authorToni <matzeton@googlemail.com>2022-04-19 17:46:40 +0200
committerGitHub <noreply@github.com>2022-04-19 17:46:40 +0200
commitfa79f07d1552490a2dc0710059d56d3bb4b1efbe (patch)
tree82c1d8de75d6fee761f74613393c69e7ddc6c8d9
parent739dfc54b06a6995bc4d286eb400e2675b480feb (diff)
Improved sflow protocol detection false-positives. (#1518)
Signed-off-by: lns <matzeton@googlemail.com>
-rw-r--r--src/lib/protocols/sflow.c17
-rw-r--r--tests/result/sflow.pcap.out2
2 files changed, 14 insertions, 5 deletions
diff --git a/src/lib/protocols/sflow.c b/src/lib/protocols/sflow.c
index 7151e6ad7..cf0b9fcad 100644
--- a/src/lib/protocols/sflow.c
+++ b/src/lib/protocols/sflow.c
@@ -35,10 +35,19 @@ void ndpi_search_sflow(struct ndpi_detection_module_struct *ndpi_struct, struct
if((packet->udp != NULL)
&& (payload_len >= 24)
/* Version */
- && (packet->payload[0] == 0) && (packet->payload[1] == 0) && (packet->payload[2] == 0)
- && ((packet->payload[3] == 2) || (packet->payload[3] == 5))) {
- NDPI_LOG_INFO(ndpi_struct, "found sflow\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SFLOW, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00000005
+ /* Agent Address type: IPv4 / IPv6 */
+ && (ntohl(get_u_int32_t(packet->payload, 4)) == 0x00000001 ||
+ ntohl(get_u_int32_t(packet->payload, 4)) == 0x00000002)) {
+ NDPI_LOG_INFO(ndpi_struct, "found (probably) sflow\n");
+ if (flow->packet_counter >= 2)
+ {
+ NDPI_LOG_INFO(ndpi_struct, "found sflow\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow,
+ NDPI_PROTOCOL_SFLOW,
+ NDPI_PROTOCOL_UNKNOWN,
+ NDPI_CONFIDENCE_DPI);
+ }
return;
}
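Review bot: The length floor `(payload_len >= 24)` was left unchanged while the match was narrowed to version 5 plus an agent address type, so a 24-byte UDP payload with the right eight leading bytes still matches, and two such packets label the flow as sFlow. As I read the v5 datagram layout, the fixed header is 28 bytes with an IPv4 agent address and 40 with IPv6, so the condition could add `&& (payload_len >= (ntohl(get_u_int32_t(packet->payload, 4)) == 0x00000001 ? 28 : 40))` after the address-type test. The new version test also stops matching version 2, which the removed lines accepted; if that is intended, a comment such as `/* Version: only sFlow v5 is matched */` would record it. The function body starts and ends outside the hunk, so what happens to a flow that matched on its first packet but not its second is not visible here.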
diff --git a/tests/result/sflow.pcap.out b/tests/result/sflow.pcap.out
index f4776abbb..6b14d65a9 100644
--- a/tests/result/sflow.pcap.out
+++ b/tests/result/sflow.pcap.out
@@ -1,6 +1,6 @@
Guessed flow protos: 0
-DPI Packets (UDP): 1 (1.00 pkts/flow)
+DPI Packets (UDP): 2 (2.00 pkts/flow)
Confidence DPI : 1 (flows)
sFlow 9 1702 1