author | Luca Deri <deri@ntop.org> | 2024-05-18 09:46:15 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2024-05-18 09:46:15 +0200 |
commit | 42dba2e4afd12ab77073cc21df1d56d0ef02b232 (patch) | |
tree | facd7ab792423e766ad2273d372cf634c47bc1e3 | |
parent | c63446e59220efd3b133bccbbd44ed97c86c78f1 (diff) |
Added dpi.compute_entropy configuration parameter
-rw-r--r-- | doc/configuration_parameters.md | 1 | ||||
-rw-r--r-- | example/ndpiReader.c | 5 | ||||
-rw-r--r-- | src/include/ndpi_private.h | 3 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 14 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 4 |
5 files changed, 18 insertions, 9 deletions
diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md index 1cae79640..9e28b91e3 100644 --- a/doc/configuration_parameters.md +++ b/doc/configuration_parameters.md 
@@ -11,6 +11,7 @@ TODO | NULL | "tcp_ack_payload_heuristic" | disable | NULL | NULL | In some networks, there are some anomalous TCP flows where the smallest ACK packets have some kind of zero padding. It looks like the IP and TCP headers in those frames wrongly consider the 0x00 Ethernet padding bytes as part of the TCP payload. While this kind of packets is perfectly valid per-se, in some conditions they might be treated by the TCP reassembler logic as (partial) overlaps, deceiving the classification engine. This parameter enable/disable an heuristic to detect these packets and to ignore them, allowing correct detection/classification. See #1946 for other details | | NULL | "fully_encrypted_heuristic" | enable | NULL | NULL | Enable/disable an heuristic to detect fully encrypted sessions, i.e. flows where every bytes of the payload is encrypted in an attempt to “look like nothing”. This heuristic only analyzes the first packet of the flow. See: https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf | | NULL | "libgcrypt.init" | 1 | NULL | NULL | Enable/disable initialization of libgcrypt. When using the external libgcrypt (instead of the internal crypto code) the libgcrypt runtime must be initialized. If, for whatever reasons, the application alread does it, nDPI must be told to skip it. Note that, by default, nDPI uses the crypto code and not libgcrypt: in that case this parameter is ignored | +| NULL | "dpi.compute_entropy" | 1 | NULL | NULL | Enable/disable computation of flow entropy | | NULL | "dpi.guess_on_giveup" | 0x03 | 0x00 | 0x03 | Tell the library to guess flow classification, if any DPI algorithms/logics fail. The value is a bitmask. 
Values: 0x0 = disabled; 0x01 = enable guessing by port; 0x02 = enable guessing by ip | | NULL | "flow_risk_lists.load" | 1 | NULL | NULL | Enable/disable loading of every IP addresses lists used to check any flow risks | | NULL | "flow_risk.anonymous_subscriber.list.icloudprivaterelay.load" | 1 | NULL | NULL | Enable/disable loading of internal iCouldPrivateRealy IP address list used to check `NDPI_ANONYMOUS_SUBSCRIBER` flow risk |
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index cf26d0841..c19f8d1be 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -702,8 +702,9 @@ static void help(u_int long_help) {
 #endif
 if(long_help) {
- printf("\n\nSize of nDPI Flow structure: %u\n"
- "Sizeof of nDPI Flow protocol union: %zu\n",
+ printf("\n\n"
+ "Size of nDPI Flow structure: %u\n"
+ "Size of nDPI Flow protocol union: %zu\n",
 ndpi_detection_get_sizeof_ndpi_flow_struct(), sizeof(((struct ndpi_flow_struct *)0)->protos));
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index 693b2cd57..76d2c7def 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@@ -195,7 +195,8 @@ struct ndpi_detection_module_config_struct {
 int track_payload_enabled;
 int libgcrypt_init;
 int guess_on_giveup;
-
+ int compute_entropy;
+
 char filename_config[CFG_MAX_LEN];
 int log_level;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index c7648079e..65df915e1 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -2792,6 +2792,8 @@ int ndpi_load_ptree_file(ndpi_ptree_t *ptree,
 if(inet_pton(AF_INET6, addr, &addr6) == 1)
 node = add_to_ptree(ptree->v6, AF_INET6, &addr6, cidr ? atoi(cidr) : 128);
+ else
+ node = NULL;
 }
 if(node != NULL) {
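Review bot: The new `compute_entropy` member of `ndpi_detection_module_config_struct` is added without a comment, although it is the only link between the `dpi.compute_entropy` option and the two `ndpi_entropy()`/`ndpi_entropy2risk()` call sites that this commit gates on it in ndpi_main.c. A one-line comment would save the next reader a grep: `int compute_entropy; /* "dpi.compute_entropy": when 0, ndpi_main.c skips ndpi_entropy() and ndpi_entropy2risk() */`. The struct definition starts and ends outside the hunk.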
@@ -4374,13 +4376,14 @@ static u_int16_t guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str
 ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, NULL);
 if(packet->payload_packet_len > sizeof(struct ndpi_icmphdr)) {
- if (flow->skip_entropy_check == 0) {
+ if(ndpi_str->cfg.compute_entropy && (flow->skip_entropy_check == 0)) {
 flow->entropy = ndpi_entropy(packet->payload + sizeof(struct ndpi_icmphdr), packet->payload_packet_len - sizeof(struct ndpi_icmphdr));
 ndpi_entropy2risk(flow);
 }
 u_int16_t chksm = icmp4_checksum(packet->payload, packet->payload_packet_len);
+
 if(chksm) {
 ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, NULL);
 }
@@ -8563,15 +8566,17 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio
 ndpi_search_shellscript(ndpi_str, flow);
 }
- if(flow->skip_entropy_check == 0 &&
+ if(ndpi_str->cfg.compute_entropy &&
+ flow->skip_entropy_check == 0 &&
 flow->first_pkt_fully_encrypted == 0 &&
 flow->packet_counter < 5 &&
 /* The following protocols do their own entropy calculation/classification. */
- ret.app_protocol != NDPI_PROTOCOL_IP_ICMP)
- {
+ ret.app_protocol != NDPI_PROTOCOL_IP_ICMP) {
+
 if (ret.app_protocol != NDPI_PROTOCOL_HTTP) {
 flow->entropy = ndpi_entropy(packet->payload, packet->payload_packet_len);
 }
+
 ndpi_entropy2risk(flow);
 }
@@ -11173,6 +11178,7 @@ static const struct cfg_param {
 { NULL, "fully_encrypted_heuristic", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(fully_encrypted_heuristic), NULL },
 { NULL, "libgcrypt.init", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(libgcrypt_init), NULL },
 { NULL, "dpi.guess_on_giveup", "0x3", "0", "3", CFG_PARAM_INT, __OFF(guess_on_giveup), NULL },
+ { NULL, "dpi.compute_entropy", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(compute_entropy), NULL },
 { NULL, "flow_risk_lists.load", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(flow_risk_lists_enabled), NULL },
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index d20de6ef2..ce86b4426 100644
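Review bot: With `ndpi_str->cfg.compute_entropy` as the first operand of the rewritten condition in ndpi_internal_detection_process_packet, a flow processed with the option off never reaches `ndpi_entropy2risk(flow)`, so `flow->entropy` keeps whatever value it had and the entropy-derived risk is never evaluated; any later reader of `flow->entropy` (none is visible in this hunk) cannot tell "not computed" from a genuinely zero entropy. Worth a comment on the condition, `/* dpi.compute_entropy=0: flow->entropy stays unset and ndpi_entropy2risk() is not run */`, and, if a consumer prints or exports the value, a check of the same flag there. The same gate in the ICMP branch of guess_protocol_id above is written as `(flow->skip_entropy_check == 0)` with extra parentheses while this hunk drops them; the two forms could be aligned. Both enclosing functions start and end outside their hunks.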
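Review bot: The new cfg_param row is matched by a doc row reading "Enable/disable computation of flow entropy", which understates what the flag does: both call sites gated in this commit also skip `ndpi_entropy2risk()`, so disabling the option also disables the flow risk derived from entropy, something an operator turning it off for throughput should be told. Suggest the description read `Enable/disable computation of flow entropy; when disabled, the entropy-based flow risk is not evaluated either`, in the doc row and as a trailing comment on the table entry. The cfg_param table starts and ends outside the hunk.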
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -2743,8 +2743,7 @@ void ndpi_entropy2risk(struct ndpi_flow_struct *flow) {
 flow->detected_protocol_stack[0] == NDPI_PROTOCOL_QUIC ||
 flow->detected_protocol_stack[1] == NDPI_PROTOCOL_QUIC ||
 flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DTLS ||
- flow->detected_protocol_stack[1] == NDPI_PROTOCOL_DTLS)
- {
+ flow->detected_protocol_stack[1] == NDPI_PROTOCOL_DTLS) {
 flow->skip_entropy_check = 1;
 goto reset_risk;
 }
@@ -2780,6 +2779,7 @@ reset_risk:
 }
 /* ******************************************************************** */
+
 static inline uint16_t get_n16bit(uint8_t const * cbuf) {
 uint16_t r = ((uint16_t)cbuf[0]) | (((uint16_t)cbuf[1]) << 8);
 return r;