FPC: add DPI information (#2514)

If the flow is classified (via DPI) after the first packet, we should
use this information as FPC

2 files changed, 11 insertions, 0 deletions

diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index cbdc8c2b4..a05026e87 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1000,6 +1000,7 @@ typedef enum {
   NDPI_FPC_CONFIDENCE_UNKNOWN           = 0,    /* Unknown First Packet Classification */
   NDPI_FPC_CONFIDENCE_IP,                       /* FPC based on IP address */
   NDPI_FPC_CONFIDENCE_DNS,                      /* FPC based on DNS information */
+  NDPI_FPC_CONFIDENCE_DPI,                      /* FPC based on DPI information (i.e. flow classified via DPI with only one packet)*/
 
   /*
     IMPORTANT
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index ea0c0687f..4239f3064 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -8385,6 +8385,13 @@ static void fpc_check_eval(struct ndpi_detection_module_struct *ndpi_str,
 
   /* Order by most reliable logic */
 
+  /* DPI */
+  if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) {
+    fpc_update(ndpi_str, flow, flow->detected_protocol_stack[1],
+               flow->detected_protocol_stack[0], NDPI_FPC_CONFIDENCE_DPI);
+    return;
+  }
+
   /* Check via fpc DNS cache */
   if(ndpi_str->fpc_dns_cache &&
      ndpi_lru_find_cache(ndpi_str->fpc_dns_cache, make_fpc_dns_cache_key(flow),
@@ -9517,6 +9524,9 @@ const char *ndpi_fpc_confidence_get_name(ndpi_fpc_confidence_t fpc_confidence)
   case NDPI_FPC_CONFIDENCE_DNS:
     return "DNS";
 
+  case NDPI_FPC_CONFIDENCE_DPI:
+    return "DPI";
+
   default:
     return "Invalid"; /* Out of sync with ndpi_fpc_confidence_t definition */
   }