow *)malloc(sizeof(IdentFlow));\n\tident->init_dir = dir;\n\tident->in_bytes = 0;\n\tident->out_bytes = 0;\n\tident->in_pkts = 0;\n\tident->out_pkts = 0;\n\tident->start_ts = ts;\n        ident->end_ts = ts;\n\tlpi_init_data(&ident->lpi);\n\tf->extension = ident;\n}\n\nvoid dump_payload(lpi_data_t lpi, uint8_t dir, char *space, int spacelen) {\n\n\tint i;\n\tuint8_t *pl = (uint8_t *)(&(lpi.payload[dir]));\n\n        char ascii[4][5];\n\n\tfor (i = 0; i < 4; i++) {\n\t\tif (*pl > 32 && *pl < 126) {\n\t\t\tsnprintf(ascii[i], 5, \"%c\", *pl);\n\t\t} else {\n\t\t\tsnprintf(ascii[i], 5, \".\");\n\t\t}\n\t\tpl ++;\n\t}\n\n        snprintf(space, spacelen - 1, \"%08x %s%s%s%s %u\",\n                        ntohl(lpi.payload[dir]), ascii[0], ascii[1],\n                        ascii[2], ascii[3], lpi.payload_len[dir]);\n\n\n}\n\nchar *display_ident(Flow *f, IdentFlow *ident, struct globalopts *opts) {\n\n        char s_ip[100];\n\tchar c_ip[100];\n        char pload_out[100];\n        char pload_in[100];\n        char *str;\n\tlpi_module_t *proto;\n\n\tif (opts->only_dir0 && ident->init_dir == 1)\n\t\treturn NULL;\n\tif (opts->only_dir1 && ident->init_dir == 0)\n\t\treturn NULL;\n\tif (opts->require_both) {\n\t\tif (ident->lpi.payload_len[0] == 0 || \n\t\t\t\tident->lpi.payload_len[1] == 0) {\n\t\t\treturn NULL;\n\t\t}\n\t}\n\n\tif (opts->nat_hole) {\n                if (ident->init_dir != 1)\n                        return NULL;\n                if (ident->lpi.payload_len[0] == 
0 && ident->in_pkts <= 3)\n                        return NULL;\n        }\n\n\tproto = lpi_guess_protocol(&ident->lpi);\n\n        if (proto->protocol != LPI_PROTO_UNKNOWN &&\n                        proto->protocol != LPI_PROTO_UDP) {\n                return NULL;\n        }\n\n\tf->id.get_server_ip_str(s_ip);\n\tf->id.get_client_ip_str(c_ip);\n\n\tdump_payload(ident->lpi, 0, pload_out, 100);\n\tdump_payload(ident->lpi, 1, pload_in, 100);\n        str = (char *)malloc(750);\n        snprintf(str, 750, \"%s %s %u %u %u %.3f %.3f %\" PRIu64 \" %\" PRIu64 \" %s %s\\n\",\n\t\t\ts_ip, c_ip,\n                        f->id.get_server_port(), f->id.get_client_port(),\n                        f->id.get_protocol(), ident->start_ts,\n                        ident->end_ts,\n\t\t\tident->out_bytes, ident->in_bytes,\n                        pload_out, pload_in);\n\n        return str;\n\n}\n\n/* Expires all flows that libflowmanager believes have been idle for too\n * long. The exp_flag variable tells libflowmanager whether it should force\n * expiry of all flows (e.g. if you have reached the end of the program and\n * want the stats for all the still-active flows). 
Otherwise, only flows\n * that have been idle for longer than their expiry timeout will be expired.\n */\nvoid expire_ident_flows(libtrace_t *trace, libtrace_thread_t *thread,\n                struct globalopts *opts, FlowManager *fm, double ts,\n                bool exp_flag) {\n        Flow *expired;\n        char *result = NULL;\n        libtrace_generic_t gen;\n\n        /* Loop until libflowmanager has no more expired flows available */\n\twhile ((expired = fm->expireNextFlow(ts, exp_flag)) != NULL) {\n\n                IdentFlow *ident = (IdentFlow *)expired->extension;\n\t\tresult = display_ident(expired, ident, opts);\n                if (result) {\n                        gen.ptr = result;\n                        trace_publish_result(trace, thread, ident->end_ts,\n                                        gen,  RESULT_USER);\n                }\n\t\t/* Don't forget to free our custom data structure */\n                free(ident);\n\n                fm->releaseFlow(expired);\n        }\n}\n\nstatic void stop_processing(libtrace_t *trace, libtrace_thread_t *thread,\n                void *global, void *tls) {\n\n        struct globalopts *opts = (struct globalopts *)global;\n        struct threadlocal *tl = (struct threadlocal *)tls;\n\n        expire_ident_flows(trace, thread, opts, tl->flowmanager, 0, true);\n        delete(tl->flowmanager);\n        free(tl);\n\n\n}\n\n\nstatic void per_result(libtrace_t *trace, libtrace_thread_t *sender,\n                void *global, void *tls, libtrace_result_t *result) {\n\n        char *resultstr;\n\n        if (result->type != RESULT_USER)\n                return;\n\n        resultstr = (char *)result->value.ptr;\n        printf(\"%s\", resultstr);\n        free(resultstr);\n\n}\n\nstatic libtrace_packet_t *per_packet(libtrace_t *trace,\n                libtrace_thread_t *thread, void *global, void *tls,\n                libtrace_packet_t *packet) {\n\n        Flow *f;\n        IdentFlow *ident = NULL;\n        
uint8_t dir = 255;\n        bool is_new = false;\n\n        libtrace_tcp_t *tcp = NULL;\n        void *l3;\n\tdouble ts;\n\n        uint16_t l3_type;\n        struct globalopts *opts = (struct globalopts *)global;\n        struct threadlocal *tl = (struct threadlocal *)tls;\n\n        /* Libflowmanager only deals with IP traffic, so ignore anything\n\t * that does not have an IP header */\n        l3 = trace_get_layer3(packet, &l3_type, NULL);\n        if (l3_type != TRACE_ETHERTYPE_IP && l3_type != TRACE_ETHERTYPE_IPV6) \n\t\treturn packet;\n        if (l3 == NULL) return packet;\n\n\t/* Expire all suitably idle flows */\n        ts = trace_get_seconds(packet);\n        expire_ident_flows(trace, thread, opts, tl->flowmanager, ts, false);\n\n\t/* Determine packet direction */\n\tif (opts->dir_method == DIR_METHOD_TRACE) {\n\t\tdir = trace_get_direction(packet);\n\t}\n\tif (opts->dir_method == DIR_METHOD_MAC) {\n\t\tdir = mac_get_direction(packet, opts->mac_bytes);\n\t}\n\tif (opts->dir_method == DIR_METHOD_PORT) {\n\t\tdir = port_get_direction(packet);\n\t}\n\n\tif (dir != 0 && dir != 1)\n\t\treturn packet;\n\n        /* Match the packet to a Flow - this will create a new flow if\n\t * there is no matching flow already in the Flow map and set the\n\t * is_new flag to true. 
*/\n        f = tl->flowmanager->matchPacketToFlow(packet, dir, &is_new);\n\n\t/* Libflowmanager did not like something about that packet - best to\n\t * just ignore it and carry on */\n        if (f == NULL) {\n\t\treturn packet;\n\t}\n\n        tcp = trace_get_tcp(packet);\n\t/* If the returned flow is new, you will probably want to allocate and\n\t * initialise any custom data that you intend to track for the flow */\n        if (is_new) {\n                init_ident_flow(f, dir, ts);\n        \tident = (IdentFlow *)f->extension;\n\t} else {\n        \tident = (IdentFlow *)f->extension;\n\t\tif (tcp && tcp->syn && !tcp->ack)\n\t\t\tident->init_dir = dir;\n                if (ident->end_ts < ts)\n                        ident->end_ts = ts;\n\t}\n\n\t/* Update our own byte and packet counters for reporting purposes */\n\tif (dir == 0) {\n\t\tident->out_pkts += 1;\n\t\tident->out_bytes += trace_get_payload_length(packet);\n\t}\n\telse {\n\t\tident->in_bytes += trace_get_payload_length(packet);\n\t\tident->in_pkts += 1;\n\t}\n\n\n\t/* Pass the packet into libprotoident so it can extract any info\n\t * it needs from this packet */\n\tlpi_update_data(packet, &ident->lpi, dir);\n\n\tassert(f);\n        /* Tell libflowmanager to update the expiry time for this flow */\n        tl->flowmanager->updateFlowExpiry(f, packet, dir, ts);\n\n        return packet;\n}\n\nstatic void cleanup_signal(int sig) {\n\t(void)sig;\n        if (!done) {\n                trace_pstop(currenttrace);\n        \tdone = 1;\n        }\n}\n\nstatic void usage(char *prog) {\n\n\tprintf(\"Usage details for %s\\n\\n\", prog);\n\tprintf(\"%s [-l <mac>] [-T] [-b] [-d <dir>] [-f <filter>] [-R] [-H] [-t <threads>] [-B <buflen] inputURI [inputURI ...]\\n\\n\", prog);\n\tprintf(\"Options:\\n\");\n\tprintf(\"  -l <mac>\tDetermine direction based on <mac> representing the 'inside' \\n\t\t\tportion of the network\\n\");\n\tprintf(\"  -T\t\tUse trace direction tags to determine direction\\n\");\n\tprintf(\"  
-b\t\tIgnore flows that do not send data in both directions \\n\");\n\tprintf(\"  -d <dir>\tIgnore flows where the initial packet does not match the given \\n   \t\tdirection\\n\");\n\tprintf(\"  -f <filter>\tIgnore flows that do not match the given BPF filter\\n\");\n\tprintf(\"  -R \t\tIgnore flows involving private RFC 1918 address space\\n\");\n\tprintf(\"  -H\t\tIgnore flows that do not meet the criteria for an SPNAT hole\\n\");\n        printf(\"  -t <threads>  Share the workload over the given number of threads\\n\");\n        printf(\"  -B <buflen>   Buffer results until there are <buflen> results waiting\\n\");\n\texit(0);\n\n}\n\nint main(int argc, char *argv[]) {\n\n\tlibtrace_filter_t *filter = NULL;\n\tstruct sigaction sigact; \n        struct globalopts opts;\n        int i, opt;\n\tchar *filterstring = NULL;\n\tint dir;\n        int threads = 1;\n        int bufferresults = 1;\n\n        libtrace_callback_set_t *processing, *reporter;\n\n        opts.dir_method = DIR_METHOD_PORT;\n        opts.only_dir0 = false;\n        opts.only_dir1 = false;\n        opts.require_both = false;\n        opts.nat_hole = false;\n        opts.ignore_rfc1918 = false;\n        opts.local_mac = NULL;\n\n        processing = trace_create_callback_set();\n        trace_set_starting_cb(processing, start_processing);\n        trace_set_stopping_cb(processing, stop_processing);\n        trace_set_packet_cb(processing, per_packet);\n\n        reporter = trace_create_callback_set();\n        trace_set_starting_cb(reporter, start_reporter);\n        trace_set_stopping_cb(reporter, stop_reporter);\n        trace_set_result_cb(reporter, per_result);\n\n\twhile ((opt = getopt(argc, argv, \"l:bB:Hd:f:RhTt:\")) != EOF) {\n                switch (opt) {\n\t\t\tcase 'l':\n\t\t\t\topts.local_mac = optarg;\n\t\t\t\topts.dir_method = DIR_METHOD_MAC;\n\t\t\t\tbreak;\n\t\t\tcase 'b':\n\t\t\t\topts.require_both = true;\n\t\t\t\tbreak;\n                        case 'B':\n                      
          bufferresults = atoi(optarg);\n                                if (bufferresults <= 0)\n                                        bufferresults = 1;\n                                break;\n                        case 'd':\n\t\t\t\tdir = atoi(optarg);\n\t\t\t\tif (dir == 0)\n\t\t\t\t\topts.only_dir0 = true;\n\t\t\t\tif (dir == 1)\n\t\t\t\t\topts.only_dir1 = true;\n\t\t\t\tbreak;\n\t\t\tcase 'f':\n                                filterstring = optarg;\n                                break;\n\t\t\tcase 'R':\n\t\t\t\topts.ignore_rfc1918 = true;\n\t\t\t\tbreak;\n\t\t\tcase 'H':\n\t\t\t\topts.nat_hole = true;\n\t\t\t\tbreak;\n\t\t\tcase 'T':\n\t\t\t\topts.dir_method = DIR_METHOD_TRACE;\n\t\t\t\tbreak;\n                        case 't':\n                                threads = atoi(optarg);\n                                if (threads <= 0)\n                                        threads = 1;\n                                break;\n                \tcase 'h':\n\t\t\tdefault:\n\t\t\t\tusage(argv[0]);\n\t\t}\n\n        }\n\n        if (filterstring != NULL) {\n                filter = trace_create_filter(filterstring);\n        }\n\n\tif (opts.local_mac != NULL) {\n                if (convert_mac_string(opts.local_mac, opts.mac_bytes) < 0) {\n                        fprintf(stderr, \"Invalid MAC: %s\\n\", opts.local_mac);\n                        return 1;\n                }\n        }\n\n\tsigact.sa_handler = cleanup_signal;\n\tsigemptyset(&sigact.sa_mask);\n\tsigact.sa_flags = SA_RESTART;\n\n\tsigaction(SIGINT, &sigact, NULL);\n\tsigaction(SIGTERM, &sigact, NULL);\n\n\tsignal(SIGINT,&cleanup_signal);\n\tsignal(SIGTERM,&cleanup_signal);\n\n\tif (lpi_init_library() == -1)\n\t\treturn -1;\n\n        for (i = optind; i < argc; i++) {\n                if (done)\n                        break;\n                fprintf(stderr, \"%s\\n\", argv[i]);\n                \n\t\t/* Bog-standard libtrace stuff for reading trace files */\n\t\tcurrenttrace = 
trace_create(argv[i]);\n\n                if (!currenttrace) {\n                        perror(\"Creating libtrace trace\");\n                        return -1;\n                }\n\n                if (trace_is_err(currenttrace)) {\n                        trace_perror(currenttrace, \"Opening trace file\");\n                        trace_destroy(currenttrace);\n                        continue;\n                }\n\n                if (filter && trace_config(currenttrace, TRACE_OPTION_FILTER, filter) == -1) {\n                        trace_perror(currenttrace, \"Configuring filter\");\n                        trace_destroy(currenttrace);\n                        return -1;\n                }\n\n                trace_set_perpkt_threads(currenttrace, threads);\n                trace_set_reporter_thold(currenttrace, bufferresults);\n                trace_set_combiner(currenttrace, &combiner_unordered,\n                        (libtrace_generic_t){0});\n\n                trace_set_hasher(currenttrace, HASHER_BIDIRECTIONAL, NULL, NULL);\n\n                if (trace_pstart(currenttrace, &opts, processing, reporter) == -1) {\n                        trace_perror(currenttrace, \"Starting trace\");\n                        trace_destroy(currenttrace);\n                        continue;\n                }\n\n                trace_join(currenttrace);\n                trace_destroy(currenttrace);\n\n        }\n\n        trace_destroy_callback_set(processing);\n        trace_destroy_callback_set(reporter);\n\tlpi_free_library();\n\n        return 0;\n\n}\n\n"
  },
  {
    "path": "tools/live/Makefile.am",
    "content": "bin_PROGRAMS=lpi_live\n\n#include_HEADERS=lpicp.h lpicp_export.h\n\ninclude ../Makefile.tools\nlpi_live_SOURCES=lpi_live.cc live_common.cc ../tools_common.cc \nlpi_live_LDADD = @ADD_LIBS@ -lprotoident -lpacketdump\n\n#if BUILD_COLLECTOR\n#bin_PROGRAMS+=lpi_collector\n#lpi_collector_SOURCES=collector.cc live_common.cc ../tools_common.cc lpicp.cc \\\n#\tlpicp_export.cc \n#lpi_collector_LDADD = @ADD_LIBS@ -lprotoident -lpacketdump -lwandevent\n#endif\n\n"
  },
  {
    "path": "tools/live/collector.cc",
    "content": "/* \n * This file is part of libprotoident\n *\n * Copyright (c) 2012 The University of Waikato, Hamilton, New Zealand.\n * Author: Meenakshee Mungro\n *\n * All rights reserved.\n *\n * This code has been developed by the University of Waikato WAND \n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License as published by\n * the Free Software Foundation; either version 2 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License\n * along with libprotoident; if not, write to the Free Software\n * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA\n *\n * $Id$\n */\n\n#define __STDC_FORMAT_MACROS\n\n#include <stdio.h>\n#include <assert.h>\n#include <getopt.h>\n#include <signal.h>\n#include <stdlib.h>\n#include <inttypes.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/socket.h>\n#include <netinet/in.h>\n#include <arpa/inet.h>\n#include <sys/time.h>\n#include <errno.h>\n#include <sys/types.h>\n#include <netdb.h>\n\n#include <libtrace.h>\n#include <libwandevent.h>\n#include <libflowmanager.h>\n#include <libprotoident.h>\n#include <libpacketdump.h>\n\n#include \"../tools_common.h\"\n#include \"live_common.h\"\n#include \"lpicp_export.h\"\n#include \"lpicp.h\"\n\nwand_event_handler_t *ev_hdl = NULL;\n\nenum {\n        DIR_METHOD_TRACE,\n        DIR_METHOD_MAC,\n        DIR_METHOD_PORT\n};\n\nint dir_method = DIR_METHOD_TRACE;\n\nchar *local_mac = NULL;\nuint8_t mac_bytes[6];\n\nlibtrace_t *trace = NULL;\nlibtrace_packet_t *packet = 
NULL;\n\nuint32_t report_freq = 300;\nchar* local_id = (char*) \"unnamed\";\n\n/* A file descriptor event - used when waiting on input from a live interface */\nstruct wand_fdcb_t fd_cb;\nstruct wand_fdcb_t socket_cb;\n\n/* A timer event - used when waiting for the next packet to occur in a trace \n * file replay\n */\nstruct wand_timer_t packet_timer;\n/* Timer that fires every n seconds, where n is the interval at which output is \n * produced \n */\nstruct wand_timer_t output_timer;\n/* Signal event which is triggered when the user triggers a SIGINT */\nstruct wand_signal_t signal_sigint;\n/* Struct that stores the time at which the reporting period started */\nstruct timeval start_reporting_period;\n\nstatic volatile int done = 0;\n\n/* Structure which contains all the current values for all the statistics the \n * collector needs to track. */\nLiveCounters counts;\n\n/* Function prototype */\nvoid collect_packets(libtrace_t *trace, libtrace_packet_t *packet );\n\nvoid usage(char *prog) {\n\treturn;\n}\n\n/* Function which prints the stats to the console every n seconds, where n is a \n * value provided in the command line arguments \n */\nvoid output_stats(struct wand_timer_t *timer)\n{\n\tstruct timeval *tv;\n\ttv = (struct timeval *) timer->data;\t\n\t\n\toutput_timer.expire = wand_calc_expire(ev_hdl, report_freq, 0);\n\toutput_timer.callback = output_stats;\t\n\tgettimeofday(&start_reporting_period, NULL);\t\n\toutput_timer.data = &start_reporting_period;\n\n\t/* the timer will be inserted into a doubly linked list and pointers \n\t * should start out as NULL */\n\toutput_timer.prev = output_timer.next = NULL;\n\n\twand_add_timer(ev_hdl, &output_timer);\n\n\tlpicp_export_counters(&counts, start_reporting_period, local_id, report_freq);\t\n\n\treset_counters(&counts, false);\n}\n\n/* Expires all flows that libflowmanager believes have been idle for too\n * long. The exp_flag variable tells libflowmanager whether it should force\n * expiry of all flows (e.g. 
