authorNardi Ivan <nardi.ivan@gmail.com>2022-08-12 16:40:41 +0200
committerToni <matzeton@googlemail.com>2022-09-14 17:51:39 +0200
commit7571f48392ef3b79eb25b94f1da6932a137c4f02 (patch)
treecf983fb14349660a262b611035ddabb2ac7718ae /src/lib/protocols
parentb4f52437169b8b3c92811566af3965719b4e0c2c (diff)
Dissectors shouldn't update `flow->guessed_host_protocol_id`
The field `flow->guessed_host_protocol_id` is set at the beginning of the flow analysis and it represents the "classification by ip" of the flow itself. This field should never be changed. Dissectors which want to provide a "hint" about the classification should update `flow->guessed_protocol_id` instead. Such a "hint" is useless if the dissector sets the "extra-dissection" data-path. Rename `guessed_host_protocol_id` to `guessed_protocol_id_by_ip` to better describe its role. Preliminary work necessary for #1687
Diffstat (limited to 'src/lib/protocols')
-rw-r--r--src/lib/protocols/ajp.c2
-rw-r--r--src/lib/protocols/alicloud.c2
-rw-r--r--src/lib/protocols/http.c27
-rw-r--r--src/lib/protocols/mongodb.c2
-rw-r--r--src/lib/protocols/ssh.c4
-rw-r--r--src/lib/protocols/stun.c2
-rw-r--r--src/lib/protocols/tcp_udp.c2
-rw-r--r--src/lib/protocols/telnet.c2
-rw-r--r--src/lib/protocols/tls.c2
-rw-r--r--src/lib/protocols/websocket.c2
-rw-r--r--src/lib/protocols/wireguard.c3
11 files changed, 26 insertions, 24 deletions
diff --git a/src/lib/protocols/ajp.c b/src/lib/protocols/ajp.c
index f2a9ec920..88782c9ec 100644
--- a/src/lib/protocols/ajp.c
+++ b/src/lib/protocols/ajp.c
@@ -63,7 +63,7 @@ static void set_ajp_detected(struct ndpi_detection_module_struct *ndpi_struct,
/* If no custom protocol has been detected */
/* if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) */
ndpi_int_reset_protocol(flow);
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AJP, flow->guessed_host_protocol_id, NDPI_CONFIDENCE_DPI);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AJP, flow->guessed_protocol_id_by_ip, NDPI_CONFIDENCE_DPI);
}
}
diff --git a/src/lib/protocols/alicloud.c b/src/lib/protocols/alicloud.c
index b8ce58d81..add82dbe8 100644
--- a/src/lib/protocols/alicloud.c
+++ b/src/lib/protocols/alicloud.c
@@ -30,7 +30,7 @@ static void ndpi_int_alicloud_add_connection(struct ndpi_detection_module_struct
{
NDPI_LOG_INFO(ndpi_struct, "found alicloud\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_ALICLOUD,
+ ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_protocol_id_by_ip, NDPI_PROTOCOL_ALICLOUD,
NDPI_CONFIDENCE_DPI);
}
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index dd494702a..6fd70d9b6 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -335,22 +335,20 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd
struct ndpi_flow_struct *flow,
u_int16_t http_protocol,
ndpi_protocol_category_t category) {
- u_int16_t master_protocol;
+ u_int16_t master_protocol, app_protocol;
#ifdef HTTP_DEBUG
printf("=> %s()\n", __FUNCTION__);
#endif
- if(flow->extra_packets_func && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN))
- return; /* Nothing new to add */
-
+ app_protocol = flow->guessed_protocol_id_by_ip;
/* If no custom protocol has been detected */
- if((flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN)
+ if((app_protocol == NDPI_PROTOCOL_UNKNOWN)
|| ((http_protocol != NDPI_PROTOCOL_HTTP) &&
(http_protocol != NDPI_PROTOCOL_HTTP_CONNECT) &&
(http_protocol != NDPI_PROTOCOL_HTTP_PROXY))
)
- flow->guessed_host_protocol_id = http_protocol;
+ app_protocol = http_protocol;
// ndpi_int_reset_protocol(flow);
master_protocol = NDPI_PROTOCOL_HTTP;
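Review bot: The retained comment `/* If no custom protocol has been detected */` now sits over a test on the local `app_protocol`, which is seeded from `flow->guessed_protocol_id_by_ip`, so it no longer says what is being checked. Something like `/* No classification by IP, or a specific HTTP sub-protocol: report http_protocol as the application */` would match the new code. The early return on `flow->extra_packets_func` is also removed without a replacement in this hunk; presumably the `detected_protocol_stack[1] == 0` test in the following hunk covers repeated calls, and a short comment saying so would help. The function body continues outside the hunk.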
@@ -365,7 +363,7 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd
sub-protocol via the (content-matched) subprotocols logic (i.e.
MPEGDASH, SOAP, ....) */
if(flow->detected_protocol_stack[1] == 0)
- ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id,
+ ndpi_set_detected_protocol(ndpi_struct, flow, app_protocol,
master_protocol,
NDPI_CONFIDENCE_DPI);
@@ -408,27 +406,36 @@ static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct,
static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
+ u_int16_t master_protocol;
+
if((flow->l4.tcp.http_stage == 0) || (flow->http.url && flow->http_detected)) {
char *double_col = strchr((char*)flow->host_server_name, ':');
if(double_col) double_col[0] = '\0';
+ master_protocol = NDPI_PROTOCOL_HTTP;
+ if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN)
+ master_protocol = flow->detected_protocol_stack[1];
+ else if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP_CONNECT ||
+ flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP_PROXY)
+ master_protocol = flow->detected_protocol_stack[0];
+
if(ndpi_match_hostname_protocol(ndpi_struct, flow,
- flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN ? flow->detected_protocol_stack[1] : NDPI_PROTOCOL_HTTP,
+ master_protocol,
flow->host_server_name,
strlen(flow->host_server_name)) == 0) {
if(flow->http.url &&
((strstr(flow->http.url, ":8080/downloading?n=0.") != NULL)
|| (strstr(flow->http.url, ":8080/upload?n=0.") != NULL))) {
/* This looks like Ookla speedtest */
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, master_protocol, NDPI_CONFIDENCE_DPI);
}
}
if (flow->http.url != NULL &&
strstr(flow->http.url, "micloud.xiaomi.net") != NULL)
{
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_XIAOMI, NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_XIAOMI, master_protocol, NDPI_CONFIDENCE_DPI);
}
}
}
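Review bot: The new `master_protocol` selection at the top of the `if` block has no comment, and the reason `NDPI_PROTOCOL_HTTP_CONNECT`/`NDPI_PROTOCOL_HTTP_PROXY` are taken from `detected_protocol_stack[0]` is not obvious from the code. I would add `/* Keep an already detected master, or HTTP_CONNECT/HTTP_PROXY, so the sub-protocol matches below do not relabel the flow as plain HTTP */` above it. `master_protocol` is only assigned and read inside that `if`, so its declaration could move into the block as well.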
diff --git a/src/lib/protocols/mongodb.c b/src/lib/protocols/mongodb.c
index 1f1619141..1ed4fdcb1 100644
--- a/src/lib/protocols/mongodb.c
+++ b/src/lib/protocols/mongodb.c
@@ -58,7 +58,7 @@ static void set_mongodb_detected(struct ndpi_detection_module_struct *ndpi_struc
/* If no custom protocol has been detected */
/* if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) */
ndpi_int_reset_protocol(flow);
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MONGODB, flow->guessed_host_protocol_id, NDPI_CONFIDENCE_DPI);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MONGODB, flow->guessed_protocol_id_by_ip, NDPI_CONFIDENCE_DPI);
}
}
diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c
index 36e950ce1..935ec3cc7 100644
--- a/src/lib/protocols/ssh.c
+++ b/src/lib/protocols/ssh.c
@@ -209,8 +209,6 @@ static void ndpi_int_ssh_add_connection(struct ndpi_detection_module_struct
if(flow->extra_packets_func != NULL)
return;
- flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_SSH;
-
flow->max_extra_packets_to_check = 12;
flow->extra_packets_func = search_ssh_again;
@@ -445,7 +443,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct
#endif
NDPI_LOG_DBG2(ndpi_struct, "ssh stage 1 passed\n");
- flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_SSH;
+ flow->guessed_protocol_id = NDPI_PROTOCOL_SSH;
#ifdef SSH_DEBUG
printf("[SSH] [completed stage: %u]\n", flow->l4.tcp.ssh_stage);
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index beec5a508..070939b87 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -424,7 +424,7 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
NDPI_LOG_DBG(ndpi_struct, "search stun\n");
- app_proto = flow->guessed_host_protocol_id;
+ app_proto = flow->guessed_protocol_id_by_ip;
if(packet->tcp) {
/* STUN may be encapsulated in TCP packets */
diff --git a/src/lib/protocols/tcp_udp.c b/src/lib/protocols/tcp_udp.c
index 03965d1c2..dd25292f5 100644
--- a/src/lib/protocols/tcp_udp.c
+++ b/src/lib/protocols/tcp_udp.c
@@ -40,7 +40,7 @@ u_int ndpi_search_tcp_or_udp_raw(struct ndpi_detection_module_struct *ndpi_struc
}
if(flow)
- return(flow->guessed_host_protocol_id);
+ return(flow->guessed_protocol_id_by_ip);
else {
host.s_addr = htonl(saddr);
if((rc = ndpi_network_ptree_match(ndpi_struct, &host)) != NDPI_PROTOCOL_UNKNOWN)
diff --git a/src/lib/protocols/telnet.c b/src/lib/protocols/telnet.c
index ed0808596..5bec572e6 100644
--- a/src/lib/protocols/telnet.c
+++ b/src/lib/protocols/telnet.c
@@ -130,8 +130,6 @@ static int search_telnet_again(struct ndpi_detection_module_struct *ndpi_struct,
static void ndpi_int_telnet_add_connection(struct ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow) {
- flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_TELNET;
-
flow->max_extra_packets_to_check = 64;
flow->extra_packets_func = search_telnet_again;
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index fe36555ed..4397bf705 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -2491,7 +2491,7 @@ static void ndpi_search_tls_wrapper(struct ndpi_detection_module_struct *ndpi_st
#ifdef DEBUG_TLS
printf("==>> %s() %u [len: %u][version: %u]\n",
__FUNCTION__,
- flow->guessed_host_protocol_id,
+ flow->guessed_protocol_id_by_ip,
packet->payload_packet_len,
flow->protos.tls_quic.ssl_version);
#endif
diff --git a/src/lib/protocols/websocket.c b/src/lib/protocols/websocket.c
index e009e7916..1438825b5 100644
--- a/src/lib/protocols/websocket.c
+++ b/src/lib/protocols/websocket.c
@@ -53,7 +53,7 @@ static void set_websocket_detected(struct ndpi_detection_module_struct *ndpi_str
ndpi_search_tcp_or_udp(ndpi_struct, flow);
ndpi_int_reset_protocol(flow);
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBSOCKET, flow->guessed_host_protocol_id, NDPI_CONFIDENCE_DPI);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBSOCKET, flow->guessed_protocol_id_by_ip, NDPI_CONFIDENCE_DPI);
}
}
diff --git a/src/lib/protocols/wireguard.c b/src/lib/protocols/wireguard.c
index a2e2291bc..8a0d15e00 100644
--- a/src/lib/protocols/wireguard.c
+++ b/src/lib/protocols/wireguard.c
@@ -140,8 +140,7 @@ void ndpi_search_wireguard(struct ndpi_detection_module_struct
u_int32_t receiver_index = get_u_int32_t(payload, 4);
/* We speculate this is wireguard, so let's remember it */
- if(flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN)
- flow->guessed_host_protocol_id = NDPI_PROTOCOL_WIREGUARD;
+ flow->guessed_protocol_id = NDPI_PROTOCOL_WIREGUARD;
if (flow->l4.udp.wireguard_stage == 0) {
flow->l4.udp.wireguard_stage = 3 + packet->packet_direction;
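Review bot: The assignment to `flow->guessed_protocol_id` is now unconditional, whereas the removed lines only wrote the guess while the field was still `NDPI_PROTOCOL_UNKNOWN`. The adjacent comment calls this a speculation, so any value already stored in `guessed_protocol_id` is replaced by a match that has not been confirmed yet; whether an earlier guess can be present at this point is not visible in the hunk. If the overwrite is not intended, keep the guard: `if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) flow->guessed_protocol_id = NDPI_PROTOCOL_WIREGUARD;`; otherwise extend the comment to say that the dissector hint deliberately wins. ndpi_search_wireguard starts and ends outside the hunk.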