authorberat <beratiz@gmail.com>2017-09-08 18:00:32 +0200
committerberat <beratiz@gmail.com>2017-09-08 18:00:32 +0200
commitecb048a7bc8f2af388149c20605200cf2c476b41 (patch)
tree1b8e7e4e600c73053e922eb0dc8ca9293a07829b /example
parent8e8445e02f9190c9fb12b01c097dda68a4c88856 (diff)
Extended filter produced by -b flag
Diffstat (limited to 'example')
-rw-r--r--example/ndpiReader.c143
1 files changed, 121 insertions, 22 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index e0dda2cab..1d1215548 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -1375,6 +1375,9 @@ static int port_stats_sort(void *_a, void *_b) {
struct port_stats *a = (struct port_stats*)_a;
struct port_stats *b = (struct port_stats*)_b;
+ if(b->num_pkts == 0 && a->num_pkts == 0)
+ return(b->num_flows - a->num_flows);
+
return(b->num_pkts - a->num_pkts);
}
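Review bot: The new tie-breaker at the `num_pkts == 0` case keeps the subtraction idiom, so if `num_flows` is an unsigned counter (the struct definition is not in the hunk, so this is inferred) `b->num_flows - a->num_flows` wraps instead of going negative and the comparator never reports "a sorts first". A three-way comparison is safe for any integer type and gives the same descending order: `return (b->num_flows > a->num_flows) - (b->num_flows < a->num_flows);`. The pre-existing `b->num_pkts - a->num_pkts` on the next line has the same exposure, and both results are also truncated to `int` if the fields are wider than that.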
@@ -2317,15 +2320,13 @@ void automataUnitTest() {
}
/* *********************************************** */
-
/**
- * @brief Produce bpf filter to filter ports and hosts,
- * save it in .json format
+ * @brief Produce bpf filter to filter ports and hosts
+ * in order to remove a peak in terms of number of packets
+ * sent by source hosts.
*/
#ifdef HAVE_JSON_C
-void bpf_filter_produce_filter(int port_array[], int p_size, const char *host_array[48], int h_size, char *filePath) {
- FILE *fp = NULL;
- char _filterFilePath[1024];
+void bpf_filter_pkt_peak_filter(json_object **jObj_bpfFilter, int port_array[], int p_size, const char *host_array[16], int h_size) {
char filter[2048];
int produced = 0;
int i = 0;
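Review bot: The parameter `const char *host_array[16]` in the new `bpf_filter_pkt_peak_filter` signature is misleading: the compiler ignores the `16`, and the caller in the last hunk passes `filterSrcHosts`, declared `[48]` and bounded by `HOST_ARRAY_SIZE`, so the only real bound is `h_size`. I would write it as `const char *host_array[]` and let `h_size` carry the length; the same applies to `bpf_filter_host_peak_filter` and `getTopReceiverHostsToFilter` in the later hunks. The function body continues past the end of this hunk.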
@@ -2355,9 +2356,9 @@ void bpf_filter_produce_filter(int port_array[], int p_size, const char *host_ar
int l;
if(port_array[0] != INIT_VAL)
- strncat(filter, " and not (host ", sizeof(" and not (host "));
+ strncat(filter, " and not (src ", sizeof(" and not (src "));
else
- strcpy(filter, "not (host ");
+ strcpy(filter, "not (src ");
i=0;
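Review bot: The changed `strncat(filter, " and not (src ", sizeof(" and not (src "))` bounds the copy by the length of the literal rather than by the space left in `filter`, so it offers no protection against overrunning the 2048-byte buffer; the bound must come from the destination, e.g. `strncat(filter, " and not (src ", sizeof(filter) - strlen(filter) - 1);`. As written the length argument also includes the literal's NUL, which is harmless here but another sign the bound was chosen from the wrong side. The enclosing function starts and ends outside this hunk.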
@@ -2377,24 +2378,57 @@ void bpf_filter_produce_filter(int port_array[], int p_size, const char *host_ar
produced = 1;
}
- snprintf(_filterFilePath, sizeof(_filterFilePath), "%s.bpf", filePath);
+ if(produced)
+ json_object_object_add(*jObj_bpfFilter, "pkt.peak.filter", json_object_new_string(filter));
+ else
+ json_object_object_add(*jObj_bpfFilter, "pkt.peak.filter", json_object_new_string(""));
- if((fp = fopen(_filterFilePath,"w")) == NULL) {
- printf("Error creating .json file %s\n", _filterFilePath);
- exit(-1);
- }
+ /*if(produced)
+ fprintf(fp,"%s\n",filter);
+ else
+ fprintf(fp,"");*/
+
+}
+#endif
+
+/* *********************************************** */
+/**
+ * @brief Produce bpf filter to filter ports and hosts
+ * in order to remove a peak in terms of number of source
+ * addresses.
+ */
+#ifdef HAVE_JSON_C
+void bpf_filter_host_peak_filter(json_object **jObj_bpfFilter, const char *host_array[16], int h_size) {
+ char filter[2048];
+ int produced = 0;
+ int i = 0;
- json_object *jObj_bpfFilter = json_object_new_object();
+
+ if(host_array[0] != NULL) {
+ int l;
+
+ strcpy(filter, "not (dst ");
+
+ while(i < h_size && host_array[i] != NULL) {
+ l = strlen(filter);
+
+ if(i+1 == h_size || host_array[i+1] == NULL)
+ snprintf(&filter[l], sizeof(filter)-l, "%s", host_array[i]);
+ else
+ snprintf(&filter[l], sizeof(filter)-l, "%s or ", host_array[i]);
+
+ i++;
+ }
+
+ l = strlen(filter);
+ snprintf(&filter[l], sizeof(filter)-l, "%s", ")");
+ produced = 1;
+ }
if(produced)
- json_object_object_add(jObj_bpfFilter, "filter", json_object_new_string(filter));
+ json_object_object_add(*jObj_bpfFilter, "host.peak.filter", json_object_new_string(filter));
else
- json_object_object_add(jObj_bpfFilter, "filter", json_object_new_string(""));
-
- fprintf(fp,"%s\n",json_object_to_json_string(jObj_bpfFilter));
- fclose(fp);
-
- printf("created: %s\n", _filterFilePath);
+ json_object_object_add(*jObj_bpfFilter, "host.peak.filter", json_object_new_string(""));
}
#endif
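Review bot: The commented-out block `/*if(produced) fprintf(fp,"%s\n",filter); ... */` left at the end of `bpf_filter_pkt_peak_filter` refers to `fp`, which this commit removed from the function, so it can never be revived as-is and should be deleted rather than kept as a comment. In the new `bpf_filter_host_peak_filter`, both `snprintf` results are ignored, so a host list longer than `filter` is silently truncated into a syntactically broken BPF expression that is then written out as if it were valid; checking the return value against `sizeof(filter) - l` and reporting the overflow would make the failure visible. Both functions only ever call `json_object_object_add(*jObj_bpfFilter, ...)` and never reassign the pointer, so a plain `json_object *jObj_bpfFilter` parameter would suffice and would let the caller pass `jObj_bpfFilter` directly.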
@@ -2546,7 +2580,42 @@ void getScannerHostsToFilter(struct json_object *jObj_stat, int duration, const
#endif
/* *********************************************** */
+/*
+ * @brief add to the dstHostArray to filter destination
+ * hosts which have more than 2 percent of flows per minute
+ */
+#ifdef HAVE_JSON_C
+void getTopReceiverHostsToFilter(struct json_object *jObj_stat, int duration, const char *dstHostArray[16], int size) {
+ int j;
+ for(j=0; j<json_object_array_length(jObj_stat); j++) {
+ json_object *scanner_stat = json_object_array_get_idx(jObj_stat, j);
+ json_object *jObj_host_address;
+ json_object *jObj_flows_percent;
+ json_bool res;
+
+ if((res = json_object_object_get_ex(scanner_stat, "flows.percent", &jObj_flows_percent)) == 0) {
+ fprintf(stderr, "ERROR: can't get \"flows.percent\", use -x flag only with .json files generated by ndpiReader -b flag.\n");
+ exit(-1);
+ }
+ double flows_percent = json_object_get_double(jObj_flows_percent);
+
+
+ if(flows_percent > 0.2) {
+ if((res = json_object_object_get_ex(scanner_stat, "aggressive.ip", &jObj_host_address)) == 0) {
+ fprintf(stderr, "ERROR: can't get \"aggressive.ip\", use -x flag only with .json files generated by ndpiReader -b flag.\n");
+ exit(-1);
+ }
+ const char *host_address = json_object_get_string(jObj_host_address);
+
+ bpf_filter_host_array_add(dstHostArray, size, host_address);
+
+ }
+ }
+}
+#endif
+
+/* *********************************************** */
/*
* @brief add ports which have more than 1000 flows per
* second to the srcHostArray to filter
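Review bot: The header comment on `getTopReceiverHostsToFilter` says hosts with "more than 2 percent of flows per minute" are added, but the code tests `flows_percent > 0.2`; if `flows.percent` is a 0–100 percentage as the key name suggests, that is 0.2 %, and if it is a fraction, 2 % would be `0.02`, so either the comment or the constant is wrong. I would name the threshold, e.g. `#define TOP_RECEIVER_FLOWS_PERCENT_THRESHOLD 0.2` with a comment stating the scale of `flows.percent`, and fix whichever side is off. The `duration` parameter is never used in the body, and the per-element variable `scanner_stat` is copied from the scanner function although these entries are receivers, which will confuse the next reader.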
@@ -2590,6 +2659,7 @@ static void produceBpfFilter(char *filePath) {
void *fmap;
int filterSrcPorts[PORT_ARRAY_SIZE]; /* ports to filter */
const char *filterSrcHosts[48]; /* hosts to filter */
+ const char *filterDstHosts[48]; /* hosts to filter */
json_object *jObj; /* entire json object from file */
json_object *jObj_duration;
json_object *jObj_statistics; /* json array */
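Review bot: The added `const char *filterDstHosts[48]` is declared with a literal size but is initialised and filled through `HOST_ARRAY_SIZE` in the later hunks; if that macro is ever raised above 48 the init and the adds write past the array. Declaring it as `const char *filterDstHosts[HOST_ARRAY_SIZE]; /* destination hosts to filter */` ties the two together (the existing `filterSrcHosts[48]` line above has the same issue). The enclosing `produceBpfFilter` starts and ends outside this hunk.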
@@ -2642,6 +2712,7 @@ static void produceBpfFilter(char *filePath) {
bpf_filter_port_array_init(filterSrcPorts, PORT_ARRAY_SIZE);
bpf_filter_host_array_init(filterSrcHosts, HOST_ARRAY_SIZE);
+ bpf_filter_host_array_init(filterDstHosts, HOST_ARRAY_SIZE);
for(i=0; i<array_len; i++) {
@@ -2668,9 +2739,37 @@ static void produceBpfFilter(char *filePath) {
}
getHostBasedSourcePortsToFilter(val, duration, filterSrcPorts, PORT_ARRAY_SIZE);
+ if((res = json_object_object_get_ex(stats, "top.dst.pkts.stats", &val)) == 0) {
+ fprintf(stderr,"ERROR: can't get \"top.dst.pkts.stats\", use -x flag only with .json files generated by ndpiReader -b flag.\n");
+ exit(-1);
+ }
+ getTopReceiverHostsToFilter(val, duration, filterDstHosts, HOST_ARRAY_SIZE);
+
}
- bpf_filter_produce_filter(filterSrcPorts, PORT_ARRAY_SIZE, filterSrcHosts, HOST_ARRAY_SIZE, filePath);
+
+ FILE *fp = NULL;
+ char *fileName;
+ char _filterFilePath[1024];
+
+ fileName = basename(filePath);
+ snprintf(_filterFilePath, sizeof(_filterFilePath), "%s.bpf", filePath);
+
+ if((fp = fopen(_filterFilePath,"w")) == NULL) {
+ printf("Error creating .json file %s\n", _filterFilePath);
+ exit(-1);
+ }
+
+ json_object *jObj_bpfFilter = json_object_new_object();
+
+ bpf_filter_pkt_peak_filter(&jObj_bpfFilter, filterSrcPorts, PORT_ARRAY_SIZE, filterSrcHosts, HOST_ARRAY_SIZE);
+ bpf_filter_host_peak_filter(&jObj_bpfFilter, filterDstHosts, HOST_ARRAY_SIZE);
+
+ fprintf(fp,"%s\n",json_object_to_json_string(jObj_bpfFilter));
+ fclose(fp);
+
+ printf("created: %s\n", _filterFilePath);
+
json_object_put(jObj); /* free memory */
}
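Review bot: `fileName = basename(filePath);` is assigned and never used, and POSIX `basename` may modify the string it is given, so the call should simply be dropped along with the `fileName` declaration. The new root object `jObj_bpfFilter` is never released; json-c objects are reference counted, so add `json_object_put(jObj_bpfFilter);` after the `fprintf`, next to the existing `json_object_put(jObj)`. The failure message `"Error creating .json file %s\n"` is printed for the `.bpf` file, and `fclose(fp)` on a write stream is unchecked, so a full disk goes unreported while "created:" is still printed.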