Improved sflow protocol detection false-positives. (#1518)

Signed-off-by: lns <matzeton@googlemail.com>

2 files changed, 14 insertions, 5 deletions

diff --git a/src/lib/protocols/sflow.c b/src/lib/protocols/sflow.c
index 7151e6ad7..cf0b9fcad 100644
--- a/src/lib/protocols/sflow.c
+++ b/src/lib/protocols/sflow.c
@@ -35,10 +35,19 @@ void ndpi_search_sflow(struct ndpi_detection_module_struct *ndpi_struct, struct
   if((packet->udp != NULL)
      && (payload_len >= 24)
      /* Version */
-     && (packet->payload[0] == 0) && (packet->payload[1] == 0) && (packet->payload[2] == 0)
-     && ((packet->payload[3] == 2) || (packet->payload[3] == 5))) {
-    NDPI_LOG_INFO(ndpi_struct, "found sflow\n");
-    ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SFLOW, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+     && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00000005
+     /* Agent Address type: IPv4 / IPv6 */
+     && (ntohl(get_u_int32_t(packet->payload, 4)) == 0x00000001 ||
+         ntohl(get_u_int32_t(packet->payload, 4)) == 0x00000002)) {
+    NDPI_LOG_INFO(ndpi_struct, "found (probably) sflow\n");
+    if (flow->packet_counter >= 2)
+    {
+      NDPI_LOG_INFO(ndpi_struct, "found sflow\n");
+      ndpi_set_detected_protocol(ndpi_struct, flow,
+                                 NDPI_PROTOCOL_SFLOW,
+                                 NDPI_PROTOCOL_UNKNOWN,
+                                 NDPI_CONFIDENCE_DPI);
+    }
     return;
   }
 
diff --git a/tests/result/sflow.pcap.out b/tests/result/sflow.pcap.out
index f4776abbb..6b14d65a9 100644
--- a/tests/result/sflow.pcap.out
+++ b/tests/result/sflow.pcap.out
@@ -1,6 +1,6 @@
 Guessed flow protos:	0
 
-DPI Packets (UDP):	1	(1.00 pkts/flow)
+DPI Packets (UDP):	2	(2.00 pkts/flow)
 Confidence DPI              : 1 (flows)
 
 sFlow	9	1702	1