authorLuca Deri <deri@ntop.org>2022-06-20 00:22:13 +0200
committerLuca Deri <deri@ntop.org>2022-06-20 00:22:13 +0200
commitab09b8ce2e72c562ad1bfc2ec2cecca9c23fb2a8 (patch)
treefbfcf3755716752eb84ae35a4d14e0ac1c0df6e0 /src
parentc287eb835b537ce64d9293a52ca13e670b6d3b0d (diff)
Added unidirectional traffic flow risk
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h5
-rw-r--r--src/lib/ndpi_main.c37
-rw-r--r--src/lib/ndpi_utils.c4
3 files changed, 44 insertions, 2 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index faf8a5621..74e937138 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -117,7 +117,10 @@ typedef enum {
NDPI_ERROR_CODE_DETECTED,
NDPI_HTTP_CRAWLER_BOT,
NDPI_ANONYMOUS_SUBSCRIBER,
-
+ NDPI_UNIDIRECTIONAL_TRAFFIC, /* NOTE: as nDPI can detect a protocol with one packet, make sure
+ your app will clear this risk if future packets (not sent to nDPI)
+ are received in the opposite direction */
+
/* Leave this as last member */
NDPI_MAX_RISK /* must be <= 63 due to (**) */
} ndpi_risk_enum;
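Review bot: Nothing on this page enforces the `must be <= 63` bound stated on the NDPI_MAX_RISK member, and every new risk such as NDPI_UNIDIRECTIONAL_TRAFFIC moves the enum closer to it; once it is crossed, a mask like the `1UL << NDPI_UNIDIRECTIONAL_TRAFFIC` used in ndpi_main.c becomes undefined behaviour instead of a build error. A compile-time check right after the typedef, `_Static_assert(NDPI_MAX_RISK <= 63, "ndpi_risk bitmask has only 64 bits");` (or the project's own static-assert wrapper if the header must also build as pre-C11), would make the invariant self-enforcing. The enclosing `typedef enum` starts before this hunk.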
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index f22887d6a..cb7e93d26 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -153,6 +153,7 @@ static ndpi_risk_info ndpi_known_risks[] = {
{ NDPI_ERROR_CODE_DETECTED, NDPI_RISK_LOW, CLIENT_LOW_RISK_PERCENTAGE },
{ NDPI_HTTP_CRAWLER_BOT, NDPI_RISK_LOW, CLIENT_LOW_RISK_PERCENTAGE },
{ NDPI_ANONYMOUS_SUBSCRIBER, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
+ { NDPI_UNIDIRECTIONAL_TRAFFIC, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE },
/* Leave this as last member */
{ NDPI_MAX_RISK, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE }
@@ -4975,6 +4976,29 @@ static int ndpi_init_packet(struct ndpi_detection_module_struct *ndpi_str,
/* ************************************************ */
+static u_int8_t ndpi_is_multi_or_broadcast(struct ndpi_packet_struct *packet) {
+
+ if(packet->iph) {
+ /* IPv4 */
+ u_int32_t daddr = ntohl(packet->iph->daddr);
+
+ if(((daddr & 0xE0000000) == 0xE0000000 /* multicast */)
+ || ((daddr & 0x000000FF) == 0x000000FF /* last byte is 0xFF, not super correct, but a good approximation */)
+ || ((daddr & 0x000000FF) == 0x00000000 /* last byte is 0x00, not super correct, but a good approximation */)
+ || (daddr == 0xFFFFFFFF))
+ return(1);
+ } else if(packet->iphv6) {
+ /* IPv6 */
+
+ if((ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0]) & 0xFF000000) == 0xFF000000)
+ return(1);
+ }
+
+ return(0);
+}
+
+/* ************************************************ */
+
void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
struct ndpi_flow_struct *flow) {
if(!flow) {
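Review bot: The two last-octet tests (`== 0x000000FF` and `== 0x00000000`) in ndpi_is_multi_or_broadcast classify every IPv4 address ending in .0 or .255 as broadcast, so legitimate unicast hosts with such addresses in subnets larger than /24 are silently exempted from the unidirectional-traffic check, while directed broadcasts in subnets smaller than /24 are still flagged; the comment calls it an approximation but should state that consequence, e.g. `/* .0/.255 unicast hosts (subnets larger than /24) are exempted from the unidirectional risk by this heuristic */`. Without subnet knowledge this cannot be exact, so documenting the gap is probably the right scope. The IPv6 branch could read the first byte directly, `if(packet->iphv6->ip6_dst.u6_addr.u6_addr8[0] == 0xFF)`, if the union exposes a byte view as the glibc one does, which drops the byte-order conversion. Since the function only reads from the packet, `const struct ndpi_packet_struct *packet` would be the tighter signature.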
@@ -5014,7 +5038,6 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
}
if(tcph != NULL) {
-
flow->sport = tcph->source, flow->dport = tcph->dest; /* (*#*) */
if(!ndpi_str->direction_detect_disable)
@@ -5092,6 +5115,18 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
flow->packet_direction_counter[packet->packet_direction]++;
}
+ if(ndpi_is_multi_or_broadcast(packet))
+ ; /* multicast or broadcast */
+ else {
+ if(flow->packet_direction_counter[0] == 0)
+ ndpi_set_risk(ndpi_str, flow, NDPI_UNIDIRECTIONAL_TRAFFIC, "No client to server traffic"); /* Should never happen */
+ else if(flow->packet_direction_counter[1] == 0)
+ ndpi_set_risk(ndpi_str, flow, NDPI_UNIDIRECTIONAL_TRAFFIC, "No server to client traffic");
+ else {
+ flow->risk &= ~(1UL << NDPI_UNIDIRECTIONAL_TRAFFIC); /* Clear bit */
+ }
+ }
+
if(flow->byte_counter[packet->packet_direction] + packet->payload_packet_len >
flow->byte_counter[packet->packet_direction]) {
flow->byte_counter[packet->packet_direction] += packet->payload_packet_len;
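Review bot: The bit clear `flow->risk &= ~(1UL << NDPI_UNIDIRECTIONAL_TRAFFIC)` builds its mask in `unsigned long`, which is 32 bits on Windows and on 32-bit targets; the enum header allows risk ordinals up to 63 and `flow->risk` is presumably the 64-bit bitmask that bound implies, so if this risk's ordinal is 32 or above the shift is undefined behaviour there and the bit is never cleared. Use a 64-bit constant, `flow->risk &= ~(1ULL << NDPI_UNIDIRECTIONAL_TRAFFIC);`, or cast `1` to the type of `flow->risk`. The `if(...) ; else { ... }` shape with an empty then-branch reads more directly inverted, `if(!ndpi_is_multi_or_broadcast(packet)) { ... }`. `ndpi_set_risk` is also invoked on every packet while one direction is still empty, so it is worth confirming it is idempotent for an already-set risk rather than re-recording the info string each time. ndpi_connection_tracking starts before this hunk.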
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index e5339712b..c75ecf151 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1914,6 +1914,10 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
return("Anonymous Subscriber");
break;
+ case NDPI_UNIDIRECTIONAL_TRAFFIC:
+ return("Unidirectional Traffic");
+ break;
+
default:
ndpi_snprintf(buf, sizeof(buf), "%d", (int)risk);
return(buf);