Improve IPv6 support, enabling IPv6 traffic on (almost) all dissector…

…s. (ntop#1380) There are no valid reasons for a (generic) protocol to ignore IPv6 traffic. Note that: * I have not found the specifications of "CheckPoint High Availability Protocol", so I don't know how/if it supports IPv6 * all LRU caches are still IPv4 only Even if src_id/dst_id stuff is probably useless (see ntop#1279), the right way to update the protocol classification is via `ndpi_set_detected_protocol()`
liuxingyuzm · Dec 4, 2021 · 7cba34a · 7cba34a
1 parent 6e86e6d
commit 7cba34a
Show file tree

Hide file tree

Showing 34 changed files with 76 additions and 59 deletions.
diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h
@@ -87,10 +87,6 @@ extern "C" {
   extern u_int16_t ndpi_check_for_email_address(struct ndpi_detection_module_struct *ndpi_struct,
 						struct ndpi_flow_struct *flow, u_int16_t counter);
 
-  extern void ndpi_int_change_protocol(struct ndpi_detection_module_struct *ndpi_struct,
-				       struct ndpi_flow_struct *flow,
-				       u_int16_t upper_detected_protocol,
-				       u_int16_t lower_detected_protocol);
   extern void ndpi_int_change_category(struct ndpi_detection_module_struct *ndpi_struct,
 				       struct ndpi_flow_struct *flow,
 				       ndpi_protocol_category_t protocol_category);

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -121,6 +121,8 @@ static void addDefaultPort(struct ndpi_detection_module_struct *ndpi_str, ndpi_p
 
 static int removeDefaultPort(ndpi_port_range *range, ndpi_proto_defaults_t *def, ndpi_default_ports_tree_node_t **root);
 static void ndpi_reset_packet_line_info(struct ndpi_packet_struct *packet);
+static void ndpi_int_change_protocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow,
+				     u_int16_t upper_detected_protocol, u_int16_t lower_detected_protocol);
 
 /* ****************************************** */
 
@@ -4959,7 +4961,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
       }
 
       *protocol_was_guessed = 1;
-      ndpi_int_change_protocol(ndpi_str, flow, guessed_host_protocol_id, guessed_protocol_id);
+      ndpi_set_detected_protocol(ndpi_str, flow, guessed_host_protocol_id, guessed_protocol_id);
     }
   }
 
@@ -6191,8 +6193,8 @@ void ndpi_int_change_flow_protocol(struct ndpi_detection_module_struct *ndpi_str
  * what it does is:
  * 1.update the flow protocol stack with the new protocol
  */
-void ndpi_int_change_protocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow,
-			      u_int16_t upper_detected_protocol, u_int16_t lower_detected_protocol) {
+static void ndpi_int_change_protocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow,
+				     u_int16_t upper_detected_protocol, u_int16_t lower_detected_protocol) {
   if((upper_detected_protocol == NDPI_PROTOCOL_UNKNOWN) && (lower_detected_protocol != NDPI_PROTOCOL_UNKNOWN))
     upper_detected_protocol = lower_detected_protocol;
 

diff --git a/src/lib/protocols/avast_securedns.c b/src/lib/protocols/avast_securedns.c
@@ -60,7 +60,7 @@ void init_avast_securedns_dissector(struct ndpi_detection_module_struct *ndpi_st
                                       ndpi_struct, detection_bitmask, *id,
                                       NDPI_PROTOCOL_AVAST_SECUREDNS,
                                       ndpi_search_avast_securedns,
-                                      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
                                       SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                       ADD_TO_DETECTION_BITMASK);
 

diff --git a/src/lib/protocols/ayiya.c b/src/lib/protocols/ayiya.c
@@ -77,7 +77,7 @@ void init_ayiya_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in
   ndpi_set_bitmask_protocol_detection("Ayiya", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_AYIYA,
 				      ndpi_search_ayiya,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 				      ADD_TO_DETECTION_BITMASK);
 

diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c
@@ -122,7 +122,7 @@ static void ndpi_add_connection_as_bittorrent(struct ndpi_detection_module_struc
   if(check_hash)
     ndpi_search_bittorrent_hash(ndpi_struct, flow, bt_offset);
 
-  ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_UNKNOWN);
+  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_UNKNOWN);
 
   if(flow->protos.bittorrent.hash[0] == '\0') {
     /* This is necessary to inform the core to call this dissector again */

diff --git a/src/lib/protocols/bjnp.c b/src/lib/protocols/bjnp.c
@@ -50,7 +50,7 @@ void init_bjnp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
   ndpi_set_bitmask_protocol_detection("BJNP", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_BJNP,
 				      ndpi_search_bjnp,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 				      ADD_TO_DETECTION_BITMASK);
   *id += 1;

diff --git a/src/lib/protocols/capwap.c b/src/lib/protocols/capwap.c
@@ -34,22 +34,41 @@ static void ndpi_int_capwap_add_connection(struct ndpi_detection_module_struct *
   ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CAPWAP, NDPI_PROTOCOL_UNKNOWN);
 }
 
