author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2023-05-17 11:26:25 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-05-17 11:26:25 +0200 |
commit | b1bcf1ff6018c55f8daaa107070e1c8503082b2b (patch) | |
tree | bb1416b3e58237e7ecae8b27102e202328919491 /src | |
parent | ace32c9dfefb2ea3130cfcdf086aacf22532c70c (diff) |
Fix classification-by-ip in `ndpi_detection_giveup` (#1981)
Return the "classification-by-ip" as protocol results only if no other
results are available.
In particular, never return something like
"protocol_by_port/protocol_by_ip" (i.e. `NTP/Apple`,
`BitTorrent/GoogleCloud`, `Zoom/AWS`) because this kind of classification
is quite confusing, if not plainly wrong.
Notes:
* the information about "classification-by-ip" is always available, so
no information is lost with this change;
* in the unit tests, the previous classifications with confidence
`NDPI_CONFIDENCE_DPI_PARTIAL` were wrong, as noted in #1957
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/ndpi_main.c | 17 |
1 files changed, 5 insertions, 12 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 882b0f0da..6e6853d8f 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -6375,7 +6375,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st ret.app_protocol = flow->detected_protocol_stack[0]; } - /* Classification by-port is the last resort */ + /* Classification by-port */ if(enable_guess && ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) { /* Ignore guessed protocol if they have been discarded */ @@ -6391,21 +6391,14 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st } } + /* Classification by-ip, as last effort */ + if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN && + flow->guessed_protocol_id_by_ip != NDPI_PROTOCOL_UNKNOWN) { - if((flow->guessed_protocol_id_by_ip != NDPI_PROTOCOL_UNKNOWN) - && ((ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) || (ret.master_protocol == NDPI_PROTOCOL_UNKNOWN))) { - - if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) ndpi_int_change_protocol(ndpi_str, flow, flow->guessed_protocol_id_by_ip, ret.master_protocol, NDPI_CONFIDENCE_MATCH_BY_IP); - else - /* master_protocol == NDPI_PROTOCOL_UNKNOWN) */ - ndpi_int_change_protocol(ndpi_str, flow, - flow->guessed_protocol_id_by_ip, ret.app_protocol, - NDPI_CONFIDENCE_DPI_PARTIAL); - - ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; + ret.app_protocol = flow->detected_protocol_stack[0]; } if(ret.app_protocol != NDPI_PROTOCOL_UNKNOWN) { |
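Review bot: In the new by-ip block of the second hunk only `ret.app_protocol` is re-read from the flow after `ndpi_int_change_protocol()`, whereas the removed code also refreshed `ret.master_protocol` from `flow->detected_protocol_stack[1]`. `ret.master_protocol` is passed into that call as the lower protocol and the callee's body is not visible here; if it can normalise or clear the master entry, the returned `ret` and the flow's stack would disagree. Either keep `ret.master_protocol = flow->detected_protocol_stack[1];` next to the app assignment, or add a comment stating why the master entry cannot change on this path. Unlike the by-port block above it, this fallback is not gated on `enable_guess`, so the comment should also say that the result carries `NDPI_CONFIDENCE_MATCH_BY_IP` and that consumers making policy or alerting decisions should treat it as an address-range hint rather than an inspected protocol. The enclosing function starts and ends outside the hunk.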