From f1c62ca720e1cd9697f7b56314f7040ec21df540 Mon Sep 17 00:00:00 2001
From: Luca Deri
Date: Fri, 17 Jan 2025 18:31:00 +0100
Subject: [PATCH] Improved DICOM detection

---
 src/lib/protocols/dicom.c | 33 ++++++++++++++-------------------
 1 file changed, 14 insertions(+), 19 deletions(-)

diff --git a/src/lib/protocols/dicom.c b/src/lib/protocols/dicom.c
index d8abf9ed95d..18354258f01 100644
--- a/src/lib/protocols/dicom.c
+++ b/src/lib/protocols/dicom.c
@@ -34,29 +34,24 @@ PACK_ON struct dicom_header {
 static void ndpi_search_dicom(struct ndpi_detection_module_struct *ndpi_struct,
 struct ndpi_flow_struct *flow) {
 struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- u_int16_t dicom_port = ntohs(104);
 
 NDPI_LOG_DBG(ndpi_struct, "search DICOM\n");
 
 if(packet->iph && (packet->payload_packet_len > sizeof(struct dicom_header))) {
- if(packet->tcp->dest == dicom_port) {
- struct dicom_header *h = (struct dicom_header*)packet->payload;
-
- if((h->pdu_type == 0x01 /* A-ASSOCIATE */)
- && (h->pad == 0x0)
- && (packet->payload_packet_len <= (ntohl(h->pdu_len)+6))
- && (packet->payload_packet_len > 9)
- && (packet->payload[6] == 0x0) && (packet->payload[7] == 0x1) /* Protocol Version */
- && (packet->payload[8] == 0x0) && (packet->payload[9] == 0x0) /* Pad */
-
- ) {
- ndpi_set_detected_protocol(ndpi_struct, flow,
- NDPI_PROTOCOL_DICOM,
- NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
- } else
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- } else if(packet->tcp->dest != dicom_port)
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow); /* At least one port must be the DICOM port */
+ struct dicom_header *h = (struct dicom_header*)packet->payload;
+
+ if((h->pdu_type == 0x01 /* A-ASSOCIATE */)
+ && (h->pad == 0x0)
+ && (packet->payload_packet_len <= (ntohl(h->pdu_len)+6))
+ && (packet->payload_packet_len > 9)
+ && (packet->payload[6] == 0x0) && (packet->payload[7] == 0x1) /* Protocol Version */
+ && (packet->payload[8] == 0x0) && (packet->payload[9] == 0x0) /* Pad */
+ ) {
+ ndpi_set_detected_protocol(ndpi_struct, flow,
+ NDPI_PROTOCOL_DICOM,
+ NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ } else
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 } else
 NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 }
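Review bot: With the port-104 gate removed, the added `if((h->pdu_type == 0x01 ...` condition in ndpi_search_dicom labels a flow as DICOM at NDPI_CONFIDENCE_DPI on six constant bytes plus a one-sided length bound, so unrelated binary traffic that starts with `01 00` is more likely to be misclassified, and any policy keyed on the DICOM label inherits that. The fixed part of an A-ASSOCIATE-RQ PDU (called and calling AE titles followed by 32 reserved bytes) is 74 bytes in DICOM PS3.8, so the test can be tightened by replacing `&& (packet->payload_packet_len > 9)` with `&& (packet->payload_packet_len >= 74)`, which still guards the reads of `payload[6]` to `payload[9]`. The bound `ntohl(h->pdu_len)+6` appears to be evaluated in 32-bit unsigned arithmetic and wraps for lengths near 0xFFFFFFFF; that only leads to an exclusion, but a short comment such as `/* +6: PDU header; wraps only for absurd lengths, which then fail the test */` would save the next reader the analysis. The function no longer reads `packet->tcp`, and whether this dissector is registered for TCP payloads only is not visible in the hunk, so that is worth confirming now that the payload match is the sole criterion.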