+static int is_capwap_multicast(const struct ndpi_packet_struct *packet)
+{
+  /* RFC 5115 Sec 3.3
+     "The WTP MUST send the Discovery Request
+      message to either the limited broadcast IP address (255.255.255.255),
+      the well-known CAPWAP multicast address (224.0.1.140), or to the
+      unicast IP address of the AC.  For IPv6 networks, since broadcast
+      does not exist, the use of "All ACs multicast address" (FF0X:0:0:0:0:
+      0:0:18C) is used instead.
+  */
+  if(packet->iph) {
+    if((packet->iph->daddr == 0xFFFFFFFF) ||
+       (ntohl(packet->iph->daddr) == 0XE000018C))
+      return 1;
+  } else if(packet->iphv6) {
+    if(((ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0] & 0xFFF0FFFF) == 0xFF000000)) &&
+       (packet->iphv6->ip6_dst.u6_addr.u6_addr32[1] == 0) &&
+       (packet->iphv6->ip6_dst.u6_addr.u6_addr32[2] == 0) &&
+       (ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[3] == 0x0000018C)))
+      return 1;
+  }
+  return 0;
+}
+
 /* ************************************************** */
 
 static void ndpi_search_setup_capwap(struct ndpi_detection_module_struct *ndpi_struct,
 				     struct ndpi_flow_struct *flow) {
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
   u_int16_t sport, dport;
 
-  if(!packet->iph) {
-    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-    return;
-  }
-
   sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest);
 
   if((dport == NDPI_CAPWAP_CONTROL_PORT)
-     && (packet->iph->daddr == 0xFFFFFFFF)
+     && (is_capwap_multicast(packet))
      && (packet->payload_packet_len >= 16)
      && (packet->payload[0] == 0x0)
      && (packet->payload[8] == 6 /* Mac len */)
@@ -75,7 +94,7 @@ static void ndpi_search_setup_capwap(struct ndpi_detection_module_struct *ndpi_s
   }
 
   if(
-     (((dport == NDPI_CAPWAP_DATA_PORT) && (packet->iph->daddr != 0xFFFFFFFF)) || (sport == NDPI_CAPWAP_DATA_PORT))
+     (((dport == NDPI_CAPWAP_DATA_PORT) && (!is_capwap_multicast(packet))) || (sport == NDPI_CAPWAP_DATA_PORT))
      && (packet->payload_packet_len >= 16)
      && (packet->payload[0] == 0x0)
      ) {
@@ -117,7 +136,7 @@ void init_capwap_dissector(struct ndpi_detection_module_struct *ndpi_struct,
   ndpi_set_bitmask_protocol_detection("CAPWAP", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_CAPWAP,
 				      ndpi_search_capwap,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 				      ADD_TO_DETECTION_BITMASK);
 

diff --git a/src/lib/protocols/cpha.c b/src/lib/protocols/cpha.c
@@ -56,7 +56,7 @@ void init_cpha_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
   ndpi_set_bitmask_protocol_detection("CPHA", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_CPHA,
 				      ndpi_search_cpha,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD, /* TODO: ipv6 support? */
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 				      ADD_TO_DETECTION_BITMASK);
 

diff --git a/src/lib/protocols/csgo.c b/src/lib/protocols/csgo.c
@@ -134,7 +134,7 @@ void init_csgo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
   ndpi_set_bitmask_protocol_detection("CSGO", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_CSGO,
 				      ndpi_search_csgo,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 				      ADD_TO_DETECTION_BITMASK);
 

diff --git a/src/lib/protocols/directconnect.c b/src/lib/protocols/directconnect.c
@@ -166,7 +166,7 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
 	   src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) {
 	src->directconnect_last_safe_access_time = packet->current_time_ms;
 	NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(src->detected_directconnect_port));
-	ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN);
+	ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN);
 	return;
       } else {
 	src->detected_directconnect_port = 0;
@@ -180,7 +180,7 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
 	   src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) {
 	src->directconnect_last_safe_access_time = packet->current_time_ms;
 	NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(src->detected_directconnect_ssl_port));
-	ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN);
+	ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN);
 	return;
       } else {
 	src->detected_directconnect_ssl_port = 0;

