authorLuca <deri@ntop.org>2021-05-06 21:42:06 +0200
committerLuca <deri@ntop.org>2021-05-06 21:42:06 +0200
commitae2470fad40d1865c6fd17f686f43555cc47b92b (patch)
tree520bd1e9f7892418a32fe842b8d1777565f5ce8f /example
parent808050e6357f0c84826828f1922ac1a29803845b (diff)
Initial work towards detection via TLS of browser types
Diffstat (limited to 'example')
-rw-r--r--example/ndpiReader.c5
-rw-r--r--example/reader_util.c2
-rw-r--r--example/reader_util.h3
3 files changed, 10 insertions, 0 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 806fb4a69..1736b4fa3 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -1474,6 +1474,11 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa
}
}
+#ifdef EURISTICS_CODE
+ if(flow->ssh_tls.browser_euristics.is_safari_tls) fprintf(out, "[Safari]");
+ if(flow->ssh_tls.browser_euristics.is_firefox_tls) fprintf(out, "[Firefox]");
+#endif
+
if(flow->ssh_tls.notBefore && flow->ssh_tls.notAfter) {
char notBefore[32], notAfter[32];
struct tm a, b;
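Review bot: The `EURISTICS_CODE` guard covers only these two `fprintf` lines in printFlow, while the copy added in example/reader_util.c and the `browser_euristics` member added in example/reader_util.h are compiled unconditionally. Nothing in the visible diff defines the macro, so the tags are presumably compiled out by default while the per-flow data is still carried. If the library declares `struct tls_euristics` under the same macro (not visible here), the unguarded lines would fail to build without it. Either drop the guard here or wrap the other two additions in the same `#ifdef EURISTICS_CODE` / `#endif`. printFlow starts and ends outside the hunk.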
diff --git a/example/reader_util.c b/example/reader_util.c
index af58d8db5..18c8c6e2a 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1170,6 +1170,8 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
flow->ssh_tls.sha1_cert_fingerprint_set = 1;
}
+ flow->ssh_tls.browser_euristics = flow->ndpi_flow->protos.tls_quic_stun.tls_quic.browser_euristics;
+
if(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.alpn) {
if((flow->ssh_tls.tls_alpn = ndpi_strdup(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.alpn)) != NULL)
correct_csv_data_field(flow->ssh_tls.tls_alpn);
diff --git a/example/reader_util.h b/example/reader_util.h
index c54d68aa4..5175e868d 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -211,10 +211,13 @@ typedef struct ndpi_flow_info {
ja3_client[33], ja3_server[33],
sha1_cert_fingerprint[20];
u_int8_t sha1_cert_fingerprint_set;
+ struct tls_euristics browser_euristics;
+
struct {
u_int16_t cipher_suite;
char *esni;
} encrypted_sni;
+
time_t notBefore, notAfter;
u_int16_t server_cipher;
ndpi_cipher_weakness client_unsafe_cipher, server_unsafe_cipher;
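Review bot: The new `browser_euristics` member of `struct ndpi_flow_info` has no comment saying what the flags mean or how far they can be trusted. Going by the commit title they are guesses derived from the TLS handshake, which the client controls and can shape to resemble another browser, so consumers of the reader output should treat them as a hint rather than an identity. I would add above the member: `/* Best-effort browser guess from TLS handshake traits; client-controlled, not an identity or trust signal */`. The struct definition starts and ends outside the hunk.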