-rw-r--r--src/lib/ndpi_content_match.c.inc3
-rw-r--r--src/lib/ndpi_main.c1
-rw-r--r--src/lib/protocols/ssh.c2
-rw-r--r--wireshark/ndpi.lua88
4 files changed, 60 insertions, 34 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index d50d89006..93ba2ca8c 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -541,7 +541,8 @@ static ndpi_network host_protocol_list[] = {
{ 0xB909BC00 /* 185.9.188.0/22 */, 22, NDPI_PROTOCOL_NETFLIX },
{ 0xC0AD4000 /* 192.173.64.0/18 */, 18, NDPI_PROTOCOL_NETFLIX },
{ 0xC6266000 /* 198.38.96.0/19 */, 19, NDPI_PROTOCOL_NETFLIX },
- { 0xC62D3000 /* 198.45.48.0/20 */, 20, NDPI_PROTOCOL_NETFLIX },
+ { 0xC62D3000 /* 198.45.48.0/20 */, 20, NDPI_PROTOCOL_NETFLIX },
+ { 0xD194D687 /* 209.148.214.135/21 */, 21, NDPI_PROTOCOL_NETFLIX },
/*
Cloudflare, Inc.
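Review bot: The new entry `{ 0xD194D687 /* 209.148.214.135/21 */, 21, NDPI_PROTOCOL_NETFLIX }` carries host bits: 209.148.214.135 is not the base address of a /21, whose network address computes to 209.148.208.0 (0xD194D000), whereas every neighbouring entry in the table is written as a proper network base. Unless the loader masks the address by the prefix length before inserting it, which this hunk does not show, the entry may match nothing or the wrong range. Suggest `{ 0xD194D000 /* 209.148.208.0/21 */, 21, NDPI_PROTOCOL_NETFLIX },` to keep the table self-consistent; if the intent was a single host, the prefix length should be 32 instead. The host_protocol_list array continues outside the hunk.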
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index a42f8c3ce..d7c3467ca 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -3777,7 +3777,6 @@ void ndpi_load_hostname_category(struct ndpi_detection_module_struct *ndpi_struc
ac_pattern.rep.number = (int)category;
ac_automata_add(ndpi_struct->custom_categories.hostnames_shadow.ac_automa, &ac_pattern);
- ac_automata_finalize(ndpi_struct->custom_categories.hostnames_shadow.ac_automa);
}
/* ********************************************************************************* */
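Review bot: ndpi_load_hostname_category() now leaves hostnames_shadow.ac_automa unfinalized after each ac_automata_add(), so correctness depends on some caller finalizing the automaton once, after all loads and before any match is attempted; that caller is not in this hunk and nothing here documents the new precondition. A comment at the end of the function would stop the next caller from matching against an unfinalized automaton, e.g. `/* NOTE: the shadow automaton is intentionally NOT finalized here; the caller must call ac_automata_finalize() once after all hostnames are loaded and before it is used */`. The function's opening lines are outside the hunk.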
diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c
index bfd1c387e..0045fe69e 100644
--- a/src/lib/protocols/ssh.c
+++ b/src/lib/protocols/ssh.c
@@ -63,7 +63,7 @@ void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
return;
}
} else if (flow->l4.tcp.ssh_stage == (2 - packet->packet_direction)) {
- if (packet->payload_packet_len > 7 && packet->payload_packet_len < 100
+ if (packet->payload_packet_len > 7 && packet->payload_packet_len < 500
&& memcmp(packet->payload, "SSH-", 4) == 0) {
int len = ndpi_min(sizeof(flow->protos.ssh.server_signature)-1, packet->payload_packet_len);
strncpy(flow->protos.ssh.server_signature, (const char *)packet->payload, len);
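Review bot: Raising the bound to 500 widens what the strncpy on the last line copies, because `len` is still `ndpi_min(sizeof(server_signature)-1, payload_packet_len)` with no search for the end of the banner line; a segment that carries the key-exchange payload right after the `SSH-` line will now store more of that binary data in server_signature than before. Bounding len at the first line terminator keeps the signature a text line, e.g. `const char *eol = memchr(packet->payload, '\n', packet->payload_packet_len);` followed by `int len = ndpi_min(sizeof(flow->protos.ssh.server_signature)-1, eol ? (int)(eol - (const char *)packet->payload) : packet->payload_packet_len);` — hedged, since the bytes that follow the banner in the same segment are not visible here. The hunk also does not show whether server_signature is NUL-terminated after the copy; if the following lines do not write `flow->protos.ssh.server_signature[len] = '\0';`, a payload of at least sizeof-1 bytes leaves it unterminated. The enclosing function starts before and ends after this hunk.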
diff --git a/wireshark/ndpi.lua b/wireshark/ndpi.lua
index 028ee8ea7..56fc01050 100644
--- a/wireshark/ndpi.lua
+++ b/wireshark/ndpi.lua
@@ -22,7 +22,7 @@
-- cat /tmp/wireshark.sql | influx -database wireshark
-local ndpi_proto = Proto("ndpi", "nDPI", "nDPI Protocol Interpreter")
+local ndpi_proto = Proto("ndpi", "nDPI Protocol Interpreter")
ndpi_proto.fields = {}
local ndpi_fds = ndpi_proto.fields
@@ -30,7 +30,7 @@ ndpi_fds.network_protocol = ProtoField.new("nDPI Network Protocol", "ndpi.pr
ndpi_fds.application_protocol = ProtoField.new("nDPI Application Protocol", "ndpi.protocol.application", ftypes.UINT8, nil, base.DEC)
ndpi_fds.name = ProtoField.new("nDPI Protocol Name", "ndpi.protocol.name", ftypes.STRING)
-local ntop_proto = Proto("ntop", "ntop", "ntop Extensions")
+local ntop_proto = Proto("ntop", "ntop Extensions")
ntop_proto.fields = {}
local ntop_fds = ntop_proto.fields
@@ -117,6 +117,11 @@ local max_latency_discard = 5000 -- 5 sec
local max_appl_lat_discard = 15000 -- 15 sec
local debug = false
+local dump_timeseries = false
+
+local dump_file = "/tmp/wireshark-influx.txt"
+local file
+
-- ##############################################
function string.contains(String,Start)
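Review bot: `dump_file` is a fixed path in the shared, world-writable /tmp and it is later opened in append mode, so another local user who pre-creates or symlinks /tmp/wireshark-influx.txt can make the dissector append capture-derived data to a file of their choosing, with the capturing user's privileges, and can read what is written. Prefer a per-user location or a user-set path, e.g. `local dump_file = (os.getenv("HOME") or "/tmp") .. "/wireshark-influx.txt"`, or expose it as a Wireshark preference instead of hard-coding it. `file` is a module-level local that is only assigned when `dump_timeseries` is true; a one-line comment such as `-- handle opened in ndpi_proto.init() only when dump_timeseries is true` would make that coupling visible to readers of the later hunks.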
@@ -373,6 +378,12 @@ function ndpi_proto.init()
-- RPC
rpc_ts = {}
+
+ if(dump_timeseries) then
+ file = assert(io.open(dump_file, "a"))
+ print("Writing to "..dump_file.."\n")
+ print('Load data with:\ncurl -i -XPOST "http://localhost:8086/write?db=wireshark" --data-binary @/tmp/wireshark-influx.txt\n')
+ end
end
function slen(str)
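Review bot: The curl hint printed in init hard-codes `@/tmp/wireshark-influx.txt` while the file itself is opened through `dump_file`, so the two diverge as soon as the path is changed; build the message from the variable, `print('Load data with:\ncurl -i -XPOST "http://localhost:8086/write?db=wireshark" --data-binary @'..dump_file..'\n')`. init also does `file = assert(io.open(dump_file, "a"))` without closing any handle from a previous run; if Wireshark invokes init again, for example when a capture is reloaded, the earlier descriptor leaks, so add `if file then file:close() end` before the open. ndpi_proto.init starts outside this hunk.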
@@ -548,38 +559,51 @@ end
-- ###############################################
-function flow_dissector(tvb, pinfo, tree)
- local rev_key = getstring(pinfo.dst)..":"..getstring(pinfo.dst_port).."-"..getstring(pinfo.src)..":"..getstring(pinfo.src_port)
- local k
-
- -- 1522511601.2942
- -- 15225115972358
- -- 15246849200000 00000
-
- if(flows[rev_key] ~= nil) then
- flows[rev_key][2] = flows[rev_key][2] + pinfo.len
- k = rev_key
- else
- local key = getstring(pinfo.src)..":"..getstring(pinfo.src_port).."-"..getstring(pinfo.dst)..":"..getstring(pinfo.dst_port)
-
- k = key
- if(flows[key] == nil) then
- flows[key] = { pinfo.len, 0 } -- src -> dst / dst -> src
- tot_flows = tot_flows + 1
+function timeseries_dissector(tvb, pinfo, tree)
+ if(pinfo.dst_port ~= 0) then
+ local rev_key = getstring(pinfo.dst)..":"..getstring(pinfo.dst_port).."-"..getstring(pinfo.src)..":"..getstring(pinfo.src_port)
+ local k
+
+ if(flows[rev_key] ~= nil) then
+ flows[rev_key][2] = flows[rev_key][2] + pinfo.len
+ k = rev_key
else
- flows[key][1] = flows[key][1] + pinfo.len
+ local key = getstring(pinfo.src)..":"..getstring(pinfo.src_port).."-"..getstring(pinfo.dst)..":"..getstring(pinfo.dst_port)
+
+ k = key
+ if(flows[key] == nil) then
+ flows[key] = { pinfo.len, 0 } -- src -> dst / dst -> src
+ tot_flows = tot_flows + 1
+ else
+ flows[key][1] = flows[key][1] + pinfo.len
+ end
end
- end
+
+ --k = pinfo.curr_proto..","..k
+
+ local bytes = flows[k][1]+flows[k][2]
+ local row
- local bytes = flows[k][1]+flows[k][2]
- local row = "wireshark,"..k.." bytes=".. bytes .. " ".. (tonumber(pinfo.abs_ts)*10000).."00000\n"
-
- print(row)
- file = io.open("/tmp/wireshark.sql", "a")
- file:write(row)
- file:close()
- -- en0,metric=iface packets.rcvd=213 1524684920000000000
+ -- Prometheus
+ -- row = "wireshark {metric=\"bytes\", flow=\""..k.."\"} ".. bytes .. " ".. (tonumber(pinfo.abs_ts)*10000).."00000"
+
+ -- Influx
+ row = "wireshark,flow="..k.." bytes=".. pinfo.len .. " ".. (tonumber(pinfo.abs_ts)*10000).."00000"
+ file:write(row.."\n")
+
+ row = "wireshark,ndpi="..ndpi.protocol_name.." bytes=".. pinfo.len .. " ".. (tonumber(pinfo.abs_ts)*10000).."00000"
+ file:write(row.."\n")
+
+ row = "wireshark,host="..getstring(pinfo.src).." sent=".. pinfo.len .. " ".. (tonumber(pinfo.abs_ts)*10000).."00000"
+ file:write(row.."\n")
+
+ row = "wireshark,host="..getstring(pinfo.dst).." rcvd=".. pinfo.len .. " ".. (tonumber(pinfo.abs_ts)*10000).."00000"
+ file:write(row.."\n")
+ -- print(row)
+
+ file:flush()
+ end
end
-- ###############################################
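Review bot: The four rows in timeseries_dissector build the Influx timestamp as `(tonumber(pinfo.abs_ts)*10000).."00000"`, which relies on Lua's default number-to-string conversion of a float product; whenever that product is not rendered as a plain run of digits (a fractional part, or exponent notation on another Lua version), the appended zeros yield an invalid timestamp and the import rejects the line. Formatting the integer part explicitly once and reusing it removes that dependency and the four repeated conversions. `local bytes = flows[k][1]+flows[k][2]` is also computed but no longer used, every row writes `pinfo.len`, so either drop it or write the flow total as intended. The tag values (`k`, `ndpi.protocol_name`, the host strings) are inserted unescaped; Influx line protocol requires commas, spaces and `=` in tag values to be escaped, which is unlikely to matter for addresses and ports but would for a protocol name containing a space; `ndpi.protocol_name` is defined outside this hunk.
```lua
      local row
      -- nanosecond timestamp: integer part of abs_ts*1e4, then five zeros
      local ts = string.format("%.0f", tonumber(pinfo.abs_ts)*10000).."00000"

      -- … unchanged: Prometheus comment …

      -- Influx
      row = "wireshark,flow="..k.." bytes=".. pinfo.len .. " ".. ts
      file:write(row.."\n")

      row = "wireshark,ndpi="..ndpi.protocol_name.." bytes=".. pinfo.len .. " ".. ts
      file:write(row.."\n")

      row = "wireshark,host="..getstring(pinfo.src).." sent=".. pinfo.len .. " ".. ts
      file:write(row.."\n")

      row = "wireshark,host="..getstring(pinfo.dst).." rcvd=".. pinfo.len .. " ".. ts
      file:write(row.."\n")
      -- … unchanged: flush …
```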
@@ -959,7 +983,9 @@ function ndpi_proto.dissector(tvb, pinfo, tree)
--print("Processing packet "..pinfo.number .. "["..srckey.." / "..dstkey.."]")
end
- flow_dissector(tvb, pinfo, tree)
+ if(dump_timeseries) then
+ timeseries_dissector(tvb, pinfo, tree)
+ end
mac_dissector(tvb, pinfo, tree)
arp_dissector(tvb, pinfo, tree)
vlan_dissector(tvb, pinfo, tree)