-rw-r--r--example/ndpiReader.c43
-rw-r--r--example/ndpi_util.c39
-rw-r--r--example/ndpi_util.h4
3 files changed, 64 insertions, 22 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index fe2355f75..e4dde12c6 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -58,7 +58,9 @@
#include "ndpi_util.h"
+
/** Client parameters **/
+
static char *_pcap_file[MAX_NUM_READER_THREADS]; /**< Ingress pcap file/interfaces */
static FILE *playlist_fp[MAX_NUM_READER_THREADS] = { NULL }; /**< Ingress playlist */
static FILE *results_file = NULL;
@@ -831,6 +833,15 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa
if(flow->bittorent_hash[0] != '\0') fprintf(out, "[BT Hash: %s]", flow->bittorent_hash);
if(flow->dhcp_fingerprint[0] != '\0') fprintf(out, "[DHCP Fingerprint: %s]", flow->dhcp_fingerprint);
+ //fprintf(out, "[Num_Packt_Human_Readable_String: %d]", flow->n_pckt_human_readable_string);
+
+
+ //if( (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_HTTP ) && (flow->n_pckt_human_readable_string == 0) ) printf("!WARNING!");
+ //if( (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_FTP_CONTROL) && (flow->n_pckt_human_readable_string == 0) ) printf("!WARNING!");
+ //if( (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_NTP ) && (flow->n_pckt_human_readable_string != 0) ) printf("!WARNING!");
+ //if( (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_IP_ICMP ) && (flow->n_pckt_human_readable_string != 0) ) printf("!WARNING!");
+ //if( (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_VNC ) && (flow->n_pckt_human_readable_string != 0 ) ) printf("!WARNING!");
+
fprintf(out, "\n");
} else {
#ifdef HAVE_JSON_C
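Review bot: The six `//` lines added after the DHCP-fingerprint output are commented-out debug code and should not be committed; they will silently drift from the counter they refer to. If the per-flow count is meant to be visible, print it the way the neighbouring fields are, e.g. `if(flow->n_pckt_human_readable_string > 0) fprintf(out, "[Human-readable pkts: %u]", flow->n_pckt_human_readable_string);` — note the commented version uses `%d` for a `u_int32_t`, which would be a format mismatch if it were ever uncommented. The `!WARNING!` lines go to stdout via printf rather than to `out`, so even as a debugging aid they would bypass `results_file`. printFlow's body starts and ends outside the hunk.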
@@ -1934,7 +1945,7 @@ void printPortStats(struct port_stats *stats) {
/* *********************************************** */
-static void printFlowsStats() {
+static void printFlowsStats() {
if(verbose) {
int thread_id;
FILE *out = results_file ? results_file : stdout;
@@ -1998,10 +2009,10 @@ static void printFlowsStats() {
} else {
//host already in the hash table
ndpi_ja3_info *infoFound = NULL;
-
+
HASH_FIND_STR(ja3ByHostFound->host_client_info_hasht,
all_flows[i].flow->ssh_ssl.ja3_client, infoFound);
-
+
if(infoFound == NULL){
ndpi_ja3_info *newJA3 = malloc(sizeof(ndpi_ja3_info));
newJA3->ja3 = all_flows[i].flow->ssh_ssl.ja3_client;
@@ -2040,7 +2051,7 @@ static void printFlowsStats() {
}
}
}
-
+
if(all_flows[i].flow->ssh_ssl.ja3_server[0] != '\0'){
//looking if the host is already in the hash table
HASH_FIND_INT(ja3ByHostsHashT, &(all_flows[i].flow->dst_ip), ja3ByHostFound);
@@ -2112,7 +2123,7 @@ static void printFlowsStats() {
ndpi_ja3_fingerprints_host *tmp3 = NULL;
ndpi_ip_dns *innerHashEl = NULL;
ndpi_ip_dns *tmp4 = NULL;
-
+
if(verbose == 2) {
/* for each host the number of flow with a ja3 fingerprint is printed */
i = 1;
@@ -2268,7 +2279,7 @@ static void printFlowsStats() {
HASH_DEL(hostByJA3C_ht, hostByJA3Element);
free(hostByJA3Element);
}
-
+
hostByJA3Element = NULL;
HASH_ITER(hh, hostByJA3S_ht, hostByJA3Element, tmp3) {
HASH_ITER(hh, hostByJA3S_ht->ipToDNS_ht, innerHashEl, tmp4) {
@@ -2282,14 +2293,14 @@ static void printFlowsStats() {
}
/* Print all flows stats */
-
+
qsort(all_flows, num_flows, sizeof(struct flow_info), cmpFlows);
if(verbose > 1) {
- for(i=0; i<num_flows; i++)
- printFlow(i+1, all_flows[i].flow, all_flows[i].thread_id);
+ for(i=0; i<num_flows; i++)
+ printFlow(i+1, all_flows[i].flow, all_flows[i].thread_id);
}
-
+
for(thread_id = 0; thread_id < num_threads; thread_id++) {
if(ndpi_thread_info[thread_id].workflow->stats.protocol_counter[0 /* 0 = Unknown */] > 0) {
if(!json_flag) {
@@ -2319,7 +2330,7 @@ static void printFlowsStats() {
printFlow(i+1, all_flows[i].flow, all_flows[i].thread_id);
free(all_flows);
- }
+ }
}
/* *********************************************** */
@@ -2793,7 +2804,10 @@ static void ndpi_process_packet(u_char *args,
/* allocate an exact size buffer to check overflows */
uint8_t *packet_checked = malloc(header->caplen);
- /* ndpi_has_human_readeable_string(ndpi_info_mod, (char*)packet, header->caplen, 3); */
+ ndpi_thread_info[thread_id].workflow->hrs = 0;
+ if (ndpi_has_human_readeable_string(ndpi_info_mod, (char*)packet, header->caplen) == 1) {
+ ndpi_thread_info[thread_id].workflow->hrs = 1;
+ }
memcpy(packet_checked, packet, header->caplen);
p = ndpi_workflow_process_packet(ndpi_thread_info[thread_id].workflow, header, packet_checked);
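Review bot: The new `ndpi_has_human_readeable_string` call is handed `packet` at offset 0 with the full `header->caplen`, so unless the helper skips headers itself the link-layer and IP/transport header bytes are part of the scan and can flip the flag on packets with no payload at all; if this is meant as a payload heuristic it should start after the headers that `ndpi_workflow_process_packet` parses. The result is also handed to the workflow through the shared `workflow->hrs` field instead of as an argument, so `get_ndpi_flow_info` now depends on every caller of `ndpi_workflow_process_packet` having set `hrs` for the current packet (this is the only writer on the page). The three added lines reduce to one: `ndpi_thread_info[thread_id].workflow->hrs = (ndpi_has_human_readeable_string(ndpi_info_mod, (char*)packet, header->caplen) == 1);`. The enclosing ndpi_process_packet starts and ends outside the hunk.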
@@ -3125,7 +3139,7 @@ void serializerUnitTest() {
vs.str[vs.str_len] = bkp;
}
break;
-
+
case ndpi_serialization_string_string:
assert(ndpi_deserialize_string_string(&deserializer, &ks, &vs) != -1);
if(trace) {
@@ -3783,11 +3797,14 @@ int orginal_main(int argc, char **argv) {
for(i=0; i<num_loops; i++)
test_lib();
+
+
if(results_path) free(results_path);
if(results_file) fclose(results_file);
if(extcap_dumper) pcap_dump_close(extcap_dumper);
if(ndpi_info_mod) ndpi_exit_detection_module(ndpi_info_mod);
+
return 0;
}
diff --git a/example/ndpi_util.c b/example/ndpi_util.c
index c055df317..97ac16790 100644
--- a/example/ndpi_util.c
+++ b/example/ndpi_util.c
@@ -263,7 +263,7 @@ int ndpi_workflow_node_cmp(const void *a, const void *b) {
)
)
return(0);
-
+
if(fa->src_ip < fb->src_ip ) return(-1); else { if(fa->src_ip > fb->src_ip ) return(1); }
if(fa->src_port < fb->src_port) return(-1); else { if(fa->src_port > fb->src_port) return(1); }
if(fa->dst_ip < fb->dst_ip ) return(-1); else { if(fa->dst_ip > fb->dst_ip ) return(1); }
@@ -459,11 +459,32 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
*src = newflow->src_id, *dst = newflow->dst_id;
+ if(workflow->hrs == 1){
+ /* count if no SSL protocol */
+ if((newflow->detected_protocol.app_protocol != NDPI_PROTOCOL_SSL)
+ && (newflow->detected_protocol.master_protocol != NDPI_PROTOCOL_SSL)){
+ newflow->n_pckt_human_readable_string++;
+ }
+ }
+
return newflow;
}
} else {
struct ndpi_flow_info *flow = *(struct ndpi_flow_info**)ret;
+ if(workflow->hrs == 1){
+ /* count if no SSL protocol */
+ if((flow->detected_protocol.app_protocol != NDPI_PROTOCOL_SSL)
+ && (flow->detected_protocol.master_protocol != NDPI_PROTOCOL_SSL)){
+ flow->n_pckt_human_readable_string++;
+ }
+
+ }
+ if((flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSL)
+ || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSL)){
+ flow->n_pckt_human_readable_string = 0;
+ }
+
if(is_changed) {
if(flow->src_ip == iph->saddr
&& flow->dst_ip == iph->daddr
@@ -572,7 +593,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
snprintf(flow->ssh_ssl.server_info, sizeof(flow->ssh_ssl.server_info), "%s",
flow->ndpi_flow->protos.stun_ssl.ssl.server_certificate);
snprintf(flow->ssh_ssl.server_organization, sizeof(flow->ssh_ssl.server_organization), "%s",
- flow->ndpi_flow->protos.stun_ssl.ssl.server_organization);
+ flow->ndpi_flow->protos.stun_ssl.ssl.server_organization);
snprintf(flow->ssh_ssl.ja3_client, sizeof(flow->ssh_ssl.ja3_client), "%s",
flow->ndpi_flow->protos.stun_ssl.ssl.ja3_client);
snprintf(flow->ssh_ssl.ja3_server, sizeof(flow->ssh_ssl.ja3_server), "%s",
@@ -656,11 +677,11 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
u_int enough_packets =
(((proto == IPPROTO_UDP) && ((flow->src2dst_packets + flow->dst2src_packets) > 8))
|| ((proto == IPPROTO_TCP) && ((flow->src2dst_packets + flow->dst2src_packets) > 10))) ? 1 : 0;
-
+
flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow,
iph ? (uint8_t *)iph : (uint8_t *)iph6,
ipsize, time, src, dst);
-
+
if(enough_packets || (flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN)) {
if((!enough_packets)
&& (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSL)
@@ -669,20 +690,20 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
else {
/* New protocol detected or give up */
flow->detection_completed = 1;
-
+
/* Check if we should keep checking extra packets */
if(ndpi_flow && ndpi_flow->check_extra_packets)
flow->check_extra_packets = 1;
-
+
if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN)
flow->detected_protocol = ndpi_detection_giveup(workflow->ndpi_struct, flow->ndpi_flow,
enable_protocol_guess);
-
+
process_ndpi_collected_info(workflow, flow);
}
}
}
-
+
return(flow->detected_protocol);
}
@@ -759,7 +780,7 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
#else
datalink_type = (int)pcap_datalink(workflow->pcap_handle);
#endif
-
+
datalink_check:
switch(datalink_type) {
case DLT_NULL:
diff --git a/example/ndpi_util.h b/example/ndpi_util.h
index 696679674..aed63efe3 100644
--- a/example/ndpi_util.h
+++ b/example/ndpi_util.h
@@ -128,6 +128,7 @@ typedef struct ndpi_flow_info {
u_int64_t last_seen;
u_int64_t src2dst_bytes, dst2src_bytes;
u_int32_t src2dst_packets, dst2src_packets;
+ u_int32_t n_pckt_human_readable_string;
// result only, not used for flow identification
ndpi_protocol detected_protocol;
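Review bot: The new `n_pckt_human_readable_string` field, and the `int hrs;` added to `ndpi_workflow` in the next hunk, are undocumented, and `hrs` in particular is a per-packet scratch flag that a reader of the header cannot tell apart from persistent workflow state. Suggested comments: `u_int32_t n_pckt_human_readable_string; /* packets with a human-readable string; kept at 0 for SSL flows */` and `int hrs; /* scratch: 1 if the packet currently being processed carries a human-readable string; set by the caller before ndpi_workflow_process_packet */`. The blank lines padding `int hrs;` on both sides do not match the surrounding field layout and can go; a more descriptive name such as `pkt_has_human_readable_string` would also help.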
@@ -199,6 +200,9 @@ typedef struct ndpi_workflow {
void **ndpi_flows_root;
struct ndpi_detection_module_struct *ndpi_struct;
u_int32_t num_allocated_flows;
+
+ int hrs;
+
} ndpi_workflow_t;