author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2023-12-11 14:52:31 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-12-11 14:52:31 +0100 |
commit | 673b6e73451cce242aa612c06e80b5865b243ed6 (patch) | |
tree | 09e008ba8406c03682cb195bbaac736dd6c7d6ed /src | |
parent | adf8982d8ec8a1f84bdf48b0129f5fccbb12e51b (diff) |
HTTP: faster processing of asymmetric flows (#2198)
Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_typedefs.h | 1 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 16 |
2 files changed, 15 insertions, 2 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 718fec834..e7338b0fc 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -798,6 +798,7 @@ struct ndpi_flow_tcp_struct {
 /* NDPI_PROTOCOL_HTTP */
 u_int32_t http_stage:3;
+ u_int32_t http_asymmetric_stage:2;
 /* NDPI_PROTOCOL_GNUTELLA */
 u_int32_t gnutella_stage:2; // 0 - 2
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 68ba42561..2d894f345 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -1411,6 +1411,8 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
 requests. The easiest (but costly) idea is to reset the state and process it (i.e. we keep the metadata of the last request that we have processed) */
+ if(flow->l4.tcp.http_asymmetric_stage < 2)
+ flow->l4.tcp.http_asymmetric_stage++;
 reset(ndpi_struct, flow);
 process_request(ndpi_struct, flow, filename_start);
 return;
@@ -1437,6 +1439,8 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
 NDPI_LOG_DBG2(ndpi_struct, "Another piece of response\n");
 if(is_response(ndpi_struct, flow)) {
 /* See the comment above about how we handle consecutive requests/responses */
+ if(flow->l4.tcp.http_asymmetric_stage < 2)
+ flow->l4.tcp.http_asymmetric_stage++;
 reset(ndpi_struct, flow);
 process_response(ndpi_struct, flow);
 return;
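Review bot: The new bit-field `http_asymmetric_stage:2` carries no comment, while its neighbour `gnutella_stage:2; // 0 - 2` documents the value range; this field only ever moves 0 → 1 → 2 (http.c increments it while `< 2`) and the cap value 2 is what ndpi_search_http_tcp later compares against, so the header is the right place to state that. Suggest `u_int32_t http_asymmetric_stage:2; // 0 - 2: consecutive requests (or replies) seen without the other side, saturates at 2`. The struct definition itself begins and ends outside this hunk.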
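Review bot: The increment of `flow->l4.tcp.http_asymmetric_stage` is placed immediately before `reset(ndpi_struct, flow)`, and `reset()` is not part of this diff; if it clears the HTTP portion of `flow->l4.tcp` while rewinding the state for re-processing, the counter is wiped on every iteration and never reaches 2, which would silently disable the new early exit in ndpi_search_http_tcp. Worth confirming that reset() leaves this field alone and pinning that dependency with a comment above the increment, e.g. `/* NOTE: this counter must survive the reset() below */`. The same applies to the identical increment in the is_response branch in the second http.c hunk. Both increments sit inside ndpi_check_http_tcp, whose body extends outside the hunks.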
@@ -1467,8 +1471,16 @@ static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struc
 NDPI_LOG_DBG(ndpi_struct, "search HTTP\n");
 ndpi_check_http_tcp(ndpi_struct, flow);
- if(flow->host_server_name[0] != '\0'&&
- flow->http.response_status_code != 0) {
+ if((flow->host_server_name[0] != '\0'&&
+ flow->http.response_status_code != 0) ||
+ /* We have found 3 consecutive requests (without the reply) or 3
+ consecutive replies (without the request). If the traffic is really
+ asymmetric, stop here, because we will never find the metadata from
+ both the request and the reply. We wait for 3 events (instead of 2)
+ to avoid false positives triggered by missing/dropped packets */
+ (flow->l4.tcp.http_asymmetric_stage == 2 &&
+ (flow->packet_direction_complete_counter[0] == 0 ||
+ flow->packet_direction_complete_counter[1] == 0))) {
 flow->extra_packets_func = NULL; /* We're good now */
 if(flow->initial_binary_bytes_len) ndpi_analyze_content_signature(ndpi_struct, flow);
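Review bot: The five-line explanatory comment is embedded between the `||` operands of the `if`, which makes the condition hard to read; hoisting the asymmetric test into a named local keeps the comment above the code it explains and leaves the `if` a two-line expression (the pre-existing `'\0'&&` spacing can be fixed while touching the line). Note also that on this new exit path extra dissection stops with `response_status_code` still 0 and/or `host_server_name` empty — exactly the fields the old condition guaranteed — so consumers of those fields can no longer treat "dissection finished" as "both sides seen"; a short comment at `flow->extra_packets_func = NULL` saying so would help. ndpi_search_http_tcp continues outside the hunk, so the rewrite below assumes the file's style allows a declaration after the preceding statements.
```c
  ndpi_check_http_tcp(ndpi_struct, flow);

  /* … unchanged: comment on 3 consecutive requests/replies, moved here … */
  int asymmetric = (flow->l4.tcp.http_asymmetric_stage == 2 &&
                    (flow->packet_direction_complete_counter[0] == 0 ||
                     flow->packet_direction_complete_counter[1] == 0));

  if((flow->host_server_name[0] != '\0' &&
      flow->http.response_status_code != 0) || asymmetric) {
    /* On the asymmetric path only one side's metadata is available */
    flow->extra_packets_func = NULL; /* We're good now */
    /* … unchanged: content signature analysis … */
```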