author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-09-27 18:51:47 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-09-27 18:51:47 +0200 |
commit | e2ed23a72ae6027a52f7d92a0e96c56af8459600 (patch) | |
tree | 9acb189766f25f7a7e161459ba7b87005f295b5f /src/lib/ndpi_main.c | |
parent | 9c35627d874c4f6aca50abce037b55fc279fab68 (diff) |
Let the library returning the packet direction calculated internally (#2572)
wireshark, lua: add basic analysis of possible obfuscated flows
Diffstat (limited to 'src/lib/ndpi_main.c')
-rw-r--r-- | src/lib/ndpi_main.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 3e16ca5c1..ef5bab840 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -6804,7 +6804,7 @@ static int ndpi_init_packet(struct ndpi_detection_module_struct *ndpi_str, const u_int64_t current_time_ms, const unsigned char *packet_data, unsigned short packetlen, - const struct ndpi_flow_input_info *input_info) { + struct ndpi_flow_input_info *input_info) { struct ndpi_packet_struct *packet = &ndpi_str->packet; const struct ndpi_iphdr *decaps_iph = NULL; u_int16_t l3len; @@ -7261,6 +7261,14 @@ static void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_s ndpi_unset_risk(flow, NDPI_UNIDIRECTIONAL_TRAFFIC); /* Clear bit */ } } + + if(ndpi_str->input_info && + ndpi_str->input_info->in_pkt_dir == NDPI_IN_PKT_DIR_UNKNOWN) { + if(current_pkt_from_client_to_server(ndpi_str, flow)) + ndpi_str->input_info->in_pkt_dir = NDPI_IN_PKT_DIR_C_TO_S; + else + ndpi_str->input_info->in_pkt_dir = NDPI_IN_PKT_DIR_S_TO_C; + } } /* ************************************************ */ @@ -7959,7 +7967,7 @@ void ndpi_process_extra_packet(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, const unsigned char *packet_data, const unsigned short packetlen, const u_int64_t current_time_ms, - const struct ndpi_flow_input_info *input_info) { + struct ndpi_flow_input_info *input_info) { if(flow == NULL) return; @@ -8562,7 +8570,7 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio const unsigned char *packet_data, const unsigned short packetlen, const u_int64_t current_time_ms, - const struct ndpi_flow_input_info *input_info) { + struct ndpi_flow_input_info *input_info) { struct ndpi_packet_struct *packet; NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_packet; u_int32_t num_calls = 0; 
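Review bot: Dropping `const` from `input_info` in `ndpi_init_packet`, and likewise in the hunks for `ndpi_process_extra_packet`, `ndpi_internal_detection_process_packet` and `ndpi_detection_process_packet`, turns a read-only argument into an in/out one, and nothing at the changed signatures says so. Two of these are non-static entry points, so callers that hold a `const`-qualified or shared structure will either get a qualifier warning or, if they cast it away, have the library write into memory they treat as immutable. I would state the contract at the public prototypes, e.g. `/* input_info is in/out: in_pkt_dir is overwritten by the library when passed as NDPI_IN_PKT_DIR_UNKNOWN */`. All four function bodies extend beyond their hunks.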
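Review bot: The write-back added at the end of `ndpi_connection_tracking()` only fires when `in_pkt_dir == NDPI_IN_PKT_DIR_UNKNOWN`, so a caller that reuses one `ndpi_flow_input_info` across packets without resetting the field will have the first computed direction read back as caller-supplied on every later packet. Anything that depends on direction would then presumably be skewed without any error being reported. A comment on the new block would make the requirement explicit, e.g. `/* Caller must reset in_pkt_dir to NDPI_IN_PKT_DIR_UNKNOWN before each packet to receive the library's value */`. The function starts outside the hunk, so where `ndpi_str->input_info` is assigned cannot be checked from here.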
@@ -8593,6 +8601,10 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio if(ndpi_str->cfg.max_packets_to_process > 0 && flow->num_processed_pkts >= ndpi_str->cfg.max_packets_to_process) { flow->extra_packets_func = NULL; /* To allow ndpi_extra_dissection_possible() to fail */ flow->fail_with_unknown = 1; + /* Let's try to update ndpi_str->input_info->in_pkt_dir even in this case. + * It is quite uncommon, so we are not going to spend a lot of resources here... */ + if(ndpi_init_packet(ndpi_str, flow, current_time_ms, packet_data, packetlen, input_info) == 0) + ndpi_connection_tracking(ndpi_str, flow); return(ret); /* Avoid spending too much time with this flow */ } @@ -8892,7 +8904,7 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, const unsigned char *packet_data, const unsigned short packetlen, const u_int64_t current_time_ms, - const struct ndpi_flow_input_info *input_info) { + struct ndpi_flow_input_info *input_info) { ndpi_protocol p = ndpi_internal_detection_process_packet(ndpi_str, flow, packet_data, packetlen, current_time_ms, input_info); |
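Review bot: In the `max_packets_to_process` early-return branch, the added `ndpi_init_packet()` / `ndpi_connection_tracking()` pair runs on every packet past the cap whether or not the caller asked for a direction, although this branch exists to bound per-flow work. Since the stated purpose is only to fill `in_pkt_dir`, the call could be gated on it: `if(input_info && input_info->in_pkt_dir == NDPI_IN_PKT_DIR_UNKNOWN && ndpi_init_packet(ndpi_str, flow, current_time_ms, packet_data, packetlen, input_info) == 0)`. `ndpi_connection_tracking()` also appears to modify flow state (an earlier hunk shows it clearing `NDPI_UNIDIRECTIONAL_TRAFFIC`), so it is worth confirming that updating a flow already marked `fail_with_unknown` is intended. When `ndpi_init_packet()` fails, `in_pkt_dir` is left unknown, which the comment should tell callers to expect. The function body continues outside the hunk.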