author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2023-01-19 21:45:35 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-01-19 21:45:35 +0100 |
commit | c4274a4aecac5b86a575c48f4f3b6971c35bb8b8 (patch) | |
tree | fe753fdce59608083616e208b6c93465e45b63b8 /src/lib/ndpi_main.c | |
parent | f5c2f9280cbf06b716a5849cc4f9005a37c49f19 (diff) |
Minor changes in `ndpi_detection_giveup()` (#1861)
Check the mining cache at the end of the function, like all the other
LRU caches.
Rewrite the STUN checks: identical semantics, but hopefully written in a
cleaner way
Diffstat (limited to 'src/lib/ndpi_main.c')
-rw-r--r-- | src/lib/ndpi_main.c | 90 |
1 files changed, 39 insertions, 51 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 13a800183..10a479896 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -6000,6 +6000,7 @@ static void ndpi_add_connection_as_zoom(struct ndpi_detection_module_struct *ndp ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, u_int8_t enable_guess, u_int8_t *protocol_was_guessed) { ndpi_protocol ret = NDPI_PROTOCOL_NULL; + u_int16_t cached_proto; /* *** We can't access ndpi_str->packet from this function!! *** */ @@ -6009,7 +6010,8 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st return(ret); /* Init defaults */ - ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; + ret.master_protocol = flow->detected_protocol_stack[1]; + ret.app_protocol = flow->detected_protocol_stack[0]; ret.protocol_by_ip = flow->guessed_protocol_id_by_ip; ret.category = flow->category; 
@@ -6017,60 +6019,46 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st if(ret.app_protocol != NDPI_PROTOCOL_UNKNOWN) return(ret); - /* TODO: this lookup seems in the wrong place here... - Move it somewhere else (?) or setting flow->guessed_protocol_id directly in the mining dissector? */ - if(ndpi_str->mining_cache) { - u_int16_t cached_proto; - - if(ndpi_lru_find_cache(ndpi_str->mining_cache, make_mining_key(flow), - &cached_proto, 0 /* Don't remove it as it can be used for other connections */, - ndpi_get_current_time(flow))) { - ndpi_set_detected_protocol(ndpi_str, flow, cached_proto, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE); - ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; - ndpi_fill_protocol_category(ndpi_str, flow, &ret); - return(ret); - } - } - - if(flow->guessed_protocol_id == NDPI_PROTOCOL_STUN) - goto check_stun_export; - else if(enable_guess) { - if(flow->stun.num_binding_requests > 0 && - flow->stun.num_processed_pkts > 0) { - *protocol_was_guessed = 1; - ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_STUN, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL); - } - } - - if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) && - (flow->guessed_protocol_id == NDPI_PROTOCOL_STUN)) { - check_stun_export: - *protocol_was_guessed = 1; + if((flow->guessed_protocol_id == NDPI_PROTOCOL_STUN) || + (enable_guess && + flow->stun.num_binding_requests > 0 && + flow->stun.num_processed_pkts > 0)) { ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_STUN, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL); + ret.app_protocol = flow->detected_protocol_stack[0]; } - ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; + /* Check some caches */ - if((ret.master_protocol == NDPI_PROTOCOL_UNKNOWN) - && (ret.app_protocol == NDPI_PROTOCOL_UNKNOWN)) { - /* Check some caches */ - 
if(ndpi_search_into_bittorrent_cache(ndpi_str, flow, - flow->c_address.v4, flow->c_port, - flow->s_address.v4, flow->s_port)) { - /* This looks like BitTorrent */ - ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE); - ret.app_protocol = NDPI_PROTOCOL_BITTORRENT; - } else if((flow->l4_proto == IPPROTO_UDP) && /* Zoom/UDP used for video */ - ((ntohs(flow->s_port) == 8801 && ndpi_search_into_zoom_cache(ndpi_str, flow, 1)) || - (ntohs(flow->c_port) == 8801 && ndpi_search_into_zoom_cache(ndpi_str, flow, 0)))) { - /* This looks like Zoom */ - ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_ZOOM, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE); - ret.app_protocol = NDPI_PROTOCOL_ZOOM; - } else if(stun_search_into_zoom_cache(ndpi_str, flow)) { - /* This looks like Zoom */ - ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_ZOOM, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE); - ret.app_protocol = flow->detected_protocol_stack[0]; - } + /* Does it looks like BitTorrent? */ + if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN && + ndpi_search_into_bittorrent_cache(ndpi_str, flow, + flow->c_address.v4, flow->c_port, + flow->s_address.v4, flow->s_port)) { + ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE); + ret.app_protocol = flow->detected_protocol_stack[0]; + } + /* Does it looks like some Mining protocols? */ + if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN && + ndpi_str->mining_cache && + ndpi_lru_find_cache(ndpi_str->mining_cache, make_mining_key(flow), + &cached_proto, 0 /* Don't remove it as it can be used for other connections */, + ndpi_get_current_time(flow))) { + ndpi_set_detected_protocol(ndpi_str, flow, cached_proto, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE); + ret.app_protocol = flow->detected_protocol_stack[0]; + } + /* Does it looks like Zoom? 
*/ + if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN && + flow->l4_proto == IPPROTO_UDP && /* Zoom/UDP used for video */ + ((ntohs(flow->s_port) == 8801 && ndpi_search_into_zoom_cache(ndpi_str, flow, 1)) || + (ntohs(flow->c_port) == 8801 && ndpi_search_into_zoom_cache(ndpi_str, flow, 0)))) { + ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_ZOOM, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE); + ret.app_protocol = flow->detected_protocol_stack[0]; + } + /* Does it looks like Zoom (via STUN)? */ + if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN && + stun_search_into_zoom_cache(ndpi_str, flow)) { + ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_ZOOM, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE); + ret.app_protocol = flow->detected_protocol_stack[0]; } /* Classification by-port is the last resort */ |
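Review bot: The rewritten STUN branch no longer writes `*protocol_was_guessed = 1;`, which both removed STUN paths did before calling ndpi_set_detected_protocol(), although the commit message describes the rewrite as semantically identical. ndpi_detection_giveup() continues past this hunk, so the out-parameter may be set later; if it is not, callers that separate guessed results from dissected ones will now see a STUN guess reported as not guessed, and the assignment should go back inside the new `if`. The mining-cache hit likewise used to call `ndpi_fill_protocol_category(ndpi_str, flow, &ret)` and return, and now relies on code after the hunk to fill `ret.category`, which is worth confirming. Because the mining lookup now runs only when the STUN guess and the BitTorrent cache both left `ret.app_protocol` unknown, a flow matching either is no longer labelled as mining; a short comment above the cache checks, such as `/* Order matters: first match wins, mining is checked after STUN and BitTorrent */`, would make that precedence explicit for anyone relying on mining detection.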