author | Nardi Ivan <nardi.ivan@gmail.com> | 2024-09-04 09:29:47 +0200 |
committer | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-09-05 16:27:24 +0200 |
commit | 23ae3d0c265590a138f156c2193998e3b8f2fdd5 (patch) | |
tree | 840983e8c51cd0e1b4b9c7e2a9db4ea8c4ff7e6d | |
parent | e562cdc5bdbff7c804c89ce148c4ff14f0c21500 (diff) |
wireshark: extcap: export flow risk info
-rw-r--r-- | example/ndpiReader.c | 5 | ||||
-rw-r--r-- | wireshark/ndpi.lua | 16 |
2 files changed, 14 insertions, 7 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 677f5e3b9..8afd2df3b 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -235,6 +235,7 @@ struct ndpi_packet_trailer {
 ndpi_master_app_protocol proto;
 ndpi_risk flow_risk;
 u_int16_t flow_score;
+ char flow_risk_info[32];
 char name[16];
 /* TLV of attributes. Having a max and fixed size for all the metadata
 is not efficient but greatly improves detection of the trailer by Wireshark */
@@ -4547,6 +4548,10 @@ static void ndpi_process_packet(u_char *args,
 trailer->magic = htonl(WIRESHARK_NTOP_MAGIC);
 trailer->flow_risk = htonl64(flow_risk);
 trailer->flow_score = htons(ndpi_risk2score(flow_risk, &cli_score, &srv_score));
+ if(flow->risk_str) {
+ strncpy(trailer->flow_risk_info, flow->risk_str, sizeof(trailer->flow_risk_info));
+ trailer->flow_risk_info[sizeof(trailer->flow_risk_info) - 1] = '\0';
+ }
 trailer->proto.master_protocol = htons(p.proto.master_protocol),
 trailer->proto.app_protocol = htons(p.proto.app_protocol);
 ndpi_protocol2name(ndpi_thread_info[thread_id].workflow->ndpi_struct, p, trailer->name, sizeof(trailer->name));
diff --git a/wireshark/ndpi.lua b/wireshark/ndpi.lua
index 22aee4011..9c80666bc 100644
--- a/wireshark/ndpi.lua
+++ b/wireshark/ndpi.lua
@@ -37,6 +37,7 @@ ndpi_fds.application_protocol = ProtoField.new("nDPI Application Protocol", "ndp
 ndpi_fds.name = ProtoField.new("nDPI Protocol Name", "ndpi.protocol.name", ftypes.STRING)
 ndpi_fds.flow_risk = ProtoField.new("nDPI Flow Risk", "ndpi.flow_risk", ftypes.UINT64, nil, base.HEX)
 ndpi_fds.flow_score = ProtoField.new("nDPI Flow Score", "ndpi.flow_score", ftypes.UINT32)
+ndpi_fds.flow_risk_info = ProtoField.new("nDPI Flow Risk Info", "ndpi.flow_risk_info", ftypes.STRING)
 ndpi_fds.metadata_list = ProtoField.new("nDPI Metadata List", "ndpi.metadata_list", ftypes.NONE)
 ndpi_fds.metadata = ProtoField.new("nDPI Metadata", "ndpi.metadata", ftypes.NONE)
 
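Review bot: The new `flow_risk_info` member sits in a struct that is copied verbatim into the exported packet, and the Lua dissector locates it with hard-coded offsets (18 and a length of 32 in wireshark/ndpi.lua), yet nothing at the declaration says so; whoever inserts the next member will not know the Lua side must move too. A comment on the added line would make the coupling visible: `char flow_risk_info[32]; /* NUL-terminated, truncated to 31 chars; read at offset 18 by wireshark/ndpi.lua, keep in sync */`. The struct `ndpi_packet_trailer` begins before this hunk.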
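Review bot: `flow_risk_info` is written only when `flow->risk_str` is non-NULL, so for flows without a risk string the 32 bytes keep whatever the trailer memory held before, unless the trailer is zeroed earlier in `ndpi_process_packet` (outside the hunk); the dissector would then display that stale content, possibly another flow's risk string, as this flow's info, and it lands in every capture shared from the extcap. Clearing the field unconditionally removes the dependency on earlier zeroing and makes the separate terminator store unnecessary: `memset(trailer->flow_risk_info, 0, sizeof(trailer->flow_risk_info));` `if(flow->risk_str)` `  strncpy(trailer->flow_risk_info, flow->risk_str, sizeof(trailer->flow_risk_info) - 1);`. Strings longer than 31 bytes are silently cut, which is probably fine for display but deserves a one-line comment. The function starts and ends outside the hunk.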
@@ -1123,18 +1124,19 @@ function ndpi_proto.dissector(tvb, pinfo, tree)
 if(flow_score > 0) then
 local level
 if(flow_score <= 10) then -- NDPI_SCORE_RISK_LOW
- level = PI_NOTE
+ level = PI_CHAT
 elseif(flow_score <= 50) then -- NDPI_SCORE_RISK_MEDIUM
- level = PI_WARN
+ level = PI_NOTE
 else
- level = PI_ERROR
+ level = PI_WARN
 end
 ndpi_subtree:add_expert_info(PI_PROTOCOL, level, "Non zero score")
 end
 
- ndpi_subtree:add(ndpi_fds.name, trailer_tvb(18, 16))
- name = trailer_tvb(18, 16):string()
+ ndpi_subtree:add(ndpi_fds.flow_risk_info, trailer_tvb(18, 32))
+ ndpi_subtree:add(ndpi_fds.name, trailer_tvb(50, 16))
+ name = trailer_tvb(50, 16):string()
 
 if(application_protocol ~= 0) then
 -- Set protocol name in the wireshark protocol column (if not Unknown)
@@ -1143,9 +1145,9 @@ function ndpi_proto.dissector(tvb, pinfo, tree)
 end
 
 -- Metadata
- local offset = 34
+ local offset = 66
 metadata_list_tree = ndpi_subtree:add(ndpi_fds.metadata_list, trailer_tvb(offset, 256))
 
- while offset + 4 < 294 do
+ while offset + 4 < 326 do
 local mtd_type = trailer_tvb(offset, 2):int();
 local mtd_length = trailer_tvb(offset + 2, 2):int();
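Review bot: The three expert-info severities are each lowered one step (`PI_NOTE` to `PI_CHAT`, `PI_WARN` to `PI_NOTE`, `PI_ERROR` to `PI_WARN`), a user-visible change that the title "export flow risk info" does not cover and the commit does not explain; it should at least be mentioned in the description, better moved to its own commit. The byte offsets 18 and 50 here, and 66 and 326 in the next hunk, are copies of the C struct layout in example/ndpiReader.c with no link between them, so the next layout change again means hunting for numbers; naming them once, e.g. `local RISK_INFO_OFF, RISK_INFO_LEN = 18, 32` and then `trailer_tvb(RISK_INFO_OFF + RISK_INFO_LEN, 16)`, keeps it to one edit per file. `ndpi_proto.dissector` starts and ends outside the hunk.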
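Review bot: `while offset + 4 < 326 do` admits a 4-byte TLV header read starting at offsets 319 to 321, which runs past offset 321, the last byte of the 256-byte metadata area declared just above with `trailer_tvb(offset, 256)`; if `trailer_tvb` is exactly the trailer, such a read raises an out-of-bounds error in the dissector. The old bound 294 had the same three bytes of slack against 290, so the commit only carries the problem over, and the loop body (outside the hunk) may well stop earlier on an empty entry, but the renumbering is the moment to fix the bound: `while offset + 4 <= 66 + 256 do`. The loop body continues outside the hunk.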