if you have reached the end of the program and\n * want the stats for all the still-active flows). Otherwise, only flows\n * that have been idle for longer than their expiry timeout will be expired.\n */\nvoid expire_live_flows(double ts, bool exp_flag) {\n\tFlow *expired;\n\n\t/* Loop until libflowmanager has no more expired flows available */\n\twhile ((expired = lfm_expire_next_flow(ts, exp_flag)) != NULL) {               \n\t\t\n\t\tLiveFlow *live = (LiveFlow *)expired->extension;\t\t\n\t\tdestroy_live_flow(live, &counts);\n\t\t\n\t\t/* VERY IMPORTANT: delete the Flow structure itself, even\n\t\t * though we did not directly allocate the memory ourselves \n\t\t */\n\t\tlfm_release_flow(expired);\n\t}\n}\n\n/* Function which processes a packet after it is read from the trace.\n * It expires any old flows that are due to expire, takes the current packet \n * and matches it to the flow it belongs to, checks if it is a new flow and acts\n * accordingly, updates the state properly by checking if it is a TCP flow, and\n * updates the expiry time for the current flow. 
\n */\nvoid process_packet(libtrace_packet_t *packet)\n{\n\tuint8_t dir = 255;\n\tFlow *f;\n\tLiveFlow *live = NULL;\n\tbool is_new = false;\n    \n\t/* Defines a tcp header structure */\n\tlibtrace_tcp_t *tcp = NULL;\n\tvoid *l3;\n\tdouble ts;\n\n\tuint16_t l3_type = 0;\n\n\tl3 = trace_get_layer3(packet, &l3_type, NULL);\n\t/* if the packet is not an IPv4 or IPv6 packet */\n\tif (l3_type != TRACE_ETHERTYPE_IP && l3_type != TRACE_ETHERTYPE_IPV6) \n\t\treturn;\n\tif (l3 == NULL) \n\t\treturn;\n    \n\t/* Expire all suitably idle flows */\n\tts = trace_get_seconds(packet);\n\texpire_live_flows(ts, false);\n\t\n\t/* Determine packet direction */\t\n\tif (dir_method == DIR_METHOD_TRACE) {\n\t\tdir = trace_get_direction(packet);\n\t}\n\tif (dir_method == DIR_METHOD_MAC) {\n\t\tdir = mac_get_direction(packet, mac_bytes);\n\t}\n\tif (dir_method == DIR_METHOD_PORT) {\n\t\tdir = port_get_direction(packet);\n\t}\n    \n\tif (dir != 0 && dir != 1)\n\t\treturn;\n\t\n\t\t\n\t/* Match the packet to a Flow - this will create a new flow if\n\t * there is no matching flow already in the Flow map and set the\n\t * is_new flag to true */\n\tf = lfm_match_packet_to_flow(packet, dir, &is_new);\n\n\t/* Libflowmanager did not like something about that packet - best to\n\t * just ignore it and carry on */\n\tif (f == NULL) {\n\t\treturn;\n\t}\n\t    \n\ttcp = trace_get_tcp(packet);\n\t\n\t/* If the returned flow is new, allocate and initialise any custom data \n\t * that needs to be tracked for the flow */\n\tif (is_new) {\t\n\t\tinit_live_flow(&counts, f, dir, ts);\n\t\tlive = (LiveFlow *)f->extension;\n\t} \n\telse {\n\t\tlive = (LiveFlow *)f->extension;\n\t}\n\t\n\t/* Call method which updates the statistics stored in the LiveFlow \n         * structure, based on the provided packet */\n\tupdate_liveflow_stats(live, packet, &counts, dir);\n\t\n\t/* Pass the packet into libprotoident so that it can extract any\n\t * info it needs from this packet */\n\tlpi_update_data(packet, &live->lpi, 
dir);\t\n\t\n\tif (update_protocol_counters( live, &counts, \n\t\t\t\ttrace_get_wire_length(packet),\n\t\t\t\ttrace_get_payload_length(packet), dir) == -1) {\t\t\n\t\ttrace_dump_packet(packet);\t\n\t}\n\t\t\n\t/* Update TCP state for TCP flows. The TCP state determines how long\n\t * the flow can be idle before being expired by libflowmanager. For\n\t * instance, flows for which we have only seen a SYN will expire much\n\t * quicker than a TCP connection that has completed the handshake */\t\n\tif (tcp) {\n\t\tlfm_check_tcp_flags(f, tcp, dir, ts);\n\t}\n\n\t/* Tell libflowmanager to update the expiry time for this flow */\n\tlfm_update_flow_expiry_timeout(f, ts);\t\n}\n\n/* File descriptor callback method which is executed when a fd is added */\nvoid source_read_event( struct wand_fdcb_t *event, \n\t\t\tenum wand_eventtype_t event_type)\n{\n\twand_del_event(ev_hdl, event);\n\n\t/* Not very nice if this fails but it really REALLY shouldn't fail */\n\tassert(event_type == EV_READ);\n\tcollect_packets(trace, packet);\n}\n\n/* Callback function for packet_timer which is executed when the timer fires */\nvoid sleep_timer_event(struct wand_timer_t *timer)\n{\n\tcollect_packets(trace, packet);\n}\n\n/* Function which handles a SIGINT by deleting the signal and halting execution\n * of the program\n */\nstatic void cleanup_signal(struct wand_signal_t *signal ) \n{\t\n\twand_del_signal(signal);\n\t\t\n\tfprintf(stdout, \"%s\\n\", \"Terminating program...\");\n\tdone = 1;\n\tev_hdl->running = false;\n}\n\n/* Function which processes a libtrace event and executes the appropriate code \n * for each event type\n */\nint process_event(libtrace_eventobj_t event, libtrace_packet_t *packet)\n{\n\tswitch(event.type)\n\t{\n\t\t/* wait on a file descriptor(comes up when working with a live \n\t\t * source) */\n\t\tcase TRACE_EVENT_IOWAIT:\n\t\t\tfd_cb.fd = event.fd;\n\t\t\t/* only catering to READ events */\n\t\t\tfd_cb.flags = EV_READ;\n\t\t\tfd_cb.data = NULL;\n\t\t\tfd_cb.callback 
= source_read_event;\n\t\t\twand_add_event(ev_hdl, &fd_cb);\n\t\t\t/* Stop the current poll loop */\n\t\t\treturn 0;\n\t\t\n\t\t/* this event type comes up with static trace files */\n\t\tcase TRACE_EVENT_SLEEP:\n\t\t\t/* Next packet will be available in N seconds, sleep \n\t\t\t * until then */\n\t\t\tint micros;\n\t\t\tmicros = (int)((event.seconds - \n\t\t\t\t\t(int)event.seconds) * 1000000.0);\n\t\t\tpacket_timer.expire = wand_calc_expire(ev_hdl, \n\t\t\t\t\t\t(int)event.seconds, micros);\n\t\t\t\n\t\t\tpacket_timer.callback = sleep_timer_event;\n\t\t\tpacket_timer.data = NULL;\n\t\t\t/* the timer will be inserted into a doubly linked list \n\t\t\t * and pointers should start out as NULL */\n\t\t\tpacket_timer.prev = packet_timer.next = NULL;\n\n\t\t\twand_add_timer(ev_hdl, &packet_timer);\n\t\t\treturn 0;\n\t\t\t\n\t\tcase TRACE_EVENT_PACKET:\n\t\t\t/* A packet is available - pass it on to the meter */\n\t\t\tif (event.size == -1)\n\t\t\t{\n\t\t\t\t/* Error occured */\n\t\t\t\t/* We don't need wdcap's fancy error handling - \n\t\t\t\t * just drop the trace */\n\t\t\t\tev_hdl->running = false;\n\t\t\t\treturn 0;\n\t\t\t}\n\n\t\t\t/* No error, so call function which processes packets */\n\t\t\tprocess_packet(packet);\n\n\t\t\t/* check for more packets */\n\t\t\treturn 1;\n\t\t\t\n\t\tcase TRACE_EVENT_TERMINATE:\n\t\t\t/* The input trace has terminated */\n\t\t\tev_hdl->running = false;\n\t\t\treturn 0;\n\t\t\n\t\tdefault:\n\t\t\tfprintf(stderr, \"Unknown libtrace event type: %d\\n\", \n\t\t\t\t\t\tevent.type);\n\t\t\treturn 0;\t\n\t}\t\n}\n\n/* Function which polls the trace for the next packet if available */\nvoid collect_packets(libtrace_t *trace, libtrace_packet_t *packet )\n{\n\tstruct libtrace_eventobj_t event;\n\tint poll_again = 1;\n\n\tdo\n\t{\n\t\tif (done)\n\t\t\treturn;\n\t\t\t\n\t\t/* Process the next libtrace event from an input trace and \n\t\t * return a libtrace_event struct containing the event type and \n\t\t * details of the event 
*/\n\t\tevent = trace_event(trace, packet);\n\n\t\t/* process_event returns 1(allows resuming packet checking) or\n\t\t *  0(stops polling) */\n\t\tpoll_again = process_event(event, packet);\t\t\n\t}\n\t\n\twhile (poll_again);\t\n}\n\nint main(int argc, char *argv[])\n{\t\n\tint opt, i;\n\tlibtrace_filter_t *filter = NULL;\n\tchar *filterstring = NULL;\n\t\n\tbool opt_false = false;\n\tbool ignore_rfc1918 = false;\n\t\n\t/* The default number of clients that can be connected to the server at a time. \n\t* Can be set when starting the server */\n\tint max_clients = 20; \n\t\n\tstruct sockaddr_in addr;\n\tint sock, sa_len = sizeof(struct sockaddr_in);\n\tint sockopt = 1;\n\n\tsock = socket(PF_INET, SOCK_STREAM, 0);\n\tif (sock == -1) {\n\t\tperror (\"socket\");\n\t\treturn -1;\n\t}\n\n\tif (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &sockopt, sizeof(sockopt)) == -1) {\n\t\tperror(\"setsockopt (SO_REUSEADDR)\");\n\t\treturn -1;\n\t}\n\t\n\taddr.sin_family = AF_INET;\n\tmemset(addr.sin_zero, 0, sizeof(addr.sin_zero));\n\taddr.sin_port = htons(3678);\n\t\n\t/* Bind to all local IPv4 addresses */\n\taddr.sin_addr.s_addr = INADDR_ANY;\n\t\n\t/* Bind the socket to the port */\n\tif (bind(sock, (struct sockaddr *)&addr, sa_len) == -1) {\n\t\tperror(\"bind\");\n\t\treturn -1;\n\t}\n\t\n\t/* Start listening for inbound connections */\n\tif (listen(sock, 10) == -1) {\n\t\tperror(\"listen\");\n\t\treturn -1;\n\t}\t\n\t\n\t/* Initialise libwandevent */\n\tif (wand_event_init() == -1) {\n\t\tfprintf(stderr, \"Error initialising libwandevent\\n\");\n\t\treturn -1;\n\t}\n\t\n\t/* create an event handler */\n\tev_hdl = wand_create_event_handler();\n\t\t\n\tif (ev_hdl == NULL) {\n\t\tfprintf(stderr, \"Error creating event handler\\n\");\n\t\treturn -1;\n\t}\n\t\n\t/* Add listening fd to libwandevent */\n\tsocket_cb.fd = sock;\n\tsocket_cb.flags = EV_READ;\n\tsocket_cb.data = NULL;\n\tsocket_cb.callback = accept_connections;\n\twand_add_event(ev_hdl, &socket_cb);\n\t\n\t/* event 
handler has been correctly created, so add a signal event for SIGINT */\n\tsignal_sigint.signum = SIGINT;\n\tsignal_sigint.data = NULL;\n\tsignal_sigint.callback = cleanup_signal;\n\twand_add_signal(&signal_sigint);\t\n\t\n\tif (argc < 2) {\n\t\tusage(argv[0]);\n\t\treturn 1;\n\t}\n\n\twhile ((opt = getopt(argc, argv, \"f:l:i:r:c:TPR\")) != EOF) {\n\t\tswitch (opt) {\n\t\t\t/* Ignore flows that do not match the given BPF filter */\n\t\t\tcase 'f':\n\t\t\t\tfilterstring = optarg;\n\t\t\t\tbreak;\n\t\t\t/* Determine direction based on <mac> representing the \n\t\t\t * 'inside' portion of the network */\n\t\t\tcase 'l':\n\t\t\t\tlocal_mac = optarg;\n\t\t\t\tdir_method = DIR_METHOD_MAC;\n\t\t\t\tbreak;\n\t\t\t/* Store string that will identify this particular \n\t\t\t * measurement process, e.g. source of the packets   */\n\t\t\tcase 'i':\n\t\t\t\tlocal_id = optarg;\n\t\t\t\tbreak;\n\t\t\t/* Store the reporting interval: the number of seconds \n\t\t\t * between each export and reset of the counters */\n\t\t\tcase 'r':\n\t\t\t\treport_freq = atoi(optarg);\n\t\t\t\tbreak;\n\t\t\t/* The maximum number of clients that can connect to the \n\t\t\t * server. 
