authorLuca <deri@ntop.org>2024-09-16 09:21:17 +0200
committerLuca <deri@ntop.org>2024-09-16 09:21:17 +0200
commit6de91c78955a0d85d97518c273366bd9d6ede5de (patch)
tree841b625835620e2f0f6859a8545c09c542607842
parentb77d3e3ab6d216cda9a092794a5fb8b1eac86fe6 (diff)
Reworked fingerprint export now in JSON
-rw-r--r--example/ndpiReader.c9
-rw-r--r--example/reader_util.c57
-rw-r--r--src/include/ndpi_api.h4
-rw-r--r--src/lib/ndpi_utils.c43
-rw-r--r--src/lib/protocols/tls.c6
5 files changed, 80 insertions, 39 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index b744a8708..a8518d0df 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -943,14 +943,6 @@ void extcap_capture(int datalink_type) {
/* ********************************** */
-void printFingerprintHeader() {
- if(!fingerprint_fp) return;
-
- fprintf(fingerprint_fp, "#protocol|src_ip|dst_ip|dst_port|family|fingerprint\n");
-}
-
-/* ********************************** */
-
void printCSVHeader() {
if(!csv_fp) return;
@@ -1460,7 +1452,6 @@ static void parseOptions(int argc, char **argv) {
exit(0);
printCSVHeader();
- printFingerprintHeader();
#ifndef USE_DPDK
if(do_extcap_capture) {
diff --git a/example/reader_util.c b/example/reader_util.c
index 51e8c3da0..71f5ed39d 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1042,34 +1042,37 @@ u_int8_t plen2slot(u_int16_t plen) {
/* ****************************************************** */
-static void dump_raw_fingerprint(struct ndpi_workflow * workflow,
- struct ndpi_flow_info *flow,
- char *fingerprint_family,
- char *fingerprint) {
- char buf[64];
-
- fprintf(fingerprint_fp, "%u|%s|%s|%u|%s|%s|%s\n",
- flow->protocol,flow->src_name, flow->dst_name, ntohs(flow->dst_port),
- ndpi_protocol2name(workflow->ndpi_struct, flow->detected_protocol, buf, sizeof(buf)),
- fingerprint_family, fingerprint);
-}
-
-/* ****************************************************** */
-
-static void dump_flow_fingerprint(struct ndpi_workflow * workflow, struct ndpi_flow_info *flow) {
- if(is_ndpi_proto(flow, NDPI_PROTOCOL_TLS) || is_ndpi_proto(flow, NDPI_PROTOCOL_QUIC)) {
- if(flow->ndpi_flow->protos.tls_quic.ja4_client_raw != NULL)
- dump_raw_fingerprint(workflow, flow, "JA4r", flow->ndpi_flow->protos.tls_quic.ja4_client_raw);
- } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_DHCP)
- && (flow->ndpi_flow->protos.dhcp.fingerprint[0] != '\0')) {
- char buf[256];
+static void dump_flow_fingerprint(struct ndpi_workflow * workflow,
+ struct ndpi_flow_info *flow) {
+ ndpi_serializer serializer;
+ bool rc;
+
+ if(ndpi_init_serializer(&serializer, ndpi_serialization_format_json) == -1)
+ return;
- snprintf(buf, sizeof(buf), "%s_%s",
- flow->ndpi_flow->protos.dhcp.options,
- flow->ndpi_flow->protos.dhcp.fingerprint);
-
- dump_raw_fingerprint(workflow, flow, "DHCP_r", buf);
- }
+ ndpi_serialize_start_of_block(&serializer, "fingerprint");
+ rc = ndpi_serialize_flow_fingerprint(flow->ndpi_flow, &serializer);
+ ndpi_serialize_end_of_block(&serializer);
+
+ if(rc) {
+ char buf[64], *buffer;
+ u_int32_t buffer_len;
+
+ ndpi_serialize_string_uint32(&serializer, "proto", flow->protocol);
+ ndpi_serialize_string_string(&serializer, "cli_ip", flow->src_name);
+ ndpi_serialize_string_uint32(&serializer, "cli_port", ntohs(flow->src_port));
+ ndpi_serialize_string_string(&serializer, "srv_ip", flow->dst_name);
+ ndpi_serialize_string_uint32(&serializer, "srv_port", ntohs(flow->dst_port));
+ ndpi_serialize_string_string(&serializer, "proto",
+ ndpi_protocol2name(workflow->ndpi_struct,
+ flow->detected_protocol,
+ buf, sizeof(buf)));
+
+ buffer = ndpi_serializer_get_buffer(&serializer, &buffer_len);
+ fprintf(fingerprint_fp, "%s\n", buffer);
+ }
+
+ ndpi_term_serializer(&serializer);
}
/* ****************************************************** */
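Review bot: `dump_flow_fingerprint` serializes the key `"proto"` twice into the same JSON object, first as the numeric `flow->protocol` and then as the nDPI protocol name, so any consumer that keeps one value per key silently loses one of them. Give the second call a distinct key, for example `ndpi_serialize_string_string(&serializer, "ndpi_proto", ...)`. The pointer returned by `ndpi_serializer_get_buffer` also goes straight into `fprintf(fingerprint_fp, "%s\n", buffer)`; whether it can be NULL is not visible here, so a guard such as `if(buffer != NULL && fingerprint_fp != NULL)` before the write would make the function safe on its own. The return values of the `ndpi_serialize_string_*` calls are ignored, so a record missing fields would still be written as if complete.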
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
index f26e0bdb7..4ed16bf13 100644
--- a/src/include/ndpi_api.h
+++ b/src/include/ndpi_api.h
@@ -2307,6 +2307,10 @@ extern "C" {
/* ******************************* */
+ bool ndpi_serialize_flow_fingerprint(struct ndpi_flow_struct *flow, ndpi_serializer *serializer);
+
+ /* ******************************* */
+
const char *ndpi_lru_cache_idx_to_name(lru_cache_type idx);
/**
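Review bot: The new public declaration `ndpi_serialize_flow_fingerprint` has no doc comment, while the declaration after it in this header is introduced by a `/**` block. Callers cannot tell from the prototype what a `false` return means or which keys are written. Suggested comment: `/* Writes the JA4/JA4r, DHCP or HASSH fields of flow into serializer; returns true only when the flow carried one of these fingerprints */`.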
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 77305eb15..012c49baa 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -3602,3 +3602,46 @@ u_int ndpi_encode_domain(struct ndpi_detection_module_struct *ndpi_str,
return(out_idx);
}
+
+/* ****************************************************** */
+
+static u_int8_t is_ndpi_proto(struct ndpi_flow_struct *flow, u_int16_t id) {
+ if((flow->detected_protocol_stack[0] == id)
+ || (flow->detected_protocol_stack[1] == id))
+ return(1);
+ else
+ return(0);
+}
+
+/* ****************************************************** */
+
+bool ndpi_serialize_flow_fingerprint(struct ndpi_flow_struct *flow, ndpi_serializer *serializer) {
+ if(is_ndpi_proto(flow, NDPI_PROTOCOL_TLS) || is_ndpi_proto(flow, NDPI_PROTOCOL_QUIC)) {
+ if((flow->protos.tls_quic.ja4_client_raw != NULL)
+ || (flow->protos.tls_quic.ja4_client[0] != '\0')) {
+
+ if(flow->protos.tls_quic.ja4_client_raw != NULL)
+ ndpi_serialize_string_string(serializer, "JA4r", flow->protos.tls_quic.ja4_client_raw);
+
+ ndpi_serialize_string_string(serializer, "JA4", flow->protos.tls_quic.ja4_client);
+ return(true);
+ }
+ } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_DHCP)
+ && (flow->protos.dhcp.fingerprint[0] != '\0')) {
+ ndpi_serialize_string_string(serializer, "options", flow->protos.dhcp.options);
+ ndpi_serialize_string_string(serializer, "fingerprint", flow->protos.dhcp.fingerprint);
+
+ return(true);
+ } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_SSH)
+ && (flow->protos.ssh.hassh_client[0] != '\0')) {
+
+ ndpi_serialize_string_string(serializer, "hassh_client", flow->protos.ssh.hassh_client);
+ ndpi_serialize_string_string(serializer, "client_signature", flow->protos.ssh.client_signature);
+ ndpi_serialize_string_string(serializer, "hassh_server", flow->protos.ssh.hassh_server);
+ ndpi_serialize_string_string(serializer, "server_signature", flow->protos.ssh.server_signature);
+
+ return(true);
+ }
+
+ return(false);
+}
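Review bot: `ndpi_serialize_flow_fingerprint` is exported through ndpi_api.h but dereferences `flow` in its first condition (inside `is_ndpi_proto`) without checking either argument; add `if(!flow || !serializer) return(false);` at the top. It returns `true` whatever the `ndpi_serialize_string_string` calls return, so if those calls can fail (not visible here) the caller will treat a partial record as complete; folding their results into the return value would avoid that. The SSH signatures and DHCP option strings come from the remote peer, so the exported JSON relies on the serializer escaping them, which is worth stating in a comment above the function. In the TLS/QUIC branch `"JA4"` is written even when `ja4_client` is empty and only `ja4_client_raw` is set, which produces an empty-string fingerprint downstream.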
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 7eb89c648..b558df504 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1,7 +1,7 @@
/*
* tls.c - TLS/TLS/DTLS dissector
*
- * Copyright (C) 2016-22 - ntop.org
+ * Copyright (C) 2016-24 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -29,7 +29,7 @@
#include "ndpi_encryption.h"
#include "ndpi_private.h"
-/* #define JA4R_DECIMAL 1 */
+#define JA4R_DECIMAL 1
static void ndpi_search_tls_wrapper(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow);
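Review bot: Uncommenting `#define JA4R_DECIMAL 1` compiles in every `#ifdef JA4R_DECIMAL` path in this file for all library users, but the define has no comment and the commit title does not mention a change to the raw JA4 output. Together with the separator change from `" "` to `"_"` in the later `ndpi_compute_ja4` hunk, `ja4_client_raw` values produced after this commit will presumably not match ones stored or matched on before it. A comment on the define would help, for example `/* JA4_r emitted in the alternate '_'-separated form; changes ja4_client_raw for every consumer */`. The now-active branch also does `if(rc > 0) ja4_r_len += rc;`, and since `snprintf` returns the untruncated length, `ja4_r_len` should be confirmed as bounded by `sizeof(ja4_r)` somewhere outside the visible lines.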
@@ -1801,7 +1801,7 @@ static void ndpi_compute_ja4(struct ndpi_detection_module_struct *ndpi_struct,
#endif
#ifdef JA4R_DECIMAL
- rc = snprintf(&ja4_r[ja4_r_len], sizeof(ja4_r)-ja4_r_len, " ");
+ rc = snprintf(&ja4_r[ja4_r_len], sizeof(ja4_r)-ja4_r_len, "_");
if(rc > 0) ja4_r_len += rc;
#endif