authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2024-09-16 22:19:20 +0200
committerGitHub <noreply@github.com>2024-09-16 22:19:20 +0200
commit1197cbdf58d54a56a5ac520a619861f70b9622c0 (patch)
treeae980c0dc8460161ce6a465c4e44f72df1a5f681 /example
parent0ddbda1f829a2d1b27d7e6519900201111702823 (diff)
wireshark: extcap: rework trailer header (#2557)
Diffstat (limited to 'example')
-rw-r--r--example/ndpiReader.c31
1 files changed, 9 insertions, 22 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index a8518d0df..7f6271435 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -220,12 +220,11 @@ struct receiver {
struct receiver *receivers = NULL, *topReceivers = NULL;
#define WIRESHARK_NTOP_MAGIC 0x19680924
-#define WIRESHARK_METADATA_SIZE 256
+#define WIRESHARK_METADATA_SIZE 192
+#define WIRESHARK_FLOW_RISK_INFO_SIZE 128
#define WIRESHARK_METADATA_SERVERNAME 0x01
-#define WIRESHARK_METADATA_JA3C 0x02
-#define WIRESHARK_METADATA_JA3S 0x03
-#define WIRESHARK_METADATA_JA4C 0x04
+#define WIRESHARK_METADATA_JA4C 0x02
struct ndpi_packet_tlv {
u_int16_t type;
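Review bot: Renumbering `WIRESHARK_METADATA_JA4C` from 0x04 to 0x02 reuses the value that previous builds emitted for JA3C, so a dissector or a capture from before this commit will read a JA4C TLV as a JA3 client hash rather than as an unknown type. Since the TLV type is a wire-format constant consumed outside this file (the Wireshark side is not in this diffstat), it is safer to keep `#define WIRESHARK_METADATA_JA4C 0x04` and leave 0x02/0x03 retired with a comment such as `/* 0x02, 0x03: former JA3C/JA3S, do not reuse */`. If the Wireshark dissector is updated in lockstep in the same commit, this is only a concern for old captures, but it costs nothing to avoid.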
@@ -237,12 +236,14 @@ PACK_ON
struct ndpi_packet_trailer {
u_int32_t magic; /* WIRESHARK_NTOP_MAGIC */
ndpi_master_app_protocol proto;
+ char name[16];
ndpi_risk flow_risk;
u_int16_t flow_score;
- char flow_risk_info[32];
- char name[16];
+ u_int16_t flow_risk_info_len;
+ char flow_risk_info[WIRESHARK_FLOW_RISK_INFO_SIZE];
/* TLV of attributes. Having a max and fixed size for all the metadata
is not efficient but greatly improves detection of the trailer by Wireshark */
+ u_int16_t metadata_len;
unsigned char metadata[WIRESHARK_METADATA_SIZE];
} PACK_OFF;
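Review bot: The trailer layout changes (name moves ahead of flow_risk, two length fields are inserted, both buffers resize) while `magic` keeps the same value, so a dissector that keys only on `WIRESHARK_NTOP_MAGIC` cannot tell an old-format trailer from a new one and will mis-parse captures taken with an earlier ndpiReader. Adding a version field right after the magic, `u_int8_t version; /* bump whenever the layout below changes */`, or defining a new magic for the reworked layout, would make the format self-describing; the new `flow_risk_info_len`/`metadata_len` fields help only once the reader already knows where they sit. Whether the Wireshark-side code handles this is not visible from this diff, so I am hedging on the impact.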
@@ -4565,6 +4566,7 @@ static void ndpi_process_packet(u_char *args,
trailer->magic = htonl(WIRESHARK_NTOP_MAGIC);
trailer->flow_risk = htonl64(flow_risk);
trailer->flow_score = htons(ndpi_risk2score(flow_risk, &cli_score, &srv_score));
+ trailer->flow_risk_info_len = ntohs(WIRESHARK_FLOW_RISK_INFO_SIZE);
if(flow->risk_str) {
strncpy(trailer->flow_risk_info, flow->risk_str, sizeof(trailer->flow_risk_info));
trailer->flow_risk_info[sizeof(trailer->flow_risk_info) - 1] = '\0';
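Review bot: The new line `trailer->flow_risk_info_len = ntohs(WIRESHARK_FLOW_RISK_INFO_SIZE);` converts host-to-network order with `ntohs`, while `flow_score` two lines above uses `htons`; the result is identical on every platform in practice, but the intent is clearer and consistent as `trailer->flow_risk_info_len = htons(WIRESHARK_FLOW_RISK_INFO_SIZE);`. The field also holds the capacity of the buffer rather than the length of the string that `strncpy` writes, which a reader of the dissector could easily mistake; a comment such as `/* capacity of flow_risk_info[], not strlen(): the string is NUL-terminated below */` would avoid that. The enclosing `ndpi_process_packet` starts and ends outside this hunk.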
@@ -4577,6 +4579,7 @@ static void ndpi_process_packet(u_char *args,
We export them only once */
/* TODO: boundary check. Right now there is always enough room, but we should check it if we are
going to extend the list of the metadata exported */
+ trailer->metadata_len = ntohs(WIRESHARK_METADATA_SIZE);
struct ndpi_packet_tlv *tlv = (struct ndpi_packet_tlv *)trailer->metadata;
int tot_len = 0;
if(flow && flow->detection_completed == 1) {
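Review bot: `trailer->metadata_len` is set to the full `WIRESHARK_METADATA_SIZE` before any TLV is written, so it reports the capacity of `metadata[]`, not the number of TLV bytes actually in use, and the TODO just above it still documents that nothing checks `tot_len` against that capacity. The meaning should be stated next to the assignment, e.g. `/* capacity of metadata[]; the TLV bytes in use are bounded by tot_len */`, and the conversion should read `htons(WIRESHARK_METADATA_SIZE)` for consistency with `flow_score` in the earlier hunk. How the dissector finds the end of the TLV list inside a fixed-size, capacity-labelled region is not visible here and is worth confirming.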
@@ -4588,22 +4591,6 @@ static void ndpi_process_packet(u_char *args,
tot_len += 4 + htons(tlv->length);
tlv = (struct ndpi_packet_tlv *)&trailer->metadata[tot_len];
}
- if(flow->ssh_tls.ja3_client[0] != '\0') {
- tlv->type = ntohs(WIRESHARK_METADATA_JA3C);
- tlv->length = ntohs(sizeof(flow->ssh_tls.ja3_client));
- memcpy(tlv->data, flow->ssh_tls.ja3_client, sizeof(flow->ssh_tls.ja3_client));
- /* TODO: boundary check */
- tot_len += 4 + htons(tlv->length);
- tlv = (struct ndpi_packet_tlv *)&trailer->metadata[tot_len];
- }
- if(flow->ssh_tls.ja3_server[0] != '\0') {
- tlv->type = ntohs(WIRESHARK_METADATA_JA3S);
- tlv->length = ntohs(sizeof(flow->ssh_tls.ja3_server));
- memcpy(tlv->data, flow->ssh_tls.ja3_server, sizeof(flow->ssh_tls.ja3_server));
- /* TODO: boundary check */
- tot_len += 4 + htons(tlv->length);
- tlv = (struct ndpi_packet_tlv *)&trailer->metadata[tot_len];
- }
if(flow->ssh_tls.ja4_client[0] != '\0') {
tlv->type = ntohs(WIRESHARK_METADATA_JA4C);
tlv->length = ntohs(sizeof(flow->ssh_tls.ja4_client));
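Review bot: The remaining JA4C append at the end of the hunk still writes `4 + sizeof(flow->ssh_tls.ja4_client)` bytes at `&trailer->metadata[tot_len]` without checking that it fits, and the capacity it must fit in has just shrunk from 256 to 192 bytes in the first hunk, so the "there is always enough room" claim in the TODO should be re-verified against the new sizes rather than carried over. A one-line guard on the condition removes the dependence on that claim: `if(flow->ssh_tls.ja4_client[0] != '\0' && tot_len + 4 + (int)sizeof(flow->ssh_tls.ja4_client) <= WIRESHARK_METADATA_SIZE) {`. The `tot_len += 4 + htons(tlv->length)` idiom kept from the JA3 code could likewise be `tot_len += 4 + sizeof(flow->ssh_tls.ja4_client);` to avoid a round trip through network order. The memcpy and the rest of `ndpi_process_packet` continue past the end of this hunk.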