\n\t\t\t * Defaults to 20 if the option is not set */\n\t\t\tcase 'c':\n\t\t\t\tmax_clients = atoi(optarg);\t\t\t\t\n\t\t\t\tbreak;\n\t\t\t/* Use trace direction tags to determine direction */\n\t\t\tcase 'T':\n\t\t\t\tdir_method = DIR_METHOD_TRACE;\n\t\t\t\tbreak;\n\t\t\t/* Use port number to determine direction */\n\t\t\tcase 'P':\n\t\t\t\tdir_method = DIR_METHOD_PORT;\n\t\t\t\tbreak;\n\t\t\t/* ignore any flows where an RFC1918 private IP address \n\t\t\t * is involved */ \n\t\t\tcase 'R':\n\t\t\t\tignore_rfc1918 = true;\n\t\t\t\tbreak;\n\n\t\t\tdefault:\n\t\t\t\tusage(argv[0]);\n\t\t}\n\t}\n\t\n\t/* set the size of the array that stores client file descriptors */\n\tcreate_client_array(max_clients);\n\t\n\t// if -l <mac> was specified in the command line args\n\tif (local_mac != NULL) {\n\n\t\tif (convert_mac_string(local_mac, mac_bytes) < 0) {\n\t\t\tfprintf(stderr, \"Invalid MAC: %s\\n\", local_mac);\n\t\t\treturn 1;\n\t\t}\n\t}\n    \n\t/* This tells libflowmanager to ignore any flows where an RFC1918 \n\t * private IP address is involved */\n\tif (lfm_set_config_option(LFM_CONFIG_IGNORE_RFC1918, \n\t\t\t\t\t\t&ignore_rfc1918) == 0)\n\t\treturn -1;\n\n\t/* This tells libflowmanager not to replicate the TCP timewait behaviour \n\t * where closed TCP connections are retained in the Flow map for an \n\t * extra 2 minutes */\n\tif (lfm_set_config_option(LFM_CONFIG_TCP_TIMEWAIT, &opt_false) == 0)\n\t\treturn -1;\n\n\t/* This tells libflowmanager not to utilise the fast expiry rules for \n\t * short-lived UDP connections - these rules are experimental behaviour \n\t * not in line with recommended \"best\" practice */\n\tif (lfm_set_config_option(LFM_CONFIG_SHORT_UDP, &opt_false) == 0)\n\t\treturn -1;\n\n\tif (optind + 1 > argc) {\n\t\tusage(argv[0]);\n\t\treturn 1;\n\t}\n\t\n\tif (lpi_init_library() == -1)\n\t\treturn -1;\n\t\n\t/* nothing has gone wrong yet, so create packet */\n\tpacket = trace_create_packet();\n\n\tif (filterstring) {\n\t\tfilter = 
trace_create_filter(filterstring);\n\t}\n\n\toutput_timer.expire = wand_calc_expire(ev_hdl, report_freq, 0);\n\toutput_timer.callback = output_stats;\n\tgettimeofday(&start_reporting_period, NULL);\t\n\toutput_timer.data = &start_reporting_period;\n\toutput_timer.prev = output_timer.next = NULL ;\n\twand_add_timer(ev_hdl, &output_timer);\n\t\n\tfor (i = optind; i < argc; i++) {\n\t\t/* Create an input trace from a URI provided in arguments and \n\t\t * return a pointer to a libtrace_t */\n\t\ttrace = trace_create(argv[i]);\n\n\t\tif (trace_is_err(trace)) {\n\t\t\t/* outputs the error message for an input trace to \n\t\t\t * stderr and clear the error status. */\n\t\t\ttrace_perror(trace,\"Opening trace file\");\n\t\t\treturn 1;\n\t\t}\n\n\t\tif (filter && trace_config(trace, TRACE_OPTION_FILTER, \n\t\t\t\t\t\t\t\tfilter) == -1) {\n\t\t\ttrace_perror(trace, \"trace_config(filter)\");\n\t\t\treturn 1;\n\t\t}\n\n\t\t// Start an input trace and returns 0 on success, -1 on failure\n\t\tif (trace_start(trace)) {\n\t\t\ttrace_perror(trace,\"Starting trace\");\n\t\t\ttrace_destroy(trace);\n\t\t\treturn 1;\n\t\t}\n\n\t\t/* as long as this is true, libwandevent will keep running */\n\t\tev_hdl->running = true;\n\t\t\n\t\tcollect_packets(trace, packet);\n\t\t\n\t\t/* Once we hit a wait event, fire up the event handler. 
We\n\t\t * won't fall out of this function call until we reach the\n\t\t * end of the trace or something goes awry with reading\n\t\t * the trace */\n\t\twand_event_run(ev_hdl);\n\n\t\t/* if there's an error after the event handler has started */\n\t\tif (trace_is_err(trace)) {\n\t\t\ttrace_perror(trace,\"Reading packets\");\n\t\t\ttrace_destroy(trace);\n\t\t\treturn 1;\n\t\t}\n\t\t\n\t\tif (done)\n\t\t\tbreak;\n\t\t\n\t\t/* Close an input trace, freeing up any resources it may have \n\t\t * been using */\n\t\ttrace_destroy(trace);\n\t}\n\t\n\t/* cleaning up resources and final exporting of flows */\n\tif (filter)\n\t\ttrace_destroy_filter(filter);\n\n\ttrace_destroy_packet(packet);\n\twand_destroy_event_handler(ev_hdl);\n\texpire_live_flows(0, true);\n\tlpi_free_library();\n\tclose(sock);\n\t\n\treturn 0;\n}\n"
  },
  {
    "path": "tools/live/live_common.cc",
    "content": "/* \n * This file is part of libprotoident\n *\n * Copyright (c) 2011 The University of Waikato, Hamilton, New Zealand.\n * Author: Shane Alcock\n *\n * With contributions from:\n *      Aaron Murrihy\n *      Donald Neal\n *\n * All rights reserved.\n *\n * This code has been developed by the University of Waikato WAND \n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License as published by\n * the Free Software Foundation; either version 2 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License\n * along with libprotoident; if not, write to the Free Software\n * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA\n *\n * $Id$\n */\n\n/* The basis of this code was taken from the lpi_live tool and moved into a\n * separate source file that could be shared between the original tool and our\n * new collector.\n */\n#define __STDC_FORMAT_MACROS\n\n#include <stdio.h>\n#include <assert.h>\n#include <getopt.h>\n#include <signal.h>\n#include <stdlib.h>\n#include <inttypes.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/socket.h>\n#include <netinet/in.h>\n#include <arpa/inet.h>\n#include <sys/time.h>\n#include <errno.h>\n#include <sys/types.h>\n#include <netdb.h>\n#include <map>\n\n#include <libflowmanager.h>\n#include <libtrace.h>\n\n#include \"live_common.h\"\n\n/* These macros should make this code a lot more readable */\n#define PROTONUM (live->proto->protocol)\n#define OUT_BYTES (cnt->out_byte_count)\n#define IN_BYTES 
(cnt->in_byte_count)\n#define OUT_PKTS (cnt->out_pkt_count)\n#define IN_PKTS (cnt->in_pkt_count)\n#define OUT_NEW (cnt->out_flow_count)\n#define IN_NEW (cnt->in_flow_count)\n#define OUT_CURR (cnt->out_current_flows)\n#define IN_CURR (cnt->in_current_flows)\n#define OUT_PEAK (cnt->out_peak_flows)\n#define IN_PEAK (cnt->in_peak_flows)\n\nstatic void wipe_local_ip_collectors(IPMap *ipmap) {\n\t\n\tIPMap::iterator ii = ipmap->begin();\n\n\twhile (ii != ipmap->end()) {\n\t\tIPMap::iterator tmp = ii;\n\t\tii ++;\n\t\tipmap->erase(tmp);\n\t}\n\n\tassert(ipmap->empty());\n}\n\nstatic void reset_local_ip_counts(uint64_t *counts, IPMap *ipmap) {\n\n\tIPMap::iterator ii = ipmap->begin();\n\n\twhile (ii != ipmap->end()) {\n\t\tbool active = false;\n\n\t\tfor (int i = 0; i < LPI_PROTO_LAST; i++) {\n\t\t\tii->second.total_observed_period[i] =\n\t\t\tii->second.currently_active_flows[i];\n\t\t\tif (ii->second.total_observed_period[i] > 0) {\n\t\t\t\tcounts[i]++;\n\t\t\t\tactive = true;\n\t\t\t}\n\t\t}\n\n\t\tif (!active) {\n\t\t\t/* If there are no active flows for this IP,\n\t\t\t * remove it from the IP map to save space\n\t\t\t */\n\t\t\tIPMap::iterator tmp = ii;\n\t\t\tii ++;\n\t\t\tipmap->erase(tmp);\n\t\t} else {\n\t\t\tii++;\n\t\t}\n\t}\n\n}\n\nstatic int reset_user(UserCounters *user, bool wipe_all) {\n\tsize_t array_size = LPI_PROTO_LAST * sizeof(uint64_t);\n\n\tmemset(user->in_pkt_count, 0, array_size);\n\tmemset(user->out_pkt_count, 0, array_size);\n\tmemset(user->in_byte_count, 0, array_size);\n\tmemset(user->out_byte_count, 0, array_size);\n\tmemset(user->in_flow_count, 0, array_size);\n\tmemset(user->out_flow_count, 0, array_size);\n\n\tmemset(user->remote_ips, 0, array_size);\n\n\t/* Don't reset the current flow count unless told to! 
*/\n\tif (wipe_all) {\n\t\tmemset(user->in_current_flows, 0, array_size);\n\t\tmemset(user->out_current_flows, 0, array_size);\n\t} \n\n\tfor (int i = 0; i < LPI_PROTO_LAST; i++) {\n\t\tuser->in_peak_flows[i] = user->in_current_flows[i];\n\t\tuser->out_peak_flows[i] = user->out_current_flows[i];\n\t}\n\n\n\tif (user->in_current_flows > 0)\n\t\treturn 0;\n\tif (user->out_current_flows > 0)\n\t\treturn 0;\n\n\t/* Tell the caller that this user is no longer active and can be\n\t * released */\n\treturn 1;\n\n}\n\nvoid reset_counters(LiveCounters *cnt, bool wipe_all) {\n\n\tUserMap::iterator it, tmp; \n\n\treset_user(&cnt->all, wipe_all);\n\n\tit = cnt->users.begin();\n\n\twhile (it != cnt->users.end()) {\n\t\tif (reset_user(it->second, wipe_all)) {\n\t\t\ttmp = it;\n\t\t\tit ++;\n\t\t\tfree(tmp->second);\n\t\t\tcnt->users.erase(tmp);\n\t\t} else {\n\t\t\tit ++;\n\t\t}\n\t}\n\tmemset(cnt->all_local_ips, 0, LPI_PROTO_LAST * sizeof(uint64_t));\n\tmemset(cnt->active_local_ips, 0, LPI_PROTO_LAST * sizeof(uint64_t));\n\n\tif (!wipe_all) {\n\t\treset_local_ip_counts(cnt->all_local_ips, &cnt->observed_local);\n\t\treset_local_ip_counts(cnt->active_local_ips, &cnt->active_local);\n\t} else {\n\t\twipe_local_ip_collectors(&cnt->observed_local);\n\t\twipe_local_ip_collectors(&cnt->active_local);\n\t}\n\tcnt->reports ++;\n}\n\n\nvoid init_live_counters(LiveCounters *cnt, bool track_users) {\n\n\tcnt->user_tracking = track_users;\n\treset_counters(cnt, true);\n\t\n\t/* Force the report count to be zero, because reset_counters would\n\t * normally increment it */\n\tcnt->reports = 0;\n}\n\nvoid init_live_flow(LiveCounters *cnt, Flow *f, uint8_t dir, double ts) {\n        LiveFlow *live = NULL;\n\n        live = (LiveFlow *)malloc(sizeof(LiveFlow));\n        live->init_dir = dir;\n        live->in_wbytes = 0;\n        live->out_wbytes = 0;\n        live->in_pbytes = 0;\n        live->out_pbytes = 0;\n        live->in_pkts = 0;\n        live->out_pkts = 0;\n        live->start_ts = 
ts;\n        live->start_period = cnt->reports;\n        live->count_period = cnt->reports;\n        lpi_init_data(&live->lpi);\n        f->extension = live;\n        live->proto = NULL;\n\n        live->activated_ip = false;\n\n        f->id.get_local_ip_str(live->local_ip);\n        f->id.get_external_ip_str(live->ext_ip);\n\n\tif (cnt->user_tracking) {\n\t\t/* Create a new counter for the user if needed */\n\t\tUserMap::iterator it = cnt->users.find(live->local_ip);\n\t\tif (it != cnt->users.end())\n\t\t\treturn;\n\t\t\n\t\tUserCounters *uc = (UserCounters *)malloc(sizeof(UserCounters));\n\t\treset_user(uc, true);\n\t\tcnt->users[live->local_ip] = uc;\n\t\tcnt->user_count ++;\n\t}\n\n\n}\n\nstatic void stdout_counter_array(double ts, const char *id, uint32_t freq,\n                const char *type, uint64_t *counter) {\n\n        int i;\n\n\n        for (i = 0; i < LPI_PROTO_LAST; i++) {\n\t\t/* Ignore protocols that are deprecated in libprotoident */\n                if (lpi_is_protocol_inactive((lpi_protocol_t)i))\n                        continue;\n\n                fprintf(stdout, \"%s,%.0f,%u,%s,%s,\", id, ts, freq, type,\n                                lpi_print((lpi_protocol_t)i));\n                fprintf(stdout, \"%\" PRIu64 \"\\n\", counter[i]);\n        }\n\n}\n\n/* Dumps the values for all of our counters to standard output */\nvoid dump_counters_stdout(UserCounters *cnt, double ts, char *local_id, \n\t\tuint32_t report_freq) {\n\n        stdout_counter_array(ts, local_id, report_freq, \"in_pkts\", IN_PKTS);\n        stdout_counter_array(ts, local_id, report_freq, \"out_pkts\", OUT_PKTS);\n        stdout_counter_array(ts, local_id, report_freq, \"in_bytes\", IN_BYTES);\n        stdout_counter_array(ts, local_id, report_freq, \"out_bytes\", OUT_BYTES);\n        stdout_counter_array(ts, local_id, report_freq, \"in_new_flows\", IN_NEW);\n        stdout_counter_array(ts, local_id, report_freq, \"out_new_flows\", OUT_NEW);\n        
stdout_counter_array(ts, local_id, report_freq, \"in_peak_flows\", IN_PEAK);\n        stdout_counter_array(ts, local_id, report_freq, \"out_peak_flows\", OUT_PEAK);\n\n}\n\n/* Safely decrements a counter value - this way we won't reduce below zero and\n * succumb to integer wrapping bugs */\nstatic inline void decrement_counter(uint64_t *array, lpi_protocol_t proto,\n                uint32_t val) {\n\n        if (array[proto] < val) {\n                array[proto] = 0;\n        }\n        else {\n                array[proto] -= val;\n        }\n\n}\n\n/* Determines whether it is worth calling lpi_guess_protocol for a flow */\nstatic bool should_guess(LiveFlow *live, uint32_t plen, uint8_t dir) {\n\n\t/* Special case to deal with possible \"No Payload\" flows */\n        if (live->out_pbytes == 0 && live->in_pbytes == 0 && live->proto == NULL)\n                return true;\n\n\t/* If the current packet has no payload, then it is not going to\n \t * change anything */\n        if (plen == 0)\n                return false;\n\n\t/* If this is the first outgoing packet with payload, check */ \n        if (dir == 0 && live->out_pbytes == plen)\n                return true;\n\t/* If this is the first incoming packet with payload, check */\n        if (dir == 1 && live->in_pbytes == plen)\n                return true;\n\n\t/* This is a payload bearing packet but it isn't the first for that\n\t * direction so it isn't going to affect libprotoident at all */\n        return false;\n}\n\nstatic inline void activate_local_ip(LiveFlow *live, IPMap *ipmap, \n\t\tuint64_t *ip_counts) {\n\n\t/* Update the IP map for this flow */\n\tIPCollector& ip_coll = (*ipmap)[live->local_ip];\n\n\tip_coll.currently_active_flows[PROTONUM] += 1;\n\tip_coll.total_observed_period[PROTONUM] += 1;\n\n\tif (ip_coll.total_observed_period[PROTONUM] == 1)\n\t\tip_counts[PROTONUM] += 1;\n}\n\nstatic inline void swap_local_ip(LiveFlow *live, IPMap *ipmap, \n\t\tuint64_t *ip_counts, lpi_protocol_t old) 
{\n\n\tIPMap::iterator it = ipmap->find(live->local_ip);\n\tassert(it != ipmap->end());\n\n\tIPCollector &col = it->second;\n\tassert(col.currently_active_flows[old] > 0);\n\tassert(col.total_observed_period[old] > 0);\n\n\tcol.currently_active_flows[old] -= 1;\n\tcol.total_observed_period[old] -= 1;\n\tcol.currently_active_flows[PROTONUM] += 1;\n\tcol.total_observed_period[PROTONUM] += 1;\n\n\tif (col.total_observed_period[old] == 0) {\n\t\tip_counts[old] -= 1;\n\t}\n\tif (col.total_observed_period[PROTONUM] == 1) {\n\t\tip_counts[PROTONUM] += 1;\n\t}\n\n}\n\nstatic inline void deactivate_local_ip(LiveFlow *live, IPMap *ipmap) { \n\n\tIPMap::iterator it = ipmap->find(live->local_ip);\n\tassert(it != ipmap->end());\n\tIPCollector &col = it->second;\n\tcol.currently_active_flows[PROTONUM] -= 1;\n\n}\n\nstatic inline void update_unchanged(LiveFlow *live, UserCounters *cnt,\n                uint32_t wlen,  uint8_t dir) {\n        /* The protocol classification hasn't changed, so just increment\n\t * the packet and byte counters based on the new packet */\n\n\tif (dir == 0) {\n                OUT_BYTES[PROTONUM] += wlen;\n                OUT_PKTS[PROTONUM] += 1;\n        } else {\n                IN_BYTES[PROTONUM] += wlen;\n                IN_PKTS[PROTONUM] += 1;\n        }\n}\n\nstatic inline void update_unchanged_ip(LiveFlow *live, LiveCounters *cnt,\n\t\tuint32_t plen, uint8_t dir) {\n\n\t/* Basically, we are just checking for cases where the flow has not\n\t * seen any outgoing payload originally, but this last packet has\n\t * changed that so we need to count the local IP as active */\n\n\tif (dir != 0)\n\t\treturn;\n\tif (plen == 0)\n\t\treturn;\n\tif (plen != live->out_pbytes)\n\t\treturn;\n\n\tif (PROTONUM == LPI_PROTO_NO_PAYLOAD)\n\t\tassert(0);\n\tassert(live->activated_ip == false);\n\t//printf(\"UNCHANGED: Activating %s\\n\", live->local_ip, PROTONUM);\t\n\tactivate_local_ip(live, &(cnt->active_local), cnt->active_local_ips);\n\tlive->activated_ip = 
