author | Luca Deri <deri@ntop.org> | 2020-06-05 16:08:23 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2020-06-05 16:08:23 +0200 |
commit | 07c54f99927bac25bb5c430cd7b944b47a76dd79 (patch) | |
tree | 70ce7d3f27533164a64ead94ef5c25217f710933 | |
parent | 16ca69733a26cd047a61d9355cba8b39ebaceb28 (diff) |
Added ndpi_dpi2json() API call
-rw-r--r-- | src/include/ndpi_api.h.in | 31 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 112 |
2 files changed, 79 insertions, 64 deletions
diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in index 40e716e95..5f848ca11 100644 --- a/src/include/ndpi_api.h.in +++ b/src/include/ndpi_api.h.in @@ -258,7 +258,7 @@ extern "C" { */ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *ndpi_struct, const NDPI_PROTOCOL_BITMASK * detection_bitmask); - + /** * Function to be called before we give up with detection for a given flow. * This function reduces the NDPI_UNKNOWN_PROTOCOL detection @@ -330,7 +330,7 @@ extern "C" { */ u_int16_t ndpi_get_flow_masterprotocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); - + /** * API call that is called internally by ndpi_detection_process_packet or by apps * that want to avoid calling ndpi_detection_process_packet as they have already @@ -431,7 +431,7 @@ extern "C" { char *string_to_match, u_int string_to_match_len, ndpi_protocol_match_result *ret_match, - u_int16_t master_protocol_id); + u_int16_t master_protocol_id); /** * Check if the string content passed match with a protocol @@ -558,7 +558,7 @@ extern "C" { */ int ndpi_match_hostname_protocol(struct ndpi_detection_module_struct *ndpi_mod, struct ndpi_flow_struct *flow, - u_int16_t master_protocol, + u_int16_t master_protocol, char *name, u_int name_len); /** @@ -838,7 +838,7 @@ extern "C" { /* Tells to called on what l4 protocol given application protocol can be found */ ndpi_l4_proto_info ndpi_get_l4_proto_info(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t ndpi_proto_id); const char* ndpi_get_l4_proto_name(ndpi_l4_proto_info proto); - + ndpi_proto_defaults_t* ndpi_get_proto_defaults(struct ndpi_detection_module_struct *ndpi_mod); u_int ndpi_get_ndpi_num_supported_protocols(struct ndpi_detection_module_struct *ndpi_mod); u_int ndpi_get_ndpi_num_custom_protocols(struct ndpi_detection_module_struct *ndpi_mod); 
@@ -851,7 +851,7 @@ extern "C" { u_int8_t ndpi_lru_find_cache(struct ndpi_lru_cache *c, u_int32_t key, u_int16_t *value, u_int8_t clean_key_when_found); void ndpi_lru_add_to_cache(struct ndpi_lru_cache *c, u_int32_t key, u_int16_t value); - + /** * Find a protocol id associated with a string automata * @@ -886,7 +886,7 @@ extern "C" { u_int16_t src_port, u_int16_t dst_port, u_int8_t icmp_type, u_int8_t icmp_code, u_char *hash_buf, u_int8_t hash_buf_len); u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow); + struct ndpi_flow_struct *flow); u_int8_t ndpi_is_safe_ssl_cipher(u_int32_t cipher); const char* ndpi_cipher2str(u_int32_t cipher); const char* ndpi_tunnel2str(ndpi_packet_tunnel tt); @@ -904,7 +904,10 @@ extern "C" { char* ndpi_base64_encode(unsigned char const* bytes_to_encode, size_t in_len); int ndpi_load_ipv4_ptree(struct ndpi_detection_module_struct *ndpi_str, const char *path, u_int16_t protocol_id); - + int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + ndpi_protocol l7_protocol, + ndpi_serializer *serializer); int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int8_t ip_version, @@ -949,7 +952,7 @@ extern "C" { int ndpi_serialize_string_int32(ndpi_serializer *serializer, const char *key, int32_t value); int ndpi_serialize_string_int64(ndpi_serializer *serializer, - const char *key, int64_t value); + const char *key, int64_t value); int ndpi_serialize_string_uint32(ndpi_serializer *serializer, const char *key, u_int32_t value); int ndpi_serialize_string_uint32_format(ndpi_serializer *serializer, 
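Review bot: The new `ndpi_dpi2json` prototype added in the `@@ -904` hunk is the one declaration in this stretch of the header without a `/** ... */` comment, and its contract differs from `ndpi_flow2json` declared right below it in a way callers need to know: the serializer must already be initialized by the caller (the .c side states this only in a NOTE), and the matching implementation returns -1 when `flow` is NULL. I would add above the prototype: `/** Serialize the DPI result for flow (ndpi block with risks, protocol name and category, plus per-protocol details) into an already-initialized serializer; returns -1 if flow is NULL. */` Whether failures of the individual `ndpi_serialize_*` calls are reported through the return value is not visible here, so the comment should not claim more than that.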
@@ -987,14 +990,14 @@ extern "C" { void ndpi_serializer_create_snapshot(ndpi_serializer *serializer); void ndpi_serializer_rollback_snapshot(ndpi_serializer *serializer); - + /* Deserializer */ int ndpi_init_deserializer(ndpi_deserializer *deserializer, ndpi_serializer *serializer); int ndpi_init_deserializer_buf(ndpi_deserializer *deserializer, u_int8_t *serialized_buffer, u_int32_t serialized_buffer_len); - + ndpi_serialization_format ndpi_deserialize_get_format(ndpi_deserializer *_deserializer); ndpi_serialization_type ndpi_deserialize_get_item_type(ndpi_deserializer *deserializer, ndpi_serialization_type *key_type); int ndpi_deserialize_next(ndpi_deserializer *deserializer); @@ -1020,16 +1023,16 @@ extern "C" { float ndpi_data_average(struct ndpi_analyze_struct *s); float ndpi_data_window_average(struct ndpi_analyze_struct *s); - + float ndpi_data_entropy(struct ndpi_analyze_struct *s); float ndpi_data_variance(struct ndpi_analyze_struct *s); float ndpi_data_stddev(struct ndpi_analyze_struct *s); u_int32_t ndpi_data_min(struct ndpi_analyze_struct *s); u_int32_t ndpi_data_max(struct ndpi_analyze_struct *s); float ndpi_data_ratio(u_int32_t sent, u_int32_t rcvd); - + const char* ndpi_data_ratio2str(float ratio); - + void ndpi_data_print_window_values(struct ndpi_analyze_struct *s); /* debug */ ndpi_risk_enum ndpi_validate_url(char *url); diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 4958e4a0c..00fb47dad 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c 
@@ -924,63 +924,22 @@ void ndpi_serialize_risk(ndpi_serializer *serializer, /* ********************************** */ /* ********************************** */ -int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int8_t ip_version, - u_int8_t l4_protocol, u_int16_t vlan_id, - u_int32_t src_v4, u_int32_t dst_v4, - struct ndpi_in6_addr *src_v6, struct ndpi_in6_addr *dst_v6, - u_int16_t src_port, u_int16_t dst_port, - ndpi_protocol l7_protocol, - ndpi_serializer *serializer) { - char buf[64], src_name[32], dst_name[32]; - - if(ndpi_init_serializer(serializer, ndpi_serialization_format_json) == -1) - return(-1); - - if(ip_version == 4) { - inet_ntop(AF_INET, &src_v4, src_name, sizeof(src_name)); - inet_ntop(AF_INET, &dst_v4, dst_name, sizeof(dst_name)); - } else { - inet_ntop(AF_INET6, src_v6, src_name, sizeof(src_name)); - inet_ntop(AF_INET6, dst_v6, dst_name, sizeof(dst_name)); - /* For consistency across platforms replace :0: with :: */ - ndpi_patchIPv6Address(src_name), ndpi_patchIPv6Address(dst_name); - } - - ndpi_serialize_string_string(serializer, "src_ip", src_name); - ndpi_serialize_string_string(serializer, "dest_ip", dst_name); - if(src_port) ndpi_serialize_string_uint32(serializer, "src_port", src_port); - if(dst_port) ndpi_serialize_string_uint32(serializer, "dst_port", dst_port); - - switch(l4_protocol) { - case IPPROTO_TCP: - ndpi_serialize_string_string(serializer, "proto", "TCP"); - break; - - case IPPROTO_UDP: - ndpi_serialize_string_string(serializer, "proto", "UDP"); - break; - - case IPPROTO_ICMP: - ndpi_serialize_string_string(serializer, "proto", "ICMP"); - break; - - default: - ndpi_serialize_string_uint32(serializer, "proto", l4_protocol); - break; - } - - ndpi_serialize_risk(serializer, flow); +/* NOTE: serializer must have been already initialized */ +int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + ndpi_protocol l7_protocol, + 
ndpi_serializer *serializer) { + char buf[64]; + + if(flow == NULL) return(-1); ndpi_serialize_start_of_block(serializer, "ndpi"); + ndpi_serialize_risk(serializer, flow); ndpi_serialize_string_string(serializer, "proto", ndpi_protocol2name(ndpi_struct, l7_protocol, buf, sizeof(buf))); if(l7_protocol.category != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED) ndpi_serialize_string_string(serializer, "category", ndpi_category_get_name(ndpi_struct, l7_protocol.category)); ndpi_serialize_end_of_block(serializer); - if(flow == NULL) return(0); - switch(l7_protocol.master_protocol ? l7_protocol.master_protocol : l7_protocol.app_protocol) { case NDPI_PROTOCOL_DHCP: ndpi_serialize_start_of_block(serializer, "dhcp"); 
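Review bot: `ndpi_dpi2json` guards only `flow` and then dereferences `serializer` through `ndpi_serialize_start_of_block` and `ndpi_struct` through `ndpi_protocol2name` unchecked, even though the NOTE above the function moves responsibility for the serializer's state to the caller of this new public entry point. I would widen the guard to `if((flow == NULL) || (serializer == NULL) || (ndpi_struct == NULL)) return(-1);` so an uninitialized or missing argument fails the same way a missing flow does. The int results of the `ndpi_serialize_*` calls are dropped here; whether that is reported later is not visible, as the function's body continues past the end of the hunk.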
@@ -1170,6 +1129,59 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct, /* ********************************** */ +/* NOTE: serializer is initialized by the function */ +int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + u_int8_t ip_version, + u_int8_t l4_protocol, u_int16_t vlan_id, + u_int32_t src_v4, u_int32_t dst_v4, + struct ndpi_in6_addr *src_v6, struct ndpi_in6_addr *dst_v6, + u_int16_t src_port, u_int16_t dst_port, + ndpi_protocol l7_protocol, + ndpi_serializer *serializer) { + char src_name[32], dst_name[32]; + + if(ndpi_init_serializer(serializer, ndpi_serialization_format_json) == -1) + return(-1); + + if(ip_version == 4) { + inet_ntop(AF_INET, &src_v4, src_name, sizeof(src_name)); + inet_ntop(AF_INET, &dst_v4, dst_name, sizeof(dst_name)); + } else { + inet_ntop(AF_INET6, src_v6, src_name, sizeof(src_name)); + inet_ntop(AF_INET6, dst_v6, dst_name, sizeof(dst_name)); + /* For consistency across platforms replace :0: with :: */ + ndpi_patchIPv6Address(src_name), ndpi_patchIPv6Address(dst_name); + } + + ndpi_serialize_string_string(serializer, "src_ip", src_name); + ndpi_serialize_string_string(serializer, "dest_ip", dst_name); + if(src_port) ndpi_serialize_string_uint32(serializer, "src_port", src_port); + if(dst_port) ndpi_serialize_string_uint32(serializer, "dst_port", dst_port); + + switch(l4_protocol) { + case IPPROTO_TCP: + ndpi_serialize_string_string(serializer, "proto", "TCP"); + break; + + case IPPROTO_UDP: + ndpi_serialize_string_string(serializer, "proto", "UDP"); + break; + + case IPPROTO_ICMP: + ndpi_serialize_string_string(serializer, "proto", "ICMP"); + break; + + default: + ndpi_serialize_string_uint32(serializer, "proto", l4_protocol); + break; + } + + return(ndpi_dpi2json(ndpi_struct, flow, l7_protocol, serializer)); +} + +/* ********************************** */ + const char* ndpi_tunnel2str(ndpi_packet_tunnel tt) { switch(tt) { case ndpi_no_tunnel: |
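Review bot: `src_name[32]` and `dst_name[32]` are too small for IPv6: an uncompressed address is 39 characters plus the terminator and `INET6_ADDRSTRLEN` is 46, so `inet_ntop(AF_INET6, ...)` fails with ENOSPC on such flows, its unchecked NULL return leaves the buffer uninitialized, and that stack garbage is then passed to `ndpi_patchIPv6Address` and `ndpi_serialize_string_string`. Declare them as `char src_name[INET6_ADDRSTRLEN] = "", dst_name[INET6_ADDRSTRLEN] = "";` so a failed conversion serializes as an empty string rather than uninitialized memory, or check the `inet_ntop` return and fail with -1. A second issue in the same hunk: when `ndpi_dpi2json` returns -1 for a NULL `flow`, `ndpi_flow2json` has already run `ndpi_init_serializer` and written the address and proto fields, so the caller receives the same -1 as for an init failure and cannot tell whether it now owns an initialized serializer to release; testing `flow == NULL` before `ndpi_init_serializer` avoids that ambiguity. `vlan_id` is accepted but never serialized, which may be intentional but is worth a comment.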