authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2025-01-06 18:58:24 +0100
committerGitHub <noreply@github.com>2025-01-06 18:58:24 +0100
commitc34b692a4b33886525c147a94469745609f416ad (patch)
treeb542c9af20e9ed4fd549f0cf5d8fd5003636bc1a /src/lib
parent1d99eb37d7ca382b8e77cc4694e3aaf36d3987db (diff)
Classifications "by-port"/"by-ip" should never change (#2656)
Add a new variable to keep track of internal partial classification
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/ndpi_main.c22
-rw-r--r--src/lib/protocols/http.c3
-rw-r--r--src/lib/protocols/mail_imap.c1
-rw-r--r--src/lib/protocols/mail_pop.c1
-rw-r--r--src/lib/protocols/ssh.c2
-rw-r--r--src/lib/protocols/tls.c9
-rw-r--r--src/lib/protocols/wireguard.c2
7 files changed, 22 insertions, 18 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 8c05084fe..c8f483da9 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -7427,8 +7427,11 @@ static u_int32_t check_ndpi_detection_func(struct ndpi_detection_module_struct *
int is_tcp_without_payload) {
void *func = NULL;
u_int32_t num_calls = 0;
- u_int16_t proto_index = ndpi_str->proto_defaults[flow->guessed_protocol_id].protoIdx;
- u_int16_t proto_id = ndpi_str->proto_defaults[flow->guessed_protocol_id].protoId;
+ /* First callback is associated to classification by-port,
+ if we don't already have a partial classification */
+ u_int16_t fast_callback_protocol_id = flow->fast_callback_protocol_id ? flow->fast_callback_protocol_id : flow->guessed_protocol_id;
+ u_int16_t proto_index = ndpi_str->proto_defaults[fast_callback_protocol_id].protoIdx;
+ u_int16_t proto_id = ndpi_str->proto_defaults[fast_callback_protocol_id].protoId;
NDPI_PROTOCOL_BITMASK detection_bitmask;
u_int32_t a;
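Review bot: The new `fast_callback_protocol_id` initializer tests the flow field for truthiness, which silently relies on NDPI_PROTOCOL_UNKNOWN being 0, while the other new code in this commit (the `if` in the next hunk and the check in ndpi_detection_giveup) compares against the constant explicitly. Writing it as `flow->fast_callback_protocol_id != NDPI_PROTOCOL_UNKNOWN ? flow->fast_callback_protocol_id : flow->guessed_protocol_id` keeps the three sites consistent. The chosen id is also used to index `ndpi_str->proto_defaults[]` on the next two lines before the `!= NDPI_PROTOCOL_UNKNOWN` test, and the field is now written by individual dissectors (ssh, tls, wireguard in this commit), so a short comment stating that it must always hold a valid protocol id would help future dissector authors. The body of check_ndpi_detection_func starts and continues outside this hunk.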
@@ -7441,14 +7444,14 @@ static u_int32_t check_ndpi_detection_func(struct ndpi_detection_module_struct *
(ndpi_str->callback_buffer[proto_index].ndpi_selection_bitmask & ndpi_selection_packet) ==
ndpi_str->callback_buffer[proto_index].ndpi_selection_bitmask)
{
- if((flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) &&
- (ndpi_str->proto_defaults[flow->guessed_protocol_id].func != NULL) &&
+ if((fast_callback_protocol_id != NDPI_PROTOCOL_UNKNOWN) &&
+ (ndpi_str->proto_defaults[fast_callback_protocol_id].func != NULL) &&
(is_tcp_without_payload == 0 ||
((ndpi_str->callback_buffer[proto_index].ndpi_selection_bitmask &
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) == 0)))
{
- ndpi_str->proto_defaults[flow->guessed_protocol_id].func(ndpi_str, flow);
- func = ndpi_str->proto_defaults[flow->guessed_protocol_id].func;
+ ndpi_str->proto_defaults[fast_callback_protocol_id].func(ndpi_str, flow);
+ func = ndpi_str->proto_defaults[fast_callback_protocol_id].func;
num_calls++;
}
}
@@ -8013,6 +8016,12 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
if(ret.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN)
return(ret);
+ /* Partial classification */
+ if(flow->fast_callback_protocol_id != NDPI_PROTOCOL_UNKNOWN) {
+ ndpi_set_detected_protocol(ndpi_str, flow, flow->fast_callback_protocol_id, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL);
+ ret.proto.app_protocol = flow->detected_protocol_stack[0];
+ }
+
/* Check some caches */
/* Does it looks like BitTorrent? */
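Review bot: The `/* Partial classification */` comment does not explain why this block, unlike the `return(ret);` directly above it, sets `ret.proto.app_protocol` and then falls through into the cache checks. Whether those later checks are guarded against overwriting the result is not visible in this hunk, so the intent should be stated here, for example `/* Partial classification: a dissector recognised the flow but did not finish; report it with NDPI_CONFIDENCE_DPI_PARTIAL. No return: <reason> */`. It would also help to note that callers applying policy to the result should check the confidence value, since this path reports a protocol a dissector only speculated about. ndpi_detection_giveup continues outside the hunk.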
@@ -8549,6 +8558,7 @@ static int ndpi_do_guess(struct ndpi_detection_module_struct *ndpi_str, struct n
ntohs(flow->c_port), ntohs(flow->s_port),
&user_defined_proto);
flow->guessed_protocol_id_by_ip = ndpi_guess_host_protocol_id(ndpi_str, flow);
+ flow->fast_callback_protocol_id = NDPI_PROTOCOL_UNKNOWN;
ret->protocol_by_ip = flow->guessed_protocol_id_by_ip;
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 80ea122fd..644af63f7 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -1148,9 +1148,6 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 0);
}
- if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)
- flow->guessed_protocol_id = NDPI_PROTOCOL_HTTP;
-
ndpi_check_http_header(ndpi_struct, flow);
}
diff --git a/src/lib/protocols/mail_imap.c b/src/lib/protocols/mail_imap.c
index 1b8b31287..2c7095942 100644
--- a/src/lib/protocols/mail_imap.c
+++ b/src/lib/protocols/mail_imap.c
@@ -33,7 +33,6 @@
static void ndpi_int_mail_imap_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow,
u_int16_t protocol) {
- flow->guessed_protocol_id = NDPI_PROTOCOL_UNKNOWN; /* Avoid IMAPS to be used s sub-protocol */
ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
}
diff --git a/src/lib/protocols/mail_pop.c b/src/lib/protocols/mail_pop.c
index 5741eba0e..b51ad629c 100644
--- a/src/lib/protocols/mail_pop.c
+++ b/src/lib/protocols/mail_pop.c
@@ -49,7 +49,6 @@ static void ndpi_int_mail_pop_add_connection(struct ndpi_detection_module_struct
u_int16_t protocol) {
NDPI_LOG_INFO(ndpi_struct, "mail_pop identified\n");
- flow->guessed_protocol_id = NDPI_PROTOCOL_UNKNOWN; /* Avoid POP3S to be used s sub-protocol */
ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
}
diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c
index bf2af2aac..bdca8c059 100644
--- a/src/lib/protocols/ssh.c
+++ b/src/lib/protocols/ssh.c
@@ -441,7 +441,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct
#endif
NDPI_LOG_DBG2(ndpi_struct, "ssh stage 1 passed\n");
- flow->guessed_protocol_id = NDPI_PROTOCOL_SSH;
+ flow->fast_callback_protocol_id = NDPI_PROTOCOL_SSH;
#ifdef SSH_DEBUG
printf("[SSH] [completed stage: %u]\n", flow->l4.tcp.ssh_stage);
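Review bot: This assignment overwrites `flow->fast_callback_protocol_id` unconditionally, and the wireguard.c hunk does the same, whereas ndpi_looks_like_tls in tls.c only writes the field when it is still NDPI_PROTOCOL_UNKNOWN. If a partial classification is meant to be stable once set, the guard from tls.c should be used here as well: `if(flow->fast_callback_protocol_id == NDPI_PROTOCOL_UNKNOWN) flow->fast_callback_protocol_id = NDPI_PROTOCOL_SSH;`. If overwriting is deliberate for these two dissectors, a one-line comment saying so would prevent the three call sites from being "fixed" in different directions later. ndpi_search_ssh_tcp starts and continues outside the hunk.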
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index db0f2b419..073e22dcd 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1299,9 +1299,9 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
/* **************************************** */
static void ndpi_looks_like_tls(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow) {
- if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)
- flow->guessed_protocol_id = __get_master(ndpi_struct, flow);
+ struct ndpi_flow_struct *flow) {
+ if(flow->fast_callback_protocol_id == NDPI_PROTOCOL_UNKNOWN)
+ flow->fast_callback_protocol_id = __get_master(ndpi_struct, flow);
}
/* **************************************** */
@@ -3352,9 +3352,8 @@ static void ndpi_search_tls_wrapper(struct ndpi_detection_module_struct *ndpi_st
int rc = 0;
#ifdef DEBUG_TLS
- printf("==>> %s() %u [len: %u][version: %u]\n",
+ printf("==>> %s() [len: %u][version: %u]\n",
__FUNCTION__,
- flow->guessed_protocol_id_by_ip,
packet->payload_packet_len,
flow->protos.tls_quic.ssl_version);
#endif
diff --git a/src/lib/protocols/wireguard.c b/src/lib/protocols/wireguard.c
index f8abf31cb..90d814464 100644
--- a/src/lib/protocols/wireguard.c
+++ b/src/lib/protocols/wireguard.c
@@ -174,7 +174,7 @@ static void ndpi_search_wireguard(struct ndpi_detection_module_struct *ndpi_stru
u_int32_t receiver_index = get_u_int32_t(payload, 4);
/* We speculate this is wireguard, so let's remember it */
- flow->guessed_protocol_id = NDPI_PROTOCOL_WIREGUARD;
+ flow->fast_callback_protocol_id = NDPI_PROTOCOL_WIREGUARD;
if (flow->l4.udp.wireguard_stage == 0) {
flow->l4.udp.wireguard_stage = 3 + packet->packet_direction;