USDT probes: add two new probes for detecting IP fragments (ntop#3134)

Author: IvanNardi

.github/workflows/build.yml

@@ -290,12 +290,16 @@ jobs:
           # Verify both probes are present
           readelf -n example/ndpiReader | grep -q 'flow_classified'
           readelf -n example/ndpiReader | grep -q 'hostname_set'
+          readelf -n example/ndpiReader | grep -q 'fragment_ipv4'
+          readelf -n example/ndpiReader | grep -q 'fragment_ipv6'
           echo "All expected USDT probes found."
       - name: List probes via bpftrace
         run: |
           sudo bpftrace -l "usdt:./example/ndpiReader:ndpi:*" | tee /tmp/probe_list.txt
           grep -q 'flow_classified' /tmp/probe_list.txt
           grep -q 'hostname_set' /tmp/probe_list.txt
+          grep -q 'fragment_ipv4' /tmp/probe_list.txt
+          grep -q 'fragment_ipv6' /tmp/probe_list.txt
           echo "bpftrace can see all probes."
       - name: Test flow_classified probe with ndpiReader
         run: |
@@ -333,7 +337,7 @@ jobs:
           # Verify we actually traced some hostnames
           grep -q '@hostnames:' /tmp/bpf_hostname.txt
           echo "hostname_set probe: OK"
-      - name: Test both probes simultaneously
+      - name: Test both hostname_set and flow_classified simultaneously
         run: |
           sudo bpftrace -e '
           usdt:./example/ndpiReader:ndpi:hostname_set {
@@ -345,3 +349,29 @@ jobs:
           grep -q '@classified' /tmp/bpf_both.txt
           grep -q '@hostnames' /tmp/bpf_both.txt
           echo "Both probes fired successfully."
+      - name: Test fragment_ipv4 probe with ndpiReader
+        run: |
+          READER=$(realpath example/ndpiReader)
+          sudo ./bpftrace -I . --include ndpi_types.h \
+          -e 'usdt:./example/ndpiReader:ndpi:fragment_ipv4 {
+            $iph = (struct ndpi_iphdr *)arg0;
+            @frags = count();
+            @top[ntop($iph->saddr)] = count();
+          }' -c './example/ndpiReader -q -i tests/pcap/ip_fragmented_garbage.pcap' 2>&1 | tee /tmp/frag_ipv4.txt
+          # Verify we actually traced some hostnames
+          grep -q '@frags:' /tmp/frag_ipv4.txt
+          grep -q '@top' /tmp/frag_ipv4.txt
+          echo "fragment_ipv4 probe: OK"
+      - name: Test fragment_ipv6 probe with ndpiReader
+        run: |
+          READER=$(realpath example/ndpiReader)
+          sudo ./bpftrace -I . --include ndpi_types.h \
+          -e 'usdt:./example/ndpiReader:ndpi:fragment_ipv6 {
+            $ip6h = (struct ndpi_ipv6hdr *)arg0;
+            @frags = count();
+            @top[ntop($ip6h->ip6_src.u6_addr.u6_addr8)] = count();
+          }' -c './example/ndpiReader -q -i tests/pcap/dns_fragmented.pcap' 2>&1 | tee /tmp/frag_ipv6.txt
+          # Verify we actually traced some hostnames
+          grep -q '@frags:' /tmp/frag_ipv6.txt
+          grep -q '@top' /tmp/frag_ipv6.txt
+          echo "fragment_ipv6 probe: OK"

doc/usdt.rst

@@ -69,6 +69,14 @@ Available Probes
        HTTP (Host header), QUIC, NetBIOS, DHCP, STUN, and others.
        The hostname is provided directly as a string for convenience;
        the flow pointer gives access to all other flow fields.
+   * - ``fragment_ipv4``
+     - | ``arg0``: pointer to IPv4 header (``struct ndpi_iphdr *``)
+     - Fires when a (IPv4) packet processed by the library is fragmented
+       at IP layer.
+   * - ``fragment_ipv6``
+     - | ``arg0``: pointer to IPv6 header (``struct ndpi_ipv6hdr *``)
+     - Fires when a (IPv6) packet processed by the library is fragmented
+       at IP layer.
 