true;\n}\n\nstatic inline void update_new(LiveFlow *live, UserCounters *cnt) {\n\n\t/* This is a new flow that has been classified for the first\n\t * time. We therefore need to increase the new, current and\n\t * possibly peak flow counters for whatever protocol we belong\n\t * to */\n        if (live->init_dir == 0) {\n                OUT_NEW[PROTONUM] += 1;\n                OUT_CURR[PROTONUM] += 1;\n\n                if (OUT_CURR[PROTONUM] > OUT_PEAK[PROTONUM])\n                        OUT_PEAK[PROTONUM] = OUT_CURR[PROTONUM];\n        } else {\n                IN_NEW[PROTONUM] += 1;\n                IN_CURR[PROTONUM] += 1;\n\n                if (IN_CURR[PROTONUM] > IN_PEAK[PROTONUM])\n                        IN_PEAK[PROTONUM] = IN_CURR[PROTONUM];\n\n        }\n\n\t/* Also add our packet and byte counts to the appropriate counters */\n\tOUT_BYTES[PROTONUM] += live->out_wbytes;\n\tOUT_PKTS[PROTONUM] += live->out_pkts;\n\tIN_BYTES[PROTONUM] += live->in_wbytes;\n\tIN_PKTS[PROTONUM] += live->in_pkts;\n\t\n}\n\nstatic inline void update_new_ip(LiveFlow *live, LiveCounters *cnt) {\n\n\t/* New flow, so increment the observed IP count */\n\tactivate_local_ip(live, &(cnt->observed_local), cnt->all_local_ips);\n\n\t/* If this flow has sent payload in direction 0, update the active\n\t * IP count too */\n\n\tif (live->out_pbytes == 0) {\n\t\treturn;\n\t}\n\n\tif (PROTONUM == LPI_PROTO_NO_PAYLOAD)\n\t\tassert(0);\n\n\t//printf(\"NEW: Activating %s %d\\n\", live->local_ip, PROTONUM);\t\n\tassert(live->activated_ip == false);\n\tactivate_local_ip(live, &(cnt->active_local), cnt->active_local_ips);\n\tlive->activated_ip = true;\n}\n\n\nstatic inline void update_changed(LiveFlow *live, UserCounters *cnt, \n\t\tuint32_t wlen, uint8_t dir, uint32_t period,\n\t\tlpi_protocol_t old) {\n\n\t/* Protocol has \"changed\" - subtract whatever we would have\n\t * inserted into the previous protocol counter and shift those\n\t * values into the new one */\n\t\n\t/* If the current period is 
the same period as when the flow\n\t * started, we need to correct our new flow counter */\n\tif (period == live->start_period) {\n\n\t\tif (live->init_dir == 0) {\n\t\t\tassert(OUT_NEW[old] > 0);\n\t\t\tOUT_NEW[old] --;\n\t\t\tOUT_NEW[PROTONUM] ++;\n\t\t} else {\n\t\t\tassert(IN_NEW[old] > 0);\n\t\t\tIN_NEW[old] --;\n\t\t\tIN_NEW[PROTONUM] ++;\n\t\t}\n\t}\n\n\t/* Update the current and peak flow counts as necessary. Peak flow\n\t * counts can end up being a bit misleading as a result - you can't\n\t * really do it live AND get complete accuracy :/ */\n\n\tif (live->init_dir == 0) {\n\t\tassert(OUT_CURR[old] > 0);\n\t\tOUT_CURR[old] --;\n\t\tOUT_CURR[PROTONUM] ++;\n                if (OUT_CURR[PROTONUM] > OUT_PEAK[PROTONUM])\n                        OUT_PEAK[PROTONUM] = OUT_CURR[PROTONUM];\n\t} else {\n\t\tassert(IN_CURR[old] > 0);\n\t\tIN_CURR[old] --;\n\t\tIN_CURR[PROTONUM] ++;\n                if (IN_CURR[PROTONUM] > IN_PEAK[PROTONUM])\n                        IN_PEAK[PROTONUM] = IN_CURR[PROTONUM];\n\t}\n\n\t/* The stats in the LiveFlow include the current packet, but the\n\t * current counter values do not so we need to NOT include the current\n\t * packet when correcting the byte and packet counts */\n\n\tif (dir == 0) {\n\n\t\tassert(live->out_wbytes >= wlen);\n\t\tassert(live->out_pkts >= 1);\n\t\tdecrement_counter(IN_BYTES, old, live->in_wbytes);\n\t\tdecrement_counter(IN_PKTS, old, live->in_pkts);\n\t\tdecrement_counter(OUT_BYTES, old, live->out_wbytes - wlen);\n\t\tdecrement_counter(OUT_PKTS, old, live->out_pkts - 1);\n\n\t} else {\n\t\tassert(live->in_wbytes >= wlen);\n\t\tassert(live->in_pkts >= 1);\n\t\tdecrement_counter(OUT_BYTES, old, live->out_wbytes);\n\t\tdecrement_counter(OUT_PKTS, old, live->out_pkts);\n\t\tdecrement_counter(IN_BYTES, old, live->in_wbytes - wlen);\n\t\tdecrement_counter(IN_PKTS, old, live->in_pkts - 1);\n\n\t}\n\t/* Right, now we can add our packets and bytes to the counter for\n\t * our new protocol */\n\tOUT_BYTES[PROTONUM] += 
live->out_wbytes;\n\tOUT_PKTS[PROTONUM] += live->out_pkts;\n\tIN_BYTES[PROTONUM] += live->in_wbytes;\n\tIN_PKTS[PROTONUM] += live->in_pkts;\n}\n\nstatic void update_changed_ip(LiveFlow *live, LiveCounters *cnt, \n\t\tuint32_t plen, uint8_t dir, lpi_protocol_t old) {\n\t\n\tswap_local_ip(live, &cnt->observed_local, cnt->all_local_ips, old);\n\n\tif (live->out_pbytes == 0)\n\t\treturn;\n\t\n\tif (PROTONUM == LPI_PROTO_NO_PAYLOAD)\n\t\tassert(0);\n\tif (dir == 0 && plen == live->out_pbytes) {\n\t\t/* The packet that triggered the change is the first \n\t\t * outgoing packet for this flow, so we haven't activated\n\t\t * the IP for this flow yet! */\n\t\t//printf(\"SWAP: Activating %s %d\\n\", live->local_ip, PROTONUM);\t\n\t\tactivate_local_ip(live, &(cnt->active_local), \n\t\t\t\tcnt->active_local_ips);\n\t\treturn;\n\t}\n\t\n\t//printf(\"Swapping %s %d->%d\\n\", live->local_ip, old, PROTONUM);\t\n\tswap_local_ip(live, &cnt->active_local, cnt->active_local_ips, old);\n}\n\t\n\nint update_protocol_counters(LiveFlow *live, LiveCounters *cnt, uint32_t wlen,\n                uint32_t plen, uint8_t dir) {\n\n\t/* Remember the old protocol before we overwrite it! */\n\tlpi_module_t *old_proto = live->proto;\n\n\t/* We only want to ask lpi for the protocol if there is a chance that\n\t * the protocol may have changed. 
*/\n        if (should_guess(live, plen, dir)) {\n                live->proto = lpi_guess_protocol(&live->lpi);\n        }\n\n        if (live->proto == NULL) {\n                fprintf(stderr, \"Warning: guessed NULL protocol\\n\");\n                return -1;\n        }\n\n        if (old_proto == live->proto) {\n                update_unchanged(live, &cnt->all, wlen, dir);\n\t\tif (cnt->user_tracking) {\n\t\t\tupdate_unchanged(live, cnt->users[live->local_ip],\n\t\t\t\t\twlen, dir);\n\t\t}\n\t\tupdate_unchanged_ip(live, cnt, plen, dir);\n        } else if (old_proto == NULL) {\n                update_new(live, &cnt->all);\n\t\tif (cnt->user_tracking) {\n\t\t\tupdate_new(live, cnt->users[live->local_ip]);\n\t\t}\n\t\tupdate_new_ip(live, cnt);\n\n        } else {\n\t\tupdate_changed(live, &cnt->all, wlen, dir, cnt->reports, \n\t\t\t\told_proto->protocol);\n\t\tif (cnt->user_tracking) {\n\t\t\tupdate_changed(live, cnt->users[live->local_ip],\n\t\t\t\t\twlen, dir, cnt->reports, \n\t\t\t\t\told_proto->protocol);\n\t\t}\n\t\tupdate_changed_ip(live, cnt, plen, dir, old_proto->protocol);\n\t}\n\n\treturn 0;\n}\n\nvoid update_liveflow_stats(LiveFlow *live, libtrace_packet_t *packet,\n\t\tLiveCounters *cnt, uint8_t dir) {\n\n\t/* We're in a new reporting period - reset our stats because we\n \t * only want the amount of traffic since we last reported */\n\tif (live->count_period != cnt->reports) {\n                live->out_wbytes = 0;\n                live->out_pkts = 0;\n                live->in_wbytes = 0;\n                live->in_pkts = 0;\n                live->count_period = cnt->reports;\n        }\n        \n\tassert(trace_get_payload_length(packet) <= 65536);\n\n        if (dir == 0) {\n                live->out_pbytes += trace_get_payload_length(packet);\n                live->out_wbytes += trace_get_wire_length(packet);\n                live->out_pkts += 1;\n        } else {\n                live->in_pbytes += trace_get_payload_length(packet);\n                
live->in_wbytes += trace_get_wire_length(packet);\n                live->in_pkts += 1;\n\n        }\n\n}\n\nstatic inline void update_counter_expired(LiveFlow *live, UserCounters *cnt) {\n\tif (live->init_dir == 0) {\n\t\tassert(OUT_CURR[PROTONUM] != 0);\n\t\tOUT_CURR[PROTONUM] --;\n\t} else {\n\t\tassert(IN_CURR[PROTONUM] != 0);\n\t\tIN_CURR[PROTONUM] --;\n\t}\n}\n\nstatic inline void update_expired_ip(LiveFlow *live, LiveCounters *cnt) {\n\n\tdeactivate_local_ip(live, &(cnt->observed_local));\n\tif (live->out_pbytes == 0)\n\t\treturn;\n\tdeactivate_local_ip(live, &(cnt->active_local));\n\n}\n\nvoid destroy_live_flow(LiveFlow *live, LiveCounters *cnt) {\n\n\t/* Decrement the currently active flow counter for our matching\n\t * protocol */\n\t\n\tupdate_counter_expired(live, &cnt->all);\n\tif (cnt->user_tracking) {\n\t\tupdate_counter_expired(live, cnt->users[live->local_ip]);\n\t}\n\t\n\tupdate_expired_ip(live, cnt);\n\tfree(live);\n}\n"
  },
  {
    "path": "tools/live/live_common.h",
    "content": "/* \n * This file is part of libprotoident\n *\n * Copyright (c) 2011 The University of Waikato, Hamilton, New Zealand.\n * Author: Shane Alcock\n *\n * With contributions from:\n *      Aaron Murrihy\n *      Donald Neal\n *\n * All rights reserved.\n *\n * This code has been developed by the University of Waikato WAND \n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License as published by\n * the Free Software Foundation; either version 2 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License\n * along with libprotoident; if not, write to the Free Software\n * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA\n *\n * $Id$\n */\n\n\n#ifndef LIVE_COMMON_H_\n#define LIVE_COMMON_H_\n\n#include <stdio.h>\n#include <assert.h>\n#include <getopt.h>\n#include <signal.h>\n#include <stdlib.h>\n#include <inttypes.h>\n#include <string.h>\n#include <unistd.h>\n#include <sys/socket.h>\n#include <netinet/in.h>\n#include <arpa/inet.h>\n#include <sys/time.h>\n#include <errno.h>\n#include <sys/types.h>\n#include <netdb.h>\n#include <string>\n\n#include <libprotoident.h>\n#include <libwandevent.h>\n#include <libflowmanager.h>\n\nusing namespace std;\n\nstruct IPCollector {\n\tIPCollector() {\n\t\tmemset(currently_active_flows, 0, LPI_PROTO_LAST * sizeof(uint64_t));\n\t\tmemset(total_observed_period, 0, LPI_PROTO_LAST * sizeof(uint64_t));\n\t}\n\n\tuint64_t currently_active_flows[LPI_PROTO_LAST];\n\tuint64_t total_observed_period[LPI_PROTO_LAST];\n};\n\ntypedef 
map<string, IPCollector> IPMap;\n\n/* This structure contains all the current values for all the statistics we\n * want our collector to be able to track on a per-user basis. There is an \n * entry in each array for each supported LPI protocol */\ntypedef struct user_counts {\n\t\n\t/* Incoming packets */\n        uint64_t in_pkt_count[LPI_PROTO_LAST];\n\t/* Outgoing packets */\n        uint64_t out_pkt_count[LPI_PROTO_LAST];\n\t/* Incoming bytes (based on wire length) */\n        uint64_t in_byte_count[LPI_PROTO_LAST];\n\t/* Outgoing bytes (based on wire length) */\n        uint64_t out_byte_count[LPI_PROTO_LAST];\n\t/* New flows originating from outside the local network */\n        uint64_t in_flow_count[LPI_PROTO_LAST];\n\t/* New flows originating from inside the local network */\n        uint64_t out_flow_count[LPI_PROTO_LAST];\n\n\t/* Currently active flows that originated from outside */\n        uint64_t in_current_flows[LPI_PROTO_LAST];\n\t/* Currently active flows that originated from inside */\n        uint64_t out_current_flows[LPI_PROTO_LAST];\n\t/* Peak values for in_current_flows since the last report */\n        uint64_t in_peak_flows[LPI_PROTO_LAST];\n\t/* Peak values for out_current_flows since the last report */\n        uint64_t out_peak_flows[LPI_PROTO_LAST];\n\t\n\t/* Number of remote IPs that are talking to us */\n\tuint64_t remote_ips[LPI_PROTO_LAST];\n} UserCounters;\n\ntypedef map <string, UserCounters *> UserMap;\n\ntypedef struct counters {\n\n\t/* The number of times that the counters have been reset, which\n\t * should correspond with the number of times we have reported\n\t * statistics (hence the name 'reports' rather than 'resets')\n\t */\n\tuint32_t reports;\n\tuint32_t user_count;\n\t\t\n\tUserCounters all;\n\tUserMap users;\n       \n       \t/* These aren't useful to track on a per user basis */ \n\tIPMap active_local;\n\tIPMap observed_local;\n\n\tuint64_t all_local_ips[LPI_PROTO_LAST];\n\tuint64_t 
active_local_ips[LPI_PROTO_LAST];\n\n\tbool user_tracking;\n\n} LiveCounters;\n\n/* Structure containing all the data we want to store for each flow */\ntypedef struct live {\n\t/* The direction of the first packet for the flow */\n        uint8_t init_dir;\n        \n\t/* The local IP, stored as a string */\n        char local_ip[INET6_ADDRSTRLEN];\n\t/* The remote IP, stored as a string */\n        char ext_ip[INET6_ADDRSTRLEN]; \n\n\t/** Statistics about this flow\n\t * NOTE: byte and packet counts are not for the flow as a whole, but\n\t * instead refer to what has been seen during the current reporting\n\t * period, i.e. since the last time reset_counters() was called.\n\t */\n\t/* Incoming packets observed for the flow */\n        uint64_t in_pkts;\n\t/* Outgoing packets observed for the flow */\n        uint64_t out_pkts;\n\t/* Incoming bytes (wire length) observed for the flow */\n        uint64_t in_wbytes;\n\t/* Incoming bytes (payload length) observed for the flow */\n        uint64_t in_pbytes;\n\t/* Outgoing bytes (wire length) observed for the flow */\n        uint64_t out_wbytes;\n\t/* Outgoing bytes (payload length) observed for the flow */\n        uint64_t out_pbytes;\n        \n\t/* Timestamp when this flow was first observed */\n\tdouble start_ts;\n\n\t/* The reporting period when this flow was first observed */\n        uint32_t start_period;\n\t/* The reporting period when this flow was last observed */\n        uint32_t count_period;\n\n\t/* LPI data structure - needed for classification */\n        lpi_data_t lpi;\n\t/* The protocol that this flow matches */\n        lpi_module_t *proto;\n\n\tbool activated_ip;\n} LiveFlow;\n\n\n/* Allocates and initialises a new LiveFlow structure and attaches it to the\n * provided Flow structure. \n * \n * When you're done with the flow, make sure to call destroy_live_flow!\n */\nvoid init_live_flow(LiveCounters *cnt, Flow *f, uint8_t dir, double ts);\n\n/* Initialises a LiveCounters structure. 
