authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2022-07-24 17:46:24 +0200
committerGitHub <noreply@github.com>2022-07-24 17:46:24 +0200
commite6b332aa4a1399e33df68998cf8351bccaee3fc4 (patch)
tree3fd8ebf02b0af5334b203055e22e4fe139f0cbf4 /src/lib/protocols
parent523f22b942b1649272e7b89000d25db6278aa1b0 (diff)
Add support for flow client/server information (#1671)
In a lot of places in nDPI we use *packet* source/dest info (address/port/direction) when we are interested in *flow* client/server info, instead. Add basic logic to autodetect this kind of information. nDPI doesn't perform any "flow management" itself but this task is delegated to the external application. It is then likely that the application might provide more reliable hints about flow client/server direction and about the TCP handshake presence: in that case, this information might be (optionally) passed to the library, disabling the internal "autodetect" logic. These new fields have been used in some LRU caches and in the "guessing" algorithm. It is quite likely that some other code needs to be updated.
Diffstat (limited to 'src/lib/protocols')
-rw-r--r--src/lib/protocols/bittorrent.c26
-rw-r--r--src/lib/protocols/ftp_data.c2
-rw-r--r--src/lib/protocols/icecast.c6
-rw-r--r--src/lib/protocols/lotus_notes.c7
4 files changed, 10 insertions, 31 deletions
diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c
index d2cfa93f5..435dc1089 100644
--- a/src/lib/protocols/bittorrent.c
+++ b/src/lib/protocols/bittorrent.c
@@ -126,34 +126,25 @@ static void ndpi_add_connection_as_bittorrent(struct ndpi_detection_module_struc
if(ndpi_struct->bittorrent_cache && packet->iph) {
u_int32_t key1, key2, i;
- if(packet->udp)
- key1 = ndpi_ip_port_hash_funct(packet->iph->saddr, packet->udp->source), key2 = ndpi_ip_port_hash_funct(packet->iph->daddr, packet->udp->dest);
- else
- key1 = ndpi_ip_port_hash_funct(packet->iph->saddr, packet->tcp->source), key2 = ndpi_ip_port_hash_funct(packet->iph->daddr, packet->tcp->dest);
+ key1 = ndpi_ip_port_hash_funct(flow->c_address.v4, flow->c_port), key2 = ndpi_ip_port_hash_funct(flow->s_address.v4, flow->s_port);
ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache, key1, NDPI_PROTOCOL_BITTORRENT);
ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache, key2, NDPI_PROTOCOL_BITTORRENT);
/* Now add hosts as twins */
ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache,
- packet->iph->saddr + packet->iph->daddr,
+ flow->c_address.v4 + flow->s_address.v4,
NDPI_PROTOCOL_BITTORRENT);
/* Also add +2 ports of the sender in order to catch additional sockets open by the same client */
for(i=0; i<2; i++) {
- if(packet->udp)
- key1 = ndpi_ip_port_hash_funct(packet->iph->saddr, htons(ntohs(packet->udp->source)+1+i));
- else
- key1 = ndpi_ip_port_hash_funct(packet->iph->saddr, htons(ntohs(packet->tcp->source)+1+i));
+ key1 = ndpi_ip_port_hash_funct(flow->c_address.v4, htons(ntohs(flow->c_port)+1+i));
ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache, key1, NDPI_PROTOCOL_BITTORRENT);
}
#ifdef BITTORRENT_CACHE_DEBUG
- if(packet->udp)
- printf("[BitTorrent] [UDP] *** ADDED ports %u / %u [%u][%u]\n", ntohs(packet->udp->source), ntohs(packet->udp->dest), key1, key2);
- else
- printf("[BitTorrent] [TCP] *** ADDED ports %u / %u [%u][%u]\n", ntohs(packet->tcp->source), ntohs(packet->tcp->dest), key1, key2);
+ printf("[BitTorrent] [%s] *** ADDED ports %u / %u [%u][%u]\n", flow->l4_proto == IPPROTO_TCP ? "TCP" : "UDP", ntohs(flow->c_port), ntohs(flow->s_port), key1, key2);
#endif
}
}
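Review bot: The comment `/* Also add +2 ports of the sender ... */` above the `for(i=0; i<2; i++)` loop no longer matches the code, which now keys on `flow->c_address.v4` and `flow->c_port` whichever endpoint sent the packet being processed. If the client/server roles are inferred wrongly (for example on a flow picked up mid-stream, which this hunk cannot rule out), the extra port entries are cached for the wrong host and later flows from it may be labelled BitTorrent from the cache alone. I would reword the comment to `/* Also add +2 ports of the flow client (c_port); this may not be the sender of the current packet */`. Separately, under BITTORRENT_CACHE_DEBUG the printf reports `key1` after the loop has overwritten it, so the first bracketed value is the +2 port key rather than the client key. The function starts outside the hunk.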
@@ -455,14 +446,7 @@ static u_int8_t is_port(u_int16_t a, u_int16_t b, u_int16_t what) {
static void ndpi_skip_bittorrent(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
struct ndpi_packet_struct *packet) {
- u_int16_t sport, dport;
-
- if(packet->udp)
- sport = packet->udp->source, dport = packet->udp->dest;
- else
- sport = packet->tcp->source, dport = packet->tcp->dest;
-
- if(packet->iph && ndpi_search_into_bittorrent_cache(ndpi_struct, flow, packet->iph->saddr, sport, packet->iph->daddr, dport))
+ if(packet->iph && ndpi_search_into_bittorrent_cache(ndpi_struct, flow, flow->c_address.v4, flow->c_port, flow->s_address.v4, flow->s_port))
ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 0, NDPI_CONFIDENCE_DPI_CACHE);
else
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
diff --git a/src/lib/protocols/ftp_data.c b/src/lib/protocols/ftp_data.c
index 4a3ad973d..2c3f06d97 100644
--- a/src/lib/protocols/ftp_data.c
+++ b/src/lib/protocols/ftp_data.c
@@ -232,7 +232,7 @@ static void ndpi_check_ftp_data(struct ndpi_detection_module_struct *ndpi_struct
Make sure we see the beginning of the connection as otherwise we might have
false positive results
*/
- if(flow->l4.tcp.seen_syn) {
+ if(ndpi_seen_flow_beginning(flow)) {
if((packet->payload_packet_len > 0)
&& (ndpi_match_file_header(ndpi_struct, flow)
|| ndpi_match_ftp_data_directory(ndpi_struct, flow)
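Review bot: `ndpi_seen_flow_beginning(flow)` replaces only `flow->l4.tcp.seen_syn` here, but in lotus_notes.c the same call replaces `seen_syn && seen_syn_ack && seen_ack`, so one of the two dissectors changes its false-positive guard without the diff saying which. The helper is defined outside this page; if it requires the full handshake, FTP data detection becomes stricter, and if it accepts an application-supplied hint, the guard is only as reliable as that hint. I would extend the existing comment with something like `/* ndpi_seen_flow_beginning(): full 3-way handshake seen, or flow start asserted by the application */` once the actual condition is confirmed. ndpi_check_ftp_data starts and ends outside the hunk.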
diff --git a/src/lib/protocols/icecast.c b/src/lib/protocols/icecast.c
index ce8b20c12..c8dac6b48 100644
--- a/src/lib/protocols/icecast.c
+++ b/src/lib/protocols/icecast.c
@@ -60,14 +60,12 @@ void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, s
}
}
- if(flow == NULL) return;
-
- if((packet->packet_direction == flow->setup_packet_direction)
+ if(ndpi_current_pkt_from_client_to_server(packet, flow)
&& (flow->packet_counter < 10)) {
return;
}
- if(packet->packet_direction != flow->setup_packet_direction) {
+ if(ndpi_current_pkt_from_server_to_client(packet, flow)) {
/* server answer, now test Server for Icecast */
ndpi_parse_packet_line_info(ndpi_struct, flow);
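Review bot: Removing `if(flow == NULL) return;` leaves `flow->packet_counter` and both direction helpers dereferencing `flow` with no visible guard in this hunk. If `flow` is already dereferenced earlier in ndpi_search_icecast_tcp (the function starts outside the hunk) the check was dead and the removal is fine, but that is worth a line in the commit message since it is unrelated to the client/server change. It is also worth confirming that `ndpi_current_pkt_from_client_to_server` and `ndpi_current_pkt_from_server_to_client` are exact complements, as the old `==`/`!=` pair was; otherwise a packet whose direction is undetermined would match neither branch.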
diff --git a/src/lib/protocols/lotus_notes.c b/src/lib/protocols/lotus_notes.c
index ff5c9cf71..376507f23 100644
--- a/src/lib/protocols/lotus_notes.c
+++ b/src/lib/protocols/lotus_notes.c
@@ -37,11 +37,8 @@ static void ndpi_check_lotus_notes(struct ndpi_detection_module_struct *ndpi_str
flow->l4.tcp.lotus_notes_packet_id++;
- if((flow->l4.tcp.lotus_notes_packet_id == 1)
- /* We have seen the 3-way handshake */
- && flow->l4.tcp.seen_syn
- && flow->l4.tcp.seen_syn_ack
- && flow->l4.tcp.seen_ack) {
+ if((flow->l4.tcp.lotus_notes_packet_id == 1) &&
+ ndpi_seen_flow_beginning(flow)) {
if(payload_len > 16) {
char lotus_notes_header[] = { 0x00, 0x00, 0x02, 0x00, 0x00, 0x40, 0x02, 0x0F };