diff --git a/src/lib/protocols/drda.c b/src/lib/protocols/drda.c
@@ -95,7 +95,7 @@ void init_drda_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
   ndpi_set_bitmask_protocol_detection("DRDA", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_DRDA,
 				      ndpi_search_drda,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_TCP_WITH_PAYLOAD,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 				      ADD_TO_DETECTION_BITMASK);
 

diff --git a/src/lib/protocols/dropbox.c b/src/lib/protocols/dropbox.c
@@ -86,7 +86,7 @@ void init_dropbox_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_
   ndpi_set_bitmask_protocol_detection("DROPBOX", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_DROPBOX,
 				      ndpi_search_dropbox,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 				      ADD_TO_DETECTION_BITMASK);
   *id += 1;

diff --git a/src/lib/protocols/genshin_impact.c b/src/lib/protocols/genshin_impact.c
@@ -65,7 +65,7 @@ void init_genshin_impact_dissector(struct ndpi_detection_module_struct *ndpi_str
                                       ndpi_struct, detection_bitmask, *id,
                                       NDPI_PROTOCOL_GENSHIN_IMPACT,
                                       ndpi_search_genshin_impact,
-                                      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
                                       SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                       ADD_TO_DETECTION_BITMASK);
 

diff --git a/src/lib/protocols/git.c b/src/lib/protocols/git.c
@@ -79,7 +79,7 @@ void init_git_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
   ndpi_set_bitmask_protocol_detection("Git", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_GIT,
 				      ndpi_search_git,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_TCP_WITH_PAYLOAD,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 				      ADD_TO_DETECTION_BITMASK);
 

diff --git a/src/lib/protocols/hpvirtgrp.c b/src/lib/protocols/hpvirtgrp.c
@@ -63,7 +63,7 @@ void init_hpvirtgrp_dissector(struct ndpi_detection_module_struct *ndpi_struct,
                                       ndpi_struct, detection_bitmask, *id,
                                       NDPI_PROTOCOL_HPVIRTGRP,
                                       ndpi_search_hpvirtgrp,
-                                      NDPI_SELECTION_BITMASK_PROTOCOL_TCP_WITH_PAYLOAD,
+                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                                       SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                       ADD_TO_DETECTION_BITMASK);
 

diff --git a/src/lib/protocols/lisp.c b/src/lib/protocols/lisp.c
@@ -78,7 +78,7 @@ void init_lisp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
   ndpi_set_bitmask_protocol_detection("LISP", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_LISP,
 				      ndpi_search_lisp,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 				      ADD_TO_DETECTION_BITMASK);
   *id += 1;

diff --git a/src/lib/protocols/megaco.c b/src/lib/protocols/megaco.c
@@ -54,7 +54,7 @@ void init_megaco_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
   ndpi_set_bitmask_protocol_detection("Megaco", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_MEGACO,
 				      ndpi_search_megaco,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 				      ADD_TO_DETECTION_BITMASK);
 

diff --git a/src/lib/protocols/mpegts.c b/src/lib/protocols/mpegts.c
@@ -56,7 +56,7 @@ void init_mpegts_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
   ndpi_set_bitmask_protocol_detection("MPEG_TS", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_MPEGTS,
 				      ndpi_search_mpegts,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 				      ADD_TO_DETECTION_BITMASK);
 

diff --git a/src/lib/protocols/netflow.c b/src/lib/protocols/netflow.c
@@ -186,7 +186,7 @@ void init_netflow_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_
   ndpi_set_bitmask_protocol_detection("NetFlow", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_NETFLOW,
 				      ndpi_search_netflow,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 				      ADD_TO_DETECTION_BITMASK);
 

diff --git a/src/lib/protocols/nintendo.c b/src/lib/protocols/nintendo.c
@@ -59,7 +59,7 @@ void init_nintendo_dissector(struct ndpi_detection_module_struct *ndpi_struct,
   ndpi_set_bitmask_protocol_detection("Nintendo", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_NINTENDO,
 				      ndpi_search_nintendo,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 				      ADD_TO_DETECTION_BITMASK);
   *id += 1;

diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
@@ -1342,7 +1342,7 @@ static void process_tls(struct ndpi_detection_module_struct *ndpi_struct,
   if(flow->protos.tls_quic.alpn &&
      strncmp(flow->protos.tls_quic.alpn, "doq", 3) == 0) {
     NDPI_LOG_DBG(ndpi_struct, "Found DOQ (ALPN: [%s])\n", flow->protos.tls_quic.alpn);
-    ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_QUIC);
+    ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_QUIC);
   }
 }
 static void process_chlo(struct ndpi_detection_module_struct *ndpi_struct,
@@ -1594,7 +1594,7 @@ static int ndpi_search_quic_extra(struct ndpi_detection_module_struct *ndpi_stru
       packet->payload[1] == 200 || /* RTCP, Sender Report */
       is_valid_rtp_payload_type(packet->payload[1] & 0x7F)) /* RTP */) {
     NDPI_LOG_DBG(ndpi_struct, "Found RTP/RTCP over QUIC\n");
-    ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SNAPCHAT_CALL, NDPI_PROTOCOL_QUIC);
+    ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SNAPCHAT_CALL, NDPI_PROTOCOL_QUIC);
   } else {
     /* Unexpected traffic pattern: we should investigate it... */
     NDPI_LOG_INFO(ndpi_struct, "To investigate...\n");