Does not allocate memory - you should\n * pass in a pointer to an existing instance of LiveCounters.\n *\n * This will reset ALL the counter values and the report count to zero.\n */\nvoid init_live_counters(LiveCounters *cnt, bool track_users);\n\n/* Resets the counters - if not doing cumulative stats, this should be called\n * after outputting the counters. \n *\n * If wipe_all is true, then the currently active flow counts will be set to\n * zero (probably not what you want).\n * If wipe_all is false, the currently active flow counts will be retained and\n * the peak active flow counts will be set to the currently active flow count.\n *\n * Calling this function will also increment the reports value in the \n * LiveCounters structure.\n */\nvoid reset_counters(LiveCounters *cnt, bool wipe_all);\n\n/* Dumps the values of all the counters to standard output\n * ts should be set to the timestamp when the counters were last reset\n * local_id is a string that will identify this particular measurement process,\n * \te.g. the source of the packets\n * report_freq is the number of seconds that have passed since the counters\n * \twere last reset (this will be included in the output so users can do\n *\trate calculations).\n *\n * Counters are not reset after dumping - you need to call reset_counters()\n * to do that.\n */\nvoid dump_counters_stdout(UserCounters *cnt, double ts, char *local_id, \n                uint32_t report_freq);\n\n/* Updates the counters based on the most recent packet for a given flow.\n * If the classification for the flow has changed, the counters for the old\n * protocol are decreased appropriately and the flow stats are reattributed\n * to the new protocol.\n *\n * Workflow is important with this function - it should be called AFTER calling\n * both update_liveflow_stats() AND lpi_update_data(). 
See lpi_live.cc for a\n * working example.\n *\n * wlen is the wire length for the most recent packet.\n * plen is the payload length for the most recent packet.\n * dir is the direction of the most recent packet.\n *\n * Returns -1 if an error occurs, 0 if successful.\n */\nint update_protocol_counters(LiveFlow *live, LiveCounters *cnt, uint32_t wlen, \n\t\tuint32_t plen, uint8_t dir);\n\n/* Cleans up a LiveFlow structure that had been created using init_live_flow().\n * Also decrements the appropriate current flow counter, so you can call this\n * when a flow expires and ensure the counter is correct. */\nvoid destroy_live_flow(LiveFlow *live, LiveCounters *cnt);\n\n/* Updates the statistics stored in the LiveFlow structure, based on the\n * provided packet. \n *\n * First, it checks if the counters have been reset since the last time the \n * flow was updated. If so, the stats are reset to zero (the stats only refer\n * to the current reporting period).\n *\n * After that, the byte and packet counts are incremented accordingly.\n */\nvoid update_liveflow_stats(LiveFlow *live, libtrace_packet_t *packet,\n                LiveCounters *cnt, uint8_t dir);\n                \n\n#endif\n"
  },
  {
    "path": "tools/live/lpi_live.cc",
    "content": "/* \n * This file is part of libprotoident\n *\n * Copyright (c) 2011 The University of Waikato, Hamilton, New Zealand.\n * Author: Shane Alcock\n *\n * With contributions from:\n *      Aaron Murrihy\n *      Donald Neal\n *\n * All rights reserved.\n *\n * This code has been developed by the University of Waikato WAND \n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License as published by\n * the Free Software Foundation; either version 2 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License\n * along with libprotoident; if not, write to the Free Software\n * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA\n *\n * $Id$\n */\n\n#define __STDC_FORMAT_MACROS\n\n#include <stdio.h>\n#include <assert.h>\n#include <getopt.h>\n#include <sys/socket.h>\n#include <netinet/in.h>\n#include <arpa/inet.h>\n#include <stdlib.h>\n#include <inttypes.h>\n#include <signal.h>\n#include <string.h>\n#include <unistd.h>\n\n#include <libtrace.h>\n#include <libflowmanager.h>\n#include <libpacketdump.h>\n#include <libprotoident.h>\n\n#include \"../tools_common.h\"\n#include \"live_common.h\"\n\nenum {\n        DIR_METHOD_TRACE,\n        DIR_METHOD_MAC,\n        DIR_METHOD_PORT\n};\n\nint dir_method = DIR_METHOD_PORT;\n\nchar *local_mac = NULL;\nuint8_t mac_bytes[6];\n\nstatic volatile int done = 0;\n\nuint32_t report_freq = 60;\nchar local_id[256];\n\nbool output_rrd = false;\n\nLiveCounters counts;\n\nvoid dump_rrd_counters(double ts) {\n\tint i;\n\t\n\n\tfor (i = 
0; i < LPI_PROTO_LAST; i++) {\n\t\tif (lpi_is_protocol_inactive((lpi_protocol_t)i))\n\t\t\tcontinue;\n\t\tfprintf(stdout, \"%s %s %u:\", local_id, lpi_print((lpi_protocol_t)i), (uint32_t)ts);\n\t\tfprintf(stdout, \"%\" PRIu64 \":\", counts.all.in_pkt_count[i]);\n\t\tfprintf(stdout, \"%\" PRIu64 \":\", counts.all.out_pkt_count[i]);\n\t\tfprintf(stdout, \"%\" PRIu64 \":\", counts.all.in_byte_count[i]);\n\t\tfprintf(stdout, \"%\" PRIu64 \":\", counts.all.out_byte_count[i]);\n\t\tfprintf(stdout, \"%\" PRIu64 \":\", counts.all.in_flow_count[i]);\n\t\tfprintf(stdout, \"%\" PRIu64 \":\", counts.all.out_flow_count[i]);\n\t\tfprintf(stdout, \"%\" PRIu64 \":\", counts.all.in_current_flows[i]);\n\t\tfprintf(stdout, \"%\" PRIu64 \"\\n\", counts.all.out_current_flows[i]);\n\t}\n\n}\n\n/* Expires all flows that libflowmanager believes have been idle for too\n * long. The exp_flag variable tells libflowmanager whether it should force\n * expiry of all flows (e.g. if you have reached the end of the program and\n * want the stats for all the still-active flows). 
Otherwise, only flows\n * that have been idle for longer than their expiry timeout will be expired.\n */\nvoid expire_live_flows(double ts, bool exp_flag) {\n        Flow *expired;\n\n        /* Loop until libflowmanager has no more expired flows available */\n\twhile ((expired = lfm_expire_next_flow(ts, exp_flag)) != NULL) {\n\n                LiveFlow *live = (LiveFlow *)expired->extension;\n\t\t\n\t\tdestroy_live_flow(live, &counts);\n\t\t\n\t\t/* VERY IMPORTANT: delete the Flow structure itself, even\n\t\t * though we did not directly allocate the memory ourselves */\n\t\tlfm_release_flow(expired);\n\n        }\n}\n\n\nvoid per_packet(libtrace_packet_t *packet) {\n\n        Flow *f;\n        LiveFlow *live = NULL;\n        uint8_t dir;\n        bool is_new = false;\n\n        libtrace_tcp_t *tcp = NULL;\n        void *l3;\n\tdouble ts;\n\n        uint16_t l3_type = 0;\n\n        l3 = trace_get_layer3(packet, &l3_type, NULL);\n        if (l3_type != TRACE_ETHERTYPE_IP && l3_type != TRACE_ETHERTYPE_IPV6) \n\t\treturn;\n        if (l3 == NULL) return;\n\n\t/* Expire all suitably idle flows */\n        ts = trace_get_seconds(packet);\n        expire_live_flows(ts, false);\n\n\t/* Determine packet direction */\n\tif (dir_method == DIR_METHOD_TRACE) {\n                dir = trace_get_direction(packet);\n        }\n        if (dir_method == DIR_METHOD_MAC) {\n                dir = mac_get_direction(packet, mac_bytes);\n        }\n        if (dir_method == DIR_METHOD_PORT) {\n                dir = port_get_direction(packet);\n        }\n\n\n        if (dir != 0 && dir != 1)\n                return;\n\n        \n\t/* Match the packet to a Flow - this will create a new flow if\n\t * there is no matching flow already in the Flow map and set the\n\t * is_new flag to true. 
*/\n        f = lfm_match_packet_to_flow(packet, dir, &is_new);\n\n\t/* Libflowmanager did not like something about that packet - best to\n\t * just ignore it and carry on */\n        if (f == NULL) {\n                return;\n\t}\n\n        tcp = trace_get_tcp(packet);\n\t/* If the returned flow is new, you will probably want to allocate and\n\t * initialise any custom data that you intend to track for the flow */\n        if (is_new) {\n                init_live_flow(&counts, f, dir, ts);\n\t    \tlive = (LiveFlow *)f->extension;\n\t} else {\n        \tlive = (LiveFlow *)f->extension;\n\t\t//if (tcp && tcp->syn && !tcp->ack)\n\t\t//\tlive->init_dir = dir;\n\t}\n\n\tupdate_liveflow_stats(live, packet, &counts, dir);\n\n\t/* Pass the packet into libprotolive so that it can extract any\n\t * info it needs from this packet */\n\tlpi_update_data(packet, &live->lpi, dir);\n\n\tif (update_protocol_counters(live, &counts,\n\t\t\ttrace_get_wire_length(packet), \n\t\t\ttrace_get_payload_length(packet), dir) == -1) {\n\t\t\n\t\ttrace_dump_packet(packet);\n\t\t//dump_live_flow(live);\n\t}\n\n\n\n        /* Update TCP state for TCP flows. The TCP state determines how long\n\t * the flow can be idle before being expired by libflowmanager. 
