authorToni Uhlig <matzeton@googlemail.com>2021-07-21 03:13:54 +0200
committerToni Uhlig <matzeton@googlemail.com>2021-07-21 17:38:54 +0200
commit615478be3e8d4d4e22f624fc33b60d1a79e9271b (patch)
tree1e69162bf6086e10d7d42e9d047085d56c10c580
parent32275543c421eae55fd98a5a98e00059a0407953 (diff)
Implemented function to retrieve flow information. #1253add/get-flow-info-apifn
* fixed [h]euristic typo Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r--example/ndpiReader.c10
-rw-r--r--example/ndpiSimpleIntegration.c39
-rw-r--r--example/reader_util.c2
-rw-r--r--example/reader_util.h2
-rw-r--r--src/include/ndpi_api.h.in6
-rw-r--r--src/include/ndpi_typedefs.h6
-rw-r--r--src/lib/ndpi_utils.c35
-rw-r--r--src/lib/protocols/tls.c26
8 files changed, 91 insertions, 35 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 99b24874b..b44346506 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -61,7 +61,7 @@
#define ntohl64(x) ( ( (uint64_t)(ntohl( (uint32_t)((x << 32) >> 32) )) << 32) | ntohl( ((uint32_t)(x >> 32)) ) )
#define htonl64(x) ntohl64(x)
-#define EURISTICS_CODE 1
+#define HEURISTICS_CODE 1
/** Client parameters **/
@@ -1484,10 +1484,10 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
}
}
-#ifdef EURISTICS_CODE
- if(flow->ssh_tls.browser_euristics.is_safari_tls) fprintf(out, "[Safari]");
- if(flow->ssh_tls.browser_euristics.is_firefox_tls) fprintf(out, "[Firefox]");
- if(flow->ssh_tls.browser_euristics.is_chrome_tls) fprintf(out, "[Chrome]");
+#ifdef HEURISTICS_CODE
+ if(flow->ssh_tls.browser_heuristics.is_safari_tls) fprintf(out, "[Safari]");
+ if(flow->ssh_tls.browser_heuristics.is_firefox_tls) fprintf(out, "[Firefox]");
+ if(flow->ssh_tls.browser_heuristics.is_chrome_tls) fprintf(out, "[Chrome]");
#endif
if(flow->ssh_tls.notBefore && flow->ssh_tls.notAfter) {
diff --git a/example/ndpiSimpleIntegration.c b/example/ndpiSimpleIntegration.c
index dd679125c..42784697a 100644
--- a/example/ndpiSimpleIntegration.c
+++ b/example/ndpiSimpleIntegration.c
@@ -65,7 +65,8 @@ struct nDPI_flow_info {
uint8_t detection_completed:1;
uint8_t tls_client_hello_seen:1;
uint8_t tls_server_hello_seen:1;
- uint8_t reserved_00:2;
+ uint8_t flow_info_printed:1;
+ uint8_t reserved_00:1;
uint8_t l4_protocol;
struct ndpi_proto detected_l7_protocol;
@@ -857,10 +858,12 @@ static void ndpi_process_packet(uint8_t * const args,
flow_to_process->detection_completed == 0)
{
if (flow_to_process->detected_l7_protocol.master_protocol != NDPI_PROTOCOL_UNKNOWN ||
- flow_to_process->detected_l7_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN) {
- flow_to_process->detection_completed = 1;
- workflow->detected_flow_protocols++;
- printf("[%8llu, %d, %4d][DETECTED] protocol: %s | app protocol: %s | category: %s\n",
+ flow_to_process->detected_l7_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN)
+ {
+ flow_to_process->detection_completed = 1;
+ workflow->detected_flow_protocols++;
+
+ printf("[%8llu, %d, %4d][DETECTED] protocol: %s | app protocol: %s | category: %s\n",
workflow->packets_captured,
reader_thread->array_index,
flow_to_process->flow_id,
@@ -885,6 +888,20 @@ static void ndpi_process_packet(uint8_t * const args,
* EoE - End of Example
*/
+ if (flow_to_process->flow_info_printed == 0)
+ {
+ char const * const flow_info = ndpi_get_flow_info(flow_to_process->ndpi_flow, &flow_to_process->detected_l7_protocol);
+ if (flow_info != NULL)
+ {
+ printf("[%8llu, %d, %4d] info: %s\n",
+ workflow->packets_captured,
+ reader_thread->array_index,
+ flow_to_process->flow_id,
+ flow_info);
+ flow_to_process->flow_info_printed = 1;
+ }
+ }
+
if (flow_to_process->detected_l7_protocol.master_protocol == NDPI_PROTOCOL_TLS ||
flow_to_process->detected_l7_protocol.app_protocol == NDPI_PROTOCOL_TLS)
{
@@ -916,8 +933,10 @@ static void ndpi_process_packet(uint8_t * const args,
ndpi_ssl_version2str(flow_to_process->ndpi_flow,
flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.ssl_version,
&unknown_tls_version),
- flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.server_names_len,
- flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.server_names,
+ (flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.server_names_len == 0 ?
+ 1 : flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.server_names_len),
+ (flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.server_names == NULL ?
+ "-" : flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.server_names),
(flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.issuerDN != NULL ?
flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.issuerDN : "-"),
(flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.subjectDN != NULL ?
@@ -957,7 +976,7 @@ static void * processing_thread(void * const ndpi_thread_arg)
struct nDPI_reader_thread const * const reader_thread =
(struct nDPI_reader_thread *)ndpi_thread_arg;
- printf("Starting ThreadID %d\n", reader_thread->array_index);
+ printf("Starting Thread %d\n", reader_thread->array_index);
run_pcap_loop(reader_thread);
reader_thread->workflow->error_or_eof = 1;
return NULL;
@@ -1089,9 +1108,11 @@ int main(int argc, char ** argv)
"----------------------------------\n"
"nDPI version: %s\n"
" API version: %u\n"
+ "libgcrypt...: %s\n"
"----------------------------------\n",
argv[0],
- ndpi_revision(), ndpi_get_api_version());
+ ndpi_revision(), ndpi_get_api_version(),
+ (ndpi_get_gcrypt_version() == NULL ? "-" : ndpi_get_gcrypt_version()));
if (setup_reader_threads((argc >= 2 ? argv[1] : NULL)) != 0) {
fprintf(stderr, "%s: setup_reader_threads failed\n", argv[0]);
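Review bot: The `flow_info != NULL` test in the new flow-info block does not cover an empty name: for DNS/HTTP the helper in ndpi_utils.c returns `(char const *)flow->host_server_name`, which looks like an in-struct array and so is never NULL, meaning a flow whose host name has not been parsed yet prints `info: ` and sets `flow_info_printed`, suppressing the later, populated value. Consider `if (flow_info != NULL && flow_info[0] != '\0')` (or have the helper return NULL for an empty name). In the `main` hunk, `ndpi_get_gcrypt_version()` is called twice inside the ternary; storing it once in a local reads cleaner. `ndpi_process_packet` begins and ends outside these hunks.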
diff --git a/example/reader_util.c b/example/reader_util.c
index 89a3fcfff..b67a45092 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1176,7 +1176,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
flow->ssh_tls.sha1_cert_fingerprint_set = 1;
}
- flow->ssh_tls.browser_euristics = flow->ndpi_flow->protos.tls_quic_stun.tls_quic.browser_euristics;
+ flow->ssh_tls.browser_heuristics = flow->ndpi_flow->protos.tls_quic_stun.tls_quic.browser_heuristics;
if(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.alpn) {
if((flow->ssh_tls.tls_alpn = ndpi_strdup(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.alpn)) != NULL)
diff --git a/example/reader_util.h b/example/reader_util.h
index 28ea6029e..0c584b378 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -211,7 +211,7 @@ typedef struct ndpi_flow_info {
ja3_client[33], ja3_server[33],
sha1_cert_fingerprint[20];
u_int8_t sha1_cert_fingerprint_set;
- struct tls_euristics browser_euristics;
+ struct tls_heuristics browser_heuristics;
struct {
u_int16_t cipher_suite;
diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in
index df545a165..8cbbfc9e6 100644
--- a/src/include/ndpi_api.h.in
+++ b/src/include/ndpi_api.h.in
@@ -941,9 +941,6 @@ extern "C" {
void set_ndpi_flow_free(void (*__ndpi_flow_free)(void *ptr));
void set_ndpi_debug_function(struct ndpi_detection_module_struct *ndpi_str,
ndpi_debug_function_ptr ndpi_debug_printf);
- //void * ndpi_malloc(size_t size);
- //void * ndpi_calloc(unsigned long count, size_t size);
- //void ndpi_free(void *ptr);
u_int16_t ndpi_get_api_version(void);
const char *ndpi_get_gcrypt_version(void);
@@ -964,6 +961,9 @@ extern "C" {
char *buffer, u_int buffer_size,
u_int8_t min_string_match_len, /* Will return 0 if no string > min_string_match_len have been found */
char *outbuf, u_int outbuf_len);
+ /* Return a flow info string (summarized). Does only work for DNS/HTTP/TLS/QUIC. */
+ const char* ndpi_get_flow_info(struct ndpi_flow_struct const * const flow,
+ ndpi_protocol const * const l7_protocol);
char* ndpi_ssl_version2str(struct ndpi_flow_struct *flow,
u_int16_t version, u_int8_t *unknown_tls_version);
int ndpi_netbios_name_interpret(u_char *in, u_int in_len, u_char *out, u_int out_len);
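Review bot: The comment on the new `ndpi_get_flow_info` prototype states which protocols are supported but not the ownership or lifetime of the returned string, which from ndpi_utils.c is a pointer into `flow` itself (host name or client-requested SNI). Replace it with something like `/* Return a summarized flow info string (host name / SNI); only for DNS/HTTP/TLS/QUIC. The pointer refers into the flow: do not free it and do not use it after the flow is freed. Returns NULL if no info is available. */`. It is also worth stating that the result may be an empty string for DNS/HTTP flows whose host name is not yet known, unless the implementation is changed to return NULL in that case.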
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index aeac33b30..f2a40db0a 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1242,9 +1242,9 @@ typedef enum {
#define MAX_NUM_TLS_SIGNATURE_ALGORITHMS 16
-struct tls_euristics {
+struct tls_heuristics {
/*
- TLS euristics for detecting browsers usage
+ TLS heuristics for detecting browsers usage
NOTE: expect false positives
*/
u_int8_t is_safari_tls:1, is_firefox_tls:1, is_chrome_tls:1, notused:5;
@@ -1361,7 +1361,7 @@ struct ndpi_flow_struct {
u_int16_t client_signature_algorithms[MAX_NUM_TLS_SIGNATURE_ALGORITHMS];
#endif
- struct tls_euristics browser_euristics;
+ struct tls_heuristics browser_heuristics;
struct {
u_int16_t cipher_suite;
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 87b2b3e8a..43eacefb1 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -846,6 +846,41 @@ int ndpi_has_human_readeable_string(struct ndpi_detection_module_struct *ndpi_st
/* ********************************** */
+static const char* ndpi_get_flow_info_by_proto_id(struct ndpi_flow_struct const * const flow,
+ u_int16_t proto_id)
+{
+ switch (proto_id)
+ {
+ case NDPI_PROTOCOL_DNS:
+ case NDPI_PROTOCOL_HTTP:
+ return (char const *)flow->host_server_name;
+ case NDPI_PROTOCOL_QUIC:
+ case NDPI_PROTOCOL_TLS:
+ if (flow->l4.tcp.tls.hello_processed != 0)
+ {
+ return flow->protos.tls_quic_stun.tls_quic.client_requested_server_name;
+ }
+ break;
+ }
+
+ return NULL;
+}
+
+const char* ndpi_get_flow_info(struct ndpi_flow_struct const * const flow,
+ ndpi_protocol const * const l7_protocol)
+{
+ char const * const app_protocol_info = ndpi_get_flow_info_by_proto_id(flow, l7_protocol->app_protocol);
+
+ if (app_protocol_info != NULL)
+ {
+ return app_protocol_info;
+ }
+
+ return ndpi_get_flow_info_by_proto_id(flow, l7_protocol->master_protocol);
+}
+
+/* ********************************** */
+
char* ndpi_ssl_version2str(struct ndpi_flow_struct *flow,
u_int16_t version, u_int8_t *unknown_tls_version) {
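Review bot: `ndpi_get_flow_info_by_proto_id` returns `(char const *)flow->host_server_name` for DNS/HTTP without checking whether it holds anything, so if that field is an in-struct array (the cast suggests so) callers receive an empty string rather than the NULL the function otherwise uses for "no info", and a NULL-only check upstream cannot tell the two apart; `return flow->host_server_name[0] != '\0' ? (char const *)flow->host_server_name : NULL;` would keep the contract uniform. The QUIC case reads `flow->l4.tcp.tls.hello_processed`; if `l4` is a tcp/udp union as the path suggests, this consults TCP-side state for a UDP protocol, so it is worth confirming that the QUIC parser sets the same flag. The `switch` lacks a `default:` branch, and `ndpi_get_flow_info` dereferences `flow` and `l7_protocol` unchecked although it is a public entry point.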
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index b0730a1c3..752c4b780 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1593,12 +1593,12 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
this is time consuming and we want to avoid overhead whem possible
*/
if(this_is_not_safari)
- flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 0;
+ flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 0;
else if((safari_ciphers == 12) || (this_is_not_safari && looks_like_safari_on_big_sur))
- flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 1;
+ flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 1;
if(chrome_ciphers == 13)
- flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls = 1;
+ flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 1;
/* Note that both Safari and Chrome can overlap */
#ifdef DEBUG_HEURISTIC
@@ -1865,7 +1865,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
#endif
switch(signature_algo) {
case ECDSA_SECP521R1_SHA512:
- flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_firefox_tls = 1;
+ flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_firefox_tls = 1;
break;
case ECDSA_SECP256R1_SHA256:
@@ -1891,23 +1891,23 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
safari_signature_algorithms, chrome_signature_algorithms);
#endif
- if(flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_firefox_tls)
- flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 0,
- flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls = 0;
+ if(flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_firefox_tls)
+ flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 0,
+ flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 0;
if(safari_signature_algorithms != 8)
- flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 0;
+ flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 0;
if((chrome_signature_algorithms != 8) || duplicate_found)
- flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls = 0;
+ flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 0;
/* Avoid Chrome and Safari overlaps, thing that cannot happen with Firefox */
- if(flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls)
- flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls = 0;
+ if(flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls)
+ flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 0;
- if((flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls == 0)
+ if((flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls == 0)
&& duplicate_found)
- flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 1; /* Safari */
+ flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 1; /* Safari */
#ifdef DEBUG_HEURISTIC
printf("[SIGNATURE] [is_firefox_tls: %u][is_chrome_tls: %u][is_safari_tls: %u][duplicate_found: %u]\n",