 bpftrace Notes
 --------------

example/reader_util.c

@@ -1052,7 +1052,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info6(struct ndpi_workflow * workflo
   const u_int8_t *l4ptr = (((const u_int8_t *) iph6) + sizeof(struct ndpi_ipv6hdr));
   if(ipsize < sizeof(struct ndpi_ipv6hdr) + ip_len)
     return(NULL);
-  if(ndpi_handle_ipv6_extension_headers(ipsize - sizeof(struct ndpi_ipv6hdr), &l4ptr, &ip_len, &l4proto) != 0) {
+  if(ndpi_handle_ipv6_extension_headers(NULL, iph6, ipsize - sizeof(struct ndpi_ipv6hdr), &l4ptr, &ip_len, &l4proto) != 0) {
     return(NULL);
   }
   iph.protocol = l4proto;
@@ -2564,7 +2564,7 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
     const u_int8_t *l4ptr = (((const u_int8_t *) iph6) + sizeof(struct ndpi_ipv6hdr));
     u_int16_t ipsize = header->caplen - ip_offset;
 
-    if(ndpi_handle_ipv6_extension_headers(ipsize - sizeof(struct ndpi_ipv6hdr), &l4ptr, &ip_len, &proto) != 0) {
+    if(ndpi_handle_ipv6_extension_headers(NULL, iph6, ipsize - sizeof(struct ndpi_ipv6hdr), &l4ptr, &ip_len, &proto) != 0) {
       return(nproto);
     }
 

src/include/ndpi_main.h

@@ -80,7 +80,9 @@ extern "C" {
 #define ndpi_match_strprefix(payload, payload_len, str)			\
   ndpi_match_prefix((payload), (payload_len), (str), (sizeof(str)-1))
 
-  int ndpi_handle_ipv6_extension_headers(u_int16_t l3len,
+  int ndpi_handle_ipv6_extension_headers(struct ndpi_detection_module_struct *ndpi_str,
+                                         const struct ndpi_ipv6hdr *ip6h,
+                                         u_int16_t l3len,
 					 const u_int8_t ** l4ptr, u_int16_t * l4len,
 					 u_int8_t * nxt_hdr);
 

src/include/ndpi_private.h

@@ -662,7 +662,8 @@ void exclude_dissector(struct ndpi_detection_module_struct *ndpi_str, struct ndp
 
 char *strptime(const char *s, const char *format, struct tm *tm);
 
-u_int8_t iph_is_valid_and_not_fragmented(const struct ndpi_iphdr *iph, const u_int16_t ipsize);
+u_int8_t iph_is_valid_and_not_fragmented(struct ndpi_detection_module_struct *ndpi_str,
+                                         const struct ndpi_iphdr *iph, const u_int16_t ipsize);
 
 int current_pkt_from_client_to_server(const struct ndpi_detection_module_struct *ndpi_str, const struct ndpi_flow_struct *flow);
 int current_pkt_from_server_to_client(const struct ndpi_detection_module_struct *ndpi_str, const struct ndpi_flow_struct *flow);

src/lib/ndpi_main.c

@@ -26,6 +26,7 @@
 #include <netinet/ip.h>
 #endif
 
+
 #define NDPI_CURRENT_PROTO NDPI_PROTOCOL_UNKNOWN
 
 #include "ndpi_config.h"
@@ -7715,8 +7716,14 @@ static void ndpi_enabled_callbacks_init(struct ndpi_detection_module_struct *ndp
  * 	nxt_hdr: first byte of the layer 4 packet
  * returns 0 upon success and 1 upon failure
  */
-int ndpi_handle_ipv6_extension_headers(u_int16_t l3len, const u_int8_t **l4ptr,
+int ndpi_handle_ipv6_extension_headers(struct ndpi_detection_module_struct *ndpi_str,
+                                       const struct ndpi_ipv6hdr *ip6h,
+                                       u_int16_t l3len, const u_int8_t **l4ptr,
                                        u_int16_t *l4len, u_int8_t *nxt_hdr) {
+#ifndef HAVE_USDT
+  __ndpi_unused_param(ip6h);
+#endif
+
   while(l3len > 1 && (*nxt_hdr == 0 || *nxt_hdr == 43 || *nxt_hdr == 44 || *nxt_hdr == 60 || *nxt_hdr == 135 || *nxt_hdr == 59)) {
     u_int16_t ehdr_len, frag_offset;
 
