Add (generic) JSON protocol dissector.

Signed-off-by: Toni Uhlig <[email protected]>

Author: utoni

doc/protocols.rst

@@ -4257,3 +4257,10 @@ References: `Official site <https://www.espn.com/>`_
 Akamai Technologies, Inc. is an American company specialized in content delivery network (CDN), cybersecurity, DDoS mitigation, and cloud services.
 
 References: `Official site <https://www.akamai.com>`_
+
+
+.. _Proto_468:
+
+`NDPI_PROTOCOL_JSON`
+====================
+JSON (JavaScript Object Notation) is an open standard file format and data interchange format that uses human-readable text.

src/include/ndpi_private.h

@@ -1086,6 +1086,7 @@ void init_mudfish_dissector(struct ndpi_detection_module_struct *ndpi_struct);
 void init_tristation_dissector(struct ndpi_detection_module_struct *ndpi_struct);
 void init_samsung_sdp_dissector(struct ndpi_detection_module_struct *ndpi_struct);
 void init_matter_dissector(struct ndpi_detection_module_struct *ndpi_struct);
+void init_json_dissector(struct ndpi_detection_module_struct *ndpi_struct);
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
   #include "../../../nDPI-custom/custom_ndpi_private.h"

src/include/ndpi_protocol_ids.h

@@ -497,6 +497,7 @@ typedef enum {
   NDPI_PROTOCOL_AWS_DYNAMODB          = 465,
   NDPI_PROTOCOL_ESPN                  = 466,
   NDPI_PROTOCOL_AKAMAI                = 467,
+  NDPI_PROTOCOL_JSON                  = 468,
 
   /* If you add a new protocol, please update the documentation at doc/protocols.rst, too! */
 

src/lib/ndpi_main.c

@@ -2962,12 +2962,16 @@ static void init_protocol_defaults(struct ndpi_detection_module_struct *ndpi_str
                           ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */ ,
                           ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */,
                           0);
-
   ndpi_set_proto_defaults(ndpi_str, 1 , 1 , NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_AKAMAI,
                           "Akamai", NDPI_PROTOCOL_CATEGORY_DATABASE, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED,
                           ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */ ,
                           ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */,
                           0);
+  ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_JSON,
+                          "JSON", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED,
+                          ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+                          ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */,
+                          0);
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_main.c"
@@ -7453,6 +7457,9 @@ static int dissectors_init(struct ndpi_detection_module_struct *ndpi_str) {
   /* MATTER */
   init_matter_dissector(ndpi_str);
 
+  /* JSON */
+  init_json_dissector(ndpi_str);
+
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_main_init.c"
 #endif

src/lib/protocols/http.c

@@ -31,6 +31,9 @@
 #include "ndpi_api.h"
 #include "ndpi_private.h"
 
+extern void ndpi_search_json(struct ndpi_detection_module_struct *ndpi_struct,
+                             struct ndpi_flow_struct *flow);
+
 static const char* binary_exec_file_mimes_e[] = { "exe", NULL };
 static const char* binary_exec_file_mimes_j[] = { "java-vm", NULL };
 static const char* binary_exec_file_mimes_v[] = { "vnd.ms-cab-compressed", "vnd.microsoft.portable-executable", NULL };
@@ -164,6 +167,10 @@ static int ndpi_search_http_tcp_again(struct ndpi_detection_module_struct *ndpi_
     return(0); /* We are good now */
   }
 
+  if (flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) {
+    ndpi_search_json(ndpi_struct, flow);
+  }
+
   /* Possibly more processing */
   return(1);
 }

