authorLuca Deri <deri@ntop.org>2019-10-02 23:01:29 +0200
committerLuca Deri <deri@ntop.org>2019-10-02 23:01:29 +0200
commit4fd7e5734a2c0e35a3de0ab17f016411589488da (patch)
treeb50e326724fa3af2f1ce503d371ce10c53ccc8bc /example
parent3dbf7bbabb291f803d2232e79642554769bea325 (diff)
Manual merge of pull #769
Diffstat (limited to 'example')
-rw-r--r--example/ndpiReader.c42
-rw-r--r--example/reader_util.c226
-rw-r--r--example/reader_util.h52
3 files changed, 173 insertions, 147 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index c22a6d496..2a1bbd8bb 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -262,6 +262,7 @@ flowGetBDMeanandVariance(struct ndpi_flow_info* flow) {
uint32_t tmp[256], i;
unsigned int num_bytes;
double mean = 0.0, variance = 0.0;
+ struct ndpi_entropy last_entropy = flow->last_entropy;
fflush(out);
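Review bot: `struct ndpi_entropy last_entropy = flow->last_entropy;` copies the whole structure, including both 256-entry byte-count arrays, onto the stack on every call although the function only reads it. `const struct ndpi_entropy *last_entropy = &flow->last_entropy;`, with `->` accesses in the following hunk, would avoid the copy. The function body continues outside this hunk.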
@@ -270,38 +271,38 @@ flowGetBDMeanandVariance(struct ndpi_flow_info* flow) {
* if this flow is bidirectional
*/
if (!flow->bidirectional) {
- array = flow->src2dst_byte_count;
- num_bytes = flow->src2dst_l4_bytes;
+ array = last_entropy.src2dst_byte_count;
+ num_bytes = last_entropy.src2dst_l4_bytes;
for (i=0; i<256; i++) {
- tmp[i] = flow->src2dst_byte_count[i];
+ tmp[i] = last_entropy.src2dst_byte_count[i];
}
- if (flow->src2dst_num_bytes != 0) {
- mean = flow->src2dst_bd_mean;
- variance = flow->src2dst_bd_variance/(flow->src2dst_num_bytes - 1);
+ if (last_entropy.src2dst_num_bytes != 0) {
+ mean = last_entropy.src2dst_bd_mean;
+ variance = last_entropy.src2dst_bd_variance/(last_entropy.src2dst_num_bytes - 1);
variance = sqrt(variance);
- if (flow->src2dst_num_bytes == 1) {
+ if (last_entropy.src2dst_num_bytes == 1) {
variance = 0.0;
}
}
} else {
for (i=0; i<256; i++) {
- tmp[i] = flow->src2dst_byte_count[i] + flow->dst2src_byte_count[i];
+ tmp[i] = last_entropy.src2dst_byte_count[i] + last_entropy.dst2src_byte_count[i];
}
array = tmp;
- num_bytes = flow->src2dst_l4_bytes + flow->dst2src_l4_bytes;
+ num_bytes = last_entropy.src2dst_l4_bytes + last_entropy.dst2src_l4_bytes;
- if (flow->src2dst_num_bytes + flow->dst2src_num_bytes != 0) {
- mean = ((double)flow->src2dst_num_bytes)/((double)(flow->src2dst_num_bytes+flow->dst2src_num_bytes))*flow->src2dst_bd_mean +
- ((double)flow->dst2src_num_bytes)/((double)(flow->dst2src_num_bytes+flow->src2dst_num_bytes))*flow->dst2src_bd_mean;
+ if (last_entropy.src2dst_num_bytes + last_entropy.dst2src_num_bytes != 0) {
+ mean = ((double)last_entropy.src2dst_num_bytes)/((double)(last_entropy.src2dst_num_bytes+last_entropy.dst2src_num_bytes))*last_entropy.src2dst_bd_mean +
+ ((double)last_entropy.dst2src_num_bytes)/((double)(last_entropy.dst2src_num_bytes+last_entropy.src2dst_num_bytes))*last_entropy.dst2src_bd_mean;
- variance = ((double)flow->src2dst_num_bytes)/((double)(flow->src2dst_num_bytes+flow->dst2src_num_bytes))*flow->src2dst_bd_variance +
- ((double)flow->dst2src_num_bytes)/((double)(flow->dst2src_num_bytes+flow->src2dst_num_bytes))*flow->dst2src_bd_variance;
+ variance = ((double)last_entropy.src2dst_num_bytes)/((double)(last_entropy.src2dst_num_bytes+last_entropy.dst2src_num_bytes))*last_entropy.src2dst_bd_variance +
+ ((double)last_entropy.dst2src_num_bytes)/((double)(last_entropy.dst2src_num_bytes+last_entropy.src2dst_num_bytes))*last_entropy.dst2src_bd_variance;
- variance = variance/((double)(flow->src2dst_num_bytes + flow->dst2src_num_bytes - 1));
+ variance = variance/((double)(last_entropy.src2dst_num_bytes + last_entropy.dst2src_num_bytes - 1));
variance = sqrt(variance);
- if (flow->src2dst_num_bytes + flow->dst2src_num_bytes == 1) {
+ if (last_entropy.src2dst_num_bytes + last_entropy.dst2src_num_bytes == 1) {
variance = 0.0;
}
}
@@ -321,13 +322,10 @@ flowGetBDMeanandVariance(struct ndpi_flow_info* flow) {
/* Output the mean */
if(num_bytes != 0) {
- fprintf(out, "][byte_dist_mean: %f", mean);
- fprintf(out, "][byte_dist_std: %f]", variance);
- }
-
- if(num_bytes != 0) {
double entropy = ndpi_flow_get_byte_count_entropy(array, num_bytes);
+ fprintf(out, "][byte_dist_mean: %f", mean);
+ fprintf(out, "][byte_dist_std: %f]", variance);
fprintf(out, "[entropy: %f]", entropy);
fprintf(out, "[total_entropy: %f]", entropy * num_bytes);
}
@@ -1086,7 +1084,7 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa
/* Print entropy values for monitored flows. */
flowGetBDMeanandVariance(flow);
fflush(out);
- fprintf(out, "[score: %.4f]", flow->score);
+ fprintf(out, "[score: %.4f]", flow->entropy.score);
}
if(flow->detected_protocol.master_protocol) {
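Review bot: `flow->entropy.score` is read from the in-progress window, whereas flowGetBDMeanandVariance() just above prints from `flow->last_entropy`. After ndpi_clear_entropy_stats() has reset the window, `entropy.score` is 0 (or covers only a partial window) while the byte-distribution values come from the last completed window, so one output line mixes two windows. Printing `flow->last_entropy.score` would keep them consistent, if that matches the intent.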
diff --git a/example/reader_util.c b/example/reader_util.c
index 1cfedf1a6..a5a40905d 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -109,7 +109,7 @@ struct payload_stats {
struct payload_stats *pstats = NULL;
-u_int32_t max_num_packets_per_flow = 32;
+u_int32_t max_num_packets_per_flow = 10; /* ETTA requires min 10 pkts for record. */
u_int32_t max_packet_payload_dissection = 128;
u_int32_t max_num_reported_top_payloads = 25;
u_int16_t min_pattern_len = 4;
@@ -185,7 +185,7 @@ void ndpi_payload_analyzer(struct ndpi_flow_info *flow,
u_int16_t i, j;
u_int16_t scan_len = ndpi_min(max_packet_payload_dissection, payload_len);
- if((flow->src2dst_pkt_count+flow->dst2src_pkt_count) < max_num_packets_per_flow) {
+ if((flow->entropy.src2dst_pkt_count+flow->entropy.dst2src_pkt_count) <= max_num_packets_per_flow) {
#ifdef DEBUG_PAYLOAD
printf("[hashval: %u][proto: %u][vlan: %u][%s:%u <-> %s:%u][direction: %s][payload_len: %u]\n",
flow->hashval, flow->protocol, flow->vlan_id,
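Review bot: The guard `(flow->entropy.src2dst_pkt_count+flow->entropy.dst2src_pkt_count) <= max_num_packets_per_flow` looks like it can no longer be false. ndpi_clear_entropy_stats(), added later in this file, zeroes `flow->entropy` as soon as the sum equals max_num_packets_per_flow, and get_ndpi_flow_info() stops incrementing each counter at that limit. If that reading is right, the limit no longer caps how many packets per flow reach the payload analyzer, and the same condition in ndpi_flow_update_byte_count, ndpi_flow_update_byte_dist_mean_var and the SPLT block of packet_processing is equally a no-op. If a per-flow cap on dissection work is still wanted here, compare against counters that are not reset, e.g. `if((flow->src2dst_packets + flow->dst2src_packets) <= max_num_packets_per_flow) {`. The function body continues past the hunk.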
@@ -543,23 +543,25 @@ ndpi_flow_update_byte_count(struct ndpi_flow_info *flow, const void *x,
* the 4000th octet has been seen for a flow.
*/
- /* octet count was already incremented before processing this payload */
- if(src_to_dst_direction) {
- current_count = flow->src2dst_l4_bytes - len;
- } else {
- current_count = flow->dst2src_l4_bytes - len;
- }
+ if((flow->entropy.src2dst_pkt_count+flow->entropy.dst2src_pkt_count) <= max_num_packets_per_flow) {
+ /* octet count was already incremented before processing this payload */
+ if(src_to_dst_direction) {
+ current_count = flow->entropy.src2dst_l4_bytes - len;
+ } else {
+ current_count = flow->entropy.dst2src_l4_bytes - len;
+ }
- if(current_count < ETTA_MIN_OCTETS) {
- for(i=0; i<len; i++) {
- if(src_to_dst_direction) {
- flow->src2dst_byte_count[data[i]]++;
- } else {
- flow->dst2src_byte_count[data[i]]++;
- }
- current_count++;
- if(current_count >= ETTA_MIN_OCTETS) {
- break;
+ if(current_count < ETTA_MIN_OCTETS) {
+ for(i=0; i<len; i++) {
+ if(src_to_dst_direction) {
+ flow->entropy.src2dst_byte_count[data[i]]++;
+ } else {
+ flow->entropy.dst2src_byte_count[data[i]]++;
+ }
+ current_count++;
+ if(current_count >= ETTA_MIN_OCTETS) {
+ break;
+ }
}
}
}
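Review bot: `current_count = flow->entropy.src2dst_l4_bytes - len` still relies on the invariant in the comment, that the octet counter already includes this payload. This commit moves the accumulation into get_ndpi_flow_info(), where `l4_data_len` is added only while the per-direction pkt_count is below max_num_packets_per_flow. If the counter was not advanced by at least `len` for this packet, the unsigned subtraction wraps and the `ETTA_MIN_OCTETS` test silently skips the payload. Checking `flow->entropy.src2dst_l4_bytes >= len` (and the dst2src equivalent) before subtracting would make that dependency explicit, and the comment could read `/* octet count was already incremented in get_ndpi_flow_info() */`. The declaration of `current_count` and the start of the function are outside the hunk, so the exact wrap behaviour is inferred.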
@@ -581,17 +583,19 @@ ndpi_flow_update_byte_dist_mean_var(ndpi_flow_info_t *flow, const void *x,
double delta;
unsigned int i;
- for(i=0; i<len; i++) {
- if(src_to_dst_direction) {
- flow->src2dst_num_bytes += 1;
- delta = ((double)data[i] - flow->src2dst_bd_mean);
- flow->src2dst_bd_mean += delta/((double)flow->src2dst_num_bytes);
- flow->src2dst_bd_variance += delta*((double)data[i] - flow->src2dst_bd_mean);
- } else {
- flow->dst2src_num_bytes += 1;
- delta = ((double)data[i] - flow->dst2src_bd_mean);
- flow->dst2src_bd_mean += delta/((double)flow->dst2src_num_bytes);
- flow->dst2src_bd_variance += delta*((double)data[i] - flow->dst2src_bd_mean);
+ if((flow->entropy.src2dst_pkt_count+flow->entropy.dst2src_pkt_count) <= max_num_packets_per_flow) {
+ for(i=0; i<len; i++) {
+ if(src_to_dst_direction) {
+ flow->entropy.src2dst_num_bytes += 1;
+ delta = ((double)data[i] - flow->entropy.src2dst_bd_mean);
+ flow->entropy.src2dst_bd_mean += delta/((double)flow->entropy.src2dst_num_bytes);
+ flow->entropy.src2dst_bd_variance += delta*((double)data[i] - flow->entropy.src2dst_bd_mean);
+ } else {
+ flow->entropy.dst2src_num_bytes += 1;
+ delta = ((double)data[i] - flow->entropy.dst2src_bd_mean);
+ flow->entropy.dst2src_bd_mean += delta/((double)flow->entropy.dst2src_num_bytes);
+ flow->entropy.dst2src_bd_variance += delta*((double)data[i] - flow->entropy.dst2src_bd_mean);
+ }
}
}
}
@@ -826,63 +830,70 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
workflow->stats.ndpi_flow_count++;
*src = newflow->src_id, *dst = newflow->dst_id;
- newflow->src2dst_pkt_len[newflow->src2dst_pkt_count] = l4_packet_len;
- newflow->src2dst_pkt_time[newflow->src2dst_pkt_count] = when;
- if(newflow->src2dst_pkt_count == 0) {
- newflow->src2dst_start = when;
+ newflow->entropy.src2dst_pkt_len[newflow->entropy.src2dst_pkt_count] = l4_data_len;
+ newflow->entropy.src2dst_pkt_time[newflow->entropy.src2dst_pkt_count] = when;
+ if (newflow->entropy.src2dst_pkt_count == 0) {
+ newflow->entropy.src2dst_start = when;
}
- newflow->src2dst_pkt_count++;
- if(l4_data_len != 0XFEEDFACE) {
- newflow->src2dst_opackets++;
+ newflow->entropy.src2dst_pkt_count++;
+ // Non zero app data.
+ if (l4_data_len != 0XFEEDFACE && l4_data_len != 0) {
+ newflow->entropy.src2dst_opackets++;
+ newflow->entropy.src2dst_l4_bytes += l4_data_len;
}
return newflow;
}
} else {
- struct ndpi_flow_info *flow = *(struct ndpi_flow_info**)ret;
+ struct ndpi_flow_info *rflow = *(struct ndpi_flow_info**)ret;
if(is_changed) {
- if(flow->src_ip == iph->saddr
- && flow->dst_ip == iph->daddr
- && flow->src_port == htons(*sport)
- && flow->dst_port == htons(*dport)
+ if(rflow->src_ip == iph->saddr
+ && rflow->dst_ip == iph->daddr
+ && rflow->src_port == htons(*sport)
+ && rflow->dst_port == htons(*dport)
)
- *src = flow->dst_id, *dst = flow->src_id, *src_to_dst_direction = 0, flow->bidirectional = 1;
+ *src = rflow->dst_id, *dst = rflow->src_id, *src_to_dst_direction = 0, rflow->bidirectional = 1;
else
- *src = flow->src_id, *dst = flow->dst_id, *src_to_dst_direction = 1;
+ *src = rflow->src_id, *dst = rflow->dst_id, *src_to_dst_direction = 1;
}
else {
- if(flow->src_ip == iph->saddr
- && flow->dst_ip == iph->daddr
- && flow->src_port == htons(*sport)
- && flow->dst_port == htons(*dport)
+ if(rflow->src_ip == iph->saddr
+ && rflow->dst_ip == iph->daddr
+ && rflow->src_port == htons(*sport)
+ && rflow->dst_port == htons(*dport)
)
- *src = flow->src_id, *dst = flow->dst_id, *src_to_dst_direction = 1;
+ *src = rflow->src_id, *dst = rflow->dst_id, *src_to_dst_direction = 1;
else
- *src = flow->dst_id, *dst = flow->src_id, *src_to_dst_direction = 0, flow->bidirectional = 1;
+ *src = rflow->dst_id, *dst = rflow->src_id, *src_to_dst_direction = 0, rflow->bidirectional = 1;
}
- if(src_to_dst_direction) {
- if(flow->src2dst_pkt_count < MAX_NUM_PKTS) {
- flow->src2dst_pkt_len[flow->src2dst_pkt_count] = l4_packet_len;
- flow->src2dst_pkt_time[flow->src2dst_pkt_count] = when;
- flow->src2dst_pkt_count++;
+ if (src_to_dst_direction) {
+ if (rflow->entropy.src2dst_pkt_count < max_num_packets_per_flow) {
+ rflow->entropy.src2dst_pkt_len[rflow->entropy.src2dst_pkt_count] = l4_data_len;
+ rflow->entropy.src2dst_pkt_time[rflow->entropy.src2dst_pkt_count] = when;
+ rflow->entropy.src2dst_l4_bytes += l4_data_len;
+ rflow->entropy.src2dst_pkt_count++;
}
- if(l4_data_len != 0XFEEDFACE) {
- flow->src2dst_opackets++;
+ // Non zero app data.
+ if (l4_data_len != 0XFEEDFACE && l4_data_len != 0) {
+ rflow->entropy.src2dst_opackets++;
}
} else {
- if(flow->dst2src_pkt_count < MAX_NUM_PKTS) {
- flow->dst2src_pkt_len[flow->dst2src_pkt_count] = l4_packet_len;
- flow->dst2src_pkt_time[flow->dst2src_pkt_count] = when;
- if(flow->dst2src_pkt_count == 0) {
- flow->dst2src_start = when;
+ if (rflow->entropy.dst2src_pkt_count < max_num_packets_per_flow) {
+ rflow->entropy.dst2src_pkt_len[rflow->entropy.dst2src_pkt_count] = l4_data_len;
+ rflow->entropy.dst2src_pkt_time[rflow->entropy.dst2src_pkt_count] = when;
+ if (rflow->entropy.dst2src_pkt_count == 0) {
+ rflow->entropy.dst2src_start = when;
}
- flow->dst2src_pkt_count++;
+ rflow->entropy.dst2src_l4_bytes += l4_data_len;
+ rflow->entropy.dst2src_pkt_count++;
}
- if(l4_data_len != 0XFEEDFACE) {
- flow->dst2src_opackets++;
+ // Non zero app data.
+ if (l4_data_len != 0XFEEDFACE && l4_data_len != 0) {
+ rflow->entropy.dst2src_opackets++;
}
}
- return flow;
+
+ return(rflow);
}
}
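Review bot: The index check `rflow->entropy.src2dst_pkt_count < max_num_packets_per_flow` bounds the stores into `src2dst_pkt_len[]` and `src2dst_pkt_time[]` with a writable global, while reader_util.h sizes those arrays with `MAX_NUM_PKTS` (now 10); the removed code compared against `MAX_NUM_PKTS`. If max_num_packets_per_flow is ever set above `MAX_NUM_PKTS`, these stores, the dst2src ones, and the length handed to ndpi_classify() in packet_processing run past the arrays on input taken from captured traffic. Suggest `if (rflow->entropy.src2dst_pkt_count < ndpi_min(max_num_packets_per_flow, MAX_NUM_PKTS)) {` in both directions. Separately, `if (src_to_dst_direction)` tests the pointer that is dereferenced a few lines above, so the else branch appears unreachable; `if (*src_to_dst_direction)` looks intended. Also, `l4_bytes += l4_data_len` in this branch is not covered by the `0XFEEDFACE` sentinel check, as it is in the newflow branch.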
@@ -927,27 +938,6 @@ static struct ndpi_flow_info *get_ndpi_flow_info6(struct ndpi_workflow * workflo
/* ****************************************************** */
void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_flow_info *flow) {
- if(enable_joy_stats) {
- /* Update SPLT scores. */
-
- if(flow->bidirectional)
- flow->score = ndpi_classify(flow->src2dst_pkt_len, flow->src2dst_pkt_time,
- flow->dst2src_pkt_len, flow->dst2src_pkt_time,
- flow->src2dst_start, flow->dst2src_start,
- MAX_NUM_PKTS, flow->src_port, flow->dst_port,
- flow->src2dst_packets, flow->dst2src_packets,
- flow->src2dst_opackets, flow->dst2src_opackets,
- flow->src2dst_l4_bytes, flow->dst2src_l4_bytes, 1,
- flow->src2dst_byte_count, flow->dst2src_byte_count);
- else
- flow->score = ndpi_classify(flow->src2dst_pkt_len, flow->src2dst_pkt_time,
- NULL, NULL, flow->src2dst_start, flow->src2dst_start,
- MAX_NUM_PKTS, flow->src_port, flow->dst_port,
- flow->src2dst_packets, 0,
- flow->src2dst_opackets, 0,
- flow->src2dst_l4_bytes, 0, 1,
- flow->src2dst_byte_count, NULL);
- }
if(!flow->ndpi_flow) return;
@@ -1036,6 +1026,19 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
/* ****************************************************** */
/**
+ * @brief Clear entropy stats if it meets prereq.
+ */
+static void
+ndpi_clear_entropy_stats(struct ndpi_flow_info *flow)
+{
+ if(flow->entropy.src2dst_pkt_count + flow->entropy.dst2src_pkt_count == max_num_packets_per_flow) {
+ memcpy(&flow->last_entropy, &flow->entropy, sizeof(struct ndpi_entropy));
+ memset(&flow->entropy, 0x00, sizeof(struct ndpi_entropy));
+ }
+}
+
+/* ****************************************************** */
+/**
Function to process the packet:
determine the flow of a packet and try to decode it
@return: 0 if success; else != 0
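Review bot: The `memset` in ndpi_clear_entropy_stats() also clears `src2dst_last_pkt_time`, `dst2src_last_pkt_time` and `flow_last_pkt_time`, which this commit moved into struct ndpi_entropy. After every window reset the `tv_sec` checks in packet_processing therefore skip one inter-arrival sample. If those timestamps are meant to track the flow rather than the entropy window, keep them in ndpi_flow_info or restore them after the reset. The `@brief` would be clearer as `Snapshot the entropy window into last_entropy and reset it once max_num_packets_per_flow packets have been counted.` It is also worth stating that the `==` test only fires if the function is called after every counted packet.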
@@ -1088,9 +1091,9 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
if((tcph != NULL) && (tcph->fin || tcph->rst || tcph->syn))
begin_or_end_tcp = 1;
- if(flow->flow_last_pkt_time.tv_sec) {
- ndpi_timer_sub(&when, &flow->flow_last_pkt_time, &tdiff);
-
+ if(flow->entropy.flow_last_pkt_time.tv_sec) {
+ ndpi_timer_sub(&when, &flow->entropy.flow_last_pkt_time, &tdiff);
+
if(flow->iat_flow) {
u_int32_t ms = ndpi_timeval_to_milliseconds(tdiff);
@@ -1098,11 +1101,11 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
ndpi_data_add_value(flow->iat_flow, ms);
}
}
- memcpy(&flow->flow_last_pkt_time, &when, sizeof(when));
+ memcpy(&flow->entropy.flow_last_pkt_time, &when, sizeof(when));
if(src_to_dst_direction) {
- if(flow->src2dst_last_pkt_time.tv_sec && (!begin_or_end_tcp)) {
- ndpi_timer_sub(&when, &flow->src2dst_last_pkt_time, &tdiff);
+ if(flow->entropy.src2dst_last_pkt_time.tv_sec) {
+ ndpi_timer_sub(&when, &flow->entropy.src2dst_last_pkt_time, &tdiff);
if(flow->iat_c_to_s) {
u_int32_t ms = ndpi_timeval_to_milliseconds(tdiff);
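Review bot: The src2dst branch now tests only `flow->entropy.src2dst_last_pkt_time.tv_sec`, while the dst2src branch in the next hunk keeps `&& (!begin_or_end_tcp)`. As written, SYN/FIN/RST packets contribute to `iat_c_to_s` but not to `iat_s_to_c`, which skews any comparison between the two directions. If the drop was not deliberate, restore `if(flow->entropy.src2dst_last_pkt_time.tv_sec && (!begin_or_end_tcp)) {`; if it was, a comment explaining the asymmetry would help.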
@@ -1113,11 +1116,10 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
ndpi_data_add_value(flow->pktlen_c_to_s, rawsize);
flow->src2dst_packets++, flow->src2dst_bytes += rawsize;
- flow->src2dst_l4_bytes += payload_len;
- memcpy(&flow->src2dst_last_pkt_time, &when, sizeof(when));
+ memcpy(&flow->entropy.src2dst_last_pkt_time, &when, sizeof(when));
} else {
- if(flow->dst2src_last_pkt_time.tv_sec && (!begin_or_end_tcp)) {
- ndpi_timer_sub(&when, &flow->dst2src_last_pkt_time, &tdiff);
+ if(flow->entropy.dst2src_last_pkt_time.tv_sec && (!begin_or_end_tcp)) {
+ ndpi_timer_sub(&when, &flow->entropy.dst2src_last_pkt_time, &tdiff);
if(flow->iat_s_to_c) {
u_int32_t ms = ndpi_timeval_to_milliseconds(tdiff);
@@ -1128,8 +1130,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
ndpi_data_add_value(flow->pktlen_s_to_c, rawsize);
flow->dst2src_packets++, flow->dst2src_bytes += rawsize;
- flow->dst2src_l4_bytes += payload_len;
- memcpy(&flow->dst2src_last_pkt_time, &when, sizeof(when));
+ memcpy(&flow->entropy.dst2src_last_pkt_time, &when, sizeof(when));
}
if(enable_payload_analyzer && (payload_len > 0))
@@ -1141,6 +1142,26 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
/* Update BD, distribution and mean. */
ndpi_flow_update_byte_count(flow, payload, payload_len, src_to_dst_direction);
ndpi_flow_update_byte_dist_mean_var(flow, payload, payload_len, src_to_dst_direction);
+ /* Update SPLT scores for first 32 packets. */
+ if((flow->entropy.src2dst_pkt_count+flow->entropy.dst2src_pkt_count) <= max_num_packets_per_flow) {
+ if(flow->bidirectional)
+ flow->entropy.score = ndpi_classify(flow->entropy.src2dst_pkt_len, flow->entropy.src2dst_pkt_time,
+ flow->entropy.dst2src_pkt_len, flow->entropy.dst2src_pkt_time,
+ flow->entropy.src2dst_start, flow->entropy.dst2src_start,
+ max_num_packets_per_flow, flow->src_port, flow->dst_port,
+ flow->src2dst_packets, flow->dst2src_packets,
+ flow->entropy.src2dst_opackets, flow->entropy.dst2src_opackets,
+ flow->entropy.src2dst_l4_bytes, flow->entropy.dst2src_l4_bytes, 1,
+ flow->entropy.src2dst_byte_count, flow->entropy.dst2src_byte_count);
+ else
+ flow->entropy.score = ndpi_classify(flow->entropy.src2dst_pkt_len, flow->entropy.src2dst_pkt_time,
+ NULL, NULL, flow->entropy.src2dst_start, flow->entropy.src2dst_start,
+ max_num_packets_per_flow, flow->src_port, flow->dst_port,
+ flow->src2dst_packets, 0,
+ flow->entropy.src2dst_opackets, 0,
+ flow->entropy.src2dst_l4_bytes, 0, 1,
+ flow->entropy.src2dst_byte_count, NULL);
+ }
}
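Review bot: The comment `/* Update SPLT scores for first 32 packets. */` no longer matches the code, since max_num_packets_per_flow now defaults to 10 and the window restarts after each reset. Something like `/* Update SPLT score for the current max_num_packets_per_flow-packet window. */` would be accurate. ndpi_classify() is also now invoked for every packet rather than once in process_ndpi_collected_info(), which adds per-packet cost if the classifier is non-trivial (its body is not visible here). In the unidirectional call, `flow->entropy.src2dst_start` is passed for both start arguments; this is carried over from the removed code, but a short comment confirming it is intentional would help.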
if(flow->first_seen == 0)
@@ -1148,6 +1169,9 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
flow->last_seen = time;
+ /* Copy packets entropy if num packets count == 10 */
+ ndpi_clear_entropy_stats(flow);
+
if(!flow->has_human_readeable_strings) {
u_int8_t skip = 0;
@@ -1163,8 +1187,6 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
}
if(!skip) {
- char outbuf[64] = { '\0' };
-
if(ndpi_has_human_readeable_string(workflow->ndpi_struct, (char*)packet, header->caplen,
human_readeable_string_len,
flow->human_readeable_string_buffer,
@@ -1527,10 +1549,10 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
/* https://en.wikipedia.org/wiki/TZSP */
u_int offset = ip_offset+ip_len+sizeof(struct ndpi_udphdr);
u_int8_t version = packet[offset];
- u_int8_t type = packet[offset+1];
+ u_int8_t ts_type = packet[offset+1];
u_int16_t encapsulates = ntohs(*((u_int16_t*)&packet[offset+2]));
- if((version == 1) && (type == 0) && (encapsulates == 1)) {
+ if((version == 1) && (ts_type == 0) && (encapsulates == 1)) {
u_int8_t stop = 0;
offset += 4;
diff --git a/example/reader_util.h b/example/reader_util.h
index 309e51d08..3374f993f 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -57,7 +57,7 @@ extern int dpdk_port_init(int port, struct rte_mempool *mbuf_pool);
/** maximum line length */
#define LINEMAX 512
#define MAX_BYTE_COUNT_ARRAY_LENGTH 256
-#define MAX_NUM_PKTS 100
+#define MAX_NUM_PKTS 10
#define MAX_NUM_READER_THREADS 16
#define IDLE_SCAN_PERIOD 10 /* msec (use TICK_RESOLUTION = 1000) */
@@ -124,6 +124,32 @@ struct flow_metrics {
float entropy, average, stddev;
};
+struct ndpi_entropy {
+ // Entropy fields
+ struct timeval src2dst_last_pkt_time, dst2src_last_pkt_time, flow_last_pkt_time;
+ u_int16_t src2dst_pkt_len[MAX_NUM_PKTS]; /*!< array of packet appdata lengths */
+ struct timeval src2dst_pkt_time[MAX_NUM_PKTS]; /*!< array of arrival times */
+ u_int16_t dst2src_pkt_len[MAX_NUM_PKTS]; /*!< array of packet appdata lengths */
+ struct timeval dst2src_pkt_time[MAX_NUM_PKTS]; /*!< array of arrival times */
+ struct timeval src2dst_start; /*!< first packet arrival time */
+ struct timeval dst2src_start; /*!< first packet arrival time */
+ u_int32_t src2dst_opackets; /*!< non-zero packet counts */
+ u_int32_t dst2src_opackets; /*!< non-zero packet counts */
+ u_int16_t src2dst_pkt_count; /*!< packet counts */
+ u_int16_t dst2src_pkt_count; /*!< packet counts */
+ u_int32_t src2dst_l4_bytes; /*!< packet counts */
+ u_int32_t dst2src_l4_bytes; /*!< packet counts */
+ u_int32_t src2dst_byte_count[MAX_BYTE_COUNT_ARRAY_LENGTH]; /*!< number of occurences of each byte */
+ u_int32_t dst2src_byte_count[MAX_BYTE_COUNT_ARRAY_LENGTH]; /*!< number of occurences of each byte */
+ u_int32_t src2dst_num_bytes;
+ u_int32_t dst2src_num_bytes;
+ double src2dst_bd_mean;
+ double src2dst_bd_variance;
+ double dst2src_bd_mean;
+ double dst2src_bd_variance;
+ float score;
+};
+
// flow tracking
typedef struct ndpi_flow_info {
u_int32_t flow_id;
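Review bot: The Doxygen comments on `src2dst_l4_bytes` and `dst2src_l4_bytes` say `/*!< packet counts */`, carried over from the old struct; they accumulate L4 payload bytes, so `/*!< L4 payload bytes in this window */` would be accurate. The `pkt_len` arrays are `u_int16_t` while get_ndpi_flow_info() now stores `l4_data_len` into them, so larger values such as the `0XFEEDFACE` sentinel would be truncated if `l4_data_len` is wider (its type is not visible here). A struct-level comment stating that ndpi_clear_entropy_stats() copies the whole structure to `last_entropy` and zeroes it per window, and that the arrays hold `MAX_NUM_PKTS` entries, would help readers.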
@@ -140,7 +166,6 @@ typedef struct ndpi_flow_info {
u_int64_t first_seen, last_seen;
u_int64_t src2dst_bytes, dst2src_bytes;
u_int32_t src2dst_packets, dst2src_packets;
- u_int32_t src2dst_opackets, dst2src_opackets;
u_int32_t has_human_readeable_strings;
char human_readeable_string_buffer[32];
@@ -175,28 +200,9 @@ typedef struct ndpi_flow_info {
void *src_id, *dst_id;
- struct timeval src2dst_last_pkt_time, dst2src_last_pkt_time, flow_last_pkt_time;
+ struct ndpi_entropy entropy;
+ struct ndpi_entropy last_entropy;
- // Entropy fields
- u_int16_t src2dst_pkt_len[MAX_NUM_PKTS]; /*!< array of packet appdata lengths */
- struct timeval src2dst_pkt_time[MAX_NUM_PKTS]; /*!< array of arrival times */
- u_int16_t dst2src_pkt_len[MAX_NUM_PKTS]; /*!< array of packet appdata lengths */
- struct timeval dst2src_pkt_time[MAX_NUM_PKTS]; /*!< array of arrival times */
- struct timeval src2dst_start; /*!< first packet arrival time */
- struct timeval dst2src_start; /*!< first packet arrival time */
- u_int16_t src2dst_pkt_count; /*!< packet counts */
- u_int16_t dst2src_pkt_count; /*!< packet counts */
- u_int32_t src2dst_l4_bytes; /*!< packet counts */
- u_int32_t dst2src_l4_bytes; /*!< packet counts */
- u_int32_t src2dst_byte_count[256]; /*!< number of occurences of each byte */
- u_int32_t dst2src_byte_count[256]; /*!< number of occurences of each byte */
- u_int32_t src2dst_num_bytes;
- u_int32_t dst2src_num_bytes;
- double src2dst_bd_mean;
- double src2dst_bd_variance;
- double dst2src_bd_mean;
- double dst2src_bd_variance;
- float score;
} ndpi_flow_info_t;