author | Luca <deri@ntop.org> | 2019-08-29 13:40:44 +0200 |
---|---|---|
committer | Luca <deri@ntop.org> | 2019-08-29 13:40:44 +0200 |
commit | 9a6f6d9fe429e1de4316b324a459db345dccfcbb (patch) | |
tree | d1f6209314676e4e3206e435723ba11312ab9785 | |
parent | e4e40e3c70e2cd49fd537a526fa70805c8c391c5 (diff) |
Implemented IAT (Inter Arrival Time) stats
-rw-r--r-- | example/ndpiReader.c | 25 | ||||
-rw-r--r-- | example/reader_util.c | 49 | ||||
-rw-r--r-- | example/reader_util.h | 4 | ||||
-rw-r--r-- | src/include/ndpi_api.h | 3 | ||||
-rw-r--r-- | src/lib/ndpi_analyze.c | 19 |
5 files changed, 71 insertions, 29 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 30eda2532..f679d9a46 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -943,7 +943,7 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa json_object *jObj; #endif FILE *out = results_file ? results_file : stdout; - + if((verbose != 1) && (verbose != 2)) return; @@ -997,19 +997,18 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa if(flow->info[0] != '\0') fprintf(out, "[%s]", flow->info); - if(flow->pktlen_c_to_s && flow->pktlen_s_to_c) { - fprintf(out, "[pktlen c2s avg(stddev)/entropy: %.1f(%.1f)/%.1f]", - ndpi_data_entropy(flow->pktlen_c_to_s), - ndpi_data_average(flow->pktlen_c_to_s), - ndpi_data_stddev(flow->pktlen_c_to_s)); - - fprintf(out, "[pktlen s2c avg(stddev)/entropy: %.1f(%.1f)/%.1f]", - ndpi_data_entropy(flow->pktlen_s_to_c), - ndpi_data_average(flow->pktlen_s_to_c), - ndpi_data_stddev(flow->pktlen_s_to_c)); + if((flow->src2dst_packets+flow->dst2src_packets) > 5) { + if(flow->iat_c_to_s && flow->iat_s_to_c) { + float data_ratio = ndpi_data_ratio(flow->src2dst_bytes, flow->dst2src_bytes); + fprintf(out, "[bytes ratio: %.3f (%s)]", data_ratio, ndpi_data_ratio2str(data_ratio)); + + /* IAT (Inter Arrival Time) */ + fprintf(out, "[IAT c2s/s2c avg/stddev/entropy: %.1f/%.1f %.1f/%.1f %.1f/%.1f]", + ndpi_data_average(flow->iat_c_to_s), ndpi_data_average(flow->iat_s_to_c), + ndpi_data_stddev(flow->iat_c_to_s), ndpi_data_stddev(flow->iat_s_to_c), + ndpi_data_entropy(flow->iat_c_to_s), ndpi_data_entropy(flow->iat_s_to_c)); + } } - - fprintf(out, "[bytes ratio: %.2f]", ndpi_data_ratio(flow->src2dst_bytes, flow->dst2src_bytes)); if(flow->ssh_tls.ssl_version != 0) fprintf(out, "[%s]", ndpi_ssl_version2str(flow->ssh_tls.ssl_version)); if(flow->ssh_tls.client_info[0] != '\0') fprintf(out, "[client: %s]", flow->ssh_tls.client_info); diff --git a/example/reader_util.c b/example/reader_util.c index 9db5ccb82..136d7ea5b 100644 
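Review bot: The `> 5` threshold on the new `if((flow->src2dst_packets+flow->dst2src_packets) > 5)` line is an unexplained magic number that now decides whether both the bytes ratio and the IAT figures are printed at all. A named constant would record why short flows are skipped, e.g. `#define MIN_PKTS_FOR_FLOW_STATS 5 /* ratio/IAT figures are noise on shorter flows */` near the top of the file and `if((flow->src2dst_packets+flow->dst2src_packets) > MIN_PKTS_FOR_FLOW_STATS) {` here. The six arguments of the IAT fprintf are ordered avg/avg, stddev/stddev, entropy/entropy, which matches the "c2s/s2c avg/stddev/entropy" label, so that part reads fine. The enclosing printFlow() starts before the hunk.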
--- a/example/reader_util.c +++ b/example/reader_util.c @@ -399,11 +399,11 @@ void ndpi_flow_info_freer(void *node) { ndpi_free_flow_info_half(flow); - if(flow->pktlen_c_to_s) - ndpi_free_data_analysis(flow->pktlen_c_to_s); + if(flow->iat_c_to_s) + ndpi_free_data_analysis(flow->iat_c_to_s); - if(flow->pktlen_s_to_c) - ndpi_free_data_analysis(flow->pktlen_s_to_c); + if(flow->iat_s_to_c) + ndpi_free_data_analysis(flow->iat_s_to_c); ndpi_free(flow); } @@ -459,6 +459,8 @@ int ndpi_workflow_node_cmp(const void *a, const void *b) { return(0); /* notreached */ } +/* ***************************************************** */ + /** * \brief Update the byte count for the flow record. * \param f Flow data @@ -502,6 +504,8 @@ ndpi_flow_update_byte_count(struct ndpi_flow_info *flow, const void *x, } } +/* ***************************************************** */ + /** * \brief Update the byte distribution mean for the flow record. * \param f Flow record @@ -531,9 +535,10 @@ ndpi_flow_update_byte_dist_mean_var(ndpi_flow_info_t *flow, const void *x, } } -float -ndpi_flow_get_byte_count_entropy(const uint32_t byte_count[256], - unsigned int num_bytes) +/* ***************************************************** */ + +float ndpi_flow_get_byte_count_entropy(const uint32_t byte_count[256], + unsigned int num_bytes) { int i; float tmp, sum = 0.0; 
@@ -703,8 +708,8 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow newflow->src_ip = iph->saddr, newflow->dst_ip = iph->daddr; newflow->src_port = htons(*sport), newflow->dst_port = htons(*dport); newflow->ip_version = version; - newflow->pktlen_c_to_s = ndpi_init_data_analysis(DATA_ANALUYSIS_SLIDING_WINDOW), - newflow->pktlen_s_to_c = ndpi_init_data_analysis(DATA_ANALUYSIS_SLIDING_WINDOW); + newflow->iat_c_to_s = ndpi_init_data_analysis(DATA_ANALUYSIS_SLIDING_WINDOW), + newflow->iat_s_to_c = ndpi_init_data_analysis(DATA_ANALUYSIS_SLIDING_WINDOW); if(version == IPVERSION) { inet_ntop(AF_INET, &newflow->src_ip, newflow->src_name, sizeof(newflow->src_name)); 
@@ -981,19 +986,41 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, &payload, &payload_len, &src_to_dst_direction, when); if(flow != NULL) { + struct timeval tdiff; + workflow->stats.ip_packet_count++; workflow->stats.total_wire_bytes += rawsize + 24 /* CRC etc */, workflow->stats.total_ip_bytes += rawsize; ndpi_flow = flow->ndpi_flow; if(src_to_dst_direction) { + if(flow->src2dst_last_pkt_time.tv_sec) { + ndpi_timer_sub(&when, &flow->src2dst_last_pkt_time, &tdiff); + + if(flow->iat_c_to_s) { + u_int32_t ms = ndpi_timeval_to_milliseconds(tdiff); + + ndpi_data_add_value(flow->iat_c_to_s, ms); + } + } + flow->src2dst_packets++, flow->src2dst_bytes += rawsize; flow->src2dst_l4_bytes += payload_len; - if(flow->pktlen_c_to_s) ndpi_data_add_value(flow->pktlen_c_to_s, rawsize); + memcpy(&flow->src2dst_last_pkt_time, &when, sizeof(when)); } else { + if(flow->dst2src_last_pkt_time.tv_sec) { + ndpi_timer_sub(&when, &flow->dst2src_last_pkt_time, &tdiff); + + if(flow->iat_s_to_c) { + u_int32_t ms = ndpi_timeval_to_milliseconds(tdiff); + + ndpi_data_add_value(flow->iat_s_to_c, ms); + } + } + flow->dst2src_packets++, flow->dst2src_bytes += rawsize; flow->dst2src_l4_bytes += payload_len; - if(flow->pktlen_s_to_c) ndpi_data_add_value(flow->pktlen_s_to_c, rawsize); + memcpy(&flow->dst2src_last_pkt_time, &when, sizeof(when)); } if(enable_payload_analyzer && (payload_len > 0)) diff --git a/example/reader_util.h b/example/reader_util.h index 1ca498299..8f248a5f0 100644 --- a/example/reader_util.h +++ b/example/reader_util.h @@ -148,7 +148,7 @@ typedef struct ndpi_flow_info { ndpi_protocol detected_protocol; // Flow data analysis - struct ndpi_analyze_struct *pktlen_c_to_s, *pktlen_s_to_c; + struct ndpi_analyze_struct *iat_c_to_s, *iat_s_to_c; char info[96]; char host_server_name[256]; 
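Review bot: Both new IAT branches feed `ndpi_timeval_to_milliseconds(tdiff)` into the stats without checking the sign of the difference; if `when` can precede the stored last-packet time (out-of-order packets, merged captures) and ndpi_timer_sub() yields a negative interval, the conversion to `u_int32_t` would wrap to a huge value and distort average, stddev and entropy for the flow. The two branches are also mirror copies, so a small static helper above packet_processing() removes the duplication, gives the sign guard one home, and lets a plain struct assignment replace `memcpy(&flow->src2dst_last_pkt_time, &when, sizeof(when))`. The `tv_sec != 0` test additionally relies on newflow being zero-filled at creation, which this diff does not show; that assumption is worth a comment. packet_processing() begins and ends outside the hunk.
```c
/* Feed one inter-arrival sample for a direction and remember this packet's time.
   last_pkt_time->tv_sec == 0 means no packet has been seen yet in that direction
   (assumes the flow record is zero-filled at creation — confirm). */
static void update_iat(struct ndpi_analyze_struct *iat,
		       struct timeval *last_pkt_time, struct timeval *when) {
  if(last_pkt_time->tv_sec) {
    struct timeval tdiff;

    ndpi_timer_sub(when, last_pkt_time, &tdiff);

    /* Skip samples from packets that arrive out of order: a negative
       difference would wrap to a huge u_int32_t and skew the stats. */
    if(iat && (tdiff.tv_sec >= 0))
      ndpi_data_add_value(iat, ndpi_timeval_to_milliseconds(tdiff));
  }

  *last_pkt_time = *when;
}

/* … unchanged: packet_processing() up to the direction branch … */
    if(src_to_dst_direction) {
      update_iat(flow->iat_c_to_s, &flow->src2dst_last_pkt_time, &when);

      flow->src2dst_packets++, flow->src2dst_bytes += rawsize;
      flow->src2dst_l4_bytes += payload_len;
    } else {
      update_iat(flow->iat_s_to_c, &flow->dst2src_last_pkt_time, &when);

      flow->dst2src_packets++, flow->dst2src_bytes += rawsize;
      flow->dst2src_l4_bytes += payload_len;
    }
/* … unchanged: payload analyzer and the rest of packet_processing() … */
```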
@@ -167,6 +167,8 @@ typedef struct ndpi_flow_info { void *src_id, *dst_id; + struct timeval src2dst_last_pkt_time, dst2src_last_pkt_time; + // Entropy fields u_int16_t src2dst_pkt_len[MAX_NUM_PKTS]; /*!< array of packet appdata lengths */ struct timeval src2dst_pkt_time[MAX_NUM_PKTS]; /*!< array of arrival times */ diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index c6d17a4b5..9bb767ca7 100644 --- a/src/include/ndpi_api.h +++ b/src/include/ndpi_api.h @@ -903,7 +903,8 @@ extern "C" { float ndpi_data_variance(struct ndpi_analyze_struct *s); float ndpi_data_stddev(struct ndpi_analyze_struct *s); float ndpi_data_ratio(u_int32_t sent, u_int32_t rcvd); - + const char* ndpi_data_ratio2str(float ratio); + void ndpi_data_print_window_values(struct ndpi_analyze_struct *s); /* debug */ #ifdef __cplusplus } diff --git a/src/lib/ndpi_analyze.c b/src/lib/ndpi_analyze.c index ce3168165..8facdf371 100644 --- a/src/lib/ndpi_analyze.c +++ b/src/lib/ndpi_analyze.c @@ -154,9 +154,22 @@ void ndpi_data_print_window_values(struct ndpi_analyze_struct *s) { /* ********************************************************************************* */ +/* + Upload / download ration + + -1 Download + 0 Mixed + 1 Upload + */ float ndpi_data_ratio(u_int32_t sent, u_int32_t rcvd) { - int64_t s = (int64_t)sent + (int64_t)rcvd; - int64_t d = (int64_t)sent - (int64_t)rcvd; + float s = (float)((int64_t)sent + (int64_t)rcvd); + float d = (float)((int64_t)sent - (int64_t)rcvd); + + return((s == 0) ? 0 : (d/s)); +} - return((s == 0) ? 0 : ((float)d)/((float)s)); +const char* ndpi_data_ratio2str(float ratio) { + if(ratio < -0.2) return("Download"); + else if(ratio > 0.2) return("Upload"); + else return("Mixed"); } |
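Review bot: The two new timeval members added to ndpi_flow_info carry no doc comment, while the neighbouring entropy fields in the same hunk are each described with `/*!< ... */`; since packet_processing() treats `tv_sec == 0` as "no packet seen yet in this direction", that convention belongs on the field so the next reader does not have to find it in the .c file: `struct timeval src2dst_last_pkt_time, dst2src_last_pkt_time; /*!< arrival time of the previous packet per direction, tv_sec == 0 until the first one; feeds the IAT stats */`. The typedef struct ndpi_flow_info begins and ends outside the hunk.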
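Review bot: The new header comment on ndpi_data_ratio() misspells "ration" and lists only -1/0/1, whereas the function returns a continuous value in [-1, 1] and the "Mixed" band is decided by the two unnamed `0.2` literals in ndpi_data_ratio2str(). I would reword the comment to `Upload/download ratio in [-1, 1]: -1 all download, 0 balanced, 1 all upload; see ndpi_data_ratio2str()` and give the tolerance a name used on both comparison lines, e.g. `#define NDPI_DATA_RATIO_MIXED 0.2f` with `if(ratio < -NDPI_DATA_RATIO_MIXED) return("Download");` and `else if(ratio > NDPI_DATA_RATIO_MIXED) return("Upload");`. Converting sent+rcvd to float before the division (instead of dividing the int64 values as before) loses precision above 2^24 bytes, but since only the quotient is used this does not change the result in a way the callers in printFlow() would notice.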