For\n\t * instance, flows for which we have only seen a SYN will expire much\n\t * quicker than a TCP connection that has completed the handshake */\n        if (tcp) {\n                lfm_check_tcp_flags(f, tcp, dir, ts);\n        }\n\n        /* Tell libflowmanager to update the expiry time for this flow */\n        lfm_update_flow_expiry_timeout(f, ts);\n\n\n}\n\nstatic void cleanup_signal(int sig) {\n\t(void)sig;\n\tdone=1;\n}\n\nstatic void usage(char *prog) {\n\n        printf(\"Usage details for %s\\n\\n\", prog);\n        printf(\"%s [-i <freq>] [-m <monitor id>] [-l <mac] [-T] [-f <filter>] [-r] [-R] [-H] inputURI [inputURI ...]\\n\\n\", prog);\n        printf(\"Options:\\n\");\n\tprintf(\"  -l <mac>      Determine direction based on <mac> representing the 'inside' \\n                 portion of the network\\n\");\n\tprintf(\"  -m <id>\tId number to use for this monitor (defaults to $HOSTNAME)\\n\");\n\tprintf(\"  -T            Use trace direction tags to determine direction\\n\");\n        printf(\"  -f <filter>   Ignore flows that do not match the given BPF filter\\n\");\n        printf(\"  -R            Ignore flows involving private RFC 1918 address space\\n\");\n        printf(\"  -i <freq>\tReport statistics every <freq> seconds\\n\");\n\tprintf(\"  -r\t\tOutput results in a format that can be easily used to update an RRD\\n\");\n\texit(0);\n\n}\n\n\nint main(int argc, char *argv[]) {\n\n\tlibtrace_t *trace;\n\tlibtrace_packet_t *packet;\n\tlibtrace_filter_t *filter = NULL;\n\tstruct sigaction sigact;\n\n\tbool opt_true = true;\n\tbool opt_false = false;\n\n\tint i, opt;\n\tdouble ts;\n\tchar *filterstring = NULL;\n\tint dir;\n\tbool ignore_rfc1918 = false;\n\n\tdouble next_report = 0.0;\n\n\tuint32_t max_reports = 0;\n\tuint32_t reports_done = 0;\n\n\tif (gethostname(local_id, 256) == -1) {\n\t\tstrncpy(local_id, \"unknown\", 256);\n\t}\n\n\tpacket = trace_create_packet();\n\tif (packet == NULL) {\n\t\tperror(\"Creating libtrace 
packet\");\n\t\treturn -1;\n\t}\n\n\twhile ((opt = getopt(argc, argv, \"ri:f:Rhl:Tm:\")) != EOF) {\n\t\tswitch (opt) {\n\t\t\tcase 'l':\n\t\t\t\tlocal_mac = optarg;\n\t\t\t\tdir_method = DIR_METHOD_MAC;\n\t\t\t\tbreak;\n\t\t\tcase 'T':\n\t\t\t\tdir_method = DIR_METHOD_TRACE;\n\t\t\t\tbreak;\n\t\t\tcase 'f':\n\t\t\t\tfilterstring = optarg;\n\t\t\t\tbreak;\n\t\t\tcase 'r':\n\t\t\t\toutput_rrd = true;\n\t\t\t\tbreak;\n\t\t\tcase 'R':\n\t\t\t\tignore_rfc1918 = true;\n\t\t\t\tbreak;\n\t\t\tcase 'i':\n\t\t\t\treport_freq = atoi(optarg);\n\t\t\t\tbreak;\n\t\t\tcase 'm':\n\t\t\t\tstrncpy(local_id, optarg, 256);\n\t\t\t\tbreak;\n\t\t\tcase 'h':\n\t\t\tdefault:\n\t\t\t\tusage(argv[0]);\n\t\t\t}\n\t}\n\n\tif (filterstring != NULL) {\n\t\tfilter = trace_create_filter(filterstring);\n\t}\n\n\tif (local_mac != NULL) {\n\t\tif (convert_mac_string(local_mac, mac_bytes) < 0) {\n\t\t\tfprintf(stderr, \"Invalid MAC: %s\\n\", local_mac);\n\t\t\treturn 1;\n\t\t}\n\t}\n\n\t/* This tells libflowmanager to ignore any flows where an RFC1918\n\t * private IP address is involved */\n\tif (lfm_set_config_option(LFM_CONFIG_IGNORE_RFC1918, \n\t\t&ignore_rfc1918) == 0)\n\t\treturn -1;\n\n\t/* This tells libflowmanager not to replicate the TCP timewait\n\t * behaviour where closed TCP connections are retained in the Flow\n\t * map for an extra 2 minutes */\n\tif (lfm_set_config_option(LFM_CONFIG_TCP_TIMEWAIT, &opt_false) == 0)\n\t\treturn -1;\n\n\t/* This tells libflowmanager not to utilise the fast expiry rules for\n\t * short-lived UDP connections - these rules are experimental \n\t * behaviour not in line with recommended \"best\" practice */\n\tif (lfm_set_config_option(LFM_CONFIG_SHORT_UDP, &opt_false) == 0)\n\t\treturn -1;\n\n\tsigact.sa_handler = cleanup_signal;\n\tsigemptyset(&sigact.sa_mask);\n\tsigact.sa_flags = SA_RESTART;\n\n\tsigaction(SIGINT, &sigact, NULL);\n\tsigaction(SIGTERM, &sigact, NULL);\n\n\tsignal(SIGINT,&cleanup_signal);\n\tsignal(SIGTERM,&cleanup_signal);\n\n\tif 
(lpi_init_library() == -1)\n\t\treturn -1;\n\n\tinit_live_counters(&counts, false);\n\n\tif (optind == argc) {\n\t\tfprintf(stderr, \"No input sources specified!\\n\");\n\t\tusage(argv[0]);\n\t}\n\n\tfor (i = optind; i < argc; i++) {\n\t\tfprintf(stderr, \"%s\\n\", argv[i]);\n\n\t\t/* Bog-standard libtrace stuff for reading trace files */\n\t\ttrace = trace_create(argv[i]);\n\n\t\tif (!trace) {\n\t\t\tperror(\"Creating libtrace trace\");\n\t\t\treturn -1;\n\t\t}\n\n\t\tif (trace_is_err(trace)) {\n\t\t\ttrace_perror(trace, \"Opening trace file\");\n\t\t\ttrace_destroy(trace);\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (filter && trace_config(trace, TRACE_OPTION_FILTER, filter) == -1) {\n\t\t\ttrace_perror(trace, \"Configuring filter\");\n\t\t\ttrace_destroy(trace);\n\t\t\treturn -1;\n\t\t}\n\n\t\tif (trace_start(trace) == -1) {\n\t\t\ttrace_perror(trace, \"Starting trace\");\n\t\t\ttrace_destroy(trace);\n\t\t\tcontinue;\n\t\t}\n\t\twhile (trace_read_packet(trace, packet) > 0) {\n\t\tts = trace_get_seconds(packet);\n\t\t\tper_packet(packet);\n\t\t\tif (next_report == 0.0 && ts != 0.0) {\n\t\t\t\tnext_report = ts + report_freq;\n\t\t\t}\n\n\t\t\twhile (ts > next_report) {\n\t\t\t\tif (output_rrd) {\n\t\t\t\t\tdump_rrd_counters(next_report - report_freq);\n\t\t\t\t} else {\n\t\t\t\t\tdump_counters_stdout(&counts.all, next_report - report_freq, local_id, report_freq);\n\t\t\t\t}\n\t\t\t\treset_counters(&counts, false);\n\t\t\t\tnext_report += report_freq;\n\t\t\t\treports_done ++;\n\n\t\t\t\tif (max_reports != 0 && \n\t\t\t\t\t\treports_done >= max_reports)\n\t\t\t\t\tdone = 1;\n\t\t\t}\n\n\t\t\tif (done)\n\t\t\t\tbreak;\n\n\t\t}\n\n\t\tif (done) {\n\t\t\ttrace_destroy(trace);\n\t\t\tbreak;\n\t\t}\n\t\t\n\t\tif (trace_is_err(trace)) {\n\t\t\ttrace_perror(trace, \"Reading packets\");\n\t\t\ttrace_destroy(trace);\n\t\t\tcontinue;\n\t\t}\n\n\t\ttrace_destroy(trace);\n\n\t}\n\n\treset_counters(&counts, false);\n\n\ttrace_destroy_packet(packet);\n\texpire_live_flows(ts, 
true);\n\tlpi_free_library();\n\n\treturn 0;\n\n}\n"
  },
  {
    "path": "tools/live/lpicp.cc",
    "content": "#include <sys/param.h>\n#include \"lpicp.h\"\n\n/* Handy 32 bit byteswapping function - borrowed from libtrace */\nstatic inline uint32_t byteswap32(uint32_t num)\n{\n\treturn ((num&0x000000FFU)<<24)\n\t\t| ((num&0x0000FF00U)<<8)\n\t\t| ((num&0x00FF0000U)>>8)\n\t\t| ((num&0xFF000000U)>>24);\n}\n\n\n/* Even handier 64 bit byte swapping function */\nstatic inline uint64_t byteswap64(uint64_t num)\n{\n\treturn (byteswap32((num&0xFFFFFFFF00000000ULL)>>32))\n\t\t|((uint64_t)byteswap32(num&0x00000000FFFFFFFFULL)<<32);\n}\n\n\n#ifndef __BYTE_ORDER\n#warning \"Byte order is not defined\"\n#endif\n\n\n\nuint64_t ntoh64(uint64_t num) {\n#if __BYTE_ORDER == __BIG_ENDIAN\n\treturn num;\n#else\n\treturn byteswap64(num);\n#endif\n}\n\nuint64_t hton64(uint64_t num) {\n#if __BYTE_ORDER == __BIG_ENDIAN\n\treturn num;\n#else\n\treturn byteswap64(num);\n#endif\n}\n"
  },
  {
    "path": "tools/live/lpicp.h",
    "content": "#ifndef LPICP_H\n#define LPICP_H\n\n#include <stdint.h>\n\nenum lpicp_record {\n        LPICP_STATS,\n        LPICP_ONGOING,\n        LPICP_EXPIRED \n};\n\nenum lpicp_metric {\n\tLPICP_METRIC_PKTS,\n\tLPICP_METRIC_BYTES,\t\n\tLPICP_METRIC_NEW_FLOWS,\n\tLPICP_METRIC_CURR_FLOWS,\n\tLPICP_METRIC_PEAK_FLOWS,\n\tLPICP_METRIC_ACTIVE_IPS\n};\n\n/* Structure which defines a custom header used at the start of a packet which \n * contains flow records that are to be exported over a network.\n * It contains the information that is common for all the flows. */\ntypedef struct __attribute__((packed)) lpicp_header {\n\t\n\tuint8_t version;\n\tuint8_t record_type;\n\tuint16_t total_len;\n\tuint16_t name_len;\n\tuint16_t reserved;\n\n} Lpicp_header_t ;\n\n/* Structure which defines a stat header used for LPICP_STATS records */\ntypedef struct __attribute__((packed)) lpicp_stat_header {\n\tuint32_t secs;\n\tuint32_t usecs;\n\tuint32_t freq;\n\tuint8_t dir;\n\tuint8_t metric;\n\tuint16_t num_records;\t\t\n} Lpicp_stat_header_t;\n\n/* Function to convert a uint64_t to Host Byte Order from Network Byte Order */\nuint64_t ntoh64(uint64_t num);\n\n/* Function to convert a uint64_t to Network Byte Order from Host Byte Order */\nuint64_t hton64(uint64_t num);\n#endif\n"
  },
  {
    "path": "tools/live/lpicp_export.cc",
    "content": "#define __STDC_FORMAT_MACROS\n\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <inttypes.h>\n#include <assert.h>\n\n#include \"lpicp.h\"\n#include \"live_common.h\" \n\nLpi_collect_buffer_t buffer;\nLpicp_header_t *tmp_hdr;\n\nvoid lpi_create_header (char *local_id )\n{ \n\t /* Casting the buffer struct as a Lpicp_header_t and filling in the available \n\t * values*/\n\ttmp_hdr = (Lpicp_header_t *)&(buffer.buf[buffer.buf_used]);\n\ttmp_hdr->version = 1;\n\ttmp_hdr->record_type = LPICP_STATS;\n\t\n\t/* Restricting local_id to 100 characters */\n\tif ( strlen(local_id) > 100) {\n\t\tchar tmp[100];\n\t\tstrncpy(tmp, local_id, 100);\n\t\tlocal_id = tmp;\t\t\n\t}\t\n\t\n\ttmp_hdr->name_len = ntohs((uint16_t)strlen(local_id));\n\ttmp_hdr->reserved = 0;\n\t\n\t/* Incrementing buf_used with the size of the struct Lpicp_header_t, which\n\t * is 8bytes */\n\tbuffer.buf_used = sizeof(tmp_hdr);\n}\n\nvoid lpi_add_localId (char *local_id )\n{\n\t/* Copy the local_id into the buffer and increment buffer.buf_used */\n\tchar* s = strcpy(&buffer.buf[buffer.buf_used], local_id);\n\tbuffer.buf_used += strlen(local_id);\t\n}\n\nvoid lpi_add_subheader (struct timeval tv, uint32_t report_len, uint8_t dir, uint8_t metric)\n{\n\t/* Casting the buffer struct as a Lpicp_stat_header_t and filling in the available \n\t * values*/\n\tLpicp_stat_header_t *tmp_stat_hdr = \n\t\t\t(Lpicp_stat_header_t *)&(buffer.buf[buffer.buf_used]);\n\t\n\ttmp_stat_hdr->secs = ntohl(tv.tv_sec);\n\ttmp_stat_hdr->usecs = ntohl(tv.tv_usec);\n\ttmp_stat_hdr->freq = ntohl(report_len);\n\ttmp_stat_hdr->dir = dir; \n\ttmp_stat_hdr->metric = metric;\n\t\t\n\t/* Incrementing buf_used with the size of the struct Lpicp_stat_header_t, \n\t * which is 8bytes */\n\t buffer.buf_used += sizeof(Lpicp_stat_header_t);\n}\n\n/*0 if you have to stop and start a new record\n 1 if you managed to fit the current protocol in\n*/\nint lpi_print_proto_values(int index, uint64_t* array)\n{\n\t/* 
Check that the total size of the bytes to be added for a particular \n\t * protocol(protocol name length, protocol name, value) won't exceed the \n\t * total number of bytes in buffer.buf */\n\tif ((1 + (strlen(lpi_print((lpi_protocol_t) index))) + sizeof(uint64_t)) \n\t\t\t\t> (sizeof(buffer.buf) - buffer.buf_used)) {\t\t\t\t\t\n\t\treturn 0;\n\t} else {\n\t\t/* Adding length of the protocol name to the buffer */\n\t\tint len = (strlen(lpi_print((lpi_protocol_t) index)));\n\t\tuint8_t temp_len = len;\n\t\t\n\t\tuint8_t *proto_len = (uint8_t *)&(buffer.buf[buffer.buf_used]);\n\t\t*proto_len = temp_len;\n\t\tbuffer.buf_used++;\t\n\t\t\t\t\n\t\t/* Adding the protocol name */\n\t\tchar* s = strcpy(&buffer.buf[buffer.buf_used], \n\t\t\t\t\t\tlpi_print((lpi_protocol_t) index));\n\t\tbuffer.buf_used += len;\t\n\t\t\n\t\t/* Adding the value */\n\t\tuint64_t *value = (uint64_t *)&(buffer.buf[buffer.buf_used]);\n\t\t*value = hton64(array[index]);\n\t\tbuffer.buf_used += sizeof(uint64_t);\n\t\t\n\t\treturn 1;\t\t\n\t}\t\n}\n\nvoid lpi_export_single_counter (uint64_t* array, struct timeval tv, uint8_t dir,\n\t\t\t\tuint8_t metric, char* local_id, uint32_t report_len)\n{\n\tuint32_t current_proto_id = 0;\n\t\n\twhile (current_proto_id != LPI_PROTO_LAST ) {\n\t\t\n\t\t/* Resetting the buffer */\n\t\tbuffer.buf_used = 0;\t\n\t\tbuffer.buf_exported = 0;\n\t\t\n\t\t/* Resetting the number of records exported in this packet */\n\t\t/* Set the number of exported records */\n\t\tint i = sizeof(Lpicp_header_t) + strlen(local_id);\n\t\tLpicp_stat_header_t *tmp_stat_hdr = (Lpicp_stat_header_t *)&(buffer.buf[i]);\n\t\ttmp_stat_hdr->num_records = ntohs(0);\n\t\tint num_rec = 0;\n\t\t\n\t\t/* Adding the header, local_id and subheader to the buffer */\n\t\tlpi_create_header(local_id);\n\t\tlpi_add_localId(local_id);\n\t\tlpi_add_subheader(tv, report_len, dir, metric);\n\t\t\n\t\tfor (current_proto_id; current_proto_id < LPI_PROTO_LAST; current_proto_id++) {\t\t\n\t\t\t\n\t\t\tint ret = 
lpi_print_proto_values(current_proto_id, array);\n\t\t\t\n\t\t\tif (ret == 0) \n\t\t\t\tbreak;\t\n\t\t\telse\n\t\t\t\tnum_rec++;\n\t\t}\n\t\t\n\t\t/* Set the total length of the packet */\n\t\ttmp_hdr->total_len = ntohs(buffer.buf_used);\n\t\t\n\t\t/* Set the number of records exported in this flow */\n\t\ttmp_stat_hdr->num_records = ntohs(num_rec);\t\t\n\t\twrite_buffer_network(&buffer);\t\t\t\n\t}\t\t \t\t\t\n}\n\nvoid lpicp_export_counters(LiveCounters *count, struct timeval tv, char *local_id, \n\t\tuint32_t report_len)\n{ \n\t/* Exporting incoming packet counts */\n\tlpi_export_single_counter( count->in_pkt_count, tv, 1, LPICP_METRIC_PKTS, \n\t\t\t\tlocal_id, report_len);\t\n\t\t\t\t\n\t/* Outgoing packets */\n\tlpi_export_single_counter( count->out_pkt_count, tv, 0, LPICP_METRIC_PKTS, \n\t\t\t\tlocal_id, report_len);\t\n\t\t\t\t\n\t/* Incoming bytes (based on wire length) */\n\tlpi_export_single_counter( count->in_byte_count, tv, 1, LPICP_METRIC_BYTES, \n\t\t\t\tlocal_id, report_len);\t\n          \n\t/* Outgoing bytes (based on wire length) */\n\tlpi_export_single_counter( count->out_byte_count, tv, 0, LPICP_METRIC_BYTES, \n\t\t\t\tlocal_id, report_len);\n\t\n\t/* New flows originating from outside the local network */\n        lpi_export_single_counter( count->in_flow_count, tv, 1, LPICP_METRIC_NEW_FLOWS, \n\t\t\t\tlocal_id, report_len);\n                \n\t/* New flows originating from inside the local network */\n\tlpi_export_single_counter( count->out_flow_count, tv, 0, LPICP_METRIC_NEW_FLOWS, \n\t\t\t\tlocal_id, report_len);\n\t\t\t\t\n\t/* Peak values for in_current_flows since the last report */\n\tlpi_export_single_counter( count->in_peak_flows, tv, 1, LPICP_METRIC_PEAK_FLOWS, \n\t\t\t\tlocal_id, report_len);\n        \n\t/* Peak values for out_current_flows since the last report */\n\tlpi_export_single_counter( count->out_peak_flows, tv, 0, LPICP_METRIC_PEAK_FLOWS, \n\t\t\t\tlocal_id, report_len);\t\n\n\t/* Number of local IPs observed using each 
protocol */\t\t\t\n\tlpi_export_single_counter( count->local_ips, tv, 1, LPICP_METRIC_ACTIVE_IPS, \n\t\t\t\tlocal_id, report_len);\t\n}\n\n\n\n\n\n\n"
  },
  {
    "path": "tools/live/lpicp_export.h",
    "content": "#ifndef LPICP_EXPORT_H\n#define LPICP_EXPORT_H\n\n#include \"lpicp.h\"\n#include \"live_common.h\"\n\n/*\n * Exports all counters defined in the struct LiveCounters.\n * \n * cnt is the struct which contains all the arrays with the protocol values.\n * tv is the timestamp when the counters were last reset.\n * local_id is a string that will identify this particular measurement process,\n * \te.g. the source of the packets\n * report_len  is the number of seconds that have passed since the counters\n * \twere last reset (this will be included in the output so users can do\n *\trate calculations). \n */\nvoid lpicp_export_counters(LiveCounters *cnt, struct timeval tv, char *local_id, \n\t\tuint32_t report_len);\n\n\n/* Exports a single counter over the network by adding data(protocol length, \n * name, and value) to the buffer for each of the protocols supported by Libprotoident.\n * \n * array is the array of counters that needs to be exported, e.g. in_pkt_count[].\n * tv is the timestamp when the counters were last reset.\n * dir is the direction of the most recent packet.\n * metric is the type of counter being exported, one of the lpicp_metric\n * \tvalues from lpicp.h (e.g. LPICP_METRIC_PKTS).\n * local_id is a string that will identify this particular measurement process,\n * \te.g. the source of the packets\n * report_len  is the number of seconds that have passed since the counters\n * \twere last reset (this will be included in the output so users can do\n *\trate calculations). \n */\t\t\nvoid lpi_export_single_counter (uint64_t * array, struct timeval tv, uint8_t dir,\n\t\t\t\tuint8_t metric, char* local_id, uint32_t report_len);\n\n\n/* Creates a header for the custom buffer which will contain flow records.\n * This header contains the information that is common for all flows.\n * \n * local_id is a string that will identify this particular measurement process,\n * \te.g. the source of the packets\n */\t\t\t\nvoid lpi_create_header (char *local_id );\n\n/* Adds the local_id after the header has been added to the buffer. 
