authorToni <matzeton@googlemail.com>2022-04-19 17:46:40 +0200
committerGitHub <noreply@github.com>2022-04-19 17:46:40 +0200
commitfa79f07d1552490a2dc0710059d56d3bb4b1efbe (patch)
tree82c1d8de75d6fee761f74613393c69e7ddc6c8d9 /src
parent739dfc54b06a6995bc4d286eb400e2675b480feb (diff)
Improved sflow protocol detection false-positives. (#1518)
Signed-off-by: lns <matzeton@googlemail.com>
Diffstat (limited to 'src')
-rw-r--r--src/lib/protocols/sflow.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/src/lib/protocols/sflow.c b/src/lib/protocols/sflow.c
index 7151e6ad7..cf0b9fcad 100644
--- a/src/lib/protocols/sflow.c
+++ b/src/lib/protocols/sflow.c
@@ -35,10 +35,19 @@ void ndpi_search_sflow(struct ndpi_detection_module_struct *ndpi_struct, struct
if((packet->udp != NULL)
&& (payload_len >= 24)
/* Version */
- && (packet->payload[0] == 0) && (packet->payload[1] == 0) && (packet->payload[2] == 0)
- && ((packet->payload[3] == 2) || (packet->payload[3] == 5))) {
- NDPI_LOG_INFO(ndpi_struct, "found sflow\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SFLOW, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00000005
+ /* Agent Address type: IPv4 / IPv6 */
+ && (ntohl(get_u_int32_t(packet->payload, 4)) == 0x00000001 ||
+ ntohl(get_u_int32_t(packet->payload, 4)) == 0x00000002)) {
+ NDPI_LOG_INFO(ndpi_struct, "found (probably) sflow\n");
+ if (flow->packet_counter >= 2)
+ {
+ NDPI_LOG_INFO(ndpi_struct, "found sflow\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow,
+ NDPI_PROTOCOL_SFLOW,
+ NDPI_PROTOCOL_UNKNOWN,
+ NDPI_CONFIDENCE_DPI);
+ }
return;
}