Permalink
Browse files

Added Modbus over TCP dissector

  • Loading branch information...
lucaderi committed Dec 21, 2018
1 parent 91da00f commit 5241c9f3cfefd8da67c2e07de1864ac956f9788d
@@ -78,8 +78,8 @@ typedef enum {
NDPI_PROTOCOL_SMBV23 = 41, /* SMB version 2/3 */
NDPI_PROTOCOL_MINING = 42, /* Bitcoin, Ethereum, ZCash, Monero */
NDPI_PROTOCOL_NEST_LOG_SINK = 43, /* Nest Log Sink (Nest Protect) - Darryl Sokoloski <darryl@egloo.ca> */

NDPI_PROTOCOL_FREE_44 = 44, /* Free */
NDPI_PROTOCOL_MODBUS = 44, /* Modbus */

NDPI_PROTOCOL_FREE_45 = 45, /* Free */
NDPI_PROTOCOL_FREE_46 = 46, /* Free */

@@ -363,4 +363,5 @@ void init_fbzero_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
void init_memcached_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_nest_log_sink_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_ookla_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_modbus_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
#endif /* __NDPI_PROTOCOLS_H__ */
@@ -1238,11 +1238,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, "NestLogSink", NDPI_PROTOCOL_CATEGORY_CLOUD,
ndpi_build_default_ports(ports_a, 11095, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_FREE_44,
0 /* can_have_a_subprotocol */, no_master,
no_master, "Free", NDPI_PROTOCOL_CATEGORY_CUSTOM_1 /* dummy */,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MODBUS,
1 /* no subprotocol */, no_master,
no_master, "Modbus", NDPI_PROTOCOL_CATEGORY_NETWORK, /* Perhaps IoT in the future */
ndpi_build_default_ports(ports_a, 502, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_FREE_45,
0 /* can_have_a_subprotocol */, no_master,
no_master, "Free", NDPI_PROTOCOL_CATEGORY_CUSTOM_1 /* dummy */,
@@ -1699,7 +1699,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
0 /* can_have_a_subprotocol */, no_master,
no_master, "UPnP", NDPI_PROTOCOL_CATEGORY_NETWORK,
ndpi_build_default_ports(ports_a, 1780, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 1900, 0, 0, 0, 0) /* UDP */); /* Missing dissector: port based only */
ndpi_build_default_ports(ports_b, 1900, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TELEGRAM,
0 /* can_have_a_subprotocol */, no_master,
no_master, "Telegram", NDPI_PROTOCOL_CATEGORY_CHAT,
@@ -3285,6 +3285,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
/* NINTENDO */
init_nintendo_dissector(ndpi_struct, &a, detection_bitmask);

/* MODBUS */
init_modbus_dissector(ndpi_struct, &a, detection_bitmask);

/*** Put false-positive sensitive protocols at the end ***/

/* SKYPE */
@@ -4325,7 +4328,7 @@ int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_str
if(ndpi_struct->custom_categories.categories_loaded) {
prefix_t prefix;
patricia_node_t *node;

/* Make sure all in network byte order otherwise compares wont work */
fill_prefix_v4(&prefix, (struct in_addr *)&iph->saddr,
32, ((patricia_tree_t*)ndpi_struct->protocols_ptree)->maxbits);
@@ -0,0 +1,72 @@

/*
* modbus.c
*
* Copyright (C) 2018 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* nDPI is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with nDPI. If not, see <http://www.gnu.org/licenses/>.
*
*/


#include "ndpi_protocol_ids.h"
#include "ndpi_api.h"

#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MODBUS

void ndpi_search_modbus_tcp(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
NDPI_LOG_DBG(ndpi_struct, "search Modbus\n");
u_int16_t modbus_port = htons(502); // port used by modbus

/* Check connection over TCP */

if(packet->tcp) {
/* The payload of Modbus-TCP segment must be at least 8 bytes (7 bytes of header application
packet plus 1 byte of minimum payload of application packet)
*/
if((packet->payload_packet_len >= 8)
&&((packet->tcp->dest == modbus_port) || (packet->tcp->source == modbus_port))) {
// Modbus uses the port 502
u_int16_t modbus_len = htons(*((u_int16_t*)&packet->payload[4]));

// the fourth parameter of the payload is the length of the segment
if((modbus_len-1) == (packet->payload_packet_len - 7 /* ModbusTCP header len */)) {
NDPI_LOG_INFO(ndpi_struct, "found MODBUS\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MODBUS, NDPI_PROTOCOL_UNKNOWN);
return;
}
}
}
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);

}



void init_modbus_dissector(struct ndpi_detection_module_struct *ndpi_struct,
u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) {

ndpi_set_bitmask_protocol_detection("Modbus", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_MODBUS,
ndpi_search_modbus_tcp,
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
*id += 1;
}
BIN +8.14 KB tests/pcap/modbus.pcap
Binary file not shown.
@@ -0,0 +1,3 @@
Modbus 102 6681 1

1 TCP 192.168.110.131:2074 <-> 192.168.110.138:502 [proto: 44/Modbus][cat: Network/14][51 pkts/3366 bytes <-> 51 pkts/3315 bytes]

0 comments on commit 5241c9f

Please sign in to comment.