author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-10-14 18:05:35 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-10-14 18:05:35 +0200 |
commit | 521d0ca7a0196889f5452a2e725f8e01ddf79efb (patch) | |
tree | 06b76aa973aa8cf380c064750c4b9a052af82e29 /src/include | |
parent | 44d0d9454c5db4e7863ed0b83c94de08eb19e132 (diff) |
Add monitoring capability (#2588)
Allow nDPI to process the entire flows and not only the first N packets.
Useful when the application is interested in some metadata spanning the
entire life of the session.
As initial step, only STUN flows can be put in monitoring.
See `doc/monitoring.md` for further details.
This feature is disabled by default.
Close #2583
Diffstat (limited to 'src/include')
-rw-r--r-- | src/include/ndpi_private.h | 3 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 20 |
2 files changed, 20 insertions, 3 deletions
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h index 2278428a5..a72a956d7 100644 --- a/src/include/ndpi_private.h +++ b/src/include/ndpi_private.h @@ -284,6 +284,7 @@ struct ndpi_detection_module_config_struct { NDPI_PROTOCOL_BITMASK debug_bitmask; NDPI_PROTOCOL_BITMASK ip_list_bitmask; + NDPI_PROTOCOL_BITMASK monitoring; int flow_risk_lists_enabled; int risk_anonymous_subscriber_list_icloudprivaterelay_enabled; @@ -637,6 +638,8 @@ bool ndpi_cache_address(struct ndpi_detection_module_struct *ndpi_struct, ndpi_ip_addr_t ip_addr, char *hostname, u_int32_t epoch_now, u_int32_t ttl); +int is_monitoring_enabled(struct ndpi_detection_module_struct *ndpi_str, int protoId); + /* TLS */ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, uint32_t quic_version); diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index b401aad11..82eaabcc3 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1232,6 +1232,18 @@ struct ndpi_risk_information { char *info; }; +struct ndpi_metadata_monitoring { + union { + struct { + ndpi_address_port mapped_address; + ndpi_address_port peer_address; + ndpi_address_port relayed_address; + ndpi_address_port response_origin; + ndpi_address_port other_address; + } dtls_stun_rtp; + } protos; +}; + struct ndpi_flow_struct { u_int16_t detected_protocol_stack[NDPI_PROTOCOL_SIZE]; @@ -1239,6 +1251,7 @@ struct ndpi_flow_struct { u_int16_t guessed_protocol_id, guessed_protocol_id_by_ip, guessed_category, guessed_header_category; u_int8_t l4_proto, protocol_id_already_guessed:1, fail_with_unknown:1, init_finished:1, client_packet_direction:1, packet_direction:1, is_ipv6:1, first_pkt_fully_encrypted:1, skip_entropy_check: 1; + u_int8_t monitoring: 1, _pad:7; u_int16_t num_dissector_calls; ndpi_confidence_t confidence; /* ndpi_confidence_t */ 
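Review bot: The new field in `struct ndpi_detection_module_config_struct` is named `monitoring`, while the two masks directly above it are `debug_bitmask` and `ip_list_bitmask`, and the same commit adds a one-bit flag that is also called `monitoring` to `struct ndpi_flow_struct`. Naming the config field `monitoring_bitmask` would follow the existing convention and make it obvious at each use which one is the per-protocol mask and which one is the per-flow flag. A short comment such as `/* protocols whose flows may be put in monitoring */` would also help.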
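Review bot: `is_monitoring_enabled()` takes the protocol id as a signed `int`, and its definition is not part of this diff, so it is not visible whether a negative or out-of-range `protoId` is rejected before the `monitoring` bitmask is tested. If the implementation uses the value directly to index the mask, a range check belongs there, or the parameter could be declared `u_int16_t protoId` to match the protocol id fields in `struct ndpi_flow_struct`. The function also returns `int` as a truth value right below `bool ndpi_cache_address(...)`; returning `bool` would match the neighbouring prototype.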
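Review bot: `struct ndpi_metadata_monitoring` is added without any comment, so a reader cannot tell which of the five `ndpi_address_port` members are filled for a given packet or how an unset member is told apart from a parsed one. Since the commit message limits monitoring to STUN flows, these values presumably come from attributes carried in the packet, and the header should say that they are unvalidated network data that a consumer must not rely on for trust decisions. I would add a header comment along the lines of `/* Per-packet metadata of monitored flows; members absent from the current packet are zeroed */` (wording to be confirmed against the dissector). If the single-member `union` is meant as an extension point for other protocols, a one-line comment saying so would explain it.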
@@ -1486,7 +1499,8 @@ struct ndpi_flow_struct { } slp; } protos; - /*** ALL protocol specific 64 bit variables here ***/ + /* **Packet** metadata for flows where monitoring is enabled. It is reset after each packet! */ + struct ndpi_metadata_monitoring *monit; /* protocols which have marked a connection as this connection cannot be protocol XXX, multiple u_int64_t */ NDPI_PROTOCOL_BITMASK excluded_protocol_bitmask; @@ -1573,8 +1587,8 @@ struct ndpi_flow_struct { _Static_assert(sizeof(((struct ndpi_flow_struct *)0)->protos) <= 264, "Size of the struct member protocols increased to more than 264 bytes, " "please check if this change is necessary."); -_Static_assert(sizeof(struct ndpi_flow_struct) <= 1160, - "Size of the flow struct increased to more than 1160 bytes, " +_Static_assert(sizeof(struct ndpi_flow_struct) <= 1176, + "Size of the flow struct increased to more than 1176 bytes, " "please check if this change is necessary."); #endif #endif |
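Review bot: The new `struct ndpi_metadata_monitoring *monit` member of `struct ndpi_flow_struct` has no stated ownership or lifetime: nothing in this header says who allocates it, whether it is NULL for flows that are not in monitoring, or where it is freed. The allocation and release code is outside this diff (it is limited to `src/include`), so please confirm that the flow-free path releases it and that re-initialising a flow neither leaks it nor leaves it dangling. The comment should also say whether "reset after each packet" refers to the pointed-to data or to the pointer, for example `/* NULL unless the flow is monitored; owned by the flow; contents are overwritten on every packet, copy what you need */`. The comment this hunk replaces, `/*** ALL protocol specific 64 bit variables here ***/`, was a section marker for the fields that follow and is lost.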