src/lib/protocols/json.c

@@ -0,0 +1,123 @@
+/*
+ * json.c
+ *
+ * Copyright (C) 2011-25 - ntop.org
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_JSON
+
+#include "ndpi_api.h"
+#include "ndpi_private.h"
+
+#define JSON_MAX_BYTES_TO_CHECK 16
+
+static void ndpi_int_json_add_connection(struct ndpi_detection_module_struct * const ndpi_struct,
+                                         struct ndpi_flow_struct * const flow)
+{
+  NDPI_LOG_INFO(ndpi_struct, "found JSON\n");
+  if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) {
+    ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_JSON, NDPI_CONFIDENCE_DPI);
+  } else {
+    ndpi_set_detected_protocol(ndpi_struct, flow,
+                               NDPI_PROTOCOL_JSON,
+                               NDPI_PROTOCOL_UNKNOWN,
+                               NDPI_CONFIDENCE_DPI);
+  }
+}
+
+void ndpi_search_json(struct ndpi_detection_module_struct *ndpi_struct,
+                      struct ndpi_flow_struct *flow)
+{
+  struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
+  size_t offset = 0;
+  size_t bytes_checked = 0;
+
+  NDPI_LOG_DBG(ndpi_struct, "search JSON\n");
+
+  if (packet->payload_packet_len < 2) {
+    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
+    return;
+  }
+
+  do {
+    if (offset >= packet->payload_packet_len) {
+      break;
+    }
+    if (packet->payload[offset] == '{' ||
+        packet->payload[offset] == '[')
+    {
+      break;
+    }
+    if (packet->payload[offset] != ' ' &&
+        packet->payload[offset] != '\t' &&
+        packet->payload[offset] != '\r' &&
+        packet->payload[offset] != '\n' &&
+        ndpi_isalnum(packet->payload[offset]) == 0 &&
+        offset >= 8)
+    {
+      NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
+      return;
+    }
+  } while (++offset < JSON_MAX_BYTES_TO_CHECK);
+
+  for (size_t i = offset; i < ndpi_min(JSON_MAX_BYTES_TO_CHECK, packet->payload_packet_len); ++i) {
+    if (ndpi_isprint(packet->payload[i]) == 0 &&
+        packet->payload[i] != '\t' &&
+        packet->payload[i] != '\r' &&
+        packet->payload[i] != '\n')
+    {
+      NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
+      return;
+    }
+  }
+
+  if (offset == JSON_MAX_BYTES_TO_CHECK || offset >= packet->payload_packet_len) {
+    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
+    return;
+  }
+
+  offset = packet->payload_packet_len;
+
+  do {
+    if (packet->payload[offset - 1] == '}' ||
+        packet->payload[offset - 1] == ']')
+    {
+      break;
+    }
+    if (packet->payload[offset - 1] != ' ' &&
+        packet->payload[offset - 1] != '\t' &&
+        packet->payload[offset - 1] != '\r' &&
+        packet->payload[offset - 1] != '\n' &&
+        ndpi_isalnum(packet->payload[offset - 1]) == 0)
+    {
+      NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
+      return;
+    }
+  } while (--offset > 0 && ++bytes_checked < JSON_MAX_BYTES_TO_CHECK);
+
+  ndpi_int_json_add_connection(ndpi_struct, flow);
+}
+
+void init_json_dissector(struct ndpi_detection_module_struct *ndpi_struct)
+{
+  register_dissector("JSON", ndpi_struct,
+                     ndpi_search_json,
+                     NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
+                     1, NDPI_PROTOCOL_JSON);
+}

tests/cfgs/caches_cfg/result/ookla.pcap.out

@@ -3,7 +3,7 @@ Guessed flow protos:	1
 DPI Packets (TCP):	40	(6.67 pkts/flow)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 5 (flows)
-Num dissector calls: 572 (95.33 diss/flow)
+Num dissector calls: 575 (95.83 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

tests/cfgs/caches_cfg/result/teams.pcap.out

@@ -6,7 +6,7 @@ DPI Packets (other):	1	(1.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
 Confidence Match by port    : 2 (flows)
 Confidence DPI              : 80 (flows)
-Num dissector calls: 521 (6.28 diss/flow)
+Num dissector calls: 523 (6.30 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/9/0 (insert/search/found)
 LRU cache stun:       30/0/0 (insert/search/found)

tests/cfgs/caches_global/result/lru_ipv6_caches.pcapng.out

@@ -2,7 +2,7 @@ DPI Packets (TCP):	9	(3.00 pkts/flow)
 DPI Packets (UDP):	35	(3.89 pkts/flow)
 Confidence DPI (cache)      : 4 (flows)
 Confidence DPI              : 8 (flows)
-Num dissector calls: 337 (28.08 diss/flow)
+Num dissector calls: 339 (28.25 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 25/4/2 (insert/search/found)
 LRU cache stun:       6/0/0 (insert/search/found)

tests/cfgs/caches_global/result/ookla.pcap.out

@@ -4,7 +4,7 @@ DPI Packets (TCP):	40	(6.67 pkts/flow)
 Confidence DPI (partial cache): 1 (flows)
 Confidence DPI              : 4 (flows)
 Confidence DPI (aggressive) : 1 (flows)
-Num dissector calls: 572 (95.33 diss/flow)
+Num dissector calls: 575 (95.83 diss/flow)
 LRU cache ookla:      4/2/2 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)