@@ -7736,6 +7743,16 @@ int ndpi_handle_ipv6_extension_headers(u_int16_t l3len, const u_int8_t **l4ptr,
       }
       l3len -= 5;
 
+      if(ndpi_str) {
+        uint16_t offlg = ntohs(*(u_int16_t *)((*l4ptr) + 2));
+        if((offlg & 0xfff8) != 0 || (offlg & 0x0001) != 0) {
+          NDPI_LOG_DBG(ndpi_str, "IP(v6) fragment\n");
+
+          NDPI_DTRACE1(fragment_ipv6,
+                       ip6h /* IPV6 header */);
+        }
+      }
+
       *nxt_hdr = (*l4ptr)[0];
       frag_offset = ntohs(*(u_int16_t *)((*l4ptr) + 2)) >> 3;
       // Handle ipv6 fragments as the ipv4 ones: keep the first fragment, drop the others
@@ -7777,12 +7794,22 @@ int ndpi_handle_ipv6_extension_headers(u_int16_t l3len, const u_int8_t **l4ptr,
 /* ******************************************************************** */
 
 /* Used by dns.c */
-u_int8_t iph_is_valid_and_not_fragmented(const struct ndpi_iphdr *iph, const u_int16_t ipsize) {
+u_int8_t iph_is_valid_and_not_fragmented(struct ndpi_detection_module_struct *ndpi_str,
+                                         const struct ndpi_iphdr *iph, const u_int16_t ipsize) {
   /*
     returned value:
     0: fragmented
     1: not fragmented
   */
+
+  if((ntohs(iph->frag_off) & 0x2000) ||
+     (ntohs(iph->frag_off) & 0x1fff)) {
+    NDPI_LOG_DBG(ndpi_str, "IP(v4) fragment\n");
+
+    NDPI_DTRACE1(fragment_ipv4,
+                 iph /* IPV4 header */);
+  }
+
   //#ifdef REQUIRE_FULL_PACKETS
 
   if(iph->protocol == IPPROTO_UDP) {
@@ -7844,7 +7871,7 @@ static u_int8_t ndpi_detection_get_l4_internal(struct ndpi_detection_module_stru
   }
 
   /* 0: fragmented; 1: not fragmented */
-  if(iph != NULL && iph_is_valid_and_not_fragmented(iph, l3_len)) {
+  if(iph != NULL && iph_is_valid_and_not_fragmented(ndpi_str, iph, l3_len)) {
     u_int16_t len = ndpi_min(ntohs(iph->tot_len), l3_len);
     u_int16_t hlen = (iph->ihl * 4);
 
@@ -7863,7 +7890,7 @@ static u_int8_t ndpi_detection_get_l4_internal(struct ndpi_detection_module_stru
     l4protocol = iph_v6->ip6_hdr.ip6_un1_nxt;
 
     // we need to handle IPv6 extension headers if present
-    if(ndpi_handle_ipv6_extension_headers(l3_len - sizeof(struct ndpi_ipv6hdr), &l4ptr, &l4len, &l4protocol) != 0) {
+    if(ndpi_handle_ipv6_extension_headers(ndpi_str, iph_v6, l3_len - sizeof(struct ndpi_ipv6hdr), &l4ptr, &l4len, &l4protocol) != 0) {
       return(1);
     }
 

src/lib/protocols/dns.c

@@ -926,7 +926,7 @@ static void search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct
 
       /* 0: fragmented; 1: not fragmented */
       if((flags & 0x20)
-	 || (iph_is_valid_and_not_fragmented(packet->iph, packet->l3_packet_len) == 0)) {
+	 || (iph_is_valid_and_not_fragmented(ndpi_struct, packet->iph, packet->l3_packet_len) == 0)) {
 	ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_FRAGMENTED, NULL);
       }
     } else if(packet->iphv6 != NULL) {