4 files changed, 57 insertions, 11 deletions

diff --git a/example/reader_util.c b/example/reader_util.c
index 67d349040..2fdf14b35 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -669,6 +669,8 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
     l3 = (const u_int8_t*)iph6;
   }
 
+  *proto = iph->protocol;
+
   if(l4_packet_len < 64)
     workflow->stats.packet_len[0]++;
   else if(l4_packet_len >= 64 && l4_packet_len < 128)
@@ -685,10 +687,9 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
   if(l4_packet_len > workflow->stats.max_packet_len)
     workflow->stats.max_packet_len = l4_packet_len;
 
-  *proto = iph->protocol;
   l4 = ((const u_int8_t *) l3 + l4_offset);
 
-  if(iph->protocol == IPPROTO_TCP && l4_packet_len >= 20) {
+  if(*proto == IPPROTO_TCP && l4_packet_len >= sizeof(struct ndpi_tcphdr)) {
     u_int tcp_len;
 
     // tcp
@@ -699,7 +700,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
     *payload = (u_int8_t*)&l4[tcp_len];
     *payload_len = ndpi_max(0, l4_packet_len-4*(*tcph)->doff);
     l4_data_len = l4_packet_len - sizeof(struct ndpi_tcphdr);
-  } else if(iph->protocol == IPPROTO_UDP && l4_packet_len >= 8) {
+  } else if(*proto == IPPROTO_UDP && l4_packet_len >= sizeof(struct ndpi_udphdr)) {
     // udp
 
     workflow->stats.udp_count++;
@@ -708,6 +709,14 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
     *payload = (u_int8_t*)&l4[sizeof(struct ndpi_udphdr)];
     *payload_len = (l4_packet_len > sizeof(struct ndpi_udphdr)) ? l4_packet_len-sizeof(struct ndpi_udphdr) : 0;
     l4_data_len = l4_packet_len - sizeof(struct ndpi_udphdr);
+  } else if(*proto == IPPROTO_ICMP) {
+    *payload = (u_int8_t*)&l4[sizeof(struct ndpi_icmphdr )];
+    *payload_len = (l4_packet_len > sizeof(struct ndpi_icmphdr)) ? l4_packet_len-sizeof(struct ndpi_icmphdr) : 0;
+    l4_data_len = l4_packet_len - sizeof(struct ndpi_icmphdr);
+  } else if (*proto == IPPROTO_ICMPV6) {
+    *payload = (u_int8_t*)&l4[sizeof(struct ndpi_icmp6hdr)];
+    *payload_len = (l4_packet_len > sizeof(struct ndpi_icmp6hdr)) ? l4_packet_len-sizeof(struct ndpi_icmp6hdr) : 0;
+    l4_data_len = l4_packet_len - sizeof(struct ndpi_icmp6hdr);
   } else {
     // non tcp/udp protocols
     *sport = *dport = 0;
diff --git a/src/include/ndpi_classify.h b/src/include/ndpi_classify.h
index 9b5f2841f..cd03027d8 100644
--- a/src/include/ndpi_classify.h
+++ b/src/include/ndpi_classify.h
@@ -87,6 +87,7 @@ unsigned int ndpi_timer_lt(const struct timeval *a, const struct timeval *b);
 void ndpi_timer_sub(const struct timeval *a, const struct timeval *b, struct timeval *result);
 void ndpi_timer_clear(struct timeval *a);
 unsigned int ndpi_timeval_to_milliseconds(struct timeval ts);
+unsigned int ndpi_timeval_to_microseconds(struct timeval ts);
 void ndpi_log_timestamp(char *log_ts, u_int log_ts_len);
 
 #endif /* NDPI_CLASSIFY_H */
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index d9da6205d..ccc4faec7 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -348,6 +348,20 @@ struct ndpi_icmphdr {
   } un;
 } PACK_OFF;
 
