-rw-r--r-- | example/ndpiReader.c | 10 | ||||
-rw-r--r-- | example/ndpiSimpleIntegration.c | 39 | ||||
-rw-r--r-- | example/reader_util.c | 2 | ||||
-rw-r--r-- | example/reader_util.h | 2 | ||||
-rw-r--r-- | src/include/ndpi_api.h.in | 6 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 6 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 35 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 26 |
8 files changed, 91 insertions, 35 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 99b24874b..b44346506 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -61,7 +61,7 @@
 #define ntohl64(x) ( ( (uint64_t)(ntohl( (uint32_t)((x << 32) >> 32) )) << 32) | ntohl( ((uint32_t)(x >> 32)) ) )
 #define htonl64(x) ntohl64(x)
-#define EURISTICS_CODE 1
+#define HEURISTICS_CODE 1
 /** Client parameters **/
@@ -1484,10 +1484,10 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
 }
 }
-#ifdef EURISTICS_CODE
- if(flow->ssh_tls.browser_euristics.is_safari_tls) fprintf(out, "[Safari]");
- if(flow->ssh_tls.browser_euristics.is_firefox_tls) fprintf(out, "[Firefox]");
- if(flow->ssh_tls.browser_euristics.is_chrome_tls) fprintf(out, "[Chrome]");
+#ifdef HEURISTICS_CODE
+ if(flow->ssh_tls.browser_heuristics.is_safari_tls) fprintf(out, "[Safari]");
+ if(flow->ssh_tls.browser_heuristics.is_firefox_tls) fprintf(out, "[Firefox]");
+ if(flow->ssh_tls.browser_heuristics.is_chrome_tls) fprintf(out, "[Chrome]");
 #endif
 if(flow->ssh_tls.notBefore && flow->ssh_tls.notAfter) {
diff --git a/example/ndpiSimpleIntegration.c b/example/ndpiSimpleIntegration.c
index dd679125c..42784697a 100644
--- a/example/ndpiSimpleIntegration.c
+++ b/example/ndpiSimpleIntegration.c
@@ -65,7 +65,8 @@ struct nDPI_flow_info {
 uint8_t detection_completed:1;
 uint8_t tls_client_hello_seen:1;
 uint8_t tls_server_hello_seen:1;
- uint8_t reserved_00:2;
+ uint8_t flow_info_printed:1;
+ uint8_t reserved_00:1;
 uint8_t l4_protocol;
 struct ndpi_proto detected_l7_protocol;
@@ -857,10 +858,12 @@ static void ndpi_process_packet(uint8_t * const args,
 flow_to_process->detection_completed == 0) {
 if (flow_to_process->detected_l7_protocol.master_protocol != NDPI_PROTOCOL_UNKNOWN ||
- flow_to_process->detected_l7_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN) {
- flow_to_process->detection_completed = 1;
- workflow->detected_flow_protocols++;
- printf("[%8llu, %d, %4d][DETECTED] protocol: %s | app protocol: %s | category: %s\n",
+ flow_to_process->detected_l7_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN)
+ {
+ flow_to_process->detection_completed = 1;
+ workflow->detected_flow_protocols++;
+
+ printf("[%8llu, %d, %4d][DETECTED] protocol: %s | app protocol: %s | category: %s\n",
 workflow->packets_captured,
 reader_thread->array_index,
 flow_to_process->flow_id,
@@ -885,6 +888,20 @@ static void ndpi_process_packet(uint8_t * const args,
 * EoE - End of Example */
+ if (flow_to_process->flow_info_printed == 0)
+ {
+ char const * const flow_info = ndpi_get_flow_info(flow_to_process->ndpi_flow, &flow_to_process->detected_l7_protocol);
+ if (flow_info != NULL)
+ {
+ printf("[%8llu, %d, %4d] info: %s\n",
+ workflow->packets_captured,
+ reader_thread->array_index,
+ flow_to_process->flow_id,
+ flow_info);
+ flow_to_process->flow_info_printed = 1;
+ }
+ }
+
 if (flow_to_process->detected_l7_protocol.master_protocol == NDPI_PROTOCOL_TLS ||
 flow_to_process->detected_l7_protocol.app_protocol == NDPI_PROTOCOL_TLS) {
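Review bot: `if (flow_info != NULL)` in the new flow-info block only guards against a missing pointer, but ndpi_get_flow_info (ndpi_utils.c in this commit) hands back `flow->host_server_name` for DNS/HTTP, which the cast there suggests is an array member and therefore never NULL even when no name has been parsed yet. When that happens the example prints an empty "info:" line once and then sets `flow_info_printed = 1`, so the real name is never shown for that flow. Suggest `if (flow_info != NULL && flow_info[0] != '\0')` so the print (and the one-shot flag) wait for actual content. The enclosing ndpi_process_packet starts and ends outside the hunk.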
@@ -916,8 +933,10 @@ static void ndpi_process_packet(uint8_t * const args,
 ndpi_ssl_version2str(flow_to_process->ndpi_flow,
 flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.ssl_version,
 &unknown_tls_version),
- flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.server_names_len,
- flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.server_names,
+ (flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.server_names_len == 0 ?
+ 1 : flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.server_names_len),
+ (flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.server_names == NULL ?
+ "-" : flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.server_names),
 (flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.issuerDN != NULL ?
 flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.issuerDN : "-"),
 (flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.subjectDN != NULL ?
@@ -957,7 +976,7 @@ static void * processing_thread(void * const ndpi_thread_arg)
 struct nDPI_reader_thread const * const reader_thread = (struct nDPI_reader_thread *)ndpi_thread_arg;
- printf("Starting ThreadID %d\n", reader_thread->array_index);
+ printf("Starting Thread %d\n", reader_thread->array_index);
 run_pcap_loop(reader_thread);
 reader_thread->workflow->error_or_eof = 1;
 return NULL;
@@ -1089,9 +1108,11 @@ int main(int argc, char ** argv)
 "----------------------------------\n"
 "nDPI version: %s\n"
 " API version: %u\n"
+ "libgcrypt...: %s\n"
 "----------------------------------\n", argv[0],
- ndpi_revision(), ndpi_get_api_version());
+ ndpi_revision(), ndpi_get_api_version(),
+ (ndpi_get_gcrypt_version() == NULL ? "-" : ndpi_get_gcrypt_version()));
 if (setup_reader_threads((argc >= 2 ? argv[1] : NULL)) != 0) {
 fprintf(stderr, "%s: setup_reader_threads failed\n", argv[0]);
diff --git a/example/reader_util.c b/example/reader_util.c
index 89a3fcfff..b67a45092 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
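Review bot: In the version banner of main, `ndpi_get_gcrypt_version()` is called twice inside one argument list, once for the NULL test and once for the value; it is presumably cheap, but the duplicated call is the kind of thing a reviewer asks to hoist. Suggest a local before the printf, `char const * const gcrypt_version = ndpi_get_gcrypt_version();`, and `(gcrypt_version == NULL ? "-" : gcrypt_version)` in the argument list. main starts and continues outside the hunk.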
@@ -1176,7 +1176,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
 flow->ssh_tls.sha1_cert_fingerprint_set = 1;
 }
- flow->ssh_tls.browser_euristics = flow->ndpi_flow->protos.tls_quic_stun.tls_quic.browser_euristics;
+ flow->ssh_tls.browser_heuristics = flow->ndpi_flow->protos.tls_quic_stun.tls_quic.browser_heuristics;
 if(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.alpn) {
 if((flow->ssh_tls.tls_alpn = ndpi_strdup(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.alpn)) != NULL)
diff --git a/example/reader_util.h b/example/reader_util.h
index 28ea6029e..0c584b378 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -211,7 +211,7 @@ typedef struct ndpi_flow_info {
 ja3_client[33], ja3_server[33], sha1_cert_fingerprint[20];
 u_int8_t sha1_cert_fingerprint_set;
- struct tls_euristics browser_euristics;
+ struct tls_heuristics browser_heuristics;
 struct {
 u_int16_t cipher_suite;
diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in
index df545a165..8cbbfc9e6 100644
--- a/src/include/ndpi_api.h.in
+++ b/src/include/ndpi_api.h.in
@@ -941,9 +941,6 @@ extern "C" {
 void set_ndpi_flow_free(void (*__ndpi_flow_free)(void *ptr));
 void set_ndpi_debug_function(struct ndpi_detection_module_struct *ndpi_str, ndpi_debug_function_ptr ndpi_debug_printf);
- //void * ndpi_malloc(size_t size);
- //void * ndpi_calloc(unsigned long count, size_t size);
- //void ndpi_free(void *ptr);
 u_int16_t ndpi_get_api_version(void);
 const char *ndpi_get_gcrypt_version(void);
@@ -964,6 +961,9 @@ extern "C" {
 char *buffer, u_int buffer_size,
 u_int8_t min_string_match_len, /* Will return 0 if no string > min_string_match_len have been found */
 char *outbuf, u_int outbuf_len);
+ /* Return a flow info string (summarized). Does only work for DNS/HTTP/TLS/QUIC. */
+ const char* ndpi_get_flow_info(struct ndpi_flow_struct const * const flow,
+ ndpi_protocol const * const l7_protocol);
 char* ndpi_ssl_version2str(struct ndpi_flow_struct *flow, u_int16_t version, u_int8_t *unknown_tls_version);
 int ndpi_netbios_name_interpret(u_char *in, u_int in_len, u_char *out, u_int out_len);
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index aeac33b30..f2a40db0a 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1242,9 +1242,9 @@ typedef enum {
 #define MAX_NUM_TLS_SIGNATURE_ALGORITHMS 16
-struct tls_euristics {
+struct tls_heuristics {
 /*
- TLS euristics for detecting browsers usage
+ TLS heuristics for detecting browsers usage
 NOTE: expect false positives
 */
 u_int8_t is_safari_tls:1, is_firefox_tls:1, is_chrome_tls:1, notused:5;
@@ -1361,7 +1361,7 @@ struct ndpi_flow_struct {
 u_int16_t client_signature_algorithms[MAX_NUM_TLS_SIGNATURE_ALGORITHMS];
 #endif
- struct tls_euristics browser_euristics;
+ struct tls_heuristics browser_heuristics;
 struct {
 u_int16_t cipher_suite;
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 87b2b3e8a..43eacefb1 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
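Review bot: The comment above the new `ndpi_get_flow_info` prototype says which protocols it handles but not what the caller receives: per the ndpi_utils.c hunk in this commit the result is a pointer into the flow struct (so it must not be freed and is only valid while the flow is alive), it is NULL for other protocols, and for TLS/QUIC it is only available once the Client Hello has been processed. Since this is the public header, that is the contract callers will read. Suggest: `/* Summarized flow info: host/server name for DNS/HTTP, requested server name for TLS/QUIC (once the Client Hello was processed). Points into the flow struct (not owned by the caller, valid only while the flow lives); NULL for other protocols or when not (yet) available. */`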
@@ -846,6 +846,41 @@ int ndpi_has_human_readeable_string(struct ndpi_detection_module_struct *ndpi_st
 /* ********************************** */
+static const char* ndpi_get_flow_info_by_proto_id(struct ndpi_flow_struct const * const flow,
+ u_int16_t proto_id)
+{
+ switch (proto_id)
+ {
+ case NDPI_PROTOCOL_DNS:
+ case NDPI_PROTOCOL_HTTP:
+ return (char const *)flow->host_server_name;
+ case NDPI_PROTOCOL_QUIC:
+ case NDPI_PROTOCOL_TLS:
+ if (flow->l4.tcp.tls.hello_processed != 0)
+ {
+ return flow->protos.tls_quic_stun.tls_quic.client_requested_server_name;
+ }
+ break;
+ }
+
+ return NULL;
+}
+
+const char* ndpi_get_flow_info(struct ndpi_flow_struct const * const flow,
+ ndpi_protocol const * const l7_protocol)
+{
+ char const * const app_protocol_info = ndpi_get_flow_info_by_proto_id(flow, l7_protocol->app_protocol);
+
+ if (app_protocol_info != NULL)
+ {
+ return app_protocol_info;
+ }
+
+ return ndpi_get_flow_info_by_proto_id(flow, l7_protocol->master_protocol);
+}
+
+/* ********************************** */
+
 char* ndpi_ssl_version2str(struct ndpi_flow_struct *flow, u_int16_t version, u_int8_t *unknown_tls_version) {
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index b0730a1c3..752c4b780 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
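Review bot: ndpi_get_flow_info_by_proto_id returns `flow->host_server_name` for DNS/HTTP without checking whether it holds anything; the `(char const *)` cast suggests that member is a u_char array, so the pointer is never NULL and an empty name is reported as valid info (the same presumably holds for client_requested_server_name), which also defeats the app-then-master fallback in ndpi_get_flow_info because the first lookup never "misses". The exported ndpi_get_flow_info additionally dereferences `l7_protocol` and forwards `flow` with no NULL check, which a public API should guard, and the switch has no `default:`. One further thing to confirm rather than a defect: the QUIC case reads `flow->l4.tcp.tls.hello_processed`; if `l4` overlays TCP and UDP state, make sure this is the flag the QUIC dissector actually sets. The rewrite below normalizes "no info" to NULL in one place so the caller contract stays "NULL means nothing to print".
```c
static const char* ndpi_get_flow_info_by_proto_id(struct ndpi_flow_struct const * const flow,
                                                  u_int16_t proto_id)
{
  char const *info = NULL;

  switch (proto_id)
  {
    case NDPI_PROTOCOL_DNS:
    case NDPI_PROTOCOL_HTTP:
      info = (char const *)flow->host_server_name;
      break;
    case NDPI_PROTOCOL_QUIC:
    case NDPI_PROTOCOL_TLS:
      if (flow->l4.tcp.tls.hello_processed != 0)
        info = flow->protos.tls_quic_stun.tls_quic.client_requested_server_name;
      break;
    default:
      break;
  }

  /* Array members are never NULL: treat an empty name as "nothing to report". */
  if (info == NULL || info[0] == '\0')
    return NULL;

  return info;
}

const char* ndpi_get_flow_info(struct ndpi_flow_struct const * const flow,
                               ndpi_protocol const * const l7_protocol)
{
  if (flow == NULL || l7_protocol == NULL)
    return NULL;

  /* … unchanged: app protocol first, then master protocol … */
```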
@@ -1593,12 +1593,12 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 this is time consuming and we want to avoid overhead whem possible */
 if(this_is_not_safari)
- flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 0;
+ flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 0;
 else if((safari_ciphers == 12) || (this_is_not_safari && looks_like_safari_on_big_sur))
- flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 1;
+ flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 1;
 if(chrome_ciphers == 13)
- flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls = 1;
+ flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 1;
 /* Note that both Safari and Chrome can overlap */
 #ifdef DEBUG_HEURISTIC
@@ -1865,7 +1865,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 #endif
 switch(signature_algo) {
 case ECDSA_SECP521R1_SHA512:
- flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_firefox_tls = 1;
+ flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_firefox_tls = 1;
 break;
 case ECDSA_SECP256R1_SHA256:
@@ -1891,23 +1891,23 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 safari_signature_algorithms, chrome_signature_algorithms);
 #endif
- if(flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_firefox_tls)
- flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 0,
- flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls = 0;
+ if(flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_firefox_tls)
+ flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 0,
+ flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 0;
 if(safari_signature_algorithms != 8)
- flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 0;
+ flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 0;
 if((chrome_signature_algorithms != 8) || duplicate_found)
- flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls = 0;
+ flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 0;
 /* Avoid Chrome and Safari overlaps, thing that cannot happen with Firefox */
- if(flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls)
- flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls = 0;
+ if(flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls)
+ flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 0;
- if((flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls == 0) && duplicate_found)
- flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 1; /* Safari */
+ if((flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls == 0) && duplicate_found)
+ flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 1; /* Safari */
 #ifdef DEBUG_HEURISTIC
 printf("[SIGNATURE] [is_firefox_tls: %u][is_chrome_tls: %u][is_safari_tls: %u][duplicate_found: %u]\n", |