author | Luca Deri <deri@ntop.org> | 2020-10-26 21:40:59 +0100 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2020-10-26 21:40:59 +0100 |
commit | 948a9060378a2a33f5701947386492ff10cb2de6 (patch) | |
tree | 82ad122f24bc6ee7a9f5abea09abf790099091fe /example/reader_util.c | |
parent | 9873972acb2be4682434543b051833feff071f6e (diff) |
Added -D flag for detecting DoH in the wild
Removed heuristic from CiscoVPN as it leads to false positives
Diffstat (limited to 'example/reader_util.c')
-rw-r--r-- | example/reader_util.c | 28 |
1 files changed, 13 insertions, 15 deletions
diff --git a/example/reader_util.c b/example/reader_util.c
index 9b31f0e3f..3a8faed03 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -38,6 +38,8 @@
 #include <float.h>
 #endif
+#include "reader_util.h"
+
 #ifndef ETH_P_IP
 #define ETH_P_IP 0x0800 /* IPv4 */
 #endif
@@ -77,11 +79,6 @@
 #define DLT_LINUX_SLL 113
 #endif
-#define PLEN_MAX 1504
-#define PLEN_BIN_LEN 32
-#define PLEN_NUM_BINS 48 /* 47*32 = 1504 */
-#define MAX_NUM_BIN_PKTS 256
-
 #include "ndpi_main.h"
 #include "reader_util.h"
 #include "ndpi_classify.h"
@@ -89,6 +86,7 @@ extern u_int8_t enable_protocol_guess, enable_joy_stats, enable_payload_analyzer;
 extern u_int8_t verbose, human_readeable_string_len;
 extern u_int8_t max_num_udp_dissected_pkts /* 8 */, max_num_tcp_dissected_pkts /* 10 */;
+extern u_int8_t enable_doh_dot_detection;
 static u_int32_t flow_id = 0;
 /* ****************************************************** */
@@ -1213,17 +1211,17 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
 flow->ndpi_flow->protos.stun_ssl.ssl.alpn);
 }
-#ifdef USE_TLS_LEN
- /* For TLS we use TLS block lenght instead of payload lenght */
- ndpi_reset_bin(&flow->payload_len_bin);
-
- for(i=0; i<flow->ndpi_flow->l4.tcp.tls.num_tls_blocks; i++) {
- u_int16_t len = abs(flow->ndpi_flow->l4.tcp.tls.tls_application_blocks_len[i]);
-
- /* printf("[TLS_LEN] %u\n", len); */
- ndpi_inc_bin(&flow->payload_len_bin, plen2slot(len), 1);
+ if(enable_doh_dot_detection) {
+ /* For TLS we use TLS block lenght instead of payload lenght */
+ ndpi_reset_bin(&flow->payload_len_bin);
+
+ for(i=0; i<flow->ndpi_flow->l4.tcp.tls.num_tls_blocks; i++) {
+ u_int16_t len = abs(flow->ndpi_flow->l4.tcp.tls.tls_application_blocks_len[i]);
+
+ /* printf("[TLS_LEN] %u\n", len); */
+ ndpi_inc_bin(&flow->payload_len_bin, plen2slot(len), 1);
+ }
 }
-#endif
 }
 if(flow->detection_completed && (!flow->check_extra_packets)) {
|
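Review bot: `reader_util.h` is now included twice in this translation unit: once here right after `<float.h>`, and again after `ndpi_main.h`, where the next hunk still shows it as unchanged context. Assuming the header carries an include guard this is harmless, but it reads as a leftover; keep only one of the two — presumably the early one, if the header is what now supplies the `PLEN_*` constants the next hunk removes from this file — and delete the later `#include "reader_util.h"` line following `#include "ndpi_main.h"`.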
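Review bot: The new `if(enable_doh_dot_detection)` branch calls `ndpi_reset_bin(&flow->payload_len_bin)` before the loop unconditionally, so a flow that reaches this point with `num_tls_blocks == 0` ends up with an empty histogram instead of whatever the per-packet path had accumulated; if the DoH/DoT check downstream scores this bin, such flows would be judged on an all-zero histogram. A one-line guard avoids the wipe: `if(enable_doh_dot_detection && (flow->ndpi_flow->l4.tcp.tls.num_tls_blocks > 0)) {`. The declared size of `tls_application_blocks_len` and the range check inside `plen2slot()` are not visible here, so I cannot confirm the loop stays within that array — worth verifying that whoever fills `num_tls_blocks` caps it at the array length, since this loop trusts it. While touching the block, the carried-over comment should read `length`, and the commented-out printf can be dropped. process_ndpi_collected_info begins and ends outside this hunk.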