+/* +++++++++++++++++++++++ ICMP6 header +++++++++++++++++++++++ */
+
+PACK_ON
+struct ndpi_icmp6hdr {
+  uint8_t     icmp6_type;   /* type field */
+  uint8_t     icmp6_code;   /* code field */
+  uint16_t    icmp6_cksum;  /* checksum field */
+  union {
+    uint32_t  icmp6_un_data32[1]; /* type-specific field */
+    uint16_t  icmp6_un_data16[2]; /* type-specific field */
+    uint8_t   icmp6_un_data8[4];  /* type-specific field */
+  } icmp6_dataun;
+} PACK_OFF;
+
 /* +++++++++++++++++++++++ VXLAN header +++++++++++++++++++++++ */
 
 PACK_ON
diff --git a/src/lib/ndpi_classify.c b/src/lib/ndpi_classify.c
index 96b2ecbb0..7a814f7ce 100644
--- a/src/lib/ndpi_classify.c
+++ b/src/lib/ndpi_classify.c
@@ -299,6 +299,8 @@ ndpi_merge_splt_arrays (const uint16_t *pkt_len, const struct timeval *pkt_time,
             tmp = pkt_time_twin[r];
             ndpi_timer_sub(&tmp, &ts_start, &tmp_r);
             merged_times[s+r] = ndpi_timeval_to_milliseconds(tmp_r);
+            if (merged_times[s+r] == 0)
+                merged_times[s+r] = ndpi_timeval_to_microseconds(tmp_r);
             ts_start = tmp;
             r++;
         } else if (r >= r_idx) {
@@ -306,27 +308,35 @@ ndpi_merge_splt_arrays (const uint16_t *pkt_len, const struct timeval *pkt_time,
             tmp = pkt_time[s];
             ndpi_timer_sub(&tmp, &ts_start, &tmp_r);
             merged_times[s+r] = ndpi_timeval_to_milliseconds(tmp_r);
+            if (merged_times[s+r] == 0)
+                merged_times[s+r] = ndpi_timeval_to_microseconds(tmp_r);
             ts_start = tmp;
             s++;
         } else {
             if (ndpi_timer_lt(&pkt_time[s], &pkt_time_twin[r])) {
                 merged_lens[s+r] = pkt_len[s];
-	               tmp = pkt_time[s];
-	               ndpi_timer_sub(&tmp, &ts_start, &tmp_r);
-	               merged_times[s+r] = ndpi_timeval_to_milliseconds(tmp_r);
-	               ts_start = tmp;
+	        tmp = pkt_time[s];
+	        ndpi_timer_sub(&tmp, &ts_start, &tmp_r);
+	        merged_times[s+r] = ndpi_timeval_to_milliseconds(tmp_r);
+                if (merged_times[s+r] == 0)
+                    merged_times[s+r] = ndpi_timeval_to_microseconds(tmp_r);
+	        ts_start = tmp;
                 s++;
             } else {
                 merged_lens[s+r] = pkt_len_twin[r];
-	               tmp = pkt_time_twin[r];
-	               ndpi_timer_sub(&tmp, &ts_start, &tmp_r);
-	               merged_times[s+r] = ndpi_timeval_to_milliseconds(tmp_r);
-	               ts_start = tmp;
+	        tmp = pkt_time_twin[r];
+	        ndpi_timer_sub(&tmp, &ts_start, &tmp_r);
+	        merged_times[s+r] = ndpi_timeval_to_milliseconds(tmp_r);
+                if (merged_times[s+r] == 0)
+                    merged_times[s+r] = ndpi_timeval_to_microseconds(tmp_r);
+	        ts_start = tmp;
                 r++;
             }
         }
     }
     merged_times[0] = ndpi_timeval_to_milliseconds(start_m);
+    if (merged_times[0] == 0)
+        merged_times[0] = ndpi_timeval_to_microseconds(start_m);
 }
 
 /* transform lens array to Markov chain */
@@ -656,6 +666,18 @@ ndpi_timeval_to_milliseconds(struct timeval ts)
     return result;
 }
 
+/**
+ * \brief Calculate the microseconds representation of a timeval.
+ * \param ts Timeval
+ * \return unsigned int - Milliseconds
+ */
+unsigned int
+ndpi_timeval_to_microseconds(struct timeval ts)
+{
+    unsigned int result = ts.tv_usec + ts.tv_sec * 1000 * 1000;
+    return result;
+}
+
 void
 ndpi_log_timestamp(char *log_ts, u_int log_ts_len)
 {