Add (generic) JSON protocol dissector.

Signed-off-by: Toni Uhlig <[email protected]>

Author: utoni

src/include/ndpi_private.h

@@ -1086,6 +1086,7 @@ void init_mudfish_dissector(struct ndpi_detection_module_struct *ndpi_struct);
 void init_tristation_dissector(struct ndpi_detection_module_struct *ndpi_struct);
 void init_samsung_sdp_dissector(struct ndpi_detection_module_struct *ndpi_struct);
 void init_matter_dissector(struct ndpi_detection_module_struct *ndpi_struct);
+void init_json_dissector(struct ndpi_detection_module_struct *ndpi_struct);
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
   #include "../../../nDPI-custom/custom_ndpi_private.h"

src/include/ndpi_protocol_ids.h

@@ -497,6 +497,7 @@ typedef enum {
   NDPI_PROTOCOL_AWS_DYNAMODB          = 465,
   NDPI_PROTOCOL_ESPN                  = 466,
   NDPI_PROTOCOL_AKAMAI                = 467,
+  NDPI_PROTOCOL_JSON                  = 468,
 
   /* If you add a new protocol, please update the documentation at doc/protocols.rst, too! */
 

src/lib/ndpi_main.c

@@ -2962,12 +2962,16 @@ static void init_protocol_defaults(struct ndpi_detection_module_struct *ndpi_str
                           ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */ ,
                           ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */,
                           0);
-
   ndpi_set_proto_defaults(ndpi_str, 1 , 1 , NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_AKAMAI,
                           "Akamai", NDPI_PROTOCOL_CATEGORY_DATABASE, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED,
                           ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */ ,
                           ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */,
                           0);
+  ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_JSON,
+                          "JSON", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED,
+                          ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+                          ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */,
+                          0);
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_main.c"
@@ -7453,6 +7457,9 @@ static int dissectors_init(struct ndpi_detection_module_struct *ndpi_str) {
   /* MATTER */
   init_matter_dissector(ndpi_str);
 
+  /* JSON */
+  init_json_dissector(ndpi_str);
+
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_main_init.c"
 #endif

src/lib/protocols/json.c

@@ -0,0 +1,111 @@
+/*
+ * json.c
+ *
+ * Copyright (C) 2025 - Toni Uhlig <[email protected]>
+ *
+ * This file is part of nDPI, an open source deep packet inspection
+ * library based on the OpenDPI and PACE technology by ipoque GmbH
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
+ * 
+ */
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_JSON
+
+#include "ndpi_api.h"
+#include "ndpi_private.h"
+
+static void ndpi_int_json_add_connection(struct ndpi_detection_module_struct * const ndpi_struct,
+                                         struct ndpi_flow_struct * const flow)
+{
+  NDPI_LOG_INFO(ndpi_struct, "found JSON\n");
+  ndpi_set_detected_protocol(ndpi_struct, flow,
+                             NDPI_PROTOCOL_JSON,
+                             NDPI_PROTOCOL_UNKNOWN,
+                             NDPI_CONFIDENCE_DPI);
+}
+
+static void ndpi_search_json(struct ndpi_detection_module_struct *ndpi_struct,
+                             struct ndpi_flow_struct *flow)
+{
+  struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
+  size_t offset = 0;
+  size_t bytes_checked = 0;
+  const size_t max_bytes_to_check = 16;
+
+  NDPI_LOG_DBG(ndpi_struct, "search JSON\n");
+
+  if (packet->payload_packet_len < 2) {
+    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
+    return;
+  }
+
+  do {
+    if (offset >= packet->payload_packet_len) {
+      break;
+    }
+    if (packet->payload[offset] == '{') {
+      break;
+    }
+    if (packet->payload[offset] != ' ' &&
+        packet->payload[offset] != '\t' &&
+        packet->payload[offset] != '\r' &&
+        packet->payload[offset] != '\n' &&
+        isalnum(packet->payload[offset]) == 0 &&
+        offset >= 8)
+    {
+      NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
+      return;
+    }
+  } while (++offset < max_bytes_to_check);
+
+  if (offset == max_bytes_to_check || offset >= packet->payload_packet_len) {
+    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
+    return;
+  }
+
+  offset = packet->payload_packet_len;
+
+  do {
+    if (packet->payload[offset - 1] == '}') {
+      break;
+    }
+    if (packet->payload[offset - 1] != ' ' &&
+        packet->payload[offset - 1] != '\t' &&
+        packet->payload[offset - 1] != '\r' &&
+        packet->payload[offset - 1] != '\n' &&
+        isalnum(packet->payload[offset - 1]) == 0)
+    {
+      NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
+      return;
+    }
+  } while (--offset > 0 && ++bytes_checked < max_bytes_to_check);
+
+  if (bytes_checked == max_bytes_to_check) {
+    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
+    return;
+  }
+
+  ndpi_int_json_add_connection(ndpi_struct, flow);
+}
+
+void init_json_dissector(struct ndpi_detection_module_struct *ndpi_struct)
+{
+  register_dissector("JSON", ndpi_struct,
+                     ndpi_search_json,
+                     NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
+                     1, NDPI_PROTOCOL_JSON);
+}