\n * \n * local_id is a string that will identify this particular measurement process,\n * \te.g. the source of the packets\n * The copy in lpicp_export.cc uses strcpy with no length check, so local_id\n * \tmust fit in the space left in the buffer.\n */\nvoid lpi_add_localId (char *local_id );\n\n\n/* Adds the subheader to the buffer after the header and local_id have been added.\n * \n * tv is the timestamp when the counters were last reset.\n * report_len  is the number of seconds that have passed since the counters\n * \twere last reset (this will be included in the output so users can do\n *\trate calculations).\n * dir is the direction of the most recent packet.\n * metric is the type of counter being exported, one of the lpicp_metric\n * \tvalues from lpicp.h (e.g. LPICP_METRIC_PKTS).\n */\nvoid lpi_add_subheader (struct timeval tv, uint32_t report_len, uint8_t dir, \n\t\t\t\tuint8_t metric);\n\t\n\t\t\t\t\n/* Appends the protocol details(protocol name length, name and value) from the \n * array in the arguments to the buffer which is to be exported over the network.\n * \n * index is the index of the protocol which is used to retrieve the protocol length,\n * name and value from the array.\n * array is the array of counters that needs to be exported, e.g. in_pkt_count[].\n * \n * Returns 0 if the entry for a protocol would overflow the buffer, or else 1.\n */\t\t\t\nint lpi_print_proto_values(int index, uint64_t* array);\n\t\t\n#endif\n"
  },
  {
    "path": "tools/protoident/Makefile.am",
    "content": "bin_PROGRAMS=lpi_protoident\n\nman_MANS = lpi_protoident.1\nEXTRA_DIST = $(man_MANS)\n\ninclude ../Makefile.tools\nlpi_protoident_SOURCES=lpi_protoident.cc ../tools_common.cc\nlpi_protoident_LDADD = @ADD_LIBS@ -lprotoident\n"
  },
  {
    "path": "tools/protoident/lpi_protoident.1",
    "content": ".TH LPI_PROTOIDENT \"1\" \"April 2019\" \"libprotoident\" \"User Commands\"\n.SH NAME\nlpi_protoident \\- list the application protocol of all network flows in a trace\n.SH SYNOPSIS\n.B lpi_protoident\ninputuri\n\n.SH DESCRIPTION\nThis tool attempts to identify each individual flow within the provided\nnetwork packet trace, along with the application protocol that is being used by \nit, using the libprotoident traffic classification library.\nIdentification only occurs when the flow has concluded or expired due\nto inactivity, so it is not very effective for real-time use cases.\n.PP\nThe \\fBinputuri\\fR argument must be a valid libtrace URI.\n\n.SH OUTPUT FORMAT\nFor each flow discovered in the input trace, a single line is printed to\nstdout describing the flow. The line contains the following whitespace\nseparated fields (in order):\n\n.nf\n* Application protocol (as reported by libprotoident)\n* IP address of the first endpoint\n* IP address of the second endpoint\n* Port used by the first endpoint\n* Port used by the second endpoint\n* Transport protocol (6 = TCP, 17 = UDP)\n* Unix timestamp when the flow began\n* Unix timestamp when the flow ended\n* Total bytes sent from first endpoint to second endpoint\n* Total bytes sent from second endpoint to first endpoint\n* First four bytes of payload sent from first endpoint (in hex)\n* First four bytes of payload sent from first endpoint (ASCII)\n* Size of first payload-bearing packet sent from first endpoint\n* First four bytes of payload sent from second endpoint (in hex)\n* First four bytes of payload sent from second endpoint (ASCII)\n* Size of first payload-bearing packet sent from second endpoint\n.fi\n\n.SH LINKS\nMore details about libprotoident, the protocols it supports and how it\nworks can be found at https://github.com/wanduow/libprotoident/wiki\n\n.SH SEE ALSO\nlpi_arff(1), lpi_find_unknown(1)\n\n.SH AUTHORS\nShane Alcock <shane.alcock@waikato.ac.nz>\n"
  },
  {
    "path": "tools/protoident/lpi_protoident.cc",
    "content": "/* \n * This file is part of libprotoident\n *\n * Copyright (c) 2011-2015 The University of Waikato, Hamilton, New Zealand.\n * Author: Shane Alcock\n *\n * With contributions from:\n *      Aaron Murrihy\n *      Donald Neal\n *\n * All rights reserved.\n *\n * This code has been developed by the University of Waikato WAND \n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License as published by\n * the Free Software Foundation; either version 2 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License\n * along with libprotoident; if not, write to the Free Software\n * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA\n *\n * $Id$\n */\n\n\n#define __STDC_FORMAT_MACROS\n\n#include <stdio.h>\n#include <assert.h>\n#include <getopt.h>\n#include <sys/socket.h>\n#include <netinet/in.h>\n#include <arpa/inet.h>\n#include <stdlib.h>\n#include <inttypes.h>\n#include <signal.h>\n\n#include <libtrace.h>\n#include <libtrace_parallel.h>\n#include <libflowmanager.h>\n#include <libprotoident.h>\n\n#include \"../tools_common.h\"\n\nenum {\n\tDIR_METHOD_TRACE,\n\tDIR_METHOD_MAC,\n\tDIR_METHOD_PORT\n};\n\nlibtrace_t *currenttrace;\nstatic volatile int done = 0;\n\nstruct globalopts {\n\n        int dir_method;\n        bool only_dir0 ;\n        bool only_dir1 ;\n        bool require_both ;\n        bool nat_hole ;\n        bool ignore_rfc1918 ;\n        char *local_mac ;\n        uint8_t mac_bytes[6];\n};\n\nstruct threadlocal {\n        FlowManager 
*flowmanager;\n};\n\n/* This data structure is used to demonstrate how to use the 'extension' \n * pointer to store custom data for a flow */\ntypedef struct ident {\n\tuint8_t init_dir;\n\tuint64_t in_bytes;\n\tuint64_t out_bytes;\n\tuint64_t in_pkts;\n\tuint64_t out_pkts;\n\tdouble start_ts;\n        double end_ts;\n\tlpi_data_t lpi;\n} IdentFlow;\n\nstatic void *start_processing(libtrace_t *trace, libtrace_thread_t *thread,\n                void *global) {\n\n        bool opt_false = false;\n        struct globalopts *opts = (struct globalopts *)global;\n\n        struct threadlocal *tl = (struct threadlocal *)malloc(sizeof(\n                        struct threadlocal));\n        tl->flowmanager = new FlowManager();\n\n        /* This tells libflowmanager to ignore any flows where an RFC1918\n\t * private IP address is involved */\n        if (tl->flowmanager->setConfigOption(LFM_CONFIG_IGNORE_RFC1918, \n\t\t\t\t&(opts->ignore_rfc1918)) == 0) {\n                fprintf(stderr, \"Failed to set IGNORE RFC 1918 option in libflowmanager\\n\");\n        }\n\n\t/* This tells libflowmanager not to replicate the TCP timewait\n\t * behaviour where closed TCP connections are retained in the Flow\n\t * map for an extra 2 minutes */\n        if (tl->flowmanager->setConfigOption(LFM_CONFIG_TCP_TIMEWAIT,\n                                &opt_false) == 0) {\n                fprintf(stderr, \"Failed to set TCP TIMEWAIT option in libflowmanager\\n\");\n        }\n\n\t/* This tells libflowmanager not to utilise the fast expiry rules for\n\t * short-lived UDP connections - these rules are experimental \n\t * behaviour not in line with recommended \"best\" practice */\n\tif (tl->flowmanager->setConfigOption(LFM_CONFIG_SHORT_UDP,\n                                &opt_false) == 0) {\n                fprintf(stderr, \"Failed to set SHORT UDP option in libflowmanager\\n\");\n        }\n\n        return tl;\n}\n\nstatic void *start_reporter(libtrace_t *trace, libtrace_thread_t 
*thread,\n                void *global) {\n        return NULL;\n}\n\nstatic void stop_reporter(libtrace_t *trace, libtrace_thread_t *thread,\n                void *global, void *tls) {\n        if (tls)\n                free(tls);\n}\n\n/* Initialises the custom data for the given flow. Allocates memory for a\n * IdentFlow structure and ensures that the extension pointer points at\n * it.\n */\nvoid init_ident_flow(Flow *f, uint8_t dir, double ts) {\n\tIdentFlow *ident = NULL;\n\n\tident = (IdentFlow *)malloc(sizeof(IdentFlow));\n\tident->init_dir = dir;\n\tident->in_bytes = 0;\n\tident->out_bytes = 0;\n\tident->in_pkts = 0;\n\tident->out_pkts = 0;\n\tident->start_ts = ts;\n        ident->end_ts = ts;\n\tlpi_init_data(&ident->lpi);\n\tf->extension = ident;\n}\n\nvoid dump_payload(lpi_data_t lpi, uint8_t dir, char *space, int spacelen) {\n\n\tint i;\n\tuint8_t *pl = (uint8_t *)(&(lpi.payload[dir]));\n\n        char ascii[4][5];\n\n\tfor (i = 0; i < 4; i++) {\n\t\tif (*pl > 32 && *pl < 126) {\n\t\t\tsnprintf(ascii[i], 5, \"%c\", *pl);\n\t\t} else {\n\t\t\tsnprintf(ascii[i], 5, \".\");\n\t\t}\n\t\tpl ++;\n\t}\n\n        snprintf(space, spacelen - 1, \"%08x %s%s%s%s %u\",\n                        ntohl(lpi.payload[dir]), ascii[0], ascii[1],\n                        ascii[2], ascii[3], lpi.payload_len[dir]);\n\n\n}\n\nchar *display_ident(Flow *f, IdentFlow *ident, struct globalopts *opts) {\n\n        char s_ip[100];\n\tchar c_ip[100];\n        char pload_out[100];\n        char pload_in[100];\n        char *str;\n\tlpi_module_t *proto;\n\n\tif (opts->only_dir0 && ident->init_dir == 1)\n\t\treturn NULL;\n\tif (opts->only_dir1 && ident->init_dir == 0)\n\t\treturn NULL;\n\tif (opts->require_both) {\n\t\tif (ident->lpi.payload_len[0] == 0 || \n\t\t\t\tident->lpi.payload_len[1] == 0) {\n\t\t\treturn NULL;\n\t\t}\n\t}\n\n\tif (opts->nat_hole) {\n                if (ident->init_dir != 1)\n                        return NULL;\n                if (ident->lpi.payload_len[0] == 
0 && ident->in_pkts <= 3)\n                        return NULL;\n        }\n\n\tproto = lpi_guess_protocol(&ident->lpi);\n\n\tf->id.get_server_ip_str(s_ip);\n\tf->id.get_client_ip_str(c_ip);\n\n\tdump_payload(ident->lpi, 0, pload_out, 100);\n\tdump_payload(ident->lpi, 1, pload_in, 100);\n        str = (char *)malloc(750);\n        snprintf(str, 750, \"%s %s %s %u %u %u %.3f %.3f %\" PRIu64 \" %\" PRIu64 \" %s %s\\n\",\n\t\t\tproto->name, s_ip, c_ip,\n                        f->id.get_server_port(), f->id.get_client_port(),\n                        f->id.get_protocol(), ident->start_ts,\n                        ident->end_ts,\n\t\t\tident->out_bytes, ident->in_bytes,\n                        pload_out, pload_in);\n\n        return str;\n}\n\n/* Expires all flows that libflowmanager believes have been idle for too\n * long. The exp_flag variable tells libflowmanager whether it should force\n * expiry of all flows (e.g. if you have reached the end of the program and\n * want the stats for all the still-active flows). 