diff --git a/src/lib/protocols/radius.c b/src/lib/protocols/radius.c
@@ -74,7 +74,7 @@ void init_radius_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
   ndpi_set_bitmask_protocol_detection("Radius", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_RADIUS,
 				      ndpi_search_radius,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 				      ADD_TO_DETECTION_BITMASK);
 

diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
@@ -403,7 +403,7 @@ void init_rtp_dissector(struct ndpi_detection_module_struct *ndpi_struct,
   ndpi_set_bitmask_protocol_detection("RTP", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_RTP,
 				      ndpi_search_rtp,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 				      ADD_TO_DETECTION_BITMASK);
 

diff --git a/src/lib/protocols/rx.c b/src/lib/protocols/rx.c
@@ -221,7 +221,7 @@ void init_rx_dissector(struct ndpi_detection_module_struct *ndpi_struct,
   ndpi_set_bitmask_protocol_detection("RX", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_RX,
 				      ndpi_search_rx,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 				      ADD_TO_DETECTION_BITMASK);
 

diff --git a/src/lib/protocols/sflow.c b/src/lib/protocols/sflow.c
@@ -50,7 +50,7 @@ void init_sflow_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in
   ndpi_set_bitmask_protocol_detection("sFlow", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_SFLOW,
 				      ndpi_search_sflow,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 				      ADD_TO_DETECTION_BITMASK);
 

diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
@@ -221,7 +221,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
     printf("[STUN] Here we go\n");;
 #endif
 
-  if(ndpi_struct->stun_cache) {
+  if(ndpi_struct->stun_cache && packet->iph) { /* TODO: ipv6 */
     u_int16_t proto;
     u_int32_t key = get_stun_lru_key(packet, 0);
     int rc = ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &proto,
@@ -471,10 +471,12 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
   printf("==>> NDPI_PROTOCOL_WHATSAPP_CALL\n");
 #endif
 
-  if(is_messenger_ip_address(ntohl(packet->iph->saddr)) || is_messenger_ip_address(ntohl(packet->iph->daddr)))      
-    flow->guessed_host_protocol_id = NDPI_PROTOCOL_MESSENGER;
-  else if(is_google_ip_address(ntohl(packet->iph->saddr)) || is_google_ip_address(ntohl(packet->iph->daddr)))
-    flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
+  if(packet->iph) { /* TODO: ipv6 */
+    if(is_messenger_ip_address(ntohl(packet->iph->saddr)) || is_messenger_ip_address(ntohl(packet->iph->daddr)))
+      flow->guessed_host_protocol_id = NDPI_PROTOCOL_MESSENGER;
+    else if(is_google_ip_address(ntohl(packet->iph->saddr)) || is_google_ip_address(ntohl(packet->iph->daddr)))
+      flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
+  }
 
   rc = (flow->stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN;
 
@@ -543,7 +545,7 @@ void init_stun_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
   ndpi_set_bitmask_protocol_detection("STUN", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_STUN,
 				      ndpi_search_stun,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 				      ADD_TO_DETECTION_BITMASK);
 

diff --git a/src/lib/protocols/teredo.c b/src/lib/protocols/teredo.c
@@ -36,7 +36,7 @@ void ndpi_search_teredo(struct ndpi_detection_module_struct *ndpi_struct, struct
      && ((ntohs(packet->udp->source) == 3544) || (ntohs(packet->udp->dest) == 3544))
      && (packet->payload_packet_len >= 40 /* IPv6 header */)) {
     NDPI_LOG_INFO(ndpi_struct,"found teredo\n");
-    ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TEREDO, NDPI_PROTOCOL_UNKNOWN);
+    ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TEREDO, NDPI_PROTOCOL_UNKNOWN);
   }  else {
     NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
   }
@@ -48,6 +48,7 @@ void init_teredo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
   ndpi_set_bitmask_protocol_detection("TEREDO", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_TEREDO,
 				      ndpi_search_teredo,
+				      /* Teredo is inherently IPV4 only */
 				      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 				      ADD_TO_DETECTION_BITMASK);