author | Luca <deri@ntop.org> | 2018-11-29 08:44:41 +0100 |
---|---|---|
committer | Luca <deri@ntop.org> | 2018-11-29 08:44:41 +0100 |
commit | c09284ba276a3caf9dd4a8d9440e35e2808d5551 (patch) | |
tree | 9b5b82ceca28b6f89ef37f73069e2c624cee1fca /src/lib | |
parent | 622519e90ec2327ce8507783fb3858397bd42c07 (diff) |
Improved heuristics
Used the host guessed protocol if upper protocol has not been detected
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/ndpi_content_match.c.inc | 4 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 9 | ||||
-rw-r--r-- | src/lib/protocols/skype.c | 5 |
3 files changed, 14 insertions, 4 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 7ea9927ec..45cd46484 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -118,8 +118,6 @@ static ndpi_network host_protocol_list[] = { { 0x67071E25 /* 103.7.30.37/32 */, 32, NDPI_PROTOCOL_WECHAT }, { 0XCBCDB000 /* 203.205.176.0/20 */, 20, NDPI_PROTOCOL_WECHAT }, { 0XCBCDC000 /* 203.205.192.0/18 */, 18, NDPI_PROTOCOL_WECHAT },
-
-
 /* OpenDNS, LLC
@@ -814,7 +812,7 @@ static ndpi_network host_protocol_list[] = { /* Canonical Ltd (Ubuntu)
- origin AS41231
+ origin AS41231z
 */ { 0x5BBD5800 /* 91.189.88.0/21 */, 21, NDPI_PROTOCOL_UBUNTUONE },
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 00707cd8a..0812e63ac 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -5179,6 +5179,15 @@ void ndpi_int_change_protocol(struct ndpi_detection_module_struct *ndpi_struct, if(upper_detected_protocol == lower_detected_protocol) lower_detected_protocol = NDPI_PROTOCOL_UNKNOWN;
+ if((upper_detected_protocol != NDPI_PROTOCOL_UNKNOWN)
+ && (lower_detected_protocol == NDPI_PROTOCOL_UNKNOWN)) {
+ if((flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN)
+ && (upper_detected_protocol != flow->guessed_host_protocol_id)) {
+ lower_detected_protocol = upper_detected_protocol;
+ upper_detected_protocol = flow->guessed_host_protocol_id;
+ }
+ }
+
 ndpi_int_change_flow_protocol(ndpi_struct, flow, upper_detected_protocol, lower_detected_protocol); ndpi_int_change_packet_protocol(ndpi_struct, flow,
diff --git a/src/lib/protocols/skype.c b/src/lib/protocols/skype.c
index faeac17c5..0f5e8c780 100644
--- a/src/lib/protocols/skype.c
+++ b/src/lib/protocols/skype.c
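Review bot: The trailing `z` in `origin AS41231z` in the second hunk of ndpi_content_match.c.inc looks like a stray keystroke rather than an intended edit, since the old line read `origin AS41231`. The comment is the only record visible here of which autonomous system the Ubuntu One prefix was taken from, so it should stay a valid AS number for anyone re-checking the address ranges. I would restore `origin AS41231`.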
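Review bot: The added block in ndpi_int_change_protocol replaces a dissector result with a host-based guess and nothing in the code says so: when only `upper_detected_protocol` is set and `flow->guessed_host_protocol_id` differs from it, the guess becomes the upper protocol and the dissected protocol is moved to lower. Consumers that filter or alert on the upper protocol would then be acting on the guess, which presumably comes from the address ranges in host_protocol_list and is weaker evidence than a payload match on shared or reassigned ranges. I would add a comment above the block such as `/* Only the dissector matched: report the host-based guess as upper and keep the dissected protocol as lower */`. The commit message says the guess is used when the upper protocol "has not been detected", while the condition requires `upper_detected_protocol != NDPI_PROTOCOL_UNKNOWN`, so one of the two should be reworded. The function body starts and continues outside the hunk.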
@@ -72,7 +72,10 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; // TCP check
- } else if(packet->tcp != NULL) {
+ } else if((packet->tcp != NULL)
+ /* As the TCP skype heuristic is weak, we need to make sure no other protocols overlap */
+ && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN)
+ && (flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)) {
 flow->l4.tcp.skype_packet_id++; if(flow->l4.tcp.skype_packet_id < 3) { |
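Review bot: When either guess is set, a TCP flow now skips the whole branch in ndpi_check_skype, and from the visible lines nothing on that path calls `NDPI_EXCLUDE_PROTO(ndpi_struct, flow)`, so Skype may stay a candidate and the check may be re-evaluated for later packets of the flow. If the guesses do not change during a flow, keeping `} else if(packet->tcp != NULL) {` and opening the body with `if((flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) || (flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN)) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; }` would record the decision once. The explanatory comment would also read better above the `else if` than inside its condition. The rest of the if/else chain is outside the hunk, so this needs checking against the full function.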