Otherwise, only flows\n * that have been idle for longer than their expiry timeout will be expired.\n */\nvoid expire_ident_flows(libtrace_t *trace, libtrace_thread_t *thread,\n                struct globalopts *opts, FlowManager *fm, double ts,\n                bool exp_flag) {\n        Flow *expired;\n        char *result = NULL;\n        libtrace_generic_t gen;\n\n        /* Loop until libflowmanager has no more expired flows available */\n\twhile ((expired = fm->expireNextFlow(ts, exp_flag)) != NULL) {\n\n                IdentFlow *ident = (IdentFlow *)expired->extension;\n\t\tresult = display_ident(expired, ident, opts);\n                if (result) {\n                        gen.ptr = result;\n                        trace_publish_result(trace, thread, ident->end_ts,\n                                        gen, RESULT_USER);\n                }\n\t\t/* Don't forget to free our custom data structure */\n                free(ident);\n\n                fm->releaseFlow(expired);\n        }\n}\n\nstatic void stop_processing(libtrace_t *trace, libtrace_thread_t *thread,\n                void *global, void *tls) {\n\n        struct globalopts *opts = (struct globalopts *)global;\n        struct threadlocal *tl = (struct threadlocal *)tls;\n\n        expire_ident_flows(trace, thread, opts, tl->flowmanager, 0, true);\n        delete(tl->flowmanager);\n        free(tl);\n\n\n}\n\n\nstatic void per_result(libtrace_t *trace, libtrace_thread_t *sender,\n                void *global, void *tls, libtrace_result_t *result) {\n\n        char *resultstr;\n\n        if (result->type != RESULT_USER)\n                return;\n\n        resultstr = (char *)result->value.ptr;\n        printf(\"%s\", resultstr);\n        free(resultstr);\n\n}\n\nstatic libtrace_packet_t *per_packet(libtrace_t *trace,\n                libtrace_thread_t *thread, void *global, void *tls,\n                libtrace_packet_t *packet) {\n\n        Flow *f;\n        IdentFlow *ident = NULL;\n        uint8_t 
dir = 255;\n        bool is_new = false;\n\n        libtrace_tcp_t *tcp = NULL;\n        void *l3;\n\tdouble ts;\n\n        uint16_t l3_type = 0;\n        struct globalopts *opts = (struct globalopts *)global;\n        struct threadlocal *tl = (struct threadlocal *)tls;\n\n        /* Libflowmanager only deals with IP traffic, so ignore anything\n\t * that does not have an IP header */\n        l3 = trace_get_layer3(packet, &l3_type, NULL);\n        if (l3_type != TRACE_ETHERTYPE_IP && l3_type != TRACE_ETHERTYPE_IPV6) \n\t\treturn packet;\n        if (l3 == NULL) return packet;\n\n\t/* Expire all suitably idle flows */\n        ts = trace_get_seconds(packet);\n        expire_ident_flows(trace, thread, opts, tl->flowmanager, ts, false);\n\n\t/* Determine packet direction */\n\tif (opts->dir_method == DIR_METHOD_TRACE) {\n\t\tdir = trace_get_direction(packet);\n\t}\n\tif (opts->dir_method == DIR_METHOD_MAC) {\n\t\tdir = mac_get_direction(packet, opts->mac_bytes);\n\t}\n\tif (opts->dir_method == DIR_METHOD_PORT) {\n\t\tdir = port_get_direction(packet);\n\t}\n\n\tif (dir != 0 && dir != 1)\n\t\treturn packet;\n\n        /* Match the packet to a Flow - this will create a new flow if\n\t * there is no matching flow already in the Flow map and set the\n\t * is_new flag to true. 
*/\n        f = tl->flowmanager->matchPacketToFlow(packet, dir, &is_new);\n\n\t/* Libflowmanager did not like something about that packet - best to\n\t * just ignore it and carry on */\n        if (f == NULL) {\n\t\treturn packet;\n\t}\n\n        tcp = trace_get_tcp(packet);\n\t/* If the returned flow is new, you will probably want to allocate and\n\t * initialise any custom data that you intend to track for the flow */\n        if (is_new) {\n                init_ident_flow(f, dir, ts);\n        \tident = (IdentFlow *)f->extension;\n\t} else {\n        \tident = (IdentFlow *)f->extension;\n\t\tif (tcp && tcp->syn && !tcp->ack)\n\t\t\tident->init_dir = dir;\n                if (ident->end_ts < ts)\n                        ident->end_ts = ts;\n\t}\n\n\t/* Update our own byte and packet counters for reporting purposes */\n\tif (dir == 0) {\n\t\tident->out_pkts += 1;\n\t\tident->out_bytes += trace_get_payload_length(packet);\n\t}\n\telse {\n\t\tident->in_bytes += trace_get_payload_length(packet);\n\t\tident->in_pkts += 1;\n\t}\n\n\n\t/* Pass the packet into libprotoident so it can extract any info\n\t * it needs from this packet */\n\tlpi_update_data(packet, &ident->lpi, dir);\n\n\tassert(f);\n        /* Tell libflowmanager to update the expiry time for this flow */\n        tl->flowmanager->updateFlowExpiry(f, packet, dir, ts);\n\n        return packet;\n}\n\nstatic void cleanup_signal(int sig) {\n\t(void)sig;\n        if (!done) {\n                trace_pstop(currenttrace);\n        \tdone = 1;\n        }\n}\n\nstatic void usage(char *prog) {\n\n\tprintf(\"Usage details for %s\\n\\n\", prog);\n\tprintf(\"%s [-l <mac>] [-T] [-b] [-d <dir>] [-f <filter>] [-R] [-H] [-t <threads>] [-B buflen] inputURI [inputURI ...]\\n\\n\", prog);\n\tprintf(\"Options:\\n\");\n\tprintf(\"  -l <mac>\tDetermine direction based on <mac> representing the 'inside' \\n\t\t\tportion of the network\\n\");\n\tprintf(\"  -T\t\tUse trace direction tags to determine direction\\n\");\n\tprintf(\"  
-b\t\tIgnore flows that do not send data in both directions \\n\");\n\tprintf(\"  -d <dir>\tIgnore flows where the initial packet does not match the given \\n   \t\tdirection\\n\");\n\tprintf(\"  -f <filter>\tIgnore flows that do not match the given BPF filter\\n\");\n\tprintf(\"  -R \t\tIgnore flows involving private RFC 1918 address space\\n\");\n\tprintf(\"  -H\t\tIgnore flows that do not meet the criteria for an SPNAT hole\\n\");\n        printf(\"  -t <threads>  Share the workload over the given number of threads\\n\");\n        printf(\"  -B <buflen>   Buffer results until there are <buflen> results waiting\\n\");\n\texit(0);\n\n}\n\nint main(int argc, char *argv[]) {\n\n\tlibtrace_filter_t *filter = NULL;\n\tstruct sigaction sigact; \n        struct globalopts opts;\n        int i, opt;\n\tchar *filterstring = NULL;\n\tint dir;\n        int threads = 1;\n        int bufferresults = 10;\n\n        libtrace_callback_set_t *processing, *reporter;\n\n        opts.dir_method = DIR_METHOD_PORT;\n        opts.only_dir0 = false;\n        opts.only_dir1 = false;\n        opts.require_both = false;\n        opts.nat_hole = false;\n        opts.ignore_rfc1918 = false;\n        opts.local_mac = NULL;\n\n        processing = trace_create_callback_set();\n        trace_set_starting_cb(processing, start_processing);\n        trace_set_stopping_cb(processing, stop_processing);\n        trace_set_packet_cb(processing, per_packet);\n\n        reporter = trace_create_callback_set();\n        trace_set_starting_cb(reporter, start_reporter);\n        trace_set_stopping_cb(reporter, stop_reporter);\n        trace_set_result_cb(reporter, per_result);\n\n\twhile ((opt = getopt(argc, argv, \"l:bB:Hd:f:RhTt:\")) != EOF) {\n                switch (opt) {\n\t\t\tcase 'l':\n\t\t\t\topts.local_mac = optarg;\n\t\t\t\topts.dir_method = DIR_METHOD_MAC;\n\t\t\t\tbreak;\n\t\t\tcase 'b':\n\t\t\t\topts.require_both = true;\n\t\t\t\tbreak;\n                        case 'B':\n                     
           bufferresults = atoi(optarg);\n                                if (bufferresults <= 0)\n                                        bufferresults = 1;\n                                break;\n                        case 'd':\n\t\t\t\tdir = atoi(optarg);\n\t\t\t\tif (dir == 0)\n\t\t\t\t\topts.only_dir0 = true;\n\t\t\t\tif (dir == 1)\n\t\t\t\t\topts.only_dir1 = true;\n\t\t\t\tbreak;\n\t\t\tcase 'f':\n                                filterstring = optarg;\n                                break;\n\t\t\tcase 'R':\n\t\t\t\topts.ignore_rfc1918 = true;\n\t\t\t\tbreak;\n\t\t\tcase 'H':\n\t\t\t\topts.nat_hole = true;\n\t\t\t\tbreak;\n\t\t\tcase 'T':\n\t\t\t\topts.dir_method = DIR_METHOD_TRACE;\n\t\t\t\tbreak;\n                        case 't':\n                                threads = atoi(optarg);\n                                if (threads <= 0)\n                                        threads = 1;\n                                break;\n                \tcase 'h':\n\t\t\tdefault:\n\t\t\t\tusage(argv[0]);\n\t\t}\n\n        }\n\n        if (filterstring != NULL) {\n                filter = trace_create_filter(filterstring);\n        }\n\n\tif (opts.local_mac != NULL) {\n                if (convert_mac_string(opts.local_mac, opts.mac_bytes) < 0) {\n                        fprintf(stderr, \"Invalid MAC: %s\\n\", opts.local_mac);\n                        return 1;\n                }\n        }\n\n\tsigact.sa_handler = cleanup_signal;\n\tsigemptyset(&sigact.sa_mask);\n\tsigact.sa_flags = SA_RESTART;\n\n\tsigaction(SIGINT, &sigact, NULL);\n\tsigaction(SIGTERM, &sigact, NULL);\n\n\tsignal(SIGINT,&cleanup_signal);\n\tsignal(SIGTERM,&cleanup_signal);\n\n\tif (lpi_init_library() == -1)\n\t\treturn -1;\n\n        for (i = optind; i < argc; i++) {\n                if (done)\n                        break;\n                fprintf(stderr, \"%s\\n\", argv[i]);\n                \n\t\t/* Bog-standard libtrace stuff for reading trace files */\n\t\tcurrenttrace = 
trace_create(argv[i]);\n\n                if (!currenttrace) {\n                        perror(\"Creating libtrace trace\");\n                        return -1;\n                }\n\n                if (trace_is_err(currenttrace)) {\n                        trace_perror(currenttrace, \"Opening trace file\");\n                        trace_destroy(currenttrace);\n                        continue;\n                }\n\n                if (filter && trace_config(currenttrace, TRACE_OPTION_FILTER, filter) == -1) {\n                        trace_perror(currenttrace, \"Configuring filter\");\n                        trace_destroy(currenttrace);\n                        return -1;\n                }\n\n                trace_set_perpkt_threads(currenttrace, threads);\n                trace_set_reporter_thold(currenttrace, bufferresults);\n\n                trace_set_combiner(currenttrace, &combiner_unordered,\n                        (libtrace_generic_t){0});\n\n                trace_set_hasher(currenttrace, HASHER_BIDIRECTIONAL, NULL, NULL);\n\n                if (trace_pstart(currenttrace, &opts, processing, reporter) == -1) {\n                        trace_perror(currenttrace, \"Starting trace\");\n                        trace_destroy(currenttrace);\n                        continue;\n                }\n\n                trace_join(currenttrace);\n                trace_destroy(currenttrace);\n\n        }\n\n        trace_destroy_callback_set(processing);\n        trace_destroy_callback_set(reporter);\n\tlpi_free_library();\n\n        return 0;\n\n}\n\n"
  },
  {
    "path": "tools/tools_common.cc",
    "content": "/* \n * This file is part of libprotoident\n *\n * Copyright (c) 2011 The University of Waikato, Hamilton, New Zealand.\n * Author: Shane Alcock\n *\n * With contributions from:\n *      Aaron Murrihy\n *      Donald Neal\n *\n * All rights reserved.\n *\n * This code has been developed by the University of Waikato WAND \n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License as published by\n * the Free Software Foundation; either version 2 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License\n * along with libprotoident; if not, write to the Free Software\n * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA\n *\n * $Id$\n */\n\n\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include \"tools_common.h\"\n\nint convert_mac_string(char *string, uint8_t *bytes) {\n\n        uint32_t digits[6];\n\n        if (sscanf(string, \"%x:%x:%x:%x:%x:%x\", &(digits[0]),\n                        &(digits[1]), &(digits[2]), &(digits[3]),\n                        &(digits[4]), &(digits[5])) != 6)\n                return -1;\n\n        for (int i = 0; i < 6; i++) {\n\n                if (digits[i] > 255)\n                        return -1;\n                bytes[i] = (uint8_t)digits[i];\n        }\n\n        return 0;\n\n}\n\nint mac_get_direction(libtrace_packet_t *packet, uint8_t *mac_bytes) {\n\n\tuint8_t *src_mac = NULL;\n        uint8_t *dest_mac = NULL;\n\n\tsrc_mac = trace_get_source_mac(packet);\n        dest_mac = 
trace_get_destination_mac(packet);\n\n        if (!src_mac || !dest_mac) {\n                return -1;\n        }\n\t\n\tif (memcmp(src_mac, mac_bytes, 6) == 0)\n                return 0;\n        else if (memcmp(dest_mac, mac_bytes, 6) == 0)\n                return 1;\n\n\treturn -1;\n\n}\n\nint port_get_direction(libtrace_packet_t *packet) {\n\tuint16_t src_port;\n        uint16_t dst_port;\n\tint dir = 2;\n\tvoid *l3;\n\tuint16_t ethertype;\n\tuint32_t rem;\n\tlibtrace_ip_t *ip = NULL;\n\tlibtrace_ip6_t *ip6 = NULL;\n\tuint8_t proto;\n\n\tsrc_port = trace_get_source_port(packet);\n        dst_port = trace_get_destination_port(packet);\n\n\tl3 = trace_get_layer3(packet, &ethertype, &rem);\n\t\t\n\tif (ethertype == TRACE_ETHERTYPE_IP && rem >= sizeof(libtrace_ip_t)) {\n\t\tip = (libtrace_ip_t *)l3;\n\t\tproto = ip->ip_p;\n\t}\n\telse if (ethertype == TRACE_ETHERTYPE_IPV6 && rem >= sizeof(libtrace_ip6_t)) \t{\n\t\tip6 = (libtrace_ip6_t *)l3;\n\t\tproto = ip6->nxt;\n\t} else {\n                return -1;\n        }\n\n\n        if (src_port == dst_port) {\n\n\t\tif (l3 == NULL || rem == 0)\n\t\t\treturn dir;\n\n\t\tif (ip) {\n\t                if (ip->ip_src.s_addr < ip->ip_dst.s_addr)\n        \t                dir = 0;\n        \t        else\n        \t                dir = 1;\n\t\t}\n\n\t\tif (ip6) {\n\t\t\tif (memcmp(&(ip6->ip_src), &(ip6->ip_dst), \n\t\t\t\t\t\tsizeof(struct in6_addr)) < 0) {\n\t\t\t\tdir = 0;\n\t\t\t} else {\n\t\t\t\tdir = 1;\n\t\t\t}\n\t\t}\n\n        } else {\n                if (trace_get_server_port(proto, src_port, dst_port) \n\t\t\t\t\t== USE_SOURCE) {\n                        dir = 0;\n\t\t} else {\n                        dir = 1;\n\t\t}\n        }\n\n\treturn dir;\n}\n"
  },
  {
    "path": "tools/tools_common.h",
    "content": "/* \n * This file is part of libprotoident\n *\n * Copyright (c) 2011 The University of Waikato, Hamilton, New Zealand.\n * Author: Shane Alcock\n *\n * With contributions from:\n *      Aaron Murrihy\n *      Donald Neal\n *\n * All rights reserved.\n *\n * This code has been developed by the University of Waikato WAND \n * research group. For further information please see http://www.wand.net.nz/\n *\n * libprotoident is free software; you can redistribute it and/or modify\n * it under the terms of the GNU General Public License as published by\n * the Free Software Foundation; either version 2 of the License, or\n * (at your option) any later version.\n *\n * libprotoident is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License\n * along with libprotoident; if not, write to the Free Software\n * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA\n *\n * $Id$\n */\n\n\n#ifndef TOOLS_COMMON_H_\n#define TOOLS_COMMON_H_\n\n#include <inttypes.h>\n#include <libtrace.h>\n\nint convert_mac_string(char *string, uint8_t *bytes);\nint mac_get_direction(libtrace_packet_t *packet, uint8_t *mac_bytes);\nint port_get_direction(libtrace_packet_t *packet);\n\n#endif\n"
  }
]