-rw-r--r-- | example/ndpiReader.c | 88 | ||||
-rw-r--r-- | example/ndpi_util.h | 1 |
2 files changed, 74 insertions, 15 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 4b2caba0a..f1cb40c75 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -2375,12 +2375,6 @@ void bpf_filter_pkt_peak_filter(json_object **jObj_bpfFilter, int port_array[],
 json_object_object_add(*jObj_bpfFilter, "pkt.peak.filter", json_object_new_string(filter));
 else
 json_object_object_add(*jObj_bpfFilter, "pkt.peak.filter", json_object_new_string(""));
-
- /*if(produced)
- fprintf(fp,"%s\n",filter);
- else
- fprintf(fp,"");*/
-
 }
 #endif
@@ -2491,6 +2485,62 @@ void bpf_filter_port_array_add(int filter_array[], int size, int port) {
 /* *********************************************** */
+float getAverage(struct json_object *jObj_stat, char *field){
+ json_object *field_stat;
+ json_bool res;
+ float average;
+ float sum = 0;
+ int r;
+ int j;
+
+ if((r = strcmp(field, "top.scanner.stats")) == 0){
+ for(j=0; j<json_object_array_length(jObj_stat); j++) {
+ field_stat = json_object_array_get_idx(jObj_stat, j);
+ json_object *jObj_tot_flows_number;
+
+ if((res = json_object_object_get_ex(field_stat, "total.flows.number", &jObj_tot_flows_number)) == 0) {
+ fprintf(stderr, "ERROR: can't get \"total.flows.number\", use -x flag only with .json files generated by ndpiReader -b flag.\n");
+ exit(-1);
+ }
+ int tot_flows_number = json_object_get_int(jObj_tot_flows_number);
+
+ sum += tot_flows_number;
+ }
+ }
+
+ if(j == 0) return 0.0;
+
+ return sum/j;
+}
+/* *********************************************** */
+
+float getStdDeviation(struct json_object *jObj_stat, float average, char *field){
+ json_object *field_stat;
+ json_bool res;
+ float sum = 0;
+ int j;
+ int r;
+
+ if((r = strcmp(field, "top.scanner.stats")) == 0){
+ for(j=0; j<json_object_array_length(jObj_stat); j++) {
+ field_stat = json_object_array_get_idx(jObj_stat, j);
+ json_object *jObj_tot_flows_number;
+
+ if((res = json_object_object_get_ex(field_stat, "total.flows.number", &jObj_tot_flows_number)) == 0) {
+ fprintf(stderr, "ERROR: can't get \"total.flows.number\", use -x flag only with .json files generated by ndpiReader -b flag.\n");
+ exit(-1);
+ }
+ int tot_flows_number = json_object_get_int(jObj_tot_flows_number);
+
+ sum += pow((tot_flows_number - average), 2);
+ }
+ }
+
+ return sqrt(sum/(float)j);
+}
+
+
+/* *********************************************** */
 /*
 * @brief add ports which have (flows/packets > threshold)
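Review bot: `j` is read after the loop in both new functions but is only assigned inside the `strcmp` branch, so any `field` other than "top.scanner.stats" makes `if(j == 0)` in getAverage and `sqrt(sum/(float)j)` in getStdDeviation read an uninitialized variable, and getStdDeviation has no empty-array guard at all (an empty stats array gives a division by zero). Declare `int j = 0;` in both helpers and add `if(j == 0) return 0.0;` before the `return sqrt(sum/(float)j);`. The `average` local in getAverage is never used and the `r`/`res` temporaries serve only the condition, so they can be dropped, and `field` is only compared, so `const char *field` is the accurate type. `pow` and `sqrt` need `<math.h>` and `-lm`; the include block is outside this hunk, so confirm it is already there. Both helpers are non-static with very generic names; `static` would keep them out of the global namespace.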
@@ -2542,7 +2592,9 @@ void getPacketBasedSourcePortsToFilter(struct json_object *jObj_stat, int srcPor
 * flows per second to the srcHostArray to filter
 */
 #ifdef HAVE_JSON_C
-void getScannerHostsToFilter(struct json_object *jObj_stat, int duration, const char *srcHostArray[48], int size) {
+void getScannerHostsToFilter(struct json_object *jObj_stat, int duration,
+ const char *srcHostArray[48], int size,
+ float threshold) {
 int j;
 for(j=0; j<json_object_array_length(jObj_stat); j++) {
@@ -2558,7 +2610,7 @@ void getScannerHostsToFilter(struct json_object *jObj_stat, int duration, const
 int tot_flows_number = json_object_get_int(jObj_tot_flows_number);
- if((tot_flows_number/duration) > 1000) {
+ if(((tot_flows_number/duration) > FLOWS_THRESHOLD) && tot_flows_number > threshold) {
 if((res = json_object_object_get_ex(scanner_stat, "ip.address", &jObj_host_address)) == 0) {
 fprintf(stderr, "ERROR: can't get \"ip.address\", use -x flag only with .json files generated by ndpiReader -b flag.\n");
 exit(-1);
@@ -2647,16 +2699,18 @@ void getHostBasedSourcePortsToFilter(struct json_object *jObj_stat, int duration
 #ifdef HAVE_JSON_C
 static void produceBpfFilter(char *filePath) {
- int fsock;
- struct stat statbuf;
- void *fmap;
- int filterSrcPorts[PORT_ARRAY_SIZE]; /* ports to filter */
- const char *filterSrcHosts[48]; /* hosts to filter */
- const char *filterDstHosts[48]; /* hosts to filter */
 json_object *jObj; /* entire json object from file */
 json_object *jObj_duration;
 json_object *jObj_statistics; /* json array */
 json_bool res;
+ int filterSrcPorts[PORT_ARRAY_SIZE];
+ const char *filterSrcHosts[48];
+ const char *filterDstHosts[48];
+ struct stat statbuf;
+ void *fmap;
+ int fsock;
+ float average;
+ float deviation;
 int duration;
 int typeCheck;
 int array_len;
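Review bot: The comment block above getScannerHostsToFilter (its tail `* flows per second to the srcHostArray to filter` is the first context line of this hunk) is not updated for the new `threshold` parameter, although the function now filters on two criteria instead of one. Add a line such as ` * only hosts whose total.flows.number also exceeds threshold (the caller passes average + standard deviation) are added` to that comment. The function body continues past the end of the hunk.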
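Review bot: The rewritten condition in the second hunk still evaluates `tot_flows_number/duration` with no check that `duration` is non-zero; `duration` appears to be read from the input JSON (produceBpfFilter declares `jObj_duration` and `int duration`), so a file reporting a zero duration faults on the integer division instead of being rejected like the other malformed-input cases in this file. Guard it once before the loop, e.g. `if(duration <= 0) { fprintf(stderr, "ERROR: invalid duration\n"); exit(-1); }`. Note also that the left comparison uses truncating integer division while `threshold` is a float, so the two tests have different precision; that is acceptable if intentional but worth a short comment. getScannerHostsToFilter starts and ends outside this hunk.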
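Review bot: The reordered declarations in the third hunk drop the `/* ports to filter */` and `/* hosts to filter */` comments that the removed lines carried, while the neighbouring `jObj` declarations keep theirs; restore them on the re-added `filterSrcPorts`, `filterSrcHosts` and `filterDstHosts` lines. The new locals would also benefit from a note on what they hold, e.g. `float average; /* mean total.flows.number over top.scanner.stats */` and `float deviation; /* its standard deviation; average+deviation is the scanner threshold */`. produceBpfFilter continues past the end of the hunk.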
@@ -2716,7 +2770,11 @@ static void produceBpfFilter(char *filePath) {
 fprintf(stderr,"ERROR: can't get \"top.scanner.stats\", use -x flag only with .json files generated by ndpiReader -b flag.\n");
 exit(-1);
 }
- getScannerHostsToFilter(val, duration, filterSrcHosts, HOST_ARRAY_SIZE);
+
+ if((average = getAverage(val, "top.scanner.stats")) != 0){
+ deviation = getStdDeviation(val, average, "top.scanner.stats");
+ getScannerHostsToFilter(val, duration, filterSrcHosts, HOST_ARRAY_SIZE, average+deviation);
+ }
 if((res = json_object_object_get_ex(stats, "top.src.pkts.stats", &val)) == 0) {
diff --git a/example/ndpi_util.h b/example/ndpi_util.h
index fd4c4b84d..eb54ac9fb 100644
--- a/example/ndpi_util.h
+++ b/example/ndpi_util.h
@@ -48,6 +48,7 @@
 #define HOST_ARRAY_SIZE 20
 #define FLOWS_PACKETS_THRESHOLD 0.9
 #define FLOWS_PERCENT_THRESHOLD 1.0
+#define FLOWS_THRESHOLD 1000
 #define INIT_VAL -1
 // flow tracking
|
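Review bot: `if((average = getAverage(val, "top.scanner.stats")) != 0)` couples the two new calls in a way the reader has to reconstruct: getStdDeviation divides by the element count, so calling it only when the mean is non-zero is what keeps it away from an empty array, and an all-zero stats array is silently skipped rather than handled. A comment makes that explicit, e.g. `/* average == 0 means no scanner stats or none with flows: nothing to filter, and it keeps getStdDeviation off an empty array */`. Splitting the assignment out of the condition (`average = getAverage(val, "top.scanner.stats");` then `if(average != 0)`) would also read more easily. produceBpfFilter continues outside the hunk.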
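Review bot: `FLOWS_THRESHOLD` in the ndpi_util.h hunk carries no unit, while its siblings `FLOWS_PACKETS_THRESHOLD` and `FLOWS_PERCENT_THRESHOLD` at least name what they measure; in getScannerHostsToFilter it is compared against `tot_flows_number/duration`, i.e. flows per second. A trailing comment records that: `#define FLOWS_THRESHOLD 1000 /* flows per second above which a source host is treated as a scanner */`.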