tests/cfgs/caches_cfg/result/ookla.pcap.out

@@ -3,7 +3,7 @@ Guessed flow protos:	1
 DPI Packets (TCP):	40	(6.67 pkts/flow)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 5 (flows)
-Num dissector calls: 572 (95.33 diss/flow)
+Num dissector calls: 575 (95.83 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

tests/cfgs/caches_cfg/result/teams.pcap.out

@@ -6,7 +6,7 @@ DPI Packets (other):	1	(1.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
 Confidence Match by port    : 2 (flows)
 Confidence DPI              : 80 (flows)
-Num dissector calls: 521 (6.28 diss/flow)
+Num dissector calls: 523 (6.30 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/9/0 (insert/search/found)
 LRU cache stun:       30/0/0 (insert/search/found)

tests/cfgs/caches_global/result/lru_ipv6_caches.pcapng.out

@@ -2,7 +2,7 @@ DPI Packets (TCP):	9	(3.00 pkts/flow)
 DPI Packets (UDP):	35	(3.89 pkts/flow)
 Confidence DPI (cache)      : 4 (flows)
 Confidence DPI              : 8 (flows)
-Num dissector calls: 337 (28.08 diss/flow)
+Num dissector calls: 339 (28.25 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 25/4/2 (insert/search/found)
 LRU cache stun:       6/0/0 (insert/search/found)

tests/cfgs/caches_global/result/ookla.pcap.out

@@ -4,7 +4,7 @@ DPI Packets (TCP):	40	(6.67 pkts/flow)
 Confidence DPI (partial cache): 1 (flows)
 Confidence DPI              : 4 (flows)
 Confidence DPI (aggressive) : 1 (flows)
-Num dissector calls: 572 (95.33 diss/flow)
+Num dissector calls: 575 (95.83 diss/flow)
 LRU cache ookla:      4/2/2 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

tests/cfgs/caches_global/result/teams.pcap.out

@@ -7,7 +7,7 @@ Confidence Unknown          : 1 (flows)
 Confidence Match by port    : 2 (flows)
 Confidence DPI (partial)    : 4 (flows)
 Confidence DPI              : 76 (flows)
-Num dissector calls: 521 (6.28 diss/flow)
+Num dissector calls: 523 (6.30 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/9/0 (insert/search/found)
 LRU cache stun:       30/0/0 (insert/search/found)

tests/cfgs/classification_only/result/bittorrent_tcp_miss.pcapng.out

@@ -1,6 +1,6 @@
 DPI Packets (TCP):	10	(10.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 227 (227.00 diss/flow)
+Num dissector calls: 228 (228.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 5/0/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)