diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-09-20 22:24:47 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-09-20 22:24:47 +0200 |
| commit | a7c2734b387f6817088593f7c4e78d01dd6e0b74 (patch) | |
| tree | b112686c6ff07ae8210567f6079f415e8fb7ff2d /src/lib/protocols | |
| parent | 174cd739dbb1358ab012c4779e42e0221bef835c (diff) | |
Remove classification "by-ip" from protocol stack (#1743)
Basically:
* "classification by-ip" (i.e. `flow->guessed_protocol_id_by_ip` is
NEVER returned in the protocol stack (i.e.
`flow->detected_protocol_stack[]`);
* if the application is interested into such information, it can access
`ndpi_protocol->protocol_by_ip` itself.
There are mainly 4 points in the code that set the "classification
by-ip" in the protocol stack: the generic `ndpi_set_detected_protocol()`/
`ndpi_detection_giveup()` functions and the HTTP/STUN dissectors.
In the unit tests output, a print about `ndpi_protocol->protocol_by_ip`
has been added for each flow: the huge diff of this commit is mainly due
to that.
Strictly speaking, this change is NOT an API/ABI breakage, but there are
important differences in the classification results. For examples:
* TLS flows without the initial handshake (or without a matching
SNI/certificate) are simply classified as `TLS`;
* similar for HTTP or QUIC flows;
* DNS flows without a matching request domain are simply classified as
`DNS`; we don't have `DNS/Google` anymore just because the server is
8.8.8.8 (that was an outrageous behaviour...);
* flows previusoly classified only "by-ip" are now classified as
`NDPI_PROTOCOL_UNKNOWN`.
See #1425 for other examples of why adding the "classification by-ip" in
the protocol stack is a bad idea.
Please, note that IPV6 is not supported :( (long standing issue in nDPI) i.e.
`ndpi_protocol->protocol_by_ip` wil be always `NDPI_PROTOCOL_UNKNOWN` for
IPv6 flows.
Define `NDPI_CONFIDENCE_MATCH_BY_IP` has been removed.
Close #1687
Diffstat (limited to 'src/lib/protocols')
| -rw-r--r-- | src/lib/protocols/ajp.c | 2 | ||||
| -rw-r--r-- | src/lib/protocols/alicloud.c | 2 | ||||
| -rw-r--r-- | src/lib/protocols/http.c | 14 | ||||
| -rw-r--r-- | src/lib/protocols/mongodb.c | 2 | ||||
| -rw-r--r-- | src/lib/protocols/stun.c | 12 | ||||
| -rw-r--r-- | src/lib/protocols/tls.c | 4 | ||||
| -rw-r--r-- | src/lib/protocols/websocket.c | 2 |
7 files changed, 15 insertions, 23 deletions
diff --git a/src/lib/protocols/ajp.c b/src/lib/protocols/ajp.c index 88782c9ec..97313f4a1 100644 --- a/src/lib/protocols/ajp.c +++ b/src/lib/protocols/ajp.c @@ -63,7 +63,7 @@ static void set_ajp_detected(struct ndpi_detection_module_struct *ndpi_struct, /* If no custom protocol has been detected */ /* if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) */ ndpi_int_reset_protocol(flow); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AJP, flow->guessed_protocol_id_by_ip, NDPI_CONFIDENCE_DPI); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AJP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); } } diff --git a/src/lib/protocols/alicloud.c b/src/lib/protocols/alicloud.c index add82dbe8..8530db4a2 100644 --- a/src/lib/protocols/alicloud.c +++ b/src/lib/protocols/alicloud.c @@ -30,7 +30,7 @@ static void ndpi_int_alicloud_add_connection(struct ndpi_detection_module_struct { NDPI_LOG_INFO(ndpi_struct, "found alicloud\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_protocol_id_by_ip, NDPI_PROTOCOL_ALICLOUD, + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ALICLOUD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); } diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 6fd70d9b6..b50967a3c 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -335,22 +335,12 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd struct ndpi_flow_struct *flow, u_int16_t http_protocol, ndpi_protocol_category_t category) { - u_int16_t master_protocol, app_protocol; + u_int16_t master_protocol; #ifdef HTTP_DEBUG printf("=> %s()\n", __FUNCTION__); #endif - app_protocol = flow->guessed_protocol_id_by_ip; - /* If no custom protocol has been detected */ - if((app_protocol == NDPI_PROTOCOL_UNKNOWN) - || ((http_protocol != NDPI_PROTOCOL_HTTP) && - (http_protocol != NDPI_PROTOCOL_HTTP_CONNECT) && - (http_protocol != NDPI_PROTOCOL_HTTP_PROXY)) - ) - app_protocol = http_protocol; - - // ndpi_int_reset_protocol(flow); master_protocol = NDPI_PROTOCOL_HTTP; if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) master_protocol = flow->detected_protocol_stack[1]; @@ -363,7 +353,7 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd sub-protocol via the (content-matched) subprotocols logic (i.e. MPEGDASH, SOAP, ....) */ if(flow->detected_protocol_stack[1] == 0) - ndpi_set_detected_protocol(ndpi_struct, flow, app_protocol, + ndpi_set_detected_protocol(ndpi_struct, flow, http_protocol, master_protocol, NDPI_CONFIDENCE_DPI); diff --git a/src/lib/protocols/mongodb.c b/src/lib/protocols/mongodb.c index 1ed4fdcb1..1404cf3ba 100644 --- a/src/lib/protocols/mongodb.c +++ b/src/lib/protocols/mongodb.c @@ -58,7 +58,7 @@ static void set_mongodb_detected(struct ndpi_detection_module_struct *ndpi_struc /* If no custom protocol has been detected */ /* if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) */ ndpi_int_reset_protocol(flow); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MONGODB, flow->guessed_protocol_id_by_ip, NDPI_CONFIDENCE_DPI); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MONGODB, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); } } diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index 070939b87..b0826fd4b 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -51,10 +51,12 @@ static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *nd struct ndpi_packet_struct *packet = &ndpi_struct->packet; ndpi_confidence_t confidence = NDPI_CONFIDENCE_DPI; - if(app_proto == NDPI_PROTOCOL_GOOGLE) - app_proto = NDPI_PROTOCOL_HANGOUT_DUO; - else if(app_proto == NDPI_PROTOCOL_FACEBOOK) - app_proto = NDPI_PROTOCOL_FACEBOOK_VOIP; + if(app_proto == NDPI_PROTOCOL_UNKNOWN) { + if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_GOOGLE) + app_proto = NDPI_PROTOCOL_HANGOUT_DUO; + else if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_FACEBOOK) + app_proto = NDPI_PROTOCOL_FACEBOOK_VOIP; + } if(ndpi_struct->stun_cache == NULL) ndpi_struct->stun_cache = ndpi_lru_cache_init(1024); @@ -424,7 +426,7 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n NDPI_LOG_DBG(ndpi_struct, "search stun\n"); - app_proto = flow->guessed_protocol_id_by_ip; + app_proto = NDPI_PROTOCOL_UNKNOWN; if(packet->tcp) { /* STUN may be encapsulated in TCP packets */ diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 4397bf705..3cfe70e3a 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -309,7 +309,7 @@ static void checkTLSSubprotocol(struct ndpi_detection_module_struct *ndpi_struct if(ndpi_lru_find_cache(ndpi_struct->tls_cert_cache, key, &cached_proto, 0 /* Don't remove it as it can be used for other connections */)) { - ndpi_protocol ret = { __get_master(ndpi_struct, flow), cached_proto, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL}; + ndpi_protocol ret = { __get_master(ndpi_struct, flow), cached_proto, NDPI_PROTOCOL_UNKNOWN /* unused */, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL}; ndpi_set_detected_protocol(ndpi_struct, flow, cached_proto, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI_CACHE); flow->category = ndpi_get_proto_category(ndpi_struct, ret); @@ -689,7 +689,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi if(rc == 0) { /* Match found */ u_int16_t proto_id = (u_int16_t)val; - ndpi_protocol ret = { __get_master(ndpi_struct, flow), proto_id, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL}; + ndpi_protocol ret = { __get_master(ndpi_struct, flow), proto_id, NDPI_PROTOCOL_UNKNOWN /* unused */, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL}; ndpi_set_detected_protocol(ndpi_struct, flow, proto_id, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI); flow->category = ndpi_get_proto_category(ndpi_struct, ret); diff --git a/src/lib/protocols/websocket.c b/src/lib/protocols/websocket.c index 1438825b5..304fa6833 100644 --- a/src/lib/protocols/websocket.c +++ b/src/lib/protocols/websocket.c @@ -53,7 +53,7 @@ static void set_websocket_detected(struct ndpi_detection_module_struct *ndpi_str ndpi_search_tcp_or_udp(ndpi_struct, flow); ndpi_int_reset_protocol(flow); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBSOCKET, flow->guessed_protocol_id_by_ip, NDPI_CONFIDENCE_DPI); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBSOCKET, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); } } |