author | Luca Deri <deri@ntop.org> | 2024-08-24 16:30:58 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2024-08-24 16:30:58 +0200 |
commit | 53a6bae365618f9b301cf51e5f3f9d5450b0e280 (patch) | |
tree | 922e0791f71403d03d90fa2958e102fa2a727bfd | |
parent | 8894ebc76f4e3d928dd3c2e32a0470149ce90550 (diff) |
Introduced ndpi_master_app_protocol typedef
-rw-r--r-- | example/ndpiReader.c | 60 | ||||
-rw-r--r-- | example/reader_util.c | 18 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 22 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 207 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 30 | ||||
-rw-r--r-- | src/lib/protocols/dns.c | 26 | ||||
-rw-r--r-- | src/lib/protocols/quic.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/stun.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 6 | ||||
-rw-r--r-- | tests/unit/unit.c | 4 |
10 files changed, 194 insertions, 185 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c index a385e6a28..9861f6505 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -232,7 +232,7 @@ struct ndpi_packet_tlv { PACK_ON struct ndpi_packet_trailer { u_int32_t magic; /* WIRESHARK_NTOP_MAGIC */ - u_int16_t master_protocol /* e.g. HTTP */, app_protocol /* e.g. FaceBook */; + ndpi_master_app_protocol proto; ndpi_risk flow_risk; u_int16_t flow_score; char name[16]; @@ -394,8 +394,8 @@ void ndpiCheckHostStringMatch(char *testChar) { if(testRes) { memset(&detected_protocol, 0, sizeof(ndpi_protocol) ); - detected_protocol.app_protocol = match.protocol_id; - detected_protocol.master_protocol = 0; + detected_protocol.proto.app_protocol = match.protocol_id; + detected_protocol.proto.master_protocol = 0; detected_protocol.category = match.protocol_category; ndpi_protocol2name(ndpi_str, detected_protocol, appBufStr, @@ -484,13 +484,13 @@ static void ndpiCheckIPMatch(char *testChar) { if(ret != NDPI_PROTOCOL_UNKNOWN) { memset(&detected_protocol, 0, sizeof(ndpi_protocol)); - detected_protocol.app_protocol = ndpi_map_ndpi_id_to_user_proto_id(ndpi_str, ret); + detected_protocol.proto.app_protocol = ndpi_map_ndpi_id_to_user_proto_id(ndpi_str, ret); ndpi_protocol2name(ndpi_str, detected_protocol, appBufStr, sizeof(appBufStr)); printf("Match Found for IP %s, port %d -> %s (%d)\n", - ip_str, port, appBufStr, detected_protocol.app_protocol); + ip_str, port, appBufStr, detected_protocol.proto.app_protocol); } else { printf("Match NOT Found for IP: %s\n", testChar); } 
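Review bot: The `PACK_ON` record `struct ndpi_packet_trailer` in the `@@ -232` hunk now takes part of its byte layout from the library typedef `ndpi_master_app_protocol`, so a field added to that typedef later would silently shift `flow_risk`, `flow_score` and `name` for whatever consumes the trailer. With two `u_int16_t` members the pair is still four bytes, so today's layout looks unchanged, but nothing in the visible lines pins it. I would add a compile-time guard next to the struct, for example `_Static_assert(sizeof(ndpi_master_app_protocol) == 2 * sizeof(u_int16_t), "trailer layout");` if the build allows C11, or otherwise a comment stating that the trailer depends on the typedef staying exactly two 16-bit fields. The struct definition continues past the end of the hunk, and the same members are filled in network byte order in the `@@ -4543` hunk of `ndpi_process_packet`.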
@@ -1756,19 +1756,19 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa fprintf(out, "[Confidence: %s]", ndpi_confidence_get_name(flow->confidence)); - if(flow->fpc.master_protocol == NDPI_PROTOCOL_UNKNOWN) { + if(flow->fpc.proto.master_protocol == NDPI_PROTOCOL_UNKNOWN) { fprintf(out, "[FPC: %u/%s, ", - flow->fpc.app_protocol, + flow->fpc.proto.app_protocol, ndpi_get_proto_name(ndpi_thread_info[thread_id].workflow->ndpi_struct, - flow->fpc.app_protocol)); + flow->fpc.proto.app_protocol)); } else { fprintf(out, "[FPC: %u.%u/%s.%s, ", - flow->fpc.master_protocol, - flow->fpc.app_protocol, + flow->fpc.proto.master_protocol, + flow->fpc.proto.app_protocol, ndpi_get_proto_name(ndpi_thread_info[thread_id].workflow->ndpi_struct, - flow->fpc.master_protocol), + flow->fpc.proto.master_protocol), ndpi_get_proto_name(ndpi_thread_info[thread_id].workflow->ndpi_struct, - flow->fpc.app_protocol)); + flow->fpc.proto.app_protocol)); } fprintf(out, "Confidence: %s]", ndpi_fpc_confidence_get_name(flow->fpc.confidence)); @@ -2219,8 +2219,8 @@ static void node_print_unknown_proto_walker(const void *node, (void)depth; - if((flow->detected_protocol.master_protocol != NDPI_PROTOCOL_UNKNOWN) - || (flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN)) + if((flow->detected_protocol.proto.master_protocol != NDPI_PROTOCOL_UNKNOWN) + || (flow->detected_protocol.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN)) return; if((which == ndpi_preorder) || (which == ndpi_leaf)) { @@ -2242,8 +2242,8 @@ static void node_print_known_proto_walker(const void *node, (void)depth; - if((flow->detected_protocol.master_protocol == NDPI_PROTOCOL_UNKNOWN) - && (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN)) + if((flow->detected_protocol.proto.master_protocol == NDPI_PROTOCOL_UNKNOWN) + && (flow->detected_protocol.proto.app_protocol == NDPI_PROTOCOL_UNKNOWN)) return; if((which == ndpi_preorder) || (which == ndpi_leaf)) { 
@@ -2280,7 +2280,7 @@ static void node_proto_guess_walker(const void *node, ndpi_VISIT which, int dept process_ndpi_collected_info(ndpi_thread_info[thread_id].workflow, flow); - proto = flow->detected_protocol.app_protocol ? flow->detected_protocol.app_protocol : flow->detected_protocol.master_protocol; + proto = flow->detected_protocol.proto.app_protocol ? flow->detected_protocol.proto.app_protocol : flow->detected_protocol.proto.master_protocol; proto = ndpi_map_user_proto_id_to_ndpi_id(ndpi_thread_info[thread_id].workflow->ndpi_struct, proto); @@ -2660,12 +2660,12 @@ static void port_stats_walker(const void *node, ndpi_VISIT which, int depth, voi sport = ntohs(flow->src_port), dport = ntohs(flow->dst_port); /* get app level protocol */ - if(flow->detected_protocol.master_protocol) { + if(flow->detected_protocol.proto.master_protocol) { ndpi_protocol2name(ndpi_thread_info[thread_id].workflow->ndpi_struct, flow->detected_protocol, proto, sizeof(proto)); } else { strncpy(proto, ndpi_get_proto_name(ndpi_thread_info[thread_id].workflow->ndpi_struct, - flow->detected_protocol.app_protocol),sizeof(proto) - 1); + flow->detected_protocol.proto.app_protocol),sizeof(proto) - 1); proto[sizeof(proto) - 1] = '\0'; } @@ -2705,7 +2705,7 @@ static void node_idle_scan_walker(const void *node, ndpi_VISIT which, int depth, if(verbose == 3) port_stats_walker(node, which, depth, user_data); - if((flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) && !undetected_flows_deleted) + if((flow->detected_protocol.proto.app_protocol == NDPI_PROTOCOL_UNKNOWN) && !undetected_flows_deleted) undetected_flows_deleted = 1; ndpi_flow_info_free_data(flow); 
@@ -2776,8 +2776,8 @@ static int is_realtime_protocol(ndpi_protocol proto) u_int16_t i; for (i = 0; i < NDPI_ARRAY_LENGTH(realtime_protos); i++) { - if (proto.app_protocol == realtime_protos[i] - || proto.master_protocol == realtime_protos[i]) + if (proto.proto.app_protocol == realtime_protos[i] + || proto.proto.master_protocol == realtime_protos[i]) { return 1; } @@ -3637,7 +3637,7 @@ static void printFlowsStats() { if((all_flows[i].flow->src2dst_syn_count == 0) || (all_flows[i].flow->dst2src_syn_count == 0)) goto print_flow; - if(all_flows[i].flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) { + if(all_flows[i].flow->detected_protocol.proto.master_protocol == NDPI_PROTOCOL_TLS) { if((all_flows[i].flow->src2dst_packets+all_flows[i].flow->dst2src_packets) < 40) goto print_flow; /* Too few packets for TLS negotiation etc */ } @@ -3721,9 +3721,9 @@ static void printFlowsStats() { fprintf(out, "[%s]", all_flows[i].flow->host_server_name); if(enable_doh_dot_detection) { - if(((all_flows[i].flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) - || (all_flows[i].flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS) - || (all_flows[i].flow->detected_protocol.app_protocol == NDPI_PROTOCOL_DOH_DOT) + if(((all_flows[i].flow->detected_protocol.proto.master_protocol == NDPI_PROTOCOL_TLS) + || (all_flows[i].flow->detected_protocol.proto.app_protocol == NDPI_PROTOCOL_TLS) + || (all_flows[i].flow->detected_protocol.proto.app_protocol == NDPI_PROTOCOL_DOH_DOT) ) && all_flows[i].flow->ssh_tls.advertised_alpns /* ALPN */ ) { 
@@ -4516,13 +4516,13 @@ static void ndpi_process_packet(u_char *args, } #ifdef DEBUG_TRACE - if(trace) fprintf(trace, "Found %u bytes packet %u.%u\n", header->caplen, p.app_protocol, p.master_protocol); + if(trace) fprintf(trace, "Found %u bytes packet %u.%u\n", header->caplen, p.proto.app_protocol, p.proto.master_protocol); #endif if(extcap_dumper && ((extcap_packet_filter == (u_int16_t)-1) - || (p.app_protocol == extcap_packet_filter) - || (p.master_protocol == extcap_packet_filter) + || (p.proto.app_protocol == extcap_packet_filter) + || (p.proto.master_protocol == extcap_packet_filter) ) ) { struct pcap_pkthdr h; @@ -4543,7 +4543,7 @@ static void ndpi_process_packet(u_char *args, trailer->magic = htonl(WIRESHARK_NTOP_MAGIC); trailer->flow_risk = htonl64(flow_risk); trailer->flow_score = htons(ndpi_risk2score(flow_risk, &cli_score, &srv_score)); - trailer->master_protocol = htons(p.master_protocol), trailer->app_protocol = htons(p.app_protocol); + trailer->proto.master_protocol = htons(p.proto.master_protocol), trailer->proto.app_protocol = htons(p.proto.app_protocol); ndpi_protocol2name(ndpi_thread_info[thread_id].workflow->ndpi_struct, p, trailer->name, sizeof(trailer->name)); /* Metadata */ diff --git a/example/reader_util.c b/example/reader_util.c index fdb01e2ba..014574503 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -1010,8 +1010,8 @@ static struct ndpi_flow_info *get_ndpi_flow_info6(struct ndpi_workflow * workflo /* ****************************************************** */ static u_int8_t is_ndpi_proto(struct ndpi_flow_info *flow, u_int16_t id) { - if((flow->detected_protocol.master_protocol == id) - || (flow->detected_protocol.app_protocol == id)) + if((flow->detected_protocol.proto.master_protocol == id) + || (flow->detected_protocol.proto.app_protocol == id)) return(1); else return(0); 
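Review bot: The `DEBUG_TRACE` line in the `@@ -4516` hunk passes `p.proto.app_protocol` before `p.proto.master_protocol` to a `%u.%u` format, while the `[FPC: %u.%u/...` output in `printFlow` and the `BITTORRENT_CACHE_DEBUG` print elsewhere in this commit put master first for the same format. Anyone correlating the trace file with the flow output would read the pair the wrong way round. Since the line is being edited anyway, swap the arguments: `fprintf(trace, "Found %u bytes packet %u.%u\n", header->caplen, p.proto.master_protocol, p.proto.app_protocol);`. `ndpi_process_packet` starts and ends outside the hunk.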
@@ -1556,7 +1556,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, if(payload_len && ((flow->src2dst_packets+flow->dst2src_packets) < MAX_NUM_BIN_PKTS)) { #if 0 /* Discard packets until the protocol is detected */ - if(flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN) + if(flow->detected_protocol.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN) #endif ndpi_inc_bin(&flow->payload_len_bin, plen2slot(payload_len), 1); } @@ -1613,9 +1613,9 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, if((proto == IPPROTO_TCP) && ( is_ndpi_proto(flow, NDPI_PROTOCOL_TLS) - || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) + || (flow->detected_protocol.proto.master_protocol == NDPI_PROTOCOL_TLS) || is_ndpi_proto(flow, NDPI_PROTOCOL_SSH) - || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSH)) + || (flow->detected_protocol.proto.master_protocol == NDPI_PROTOCOL_SSH)) ) { if((flow->src2dst_packets+flow->dst2src_packets) < 10 /* MIN_NUM_ENCRYPT_SKIP_PACKETS */) skip = 1; /* Skip initial negotiation packets */ @@ -1632,9 +1632,9 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, if((proto == IPPROTO_TCP) && ( is_ndpi_proto(flow, NDPI_PROTOCOL_TLS) - || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) + || (flow->detected_protocol.proto.master_protocol == NDPI_PROTOCOL_TLS) || is_ndpi_proto(flow, NDPI_PROTOCOL_SSH) - || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSH)) + || (flow->detected_protocol.proto.master_protocol == NDPI_PROTOCOL_SSH)) ) flow->has_human_readeable_strings = 0; } 
@@ -1672,7 +1672,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, ipsize, time_ms, &input_info); enough_packets |= ndpi_flow->fail_with_unknown; - if(enough_packets || (flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN)) { + if(enough_packets || (flow->detected_protocol.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN)) { if((!enough_packets) && ndpi_extra_dissection_possible(workflow->ndpi_struct, ndpi_flow)) ; /* Wait for further metadata */ @@ -1680,7 +1680,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, /* New protocol detected or give up */ flow->detection_completed = 1; - if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) { + if(flow->detected_protocol.proto.app_protocol == NDPI_PROTOCOL_UNKNOWN) { u_int8_t proto_guessed; flow->detected_protocol = ndpi_detection_giveup(workflow->ndpi_struct, flow->ndpi_flow, diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index a05026e87..a03e3d986 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h 
@@ -1138,24 +1138,28 @@ typedef struct _ndpi_automa { typedef void ndpi_str_hash; -struct ndpi_fpc_info { - u_int16_t master_protocol; - u_int16_t app_protocol; - ndpi_fpc_confidence_t confidence; -}; - -typedef struct ndpi_proto { +typedef struct { /* Note below we do not use ndpi_protocol_id_t as users can define their own custom protocols and thus the typedef could be too short in size. */ - u_int16_t master_protocol /* e.g. HTTP */, app_protocol /* e.g. FaceBook */, protocol_by_ip; + u_int16_t master_protocol /* e.g. HTTP */, app_protocol /* e.g. FaceBook */; +} ndpi_master_app_protocol; + +struct ndpi_fpc_info { + ndpi_master_app_protocol proto; + ndpi_fpc_confidence_t confidence; +}; + +typedef struct ndpi_proto { + ndpi_master_app_protocol proto; + u_int16_t protocol_by_ip; ndpi_protocol_category_t category; void *custom_category_userdata; } ndpi_protocol; -#define NDPI_PROTOCOL_NULL { NDPI_PROTOCOL_UNKNOWN , NDPI_PROTOCOL_UNKNOWN , NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL } +#define NDPI_PROTOCOL_NULL { { NDPI_PROTOCOL_UNKNOWN , NDPI_PROTOCOL_UNKNOWN }, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL } #define NUM_CUSTOM_CATEGORIES 5 #define CUSTOM_CATEGORY_LABEL_LEN 32 diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index b496888cb..ae1d546e4 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -281,6 +281,7 @@ char *ndpi_get_proto_by_id(struct ndpi_detection_module_struct *ndpi_str, u_int /* *********************************************************************************** */ +/* NOTE: name can be HTTP or YouTube but not TLS.YouTube */ u_int16_t ndpi_get_proto_by_name(struct ndpi_detection_module_struct *ndpi_str, const char *name) { u_int16_t i, num = ndpi_get_num_supported_protocols(ndpi_str); char *p; 
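Review bot: Out-of-tree callers that read or write `p.app_protocol` / `p.master_protocol` on the public `ndpi_protocol` will stop compiling after the `@@ -1138` header hunk, and nothing in the commit (no changelog or API-version entry appears in the diffstat) documents the rename. The in-memory layout looks unchanged, since the pair is still the first four bytes, but that is inferred from the field types rather than asserted anywhere. I would add a doc comment above the typedef, along the lines of `/* master/app protocol pair shared by ndpi_protocol and ndpi_fpc_info; access via .proto */`, and record the source-level break in the release notes. Giving the struct a tag, `typedef struct ndpi_master_app_protocol { ... } ndpi_master_app_protocol;`, would also let other headers forward-declare it.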
@@ -7491,7 +7492,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s flow->risk_shadow = flow->risk; } - switch(ret->app_protocol) { + switch(ret->proto.app_protocol) { case NDPI_PROTOCOL_MICROSOFT_AZURE: ndpi_reconcile_msteams_udp(ndpi_str, flow, flow->detected_protocol_stack[1]); break; @@ -7537,7 +7538,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s it switches to TLS.TCP. Let's try to catch it */ if((flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_MICROSOFT_AZURE) - && (ret->master_protocol == NDPI_PROTOCOL_UNKNOWN) + && (ret->proto.master_protocol == NDPI_PROTOCOL_UNKNOWN) && ndpi_str->msteams_cache ) { u_int16_t dummy; @@ -7565,7 +7566,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s if(ndpi_lru_find_cache(ndpi_str->msteams_cache, make_msteams_key(flow, 1 /* client */), &dummy, 0 /* Don't remove it as it can be used for other connections */, ndpi_get_current_time(flow))) { - ret->app_protocol = NDPI_PROTOCOL_MSTEAMS; + ret->proto.app_protocol = NDPI_PROTOCOL_MSTEAMS; /* Refresh cache */ ndpi_lru_add_to_cache(ndpi_str->msteams_cache, @@ -7617,7 +7618,8 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s break; } /* switch */ - ret->master_protocol = flow->detected_protocol_stack[1], ret->app_protocol = flow->detected_protocol_stack[0]; + ret->proto.master_protocol = flow->detected_protocol_stack[1], + ret->proto.app_protocol = flow->detected_protocol_stack[0]; for(i=0; i<2; i++) { switch(ndpi_get_proto_breed(ndpi_str, flow->detected_protocol_stack[i])) { 
@@ -7761,48 +7763,49 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st } /* Init defaults */ - ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; + ret.proto.master_protocol = flow->detected_protocol_stack[1], + ret.proto.app_protocol = flow->detected_protocol_stack[0]; ret.protocol_by_ip = flow->guessed_protocol_id_by_ip; ret.category = flow->category; /* Ensure that we don't change our mind if detection is already complete */ - if(ret.app_protocol != NDPI_PROTOCOL_UNKNOWN) + if(ret.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN) return(ret); /* Check some caches */ /* Does it looks like BitTorrent? */ - if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN && + if(ret.proto.app_protocol == NDPI_PROTOCOL_UNKNOWN && search_into_bittorrent_cache(ndpi_str, flow)) { ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE); - ret.app_protocol = flow->detected_protocol_stack[0]; + ret.proto.app_protocol = flow->detected_protocol_stack[0]; } /* Does it looks like some Mining protocols? */ - if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN && + if(ret.proto.app_protocol == NDPI_PROTOCOL_UNKNOWN && ndpi_str->mining_cache && ndpi_lru_find_cache(ndpi_str->mining_cache, mining_make_lru_cache_key(flow), &cached_proto, 0 /* Don't remove it as it can be used for other connections */, ndpi_get_current_time(flow))) { ndpi_set_detected_protocol(ndpi_str, flow, cached_proto, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE); - ret.app_protocol = flow->detected_protocol_stack[0]; + ret.proto.app_protocol = flow->detected_protocol_stack[0]; } /* Does it looks like Ookla? 
*/ - if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN && + if(ret.proto.app_protocol == NDPI_PROTOCOL_UNKNOWN && ntohs(flow->s_port) == 8080 && ookla_search_into_cache(ndpi_str, flow)) { ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE); - ret.app_protocol = flow->detected_protocol_stack[0]; + ret.proto.app_protocol = flow->detected_protocol_stack[0]; } /* TODO: not sure about the best "order" among fully encrypted logic, classification by-port and classification by-ip...*/ - if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN && + if(ret.proto.app_protocol == NDPI_PROTOCOL_UNKNOWN && flow->first_pkt_fully_encrypted == 1) { ndpi_set_risk(flow, NDPI_FULLY_ENCRYPTED, NULL); } /* Classification by-port */ if((ndpi_str->cfg.guess_on_giveup & NDPI_GIVEUP_GUESS_BY_PORT) && - ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) { + ret.proto.app_protocol == NDPI_PROTOCOL_UNKNOWN) { /* Ignore guessed protocol if they have been discarded */ if(flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN && 
@@ -7813,22 +7816,23 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st if(flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) { ndpi_set_detected_protocol(ndpi_str, flow, flow->guessed_protocol_id, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_MATCH_BY_PORT); - ret.app_protocol = flow->detected_protocol_stack[0]; + ret.proto.app_protocol = flow->detected_protocol_stack[0]; } } /* Classification by-ip, as last effort */ if((ndpi_str->cfg.guess_on_giveup & NDPI_GIVEUP_GUESS_BY_IP) && - ret.app_protocol == NDPI_PROTOCOL_UNKNOWN && + ret.proto.app_protocol == NDPI_PROTOCOL_UNKNOWN && flow->guessed_protocol_id_by_ip != NDPI_PROTOCOL_UNKNOWN) { ndpi_set_detected_protocol(ndpi_str, flow, - flow->guessed_protocol_id_by_ip, ret.master_protocol, + flow->guessed_protocol_id_by_ip, + ret.proto.master_protocol, NDPI_CONFIDENCE_MATCH_BY_IP); - ret.app_protocol = flow->detected_protocol_stack[0]; + ret.proto.app_protocol = flow->detected_protocol_stack[0]; } - if(ret.app_protocol != NDPI_PROTOCOL_UNKNOWN) { + if(ret.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN) { *protocol_was_guessed = 1; ndpi_fill_protocol_category(ndpi_str, flow, &ret); } @@ -8169,7 +8173,8 @@ int ndpi_fill_ipv6_protocol_category(struct ndpi_detection_module_struct *ndpi_s void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, ndpi_protocol *ret) { - if((ret->master_protocol == NDPI_PROTOCOL_UNKNOWN) && (ret->app_protocol == NDPI_PROTOCOL_UNKNOWN)) + if((ret->proto.master_protocol == NDPI_PROTOCOL_UNKNOWN) + && (ret->proto.app_protocol == NDPI_PROTOCOL_UNKNOWN)) return; if(ndpi_str->custom_categories.categories_loaded) { 
@@ -8213,7 +8218,7 @@ static void ndpi_reset_packet_line_info(struct ndpi_packet_struct *packet) { /* ********************************************************************************* */ static int ndpi_is_ntop_protocol(ndpi_protocol *ret) { - if((ret->master_protocol == NDPI_PROTOCOL_HTTP) && (ret->app_protocol == NDPI_PROTOCOL_NTOP)) + if((ret->proto.master_protocol == NDPI_PROTOCOL_HTTP) && (ret->proto.app_protocol == NDPI_PROTOCOL_NTOP)) return(1); else return(0); @@ -8302,7 +8307,7 @@ static int ndpi_check_protocol_port_mismatch_exceptions(default_ports_tree_node_ if(ndpi_is_ntop_protocol(returned_proto)) return(1); - if(returned_proto->master_protocol == NDPI_PROTOCOL_TLS) { + if(returned_proto->proto.master_protocol == NDPI_PROTOCOL_TLS) { switch(expected_proto->proto->protoId) { case NDPI_PROTOCOL_MAIL_IMAPS: case NDPI_PROTOCOL_MAIL_POPS: @@ -8320,7 +8325,7 @@ static int ndpi_check_protocol_port_mismatch_exceptions(default_ports_tree_node_ static int ndpi_do_guess(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, ndpi_protocol *ret) { struct ndpi_packet_struct *packet = &ndpi_str->packet; - ret->master_protocol = ret->app_protocol = NDPI_PROTOCOL_UNKNOWN, ret->category = 0; + ret->proto.master_protocol = ret->proto.app_protocol = NDPI_PROTOCOL_UNKNOWN, ret->category = 0; if(packet->iphv6 || packet->iph) { u_int8_t user_defined_proto; @@ -8345,8 +8350,8 @@ static int ndpi_do_guess(struct ndpi_detection_module_struct *ndpi_str, struct n if(flow->guessed_protocol_id >= NDPI_MAX_SUPPORTED_PROTOCOLS) { /* This is a custom protocol and it has priority over everything else */ - ret->master_protocol = NDPI_PROTOCOL_UNKNOWN, - ret->app_protocol = flow->guessed_protocol_id; + ret->proto.master_protocol = NDPI_PROTOCOL_UNKNOWN, + ret->proto.app_protocol = flow->guessed_protocol_id; flow->confidence = NDPI_CONFIDENCE_CUSTOM_RULE; ndpi_fill_protocol_category(ndpi_str, flow, ret); return(-1); 
@@ -8369,7 +8374,7 @@ static int ndpi_do_guess(struct ndpi_detection_module_struct *ndpi_str, struct n NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_packet = {0}; /* This is a custom protocol and it has priority over everything else */ - ret->master_protocol = flow->guessed_protocol_id, ret->app_protocol = flow->guessed_protocol_id_by_ip; + ret->proto.master_protocol = flow->guessed_protocol_id, ret->proto.app_protocol = flow->guessed_protocol_id_by_ip; flow->num_dissector_calls += ndpi_check_flow_func(ndpi_str, flow, &ndpi_selection_packet); @@ -8389,12 +8394,12 @@ static void fpc_update(struct ndpi_detection_module_struct *ndpi_str, ndpi_fpc_confidence_t fpc_confidence) { NDPI_LOG_DBG(ndpi_str, "FPC %d.%d/%s -> %d.%d/%s\n", - flow->fpc.master_protocol, flow->fpc.app_protocol, + flow->fpc.proto.master_protocol, flow->fpc.proto.app_protocol, ndpi_fpc_confidence_get_name(flow->fpc.confidence), fpc_master, fpc_app, ndpi_fpc_confidence_get_name(fpc_confidence)); - flow->fpc.master_protocol = fpc_master; - flow->fpc.app_protocol = fpc_app; + flow->fpc.proto.master_protocol = fpc_master; + flow->fpc.proto.app_protocol = fpc_app; flow->fpc.confidence = fpc_confidence; } @@ -8461,8 +8466,8 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio flow->detected_protocol_stack[0], flow->detected_protocol_stack[1]); - ret.master_protocol = flow->detected_protocol_stack[1], - ret.app_protocol = flow->detected_protocol_stack[0]; + ret.proto.master_protocol = flow->detected_protocol_stack[1], + ret.proto.app_protocol = flow->detected_protocol_stack[0]; ret.protocol_by_ip = flow->guessed_protocol_id_by_ip; ret.category = flow->category; 
@@ -8484,8 +8489,8 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio if(flow->extra_packets_func) { ndpi_process_extra_packet(ndpi_str, flow, packet_data, packetlen, current_time_ms, input_info); /* Update in case of new match */ - ret.master_protocol = flow->detected_protocol_stack[1], - ret.app_protocol = flow->detected_protocol_stack[0], + ret.proto.master_protocol = flow->detected_protocol_stack[1], + ret.proto.app_protocol = flow->detected_protocol_stack[0], ret.category = flow->category; return(ret); @@ -8531,7 +8536,7 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio for(i=0; (i<MAX_NBPF_CUSTOM_PROTO) && (ndpi_str->nbpf_custom_proto[i].tree != NULL); i++) { if(nbpf_match(ndpi_str->nbpf_custom_proto[i].tree, &t)) { /* match found */ - ret.master_protocol = ret.app_protocol = ndpi_str->nbpf_custom_proto[i].l7_protocol; + ret.proto.master_protocol = ret.proto.app_protocol = ndpi_str->nbpf_custom_proto[i].l7_protocol; ndpi_fill_protocol_category(ndpi_str, flow, &ret); ndpi_reconcile_protocols(ndpi_str, flow, &ret); flow->confidence = NDPI_CONFIDENCE_NBPF; 
@@ -8578,21 +8583,21 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio ret_protocols: if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) { - ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; + ret.proto.master_protocol = flow->detected_protocol_stack[1], ret.proto.app_protocol = flow->detected_protocol_stack[0]; - if(ret.app_protocol == ret.master_protocol) - ret.master_protocol = NDPI_PROTOCOL_UNKNOWN; + if(ret.proto.app_protocol == ret.proto.master_protocol) + ret.proto.master_protocol = NDPI_PROTOCOL_UNKNOWN; } else - ret.app_protocol = flow->detected_protocol_stack[0]; + ret.proto.app_protocol = flow->detected_protocol_stack[0]; /* Don't overwrite the category if already set */ - if((flow->category == NDPI_PROTOCOL_CATEGORY_UNSPECIFIED) && (ret.app_protocol != NDPI_PROTOCOL_UNKNOWN)) + if((flow->category == NDPI_PROTOCOL_CATEGORY_UNSPECIFIED) && (ret.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN)) ndpi_fill_protocol_category(ndpi_str, flow, &ret); else ret.category = flow->category; if((!flow->risk_checked) - && ((ret.master_protocol != NDPI_PROTOCOL_UNKNOWN) || (ret.app_protocol != NDPI_PROTOCOL_UNKNOWN)) + && ((ret.proto.master_protocol != NDPI_PROTOCOL_UNKNOWN) || (ret.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN)) ) { default_ports_tree_node_t *found; u_int16_t *default_ports; 
@@ -8601,21 +8606,21 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio found = ndpi_get_guessed_protocol_id(ndpi_str, IPPROTO_UDP, ntohs(flow->c_port), ntohs(flow->s_port)), - default_ports = ndpi_str->proto_defaults[ret.master_protocol ? ret.master_protocol : ret.app_protocol].udp_default_ports; + default_ports = ndpi_str->proto_defaults[ret.proto.master_protocol ? ret.proto.master_protocol : ret.proto.app_protocol].udp_default_ports; else if(packet->tcp) found = ndpi_get_guessed_protocol_id(ndpi_str, IPPROTO_TCP, ntohs(flow->c_port), ntohs(flow->s_port)), - default_ports = ndpi_str->proto_defaults[ret.master_protocol ? ret.master_protocol : ret.app_protocol].tcp_default_ports; + default_ports = ndpi_str->proto_defaults[ret.proto.master_protocol ? ret.proto.master_protocol : ret.proto.app_protocol].tcp_default_ports; else found = NULL, default_ports = NULL; if(found && (found->proto->protoId != NDPI_PROTOCOL_UNKNOWN) - && (found->proto->protoId != ret.master_protocol) - && (found->proto->protoId != ret.app_protocol) + && (found->proto->protoId != ret.proto.master_protocol) + && (found->proto->protoId != ret.proto.app_protocol) ) { - // printf("******** %u / %u\n", found->proto->protoId, ret.master_protocol); + // printf("******** %u / %u\n", found->proto->protoId, ret.proto.master_protocol); if(!ndpi_check_protocol_port_mismatch_exceptions(found, &ret)) { /* @@ -8637,7 +8642,7 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio ntohs(flow->c_port), ntohs(flow->s_port)); if((r == NULL) - || ((r->proto->protoId != ret.app_protocol) && (r->proto->protoId != ret.master_protocol))) { + || ((r->proto->protoId != ret.proto.app_protocol) && (r->proto->protoId != ret.proto.master_protocol))) { if(default_ports[0] != 0) { char str[64]; u_int8_t i, offset; 
@@ -8673,9 +8678,9 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio if((num_loops == 0) && (!found)) { if(packet->udp) - default_ports = ndpi_str->proto_defaults[ret.app_protocol].udp_default_ports; + default_ports = ndpi_str->proto_defaults[ret.proto.app_protocol].udp_default_ports; else - default_ports = ndpi_str->proto_defaults[ret.app_protocol].tcp_default_ports; + default_ports = ndpi_str->proto_defaults[ret.proto.app_protocol].tcp_default_ports; num_loops = 1; goto check_default_ports; @@ -8686,8 +8691,8 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio ntohs(flow->c_port), ntohs(flow->s_port)); if((r == NULL) - || ((r->proto->protoId != ret.app_protocol) && (r->proto->protoId != ret.master_protocol))) { - if(ret.app_protocol != NDPI_PROTOCOL_FTP_DATA) + || ((r->proto->protoId != ret.proto.app_protocol) && (r->proto->protoId != ret.proto.master_protocol))) { + if(ret.proto.app_protocol != NDPI_PROTOCOL_FTP_DATA) ndpi_set_risk(flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT,NULL); } } @@ -8734,12 +8739,12 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio /* ndpi_reconcile_protocols(ndpi_str, flow, &ret); */ if(ndpi_str->cfg.fully_encrypted_heuristic && - ret.app_protocol == NDPI_PROTOCOL_UNKNOWN && /* Only for unknown traffic */ + ret.proto.app_protocol == NDPI_PROTOCOL_UNKNOWN && /* Only for unknown traffic */ flow->packet_counter == 1 && packet->payload_packet_len > 0) { flow->first_pkt_fully_encrypted = fully_enc_heuristic(ndpi_str, flow); } - if((ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) + if((ret.proto.app_protocol == NDPI_PROTOCOL_UNKNOWN) && (packet->payload_packet_len > 0) && (flow->packet_counter <= 5)) { ndpi_search_portable_executable(ndpi_str, flow); 
@@ -8752,9 +8757,9 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio flow->first_pkt_fully_encrypted == 0 && flow->packet_counter < 5 && /* The following protocols do their own entropy calculation/classification. */ - ret.app_protocol != NDPI_PROTOCOL_IP_ICMP) { + ret.proto.app_protocol != NDPI_PROTOCOL_IP_ICMP) { - if (ret.app_protocol != NDPI_PROTOCOL_HTTP) { + if (ret.proto.app_protocol != NDPI_PROTOCOL_HTTP) { flow->entropy = ndpi_entropy(packet->payload, packet->payload_packet_len); } @@ -8778,8 +8783,8 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct packetlen, current_time_ms, input_info); - p.master_protocol = ndpi_map_ndpi_id_to_user_proto_id(ndpi_str, p.master_protocol); - p.app_protocol = ndpi_map_ndpi_id_to_user_proto_id(ndpi_str, p.app_protocol); + p.proto.master_protocol = ndpi_map_ndpi_id_to_user_proto_id(ndpi_str, p.proto.master_protocol); + p.proto.app_protocol = ndpi_map_ndpi_id_to_user_proto_id(ndpi_str, p.proto.app_protocol); p.protocol_by_ip = ndpi_map_ndpi_id_to_user_proto_id(ndpi_str, p.protocol_by_ip); return(p); @@ -9172,7 +9177,7 @@ void ndpi_set_detected_protocol(struct ndpi_detection_module_struct *ndpi_str, s ndpi_protocol ret; ndpi_int_change_protocol(flow, upper_detected_protocol, lower_detected_protocol, confidence); - ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; + ret.proto.master_protocol = flow->detected_protocol_stack[1], ret.proto.app_protocol = flow->detected_protocol_stack[0]; ndpi_reconcile_protocols(ndpi_str, flow, &ret); } 
@@ -9208,8 +9213,8 @@ ndpi_protocol_category_t ndpi_get_flow_category(struct ndpi_flow_struct *flow) void ndpi_get_flow_ndpi_proto(struct ndpi_flow_struct *flow, struct ndpi_proto * ndpi_proto) { - ndpi_proto->master_protocol = ndpi_get_flow_masterprotocol(flow); - ndpi_proto->app_protocol = ndpi_get_flow_appprotocol(flow); + ndpi_proto->proto.master_protocol = ndpi_get_flow_masterprotocol(flow); + ndpi_proto->proto.app_protocol = ndpi_get_flow_appprotocol(flow); ndpi_proto->category = ndpi_get_flow_category(flow); } @@ -9304,19 +9309,19 @@ u_int16_t ntohs_ndpi_bytestream_to_number(const u_int8_t *str, /* ****************************************************** */ u_int8_t ndpi_is_proto(ndpi_protocol proto, u_int16_t p) { - return(((proto.app_protocol == p) || (proto.master_protocol == p)) ? 1 : 0); + return(((proto.proto.app_protocol == p) || (proto.proto.master_protocol == p)) ? 1 : 0); } /* ****************************************************** */ u_int16_t ndpi_get_lower_proto(ndpi_protocol proto) { - return((proto.master_protocol != NDPI_PROTOCOL_UNKNOWN) ? proto.master_protocol : proto.app_protocol); + return((proto.proto.master_protocol != NDPI_PROTOCOL_UNKNOWN) ? proto.proto.master_protocol : proto.proto.app_protocol); } /* ****************************************************** */ u_int16_t ndpi_get_upper_proto(ndpi_protocol proto) { - return((proto.app_protocol != NDPI_PROTOCOL_UNKNOWN) ? proto.app_protocol : proto.master_protocol); + return((proto.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN) ? proto.proto.app_protocol : proto.proto.master_protocol); } /* ****************************************************** */ 
@@ -9336,28 +9341,28 @@ static ndpi_protocol ndpi_internal_guess_undetected_protocol(struct ndpi_detecti if(flow && ((proto == IPPROTO_TCP) || (proto == IPPROTO_UDP))) { if(flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) { if(flow->guessed_protocol_id_by_ip != NDPI_PROTOCOL_UNKNOWN) { - ret.master_protocol = flow->guessed_protocol_id; - ret.app_protocol = flow->guessed_protocol_id_by_ip; + ret.proto.master_protocol = flow->guessed_protocol_id; + ret.proto.app_protocol = flow->guessed_protocol_id_by_ip; } else { - ret.app_protocol = flow->guessed_protocol_id; + ret.proto.app_protocol = flow->guessed_protocol_id; } } else { - ret.app_protocol = flow->guessed_protocol_id_by_ip; + ret.proto.app_protocol = flow->guessed_protocol_id_by_ip; } - if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN && + if(ret.proto.app_protocol == NDPI_PROTOCOL_UNKNOWN && search_into_bittorrent_cache(ndpi_str, flow)) { /* This looks like BitTorrent */ - ret.app_protocol = NDPI_PROTOCOL_BITTORRENT; + ret.proto.app_protocol = NDPI_PROTOCOL_BITTORRENT; } } else { - ret.app_protocol = guess_protocol_id(ndpi_str, flow, proto, 0, 0, &user_defined_proto); + ret.proto.app_protocol = guess_protocol_id(ndpi_str, flow, proto, 0, 0, &user_defined_proto); } ret.category = ndpi_get_proto_category(ndpi_str, ret); #ifdef BITTORRENT_CACHE_DEBUG - printf("[%s:%u] Guessed %u.%u\n", __FILE__, __LINE__, ret.master_protocol, ret.app_protocol); + printf("[%s:%u] Guessed %u.%u\n", __FILE__, __LINE__, ret.proto.master_protocol, ret.proto.app_protocol); #endif return(ret); 
@@ -9385,17 +9390,17 @@ ndpi_protocol ndpi_guess_undetected_protocol_v4(struct ndpi_detection_module_str rc = NDPI_PROTOCOL_UNKNOWN; if(rc != NDPI_PROTOCOL_UNKNOWN) { - ret.app_protocol = rc, - ret.master_protocol = guess_protocol_id(ndpi_str, flow, proto, sport, dport, &user_defined_proto); + ret.proto.app_protocol = rc, + ret.proto.master_protocol = guess_protocol_id(ndpi_str, flow, proto, sport, dport, &user_defined_proto); - if(ret.app_protocol == ret.master_protocol) - ret.master_protocol = NDPI_PROTOCOL_UNKNOWN; + if(ret.proto.app_protocol == ret.proto.master_protocol) + ret.proto.master_protocol = NDPI_PROTOCOL_UNKNOWN; } else { - ret.app_protocol = guess_protocol_id(ndpi_str, flow, proto, sport, dport, &user_defined_proto), - ret.master_protocol = NDPI_PROTOCOL_UNKNOWN; + ret.proto.app_protocol = guess_protocol_id(ndpi_str, flow, proto, sport, dport, &user_defined_proto), + ret.proto.master_protocol = NDPI_PROTOCOL_UNKNOWN; } - if(ret.app_protocol != NDPI_PROTOCOL_UNKNOWN) { + if(ret.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN) { ret.category = ndpi_get_proto_category(ndpi_str, ret); return(ret); } @@ -9410,8 +9415,8 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct struct ndpi_flow_struct *flow, u_int8_t proto) { ndpi_protocol p = ndpi_internal_guess_undetected_protocol(ndpi_str, flow, proto); - p.master_protocol = ndpi_map_ndpi_id_to_user_proto_id(ndpi_str, p.master_protocol), - p.app_protocol = ndpi_map_ndpi_id_to_user_proto_id(ndpi_str, p.app_protocol); + p.proto.master_protocol = ndpi_map_ndpi_id_to_user_proto_id(ndpi_str, p.proto.master_protocol), + p.proto.app_protocol = ndpi_map_ndpi_id_to_user_proto_id(ndpi_str, p.proto.app_protocol); return(p); } 
@@ -9419,13 +9424,13 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct /* ****************************************************** */ char *ndpi_protocol2id(ndpi_protocol proto, char *buf, u_int buf_len) { - if((proto.master_protocol != NDPI_PROTOCOL_UNKNOWN) && (proto.master_protocol != proto.app_protocol)) { - if(proto.app_protocol != NDPI_PROTOCOL_UNKNOWN) - ndpi_snprintf(buf, buf_len, "%u.%u", proto.master_protocol, proto.app_protocol); + if((proto.proto.master_protocol != NDPI_PROTOCOL_UNKNOWN) && (proto.proto.master_protocol != proto.proto.app_protocol)) { + if(proto.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN) + ndpi_snprintf(buf, buf_len, "%u.%u", proto.proto.master_protocol, proto.proto.app_protocol); else - ndpi_snprintf(buf, buf_len, "%u", proto.master_protocol); + ndpi_snprintf(buf, buf_len, "%u", proto.proto.master_protocol); } else - ndpi_snprintf(buf, buf_len, "%u", proto.app_protocol); + ndpi_snprintf(buf, buf_len, "%u", proto.proto.app_protocol); return(buf); } 
@@ -9434,14 +9439,14 @@ char *ndpi_protocol2id(ndpi_protocol proto, char *buf, u_int buf_len) { char *ndpi_protocol2name(struct ndpi_detection_module_struct *ndpi_str, ndpi_protocol proto, char *buf, u_int buf_len) { - if((proto.master_protocol != NDPI_PROTOCOL_UNKNOWN) && (proto.master_protocol != proto.app_protocol)) { - if(proto.app_protocol != NDPI_PROTOCOL_UNKNOWN) - ndpi_snprintf(buf, buf_len, "%s.%s", ndpi_get_proto_name(ndpi_str, proto.master_protocol), - ndpi_get_proto_name(ndpi_str, proto.app_protocol)); + if((proto.proto.master_protocol != NDPI_PROTOCOL_UNKNOWN) && (proto.proto.master_protocol != proto.proto.app_protocol)) { + if(proto.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN) + ndpi_snprintf(buf, buf_len, "%s.%s", ndpi_get_proto_name(ndpi_str, proto.proto.master_protocol), + ndpi_get_proto_name(ndpi_str, proto.proto.app_protocol)); else - ndpi_snprintf(buf, buf_len, "%s", ndpi_get_proto_name(ndpi_str, proto.master_protocol)); + ndpi_snprintf(buf, buf_len, "%s", ndpi_get_proto_name(ndpi_str, proto.proto.master_protocol)); } else - ndpi_snprintf(buf, buf_len, "%s", ndpi_get_proto_name(ndpi_str, proto.app_protocol)); + ndpi_snprintf(buf, buf_len, "%s", ndpi_get_proto_name(ndpi_str, proto.proto.app_protocol)); return(buf); } 
@@ -9616,21 +9621,21 @@ ndpi_protocol_category_t ndpi_get_proto_category(struct ndpi_detection_module_st return(proto.category); #if 0 - proto.master_protocol = ndpi_map_user_proto_id_to_ndpi_id(ndpi_str, proto.master_protocol), - proto.app_protocol = ndpi_map_user_proto_id_to_ndpi_id(ndpi_str, proto.app_protocol); + proto.proto.master_protocol = ndpi_map_user_proto_id_to_ndpi_id(ndpi_str, proto.proto.master_protocol), + proto.proto.app_protocol = ndpi_map_user_proto_id_to_ndpi_id(ndpi_str, proto.proto.app_protocol); #endif /* Simple rule: sub protocol first, master after, with some exceptions (i.e. mail) */ - if(category_depends_on_master(proto.master_protocol)) { - if(ndpi_is_valid_protoId(proto.master_protocol)) - return(ndpi_str->proto_defaults[proto.master_protocol].protoCategory); - } else if((proto.master_protocol == NDPI_PROTOCOL_UNKNOWN) || - (ndpi_str->proto_defaults[proto.app_protocol].protoCategory != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED)) { - if(ndpi_is_valid_protoId(proto.app_protocol)) - return(ndpi_str->proto_defaults[proto.app_protocol].protoCategory); - } else if(ndpi_is_valid_protoId(proto.master_protocol)) - return(ndpi_str->proto_defaults[proto.master_protocol].protoCategory); + if(category_depends_on_master(proto.proto.master_protocol)) { + if(ndpi_is_valid_protoId(proto.proto.master_protocol)) + return(ndpi_str->proto_defaults[proto.proto.master_protocol].protoCategory); + } else if((proto.proto.master_protocol == NDPI_PROTOCOL_UNKNOWN) || + (ndpi_str->proto_defaults[proto.proto.app_protocol].protoCategory != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED)) { + if(ndpi_is_valid_protoId(proto.proto.app_protocol)) + return(ndpi_str->proto_defaults[proto.proto.app_protocol].protoCategory); + } else if(ndpi_is_valid_protoId(proto.proto.master_protocol)) + return(ndpi_str->proto_defaults[proto.proto.master_protocol].protoCategory); return(NDPI_PROTOCOL_CATEGORY_UNSPECIFIED); } 
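Review bot: In ndpi_get_proto_category the `else if` condition reads `ndpi_str->proto_defaults[proto.proto.app_protocol].protoCategory` before `ndpi_is_valid_protoId(proto.proto.app_protocol)` is checked inside the branch. When the master protocol is known, the array is therefore indexed with an unvalidated id taken from a by-value `ndpi_protocol` that callers fill in. If that id can exceed the table size (presumably what ndpi_is_valid_protoId guards against), this is an out-of-bounds read. Moving the validity test into the condition fixes it: `(ndpi_is_valid_protoId(proto.proto.app_protocol) && ndpi_str->proto_defaults[proto.proto.app_protocol].protoCategory != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED)`. With that change an invalid app id falls through to the master-protocol branch instead of returning UNSPECIFIED. The start of the function is outside the hunk.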
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index ef0f185f0..5de1b7107 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -821,12 +821,12 @@ static const char* ndpi_get_flow_info_by_proto_id(struct ndpi_flow_struct const const char* ndpi_get_flow_info(struct ndpi_flow_struct const * const flow, ndpi_protocol const * const l7_protocol) { - char const * const app_protocol_info = ndpi_get_flow_info_by_proto_id(flow, l7_protocol->app_protocol); + char const * const app_protocol_info = ndpi_get_flow_info_by_proto_id(flow, l7_protocol->proto.app_protocol); if(app_protocol_info != NULL) return app_protocol_info; - return ndpi_get_flow_info_by_proto_id(flow, l7_protocol->master_protocol); + return ndpi_get_flow_info_by_proto_id(flow, l7_protocol->proto.master_protocol); } /* ********************************** */ @@ -1127,7 +1127,7 @@ void ndpi_serialize_proto(struct ndpi_detection_module_struct *ndpi_struct, ndpi_serialize_string_uint32(serializer, "encrypted", ndpi_is_encrypted_proto(ndpi_struct, l7_protocol)); ndpi_protocol_breed_t breed = ndpi_get_proto_breed(ndpi_struct, - (l7_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN ? l7_protocol.app_protocol : l7_protocol.master_protocol)); + (l7_protocol.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN ? l7_protocol.proto.app_protocol : l7_protocol.proto.master_protocol)); ndpi_serialize_string_string(serializer, "breed", ndpi_get_proto_breed_name(breed)); if(l7_protocol.category != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED) { 
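Review bot: The breed lookup in ndpi_serialize_proto spells out the "app if known, else master" selection by hand, duplicating ndpi_get_upper_proto() from ndpi_main.c, which this commit also updates. Assuming that helper is declared in a header ndpi_utils.c already includes, the call could read `ndpi_get_proto_breed(ndpi_struct, ndpi_get_upper_proto(l7_protocol))`, so the next layout change touches one place. The `switch(...)` in ndpi_dpi2json further down has the same shape as ndpi_get_lower_proto(), except that it tests the master id for truthiness rather than against `NDPI_PROTOCOL_UNKNOWN`. Using the helper there would also make that comparison consistent.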
@@ -1272,7 +1272,7 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct, ndpi_serialize_string_string(serializer, "hostname", host_server_name); } - switch(l7_protocol.master_protocol ? l7_protocol.master_protocol : l7_protocol.app_protocol) { + switch(l7_protocol.proto.master_protocol ? l7_protocol.proto.master_protocol : l7_protocol.proto.app_protocol) { case NDPI_PROTOCOL_IP_ICMP: if(flow->entropy > 0.0f) { ndpi_serialize_string_float(serializer, "entropy", flow->entropy, "%.6f"); @@ -1493,7 +1493,7 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct, break; case NDPI_PROTOCOL_DISCORD: - if (l7_protocol.master_protocol != NDPI_PROTOCOL_TLS) { + if (l7_protocol.proto.master_protocol != NDPI_PROTOCOL_TLS) { ndpi_serialize_start_of_block(serializer, "discord"); ndpi_serialize_string_string(serializer, "client_ip", flow->protos.discord.client_ip); ndpi_serialize_end_of_block(serializer); @@ -1918,8 +1918,8 @@ ndpi_risk_enum ndpi_validate_url(char *url) { /* ******************************************************************** */ u_int8_t ndpi_is_protocol_detected(ndpi_protocol proto) { - if((proto.master_protocol != NDPI_PROTOCOL_UNKNOWN) - || (proto.app_protocol != NDPI_PROTOCOL_UNKNOWN) + if((proto.proto.master_protocol != NDPI_PROTOCOL_UNKNOWN) + || (proto.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN) || (proto.category != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED)) return(1); else 
@@ -2905,15 +2905,15 @@ u_int8_t ndpi_is_valid_protoId(u_int16_t protoId) { u_int8_t ndpi_is_encrypted_proto(struct ndpi_detection_module_struct *ndpi_str, ndpi_protocol proto) { - if(proto.master_protocol == NDPI_PROTOCOL_UNKNOWN && ndpi_is_valid_protoId(proto.app_protocol)) { - return(!ndpi_str->proto_defaults[proto.app_protocol].isClearTextProto); - } else if(ndpi_is_valid_protoId(proto.master_protocol) && ndpi_is_valid_protoId(proto.app_protocol)) { - if(ndpi_str->proto_defaults[proto.master_protocol].isClearTextProto - && (!ndpi_str->proto_defaults[proto.app_protocol].isClearTextProto)) + if(proto.proto.master_protocol == NDPI_PROTOCOL_UNKNOWN && ndpi_is_valid_protoId(proto.proto.app_protocol)) { + return(!ndpi_str->proto_defaults[proto.proto.app_protocol].isClearTextProto); + } else if(ndpi_is_valid_protoId(proto.proto.master_protocol) && ndpi_is_valid_protoId(proto.proto.app_protocol)) { + if(ndpi_str->proto_defaults[proto.proto.master_protocol].isClearTextProto + && (!ndpi_str->proto_defaults[proto.proto.app_protocol].isClearTextProto)) return(0); else - return((ndpi_str->proto_defaults[proto.master_protocol].isClearTextProto - && ndpi_str->proto_defaults[proto.app_protocol].isClearTextProto) ? 0 : 1); + return((ndpi_str->proto_defaults[proto.proto.master_protocol].isClearTextProto + && ndpi_str->proto_defaults[proto.proto.app_protocol].isClearTextProto) ? 0 : 1); } else return(0); } @@ -2921,7 +2921,7 @@ u_int8_t ndpi_is_encrypted_proto(struct ndpi_detection_module_struct *ndpi_str, /* ******************************************* */ u_int32_t ndpi_get_flow_error_code(struct ndpi_flow_struct *flow) { - switch(flow->detected_protocol_stack[0] /* app_protocol */) { + switch(flow->detected_protocol_stack[0] /* proto.app_protocol */) { case NDPI_PROTOCOL_DNS: return(flow->protos.dns.reply_code); diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 7fc2e2085..94367d318 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c 
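Review bot: In ndpi_is_encrypted_proto (src/lib/ndpi_utils.c), the nested if/else in the second branch returns 0 whenever the master protocol is clear-text and 1 otherwise, so the app protocol's `isClearTextProto` flag never changes the result there. If that is the intended rule, the branch can be written as `return(!ndpi_str->proto_defaults[proto.proto.master_protocol].isClearTextProto);` with a one-line comment saying the master decides. If an encrypted app protocol carried over a clear-text master was meant to count as encrypted, the first inner `return(0)` is the wrong value and should be checked against callers.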
@@ -699,8 +699,8 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st u_int num_queries, idx; char _hostname[256]; - ret.master_protocol = NDPI_PROTOCOL_UNKNOWN; - ret.app_protocol = (d_port == LLMNR_PORT) ? NDPI_PROTOCOL_LLMNR : (((d_port == MDNS_PORT) && isLLMNRMulticastAddress(packet) ) ? NDPI_PROTOCOL_MDNS : NDPI_PROTOCOL_DNS); + ret.proto.master_protocol = NDPI_PROTOCOL_UNKNOWN; + ret.proto.app_protocol = (d_port == LLMNR_PORT) ? NDPI_PROTOCOL_LLMNR : (((d_port == MDNS_PORT) && isLLMNRMulticastAddress(packet) ) ? NDPI_PROTOCOL_MDNS : NDPI_PROTOCOL_DNS); if(invalid) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); 
@@ -800,29 +800,29 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st if(ndpi_struct->cfg.dns_subclassification_enabled) { ndpi_protocol_match_result ret_match; - ret.app_protocol = ndpi_match_host_subprotocol(ndpi_struct, flow, + ret.proto.app_protocol = ndpi_match_host_subprotocol(ndpi_struct, flow, flow->host_server_name, strlen(flow->host_server_name), &ret_match, NDPI_PROTOCOL_DNS); /* Add to FPC DNS cache */ - if(ret.app_protocol != NDPI_PROTOCOL_UNKNOWN && + if(ret.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN && (flow->protos.dns.rsp_type == 0x1 || flow->protos.dns.rsp_type == 0x1c) && /* A, AAAA */ ndpi_struct->fpc_dns_cache) { ndpi_lru_add_to_cache(ndpi_struct->fpc_dns_cache, - fpc_dns_cache_key_from_dns_info(flow), ret.app_protocol, + fpc_dns_cache_key_from_dns_info(flow), ret.proto.app_protocol, ndpi_get_current_time(flow)); } - if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) - ret.master_protocol = checkDNSSubprotocol(s_port, d_port); + if(ret.proto.app_protocol == NDPI_PROTOCOL_UNKNOWN) + ret.proto.master_protocol = checkDNSSubprotocol(s_port, d_port); else - ret.master_protocol = NDPI_PROTOCOL_DNS; + ret.proto.master_protocol = NDPI_PROTOCOL_DNS; ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 0); } else { - ret.master_protocol = checkDNSSubprotocol(s_port, d_port); - ret.app_protocol = NDPI_PROTOCOL_UNKNOWN; + ret.proto.master_protocol = checkDNSSubprotocol(s_port, d_port); + ret.proto.app_protocol = NDPI_PROTOCOL_UNKNOWN; } /* Category is always NDPI_PROTOCOL_CATEGORY_NETWORK, regardless of the subprotocol */ 
@@ -835,11 +835,11 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st if(is_query) { /* In this case we say that the protocol has been detected just to let apps carry on with their activities */ - ndpi_set_detected_protocol(ndpi_struct, flow, ret.app_protocol, ret.master_protocol, NDPI_CONFIDENCE_DPI); + ndpi_set_detected_protocol(ndpi_struct, flow, ret.proto.app_protocol, ret.proto.master_protocol, NDPI_CONFIDENCE_DPI); if(ndpi_struct->cfg.dns_parse_response_enabled) { /* We have never triggered extra-dissection for LLMNR. Keep the old behaviour */ - if(ret.master_protocol != NDPI_PROTOCOL_LLMNR) { + if(ret.proto.master_protocol != NDPI_PROTOCOL_LLMNR) { /* Don't use just 1 as in TCP DNS more packets could be returned (e.g. ACK). */ flow->max_extra_packets_to_check = 5; flow->extra_packets_func = search_dns_again; @@ -864,7 +864,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st matched a subprotocol **/ NDPI_LOG_INFO(ndpi_struct, "found DNS\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, ret.app_protocol, ret.master_protocol, NDPI_CONFIDENCE_DPI); + ndpi_set_detected_protocol(ndpi_struct, flow, ret.proto.app_protocol, ret.proto.master_protocol, NDPI_CONFIDENCE_DPI); } else { if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DNS) || (flow->detected_protocol_stack[1] == NDPI_PROTOCOL_DNS)) diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index 345f77c47..5ff7e0e88 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c 
@@ -1772,8 +1772,8 @@ static int ndpi_search_quic_extra(struct ndpi_detection_module_struct *ndpi_stru NDPI_LOG_DBG(ndpi_struct, "Found RTP/RTCP over QUIC\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SNAPCHAT_CALL, NDPI_PROTOCOL_QUIC, NDPI_CONFIDENCE_DPI); /* In "extra_eval" data path, if we change the classification, we need to update the category, too */ - proto.master_protocol = NDPI_PROTOCOL_QUIC; - proto.app_protocol = NDPI_PROTOCOL_SNAPCHAT_CALL; + proto.proto.master_protocol = NDPI_PROTOCOL_QUIC; + proto.proto.app_protocol = NDPI_PROTOCOL_SNAPCHAT_CALL; proto.category = NDPI_PROTOCOL_CATEGORY_UNSPECIFIED; ndpi_fill_protocol_category(ndpi_struct, flow, &proto); } else { diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index eba865ecb..a238e0a45 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -964,7 +964,7 @@ static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *nd /* In "normal" data-path the generic code in `ndpi_internal_detection_process_packet()` takes care of setting the category */ if(flow->extra_packets_func) { - ndpi_protocol ret = { master_proto, app_proto, NDPI_PROTOCOL_UNKNOWN /* unused */, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL}; + ndpi_protocol ret = { { master_proto, app_proto }, NDPI_PROTOCOL_UNKNOWN /* unused */, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL}; flow->category = ndpi_get_proto_category(ndpi_struct, ret); } } diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 2d8247d51..9fe2a460a 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c 
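Review bot: The positional initializer `{ { master_proto, app_proto }, NDPI_PROTOCOL_UNKNOWN, ... }` in ndpi_int_stun_add_connection (stun.c) depends on the member order of both `ndpi_protocol` and the new `ndpi_master_app_protocol`, which is declared in ndpi_typedefs.h and not shown here. Both inner members are protocol ids, so a reordering would compile cleanly and silently swap master and app. The unit test in this same commit already uses designated initializers, and the library code could follow: `ndpi_protocol ret = { .proto.master_protocol = master_proto, .proto.app_protocol = app_proto, .protocol_by_ip = NDPI_PROTOCOL_UNKNOWN, .category = NDPI_PROTOCOL_CATEGORY_UNSPECIFIED };`. The same applies to the three initializers in tls.c (checkTLSSubprotocol, processCertificateElements, ndpi_search_tls_udp).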
@@ -349,7 +349,7 @@ static void checkTLSSubprotocol(struct ndpi_detection_module_struct *ndpi_struct if(ndpi_lru_find_cache(ndpi_struct->tls_cert_cache, key, &cached_proto, 0 /* Don't remove it as it can be used for other connections */, ndpi_get_current_time(flow))) { - ndpi_protocol ret = { __get_master(ndpi_struct, flow), cached_proto, NDPI_PROTOCOL_UNKNOWN /* unused */, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL}; + ndpi_protocol ret = { { __get_master(ndpi_struct, flow), cached_proto }, NDPI_PROTOCOL_UNKNOWN /* unused */, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL}; ndpi_set_detected_protocol(ndpi_struct, flow, cached_proto, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI_CACHE); flow->category = ndpi_get_proto_category(ndpi_struct, ret); @@ -735,7 +735,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct if(rc == 0) { /* Match found */ u_int16_t proto_id = (u_int16_t)val; - ndpi_protocol ret = { __get_master(ndpi_struct, flow), proto_id, NDPI_PROTOCOL_UNKNOWN /* unused */, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL}; + ndpi_protocol ret = { { __get_master(ndpi_struct, flow), proto_id }, NDPI_PROTOCOL_UNKNOWN /* unused */, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL}; ndpi_set_detected_protocol(ndpi_struct, flow, proto_id, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI); flow->category = ndpi_get_proto_category(ndpi_struct, ret); 
@@ -1357,7 +1357,7 @@ static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct, /* DTLS mid session: no need to further inspect the flow */ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DTLS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - ndpi_protocol ret = { __get_master(ndpi_struct, flow), NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN /* unused */, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL}; + ndpi_protocol ret = { { __get_master(ndpi_struct, flow), NDPI_PROTOCOL_UNKNOWN }, NDPI_PROTOCOL_UNKNOWN /* unused */, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL}; flow->category = ndpi_get_proto_category(ndpi_struct, ret); flow->tls_quic.certificate_processed = 1; /* Fake, to avoid extra dissection */ diff --git a/tests/unit/unit.c b/tests/unit/unit.c index 3ad95e229..8e797a3b1 100644 --- a/tests/unit/unit.c +++ b/tests/unit/unit.c @@ -282,8 +282,8 @@ int serializeProtoUnitTest(void) } assert(ndpi_init_serializer(&serializer, fmt) != -1); - ndpi_protocol ndpi_proto = { .master_protocol = NDPI_PROTOCOL_TLS, - .app_protocol = NDPI_PROTOCOL_FACEBOOK, + ndpi_protocol ndpi_proto = { .proto.master_protocol = NDPI_PROTOCOL_TLS, + .proto.app_protocol = NDPI_PROTOCOL_FACEBOOK, .protocol_by_ip = NDPI_PROTOCOL_FACEBOOK, .category = NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK }; ndpi_risk risks = 0; |