author | Luca Deri <deri@ntop.org> | 2021-05-10 22:43:05 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2021-05-10 22:43:05 +0200 |
commit | 4297a65ce881c8c5462c520f3b3dc987879bccce (patch) | |
tree | 1aa1a37405717efff20cbb2cdf7e93fca064b041 | |
parent | fff60ec31721c32fa4737aba9e40f4d45bd21eca (diff) |
Implemented flow score in Wireshark integration
-rw-r--r-- | example/ndpiReader.c | 2 | ||||
-rw-r--r-- | src/include/ndpi_api.h.in | 1 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 5 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 33 | ||||
-rw-r--r-- | wireshark/ndpi.lua | 9 |
5 files changed, 47 insertions, 3 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 1736b4fa3..47480f111 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -181,6 +181,7 @@ struct ndpi_packet_trailer {
u_int32_t magic; /* WIRESHARK_NTOP_MAGIC */
u_int16_t master_protocol /* e.g. HTTP */, app_protocol /* e.g. FaceBook */;
ndpi_risk flow_risk;
+ u_int16_t flow_score;
char name[16];
} PACK_OFF.
@@ -3294,6 +3295,7 @@ static void ndpi_process_packet(u_char *args,
memset(trailer, 0, sizeof(struct ndpi_packet_trailer));
trailer->magic = htonl(WIRESHARK_NTOP_MAGIC);
trailer->flow_risk = htonl64(flow_risk);
+ trailer->flow_score = htons(ndpi_risk2score(flow_risk));
trailer->master_protocol = htons(p.master_protocol), trailer->app_protocol = htons(p.app_protocol);
ndpi_protocol2name(ndpi_thread_info[thread_id].workflow->ndpi_struct, p, trailer->name, sizeof(trailer->name));
crc = (uint32_t*)&extcap_buf[h.caplen+sizeof(struct ndpi_packet_trailer)];
diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in
index 9bb9a8c73..45eb071d3 100644
--- a/src/include/ndpi_api.h.in
+++ b/src/include/ndpi_api.h.in
@@ -1502,6 +1502,7 @@ extern "C" {
const char* ndpi_risk2str(ndpi_risk_enum risk);
ndpi_risk_severity ndpi_risk2severity(ndpi_risk_enum risk);
+ u_int16_t ndpi_risk2score(ndpi_risk_enum risk);
/* ******************************* */
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 4c0e4818e..7f7a084e2 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -114,6 +114,11 @@ typedef enum {
NDPI_RISK_SEVERE
} ndpi_risk_severity;
+#define NDPI_SCORE_RISK_LOW 10
+#define NDPI_SCORE_RISK_MEDIUM 50
+#define NDPI_SCORE_RISK_HIGH 100
+#define NDPI_SCORE_RISK_SEVERE 250
+
/* NDPI_VISIT */
typedef enum {
ndpi_preorder,
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 07b1cbb02..91055f694 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
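Review bot: The new `flow_score` member changes the on-wire layout of struct ndpi_packet_trailer, which wireshark/ndpi.lua decodes by fixed offsets, while the `magic` member keeps the same `WIRESHARK_NTOP_MAGIC` value, so a dissector built for the previous layout would read the two score bytes as the start of `name` without any way to notice. At minimum the coupling should be documented on the field, e.g. `u_int16_t flow_score; /* ndpi_risk2score(); offsets mirrored in wireshark/ndpi.lua */`; a layout change is also a reasonable occasion to revise the magic value or add a version member, which this commit does not do. The struct's opening attribute line, if any, is before the hunk.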
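Review bot: `ndpi_risk2score` is declared here with an `ndpi_risk_enum` parameter, but the definition in src/lib/ndpi_utils.c walks the argument with `NDPI_ISSET_BIT(risk, r)` as a bitmask, and the call site in example/ndpiReader.c passes `flow_risk`, the same 8-byte bitmask the trailer stores with htonl64. Passing an `ndpi_risk` value to an enum parameter is an implicit conversion; if the compiler's underlying type for `ndpi_risk_enum` is narrower than `ndpi_risk`, risk bits above that width are silently dropped from the score. Declare it as `u_int16_t ndpi_risk2score(ndpi_risk risk);` here and in the definition so the parameter type matches what callers actually pass.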
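Review bot: The four `NDPI_SCORE_RISK_*` weights are added to ndpi_typedefs.h without a comment saying what they weight or who consumes them, so a reader sees only bare numbers next to the `ndpi_risk_severity` enum. A one-line comment above the group such as `/* Per-risk weights, one per ndpi_risk_severity level, summed by ndpi_risk2score() */` ties them to the enum directly above and to the function that uses them.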
@@ -1839,6 +1839,39 @@ ndpi_risk_severity ndpi_risk2severity(ndpi_risk_enum risk) {
/* ******************************************************************** */
+u_int16_t ndpi_risk2score(ndpi_risk_enum risk) {
+ u_int16_t score = 0;
+ u_int32_t i;
+
+ for(i = 0; i < NDPI_MAX_RISK; i++) {
+ ndpi_risk_enum r = (ndpi_risk_enum)i;
+
+ if(NDPI_ISSET_BIT(risk, r)) {
+ switch(ndpi_risk2severity(r)) {
+ case NDPI_RISK_LOW:
+ score += NDPI_SCORE_RISK_LOW;
+ break;
+
+ case NDPI_RISK_MEDIUM:
+ score += NDPI_SCORE_RISK_MEDIUM;
+ break;
+
+ case NDPI_RISK_HIGH:
+ score += NDPI_SCORE_RISK_HIGH;
+ break;
+
+ case NDPI_RISK_SEVERE:
+ score += NDPI_SCORE_RISK_SEVERE;
+ break;
+ }
+ }
+ }
+
+ return(score);
+}
+
+/* ******************************************************************** */
+
const char* ndpi_http_method2str(ndpi_http_method m) {
switch(m) {
case NDPI_HTTP_METHOD_UNKNOWN: break;
diff --git a/wireshark/ndpi.lua b/wireshark/ndpi.lua
index ddda4bcdc..47419aa67 100644
--- a/wireshark/ndpi.lua
+++ b/wireshark/ndpi.lua
@@ -28,6 +28,7 @@ ndpi_fds.application_protocol = ProtoField.new("nDPI Application Protocol", "ndp
ndpi_fds.name = ProtoField.new("nDPI Protocol Name", "ndpi.protocol.name", ftypes.STRING)
ndpi_fds.flow_risk = ProtoField.new("nDPI Flow Risk", "ndpi.flow_risk", ftypes.UINT64)
ndpi_fds.flow_risk_str = ProtoField.new("nDPI Flow Risk String", "ndpi.flow_risk_str", ftypes.STRING)
+ndpi_fds.flow_score = ProtoField.new("nDPI Flow Risk", "ndpi.flow_risk", ftypes.UINT32)
local ntop_proto = Proto("ntop", "ntop Extensions")
ntop_proto.fields = {}
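Review bot: `ndpi_risk2score` is added without a header comment, and the bound of its `u_int16_t score` accumulator is left implicit even though the value ends up in a 16-bit trailer field. Put above the definition a comment along the lines of `/* Sum of the NDPI_SCORE_RISK_* weights of every risk bit set in risk; 0 when no risk is set. Fits in u_int16_t only while NDPI_MAX_RISK * NDPI_SCORE_RISK_SEVERE stays below 65536. */`. Adding a `default: break;` arm to the switch would also state explicitly that a severity outside the four listed values contributes nothing to the score.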
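Review bot: The new ProtoField copies the display name `"nDPI Flow Risk"` and the abbreviation `"ndpi.flow_risk"` from the flow_risk line two lines above, so two fields of different types (UINT64 and UINT32) register under the same filter name; Wireshark is likely to reject the duplicate abbreviation when the protocol's fields are registered, and even if it did not, the score could never be filtered on separately. The added line should read `ndpi_fds.flow_score = ProtoField.new("nDPI Flow Score", "ndpi.flow_score", ftypes.UINT16)`; UINT16 also matches the two bytes the dissector later passes for this field.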
@@ -979,10 +980,12 @@ function ndpi_proto.dissector(tvb, pinfo, tree)
local ndpi_subtree = tree:add(ndpi_proto, tvb(), "nDPI Protocol")
local str_risk = elems[6]..elems[7]..elems[8]..elems[9]..elems[10]..elems[11]..elems[12]..elems[13]
local flow_risk = tonumber(str_risk, 16) -- 16 = HEX
+ local str_score = elems[14]..elems[15]
+ local flow_score = tonumber(str_score, 16) -- 16 = HEX
local len = tvb:len()
local name = ""
- for i=14,29 do
+ for i=16,31 do
name = name .. string.char(tonumber(elems[i], 16))
end
@@ -990,10 +993,10 @@ function ndpi_proto.dissector(tvb, pinfo, tree)
ndpi_subtree:add(ndpi_fds.application_protocol, tvb(len-30, 2))
ndpi_subtree:add(ndpi_fds.flow_risk, tvb(len-28, 8))
ndpi_subtree:add(ndpi_fds.flow_risk_str, map_ndpi_risk(flow_risk))
+ ndpi_subtree:add(ndpi_fds.flow_score, tvb(len-22, 2))
ndpi_subtree:add(ndpi_fds.name, tvb(len-20, 16))
- if(application_protocol ~= 0) then
-
+ if(application_protocol ~= 0) then
-- Set protocol name in the wireshark protocol column (if not Unknown)
pinfo.cols.protocol = name
--print(network_protocol .. "/" .. application_protocol .. "/".. name)
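Review bot: The added `tvb(len-22, 2)` for flow_score lies inside the unchanged `tvb(len-28, 8)` range for flow_risk (bytes len-28 through len-21), so the two fields cannot both be correct. In the C trailer flow_score sits between flow_risk and name, and name is still read at len-20, so the two new bytes push the earlier fields back: `ndpi_subtree:add(ndpi_fds.application_protocol, tvb(len-32, 2))` and `ndpi_subtree:add(ndpi_fds.flow_risk, tvb(len-30, 8))`, and the master_protocol and magic adds before this hunk presumably need the same two-byte shift — confirm against the start of the dissector, which is outside the hunk. The `flow_score` local computed in the previous hunk is also not used by any visible line, so either the add should reference it or the local can go.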