-rw-r--r-- | src/include/ndpi_typedefs.h | 6 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 42 | ||||
-rw-r--r-- | src/lib/protocols/ajp.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/alicloud.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 27 | ||||
-rw-r--r-- | src/lib/protocols/mongodb.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/ssh.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/stun.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/tcp_udp.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/telnet.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/websocket.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/wireguard.c | 3 |
13 files changed, 50 insertions, 48 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index a71a01332..360173d25 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1260,9 +1260,9 @@ struct ndpi_flow_struct { u_int16_t detected_protocol_stack[NDPI_PROTOCOL_SIZE]; /* init parameter, internal used to set up timestamp,... */ - u_int16_t guessed_protocol_id, guessed_host_protocol_id, guessed_category, guessed_header_category; - u_int8_t l4_proto, protocol_id_already_guessed:1, host_already_guessed:1, fail_with_unknown:1, - init_finished:1, client_packet_direction:1, packet_direction:1, is_ipv6:1, _pad1: 1; + u_int16_t guessed_protocol_id, guessed_protocol_id_by_ip, guessed_category, guessed_header_category; + u_int8_t l4_proto, protocol_id_already_guessed:1, fail_with_unknown:1, + init_finished:1, client_packet_direction:1, packet_direction:1, is_ipv6:1, _pad1: 2; u_int16_t num_dissector_calls; ndpi_confidence_t confidence; /* ndpi_confidence_t */ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 3922b0517..c44391c85 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -2270,7 +2270,7 @@ u_int8_t ndpi_is_tor_flow(struct ndpi_detection_module_struct *ndpi_str, struct if(packet->tcp != NULL) { if(packet->iph) { - if(flow->guessed_host_protocol_id == NDPI_PROTOCOL_TOR) + if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_TOR) return(1); } } @@ -5072,7 +5072,7 @@ static int ndpi_init_packet(struct ndpi_detection_module_struct *ndpi_str, */ if(packet->tcp->syn != 0 && packet->tcp->ack == 0 && flow->init_finished != 0 && flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { - u_int16_t guessed_protocol_id, guessed_host_protocol_id; + u_int16_t guessed_protocol_id, guessed_protocol_id_by_ip; u_int16_t packet_direction_counter[2]; u_int8_t num_processed_pkts; 
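Review bot: The renamed field `guessed_protocol_id_by_ip` in the ndpi_typedefs.h hunk carries no comment saying who may write it, yet the rest of this commit depends on that rule: the ssh.c, telnet.c, wireguard.c and http.c hunks all stop assigning it, which leaves `ndpi_do_guess` as the only writer visible here. I would add `/* protocol guessed from the flow's IP address only; set in ndpi_do_guess(), dissectors must not overwrite it */` above the declaration. The struct lives under src/include, so out-of-tree code that reads `guessed_host_protocol_id` or `host_already_guessed` will presumably stop compiling, which deserves a changelog line. struct ndpi_flow_struct starts and ends outside the hunk.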
@@ -5083,7 +5083,7 @@ static int ndpi_init_packet(struct ndpi_detection_module_struct *ndpi_str, flow_save(packet_direction_counter[1]); flow_save(num_processed_pkts); flow_save(guessed_protocol_id); - flow_save(guessed_host_protocol_id); + flow_save(guessed_protocol_id_by_ip); ndpi_free_flow_data(flow); memset(flow, 0, sizeof(*(flow))); @@ -5095,7 +5095,7 @@ static int ndpi_init_packet(struct ndpi_detection_module_struct *ndpi_str, flow_restore(packet_direction_counter[1]); flow_restore(num_processed_pkts); flow_restore(guessed_protocol_id); - flow_restore(guessed_host_protocol_id); + flow_restore(guessed_protocol_id_by_ip); #undef flow_save #undef flow_restore @@ -5758,13 +5758,13 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st ndpi_set_detected_protocol(ndpi_str, flow, flow->guessed_protocol_id, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL); } else if(enable_guess) { - guessed_protocol_id = flow->guessed_protocol_id, guessed_host_protocol_id = flow->guessed_host_protocol_id; + guessed_protocol_id = flow->guessed_protocol_id, guessed_host_protocol_id = flow->guessed_protocol_id_by_ip; if((guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) && ((flow->l4_proto == IPPROTO_UDP) && NDPI_ISSET(&flow->excluded_protocol_bitmask, guessed_host_protocol_id) && is_udp_guessable_protocol(guessed_host_protocol_id))) - flow->guessed_host_protocol_id = guessed_host_protocol_id = NDPI_PROTOCOL_UNKNOWN; + guessed_host_protocol_id = NDPI_PROTOCOL_UNKNOWN; /* Ignore guessed protocol if they have been discarded */ if((guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) 
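Review bot: In the `ndpi_detection_giveup` hunk at -5758 the discard branch now clears only the local `guessed_host_protocol_id`, while the hunks at -5811 and -5829 still read `flow->guessed_protocol_id_by_ip` directly. Before this change the same statement also reset the flow field, so an IP-based guess rejected through `excluded_protocol_bitmask` could not reach those later assignments; now it apparently can, and would be reported with NDPI_CONFIDENCE_MATCH_BY_IP. If the field is meant to stay untouched, the later reads should use the filtered local instead, e.g. `if(guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) {` and `flow->detected_protocol_stack[0] = guessed_host_protocol_id;`. Whether those later blocks sit inside the same `enable_guess` branch is not visible here, so the local may need a wider scope. Renaming the local to `guessed_protocol_id_by_ip` would also keep it in line with the field.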
@@ -5811,16 +5811,16 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st flow->confidence = NDPI_CONFIDENCE_MATCH_BY_PORT; } - if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) { + if(flow->guessed_protocol_id_by_ip != NDPI_PROTOCOL_UNKNOWN) { *protocol_was_guessed = 1; - flow->detected_protocol_stack[0] = flow->guessed_host_protocol_id; + flow->detected_protocol_stack[0] = flow->guessed_protocol_id_by_ip; flow->confidence = NDPI_CONFIDENCE_MATCH_BY_IP; } if((flow->detected_protocol_stack[1] == flow->detected_protocol_stack[0]) && (flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN)) { *protocol_was_guessed = 1; - flow->detected_protocol_stack[1] = flow->guessed_host_protocol_id; + flow->detected_protocol_stack[1] = flow->guessed_protocol_id_by_ip; flow->confidence = NDPI_CONFIDENCE_MATCH_BY_IP; } } @@ -5829,7 +5829,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st (flow->guessed_protocol_id == NDPI_PROTOCOL_STUN)) { check_stun_export: *protocol_was_guessed = 1; - ndpi_set_detected_protocol(ndpi_str, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_STUN, NDPI_CONFIDENCE_DPI_PARTIAL); + ndpi_set_detected_protocol(ndpi_str, flow, flow->guessed_protocol_id_by_ip, NDPI_PROTOCOL_STUN, NDPI_CONFIDENCE_DPI_PARTIAL); } ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; @@ -6174,7 +6174,7 @@ static int ndpi_do_guess(struct ndpi_detection_module_struct *ndpi_str, struct n /* guess protocol */ flow->guessed_protocol_id = (int16_t) ndpi_guess_protocol_id(ndpi_str, flow, flow->l4_proto, ntohs(flow->c_port), ntohs(flow->s_port), &user_defined_proto); - flow->guessed_host_protocol_id = ndpi_guess_host_protocol_id(ndpi_str, flow); + flow->guessed_protocol_id_by_ip = ndpi_guess_host_protocol_id(ndpi_str, flow); if(ndpi_str->custom_categories.categories_loaded && packet->iph) { if(ndpi_str->ndpi_num_custom_protocols != 0) 
@@ -6186,17 +6186,17 @@ static int ndpi_do_guess(struct ndpi_detection_module_struct *ndpi_str, struct n if(flow->guessed_protocol_id >= NDPI_MAX_SUPPORTED_PROTOCOLS) { /* This is a custom protocol and it has priority over everything else */ ret->master_protocol = NDPI_PROTOCOL_UNKNOWN, - ret->app_protocol = flow->guessed_protocol_id ? flow->guessed_protocol_id : flow->guessed_host_protocol_id; + ret->app_protocol = flow->guessed_protocol_id ? flow->guessed_protocol_id : flow->guessed_protocol_id_by_ip; flow->confidence = NDPI_CONFIDENCE_MATCH_BY_PORT; /* TODO */ ndpi_fill_protocol_category(ndpi_str, flow, ret); return(-1); } if(user_defined_proto && flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) { - if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) { + if(flow->guessed_protocol_id_by_ip != NDPI_PROTOCOL_UNKNOWN) { u_int8_t protocol_was_guessed; - /* ret->master_protocol = flow->guessed_protocol_id , ret->app_protocol = flow->guessed_host_protocol_id; /\* ****** *\/ */ + /* ret->master_protocol = flow->guessed_protocol_id , ret->app_protocol = flow->guessed_protocol_id_by_ip; /\* ****** *\/ */ *ret = ndpi_detection_giveup(ndpi_str, flow, 0, &protocol_was_guessed); } @@ -6205,11 +6205,11 @@ static int ndpi_do_guess(struct ndpi_detection_module_struct *ndpi_str, struct n } } - if(flow->guessed_host_protocol_id >= NDPI_MAX_SUPPORTED_PROTOCOLS) { + if(flow->guessed_protocol_id_by_ip >= NDPI_MAX_SUPPORTED_PROTOCOLS) { NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_packet = {0}; /* This is a custom protocol and it has priority over everything else */ - ret->master_protocol = flow->guessed_protocol_id, ret->app_protocol = flow->guessed_host_protocol_id; + ret->master_protocol = flow->guessed_protocol_id, ret->app_protocol = flow->guessed_protocol_id_by_ip; flow->num_dissector_calls += ndpi_check_flow_func(ndpi_str, flow, &ndpi_selection_packet); 
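Review bot: The fallback in `ret->app_protocol = flow->guessed_protocol_id ? flow->guessed_protocol_id : flow->guessed_protocol_id_by_ip;` (hunk at -6186) cannot be taken, because the enclosing `if` already requires `flow->guessed_protocol_id >= NDPI_MAX_SUPPORTED_PROTOCOLS`, which is presumably non-zero. The line can be reduced to `ret->app_protocol = flow->guessed_protocol_id;`, which also removes one reader of the IP-based field. ndpi_do_guess starts and ends outside the hunk.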
@@ -6339,9 +6339,9 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct #if 0 /* See https://github.com/ntop/nDPI/pull/1425 */ if((ret.master_protocol == NDPI_PROTOCOL_UNKNOWN) && (ret.app_protocol != NDPI_PROTOCOL_UNKNOWN) && - (flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN)) { + (flow->guessed_protocol_id_by_ip != NDPI_PROTOCOL_UNKNOWN)) { ret.master_protocol = ret.app_protocol; - ret.app_protocol = flow->guessed_host_protocol_id; + ret.app_protocol = flow->guessed_protocol_id_by_ip; } #endif @@ -7147,11 +7147,11 @@ static void ndpi_int_change_protocol(struct ndpi_detection_module_struct *ndpi_s lower_detected_protocol = NDPI_PROTOCOL_UNKNOWN; if((upper_detected_protocol != NDPI_PROTOCOL_UNKNOWN) && (lower_detected_protocol == NDPI_PROTOCOL_UNKNOWN)) { - if((flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) && - (upper_detected_protocol != flow->guessed_host_protocol_id)) { + if((flow->guessed_protocol_id_by_ip != NDPI_PROTOCOL_UNKNOWN) && + (upper_detected_protocol != flow->guessed_protocol_id_by_ip)) { if(ndpi_str->proto_defaults[upper_detected_protocol].subprotocol_count > 0) { lower_detected_protocol = upper_detected_protocol; - upper_detected_protocol = flow->guessed_host_protocol_id; + upper_detected_protocol = flow->guessed_protocol_id_by_ip; } } } diff --git a/src/lib/protocols/ajp.c b/src/lib/protocols/ajp.c index f2a9ec920..88782c9ec 100644 --- a/src/lib/protocols/ajp.c +++ b/src/lib/protocols/ajp.c @@ -63,7 +63,7 @@ static void set_ajp_detected(struct ndpi_detection_module_struct *ndpi_struct, /* If no custom protocol has been detected */ /* if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) */ ndpi_int_reset_protocol(flow); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AJP, flow->guessed_host_protocol_id, NDPI_CONFIDENCE_DPI); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AJP, flow->guessed_protocol_id_by_ip, NDPI_CONFIDENCE_DPI); } } 
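Review bot: `set_ajp_detected` passes `flow->guessed_protocol_id_by_ip` as the fourth argument of `ndpi_set_detected_protocol`, whereas the alicloud.c and http.c hunks in this commit pass the IP-based guess as the third argument and the dissected protocol as the fourth. The mongodb.c and websocket.c hunks use the same order as ajp.c. The order predates this commit, but now that the field is defined as an IP-only guess it is worth confirming which slot it belongs in: if the third argument is the application and the fourth the master protocol (as the `upper`/`lower` names in `ndpi_int_change_protocol` suggest), these three dissectors report the IP owner as the master of AJP, MongoDB and WebSocket. A one-line comment at each call stating the intended (app, master) pair would settle it.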
diff --git a/src/lib/protocols/alicloud.c b/src/lib/protocols/alicloud.c index b8ce58d81..add82dbe8 100644 --- a/src/lib/protocols/alicloud.c +++ b/src/lib/protocols/alicloud.c @@ -30,7 +30,7 @@ static void ndpi_int_alicloud_add_connection(struct ndpi_detection_module_struct { NDPI_LOG_INFO(ndpi_struct, "found alicloud\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_ALICLOUD, + ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_protocol_id_by_ip, NDPI_PROTOCOL_ALICLOUD, NDPI_CONFIDENCE_DPI); } diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index dd494702a..6fd70d9b6 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -335,22 +335,20 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd struct ndpi_flow_struct *flow, u_int16_t http_protocol, ndpi_protocol_category_t category) { - u_int16_t master_protocol; + u_int16_t master_protocol, app_protocol; #ifdef HTTP_DEBUG printf("=> %s()\n", __FUNCTION__); #endif - if(flow->extra_packets_func && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN)) - return; /* Nothing new to add */ - + app_protocol = flow->guessed_protocol_id_by_ip; /* If no custom protocol has been detected */ - if((flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) + if((app_protocol == NDPI_PROTOCOL_UNKNOWN) || ((http_protocol != NDPI_PROTOCOL_HTTP) && (http_protocol != NDPI_PROTOCOL_HTTP_CONNECT) && (http_protocol != NDPI_PROTOCOL_HTTP_PROXY)) ) - flow->guessed_host_protocol_id = http_protocol; + app_protocol = http_protocol; // ndpi_int_reset_protocol(flow); master_protocol = NDPI_PROTOCOL_HTTP; 
@@ -365,7 +363,7 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd sub-protocol via the (content-matched) subprotocols logic (i.e. MPEGDASH, SOAP, ....) */ if(flow->detected_protocol_stack[1] == 0) - ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, + ndpi_set_detected_protocol(ndpi_struct, flow, app_protocol, master_protocol, NDPI_CONFIDENCE_DPI); 
@@ -408,27 +406,36 @@ static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct, static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + u_int16_t master_protocol; + if((flow->l4.tcp.http_stage == 0) || (flow->http.url && flow->http_detected)) { char *double_col = strchr((char*)flow->host_server_name, ':'); if(double_col) double_col[0] = '\0'; + master_protocol = NDPI_PROTOCOL_HTTP; + if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) + master_protocol = flow->detected_protocol_stack[1]; + else if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP_CONNECT || + flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP_PROXY) + master_protocol = flow->detected_protocol_stack[0]; + if(ndpi_match_hostname_protocol(ndpi_struct, flow, - flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN ? flow->detected_protocol_stack[1] : NDPI_PROTOCOL_HTTP, + master_protocol, flow->host_server_name, strlen(flow->host_server_name)) == 0) { if(flow->http.url && ((strstr(flow->http.url, ":8080/downloading?n=0.") != NULL) || (strstr(flow->http.url, ":8080/upload?n=0.") != NULL))) { /* This looks like Ookla speedtest */ - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, master_protocol, NDPI_CONFIDENCE_DPI); } } if (flow->http.url != NULL && strstr(flow->http.url, "micloud.xiaomi.net") != NULL) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_XIAOMI, NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_XIAOMI, master_protocol, NDPI_CONFIDENCE_DPI); } } } diff --git a/src/lib/protocols/mongodb.c b/src/lib/protocols/mongodb.c index 1f1619141..1ed4fdcb1 100644 --- a/src/lib/protocols/mongodb.c +++ b/src/lib/protocols/mongodb.c 
@@ -58,7 +58,7 @@ static void set_mongodb_detected(struct ndpi_detection_module_struct *ndpi_struc /* If no custom protocol has been detected */ /* if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) */ ndpi_int_reset_protocol(flow); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MONGODB, flow->guessed_host_protocol_id, NDPI_CONFIDENCE_DPI); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MONGODB, flow->guessed_protocol_id_by_ip, NDPI_CONFIDENCE_DPI); } } diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index 36e950ce1..935ec3cc7 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c @@ -209,8 +209,6 @@ static void ndpi_int_ssh_add_connection(struct ndpi_detection_module_struct if(flow->extra_packets_func != NULL) return; - flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_SSH; - flow->max_extra_packets_to_check = 12; flow->extra_packets_func = search_ssh_again; @@ -445,7 +443,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct #endif NDPI_LOG_DBG2(ndpi_struct, "ssh stage 1 passed\n"); - flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_SSH; + flow->guessed_protocol_id = NDPI_PROTOCOL_SSH; #ifdef SSH_DEBUG printf("[SSH] [completed stage: %u]\n", flow->l4.tcp.ssh_stage); diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index beec5a508..070939b87 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -424,7 +424,7 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n NDPI_LOG_DBG(ndpi_struct, "search stun\n"); - app_proto = flow->guessed_host_protocol_id; + app_proto = flow->guessed_protocol_id_by_ip; if(packet->tcp) { /* STUN may be encapsulated in TCP packets */ diff --git a/src/lib/protocols/tcp_udp.c b/src/lib/protocols/tcp_udp.c index 03965d1c2..dd25292f5 100644 --- a/src/lib/protocols/tcp_udp.c +++ b/src/lib/protocols/tcp_udp.c 
@@ -40,7 +40,7 @@ u_int ndpi_search_tcp_or_udp_raw(struct ndpi_detection_module_struct *ndpi_struc } if(flow) - return(flow->guessed_host_protocol_id); + return(flow->guessed_protocol_id_by_ip); else { host.s_addr = htonl(saddr); if((rc = ndpi_network_ptree_match(ndpi_struct, &host)) != NDPI_PROTOCOL_UNKNOWN) diff --git a/src/lib/protocols/telnet.c b/src/lib/protocols/telnet.c index ed0808596..5bec572e6 100644 --- a/src/lib/protocols/telnet.c +++ b/src/lib/protocols/telnet.c @@ -130,8 +130,6 @@ static int search_telnet_again(struct ndpi_detection_module_struct *ndpi_struct, static void ndpi_int_telnet_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_TELNET; - flow->max_extra_packets_to_check = 64; flow->extra_packets_func = search_telnet_again; diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index fe36555ed..4397bf705 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -2491,7 +2491,7 @@ static void ndpi_search_tls_wrapper(struct ndpi_detection_module_struct *ndpi_st #ifdef DEBUG_TLS printf("==>> %s() %u [len: %u][version: %u]\n", __FUNCTION__, - flow->guessed_host_protocol_id, + flow->guessed_protocol_id_by_ip, packet->payload_packet_len, flow->protos.tls_quic.ssl_version); #endif diff --git a/src/lib/protocols/websocket.c b/src/lib/protocols/websocket.c index e009e7916..1438825b5 100644 --- a/src/lib/protocols/websocket.c +++ b/src/lib/protocols/websocket.c @@ -53,7 +53,7 @@ static void set_websocket_detected(struct ndpi_detection_module_struct *ndpi_str ndpi_search_tcp_or_udp(ndpi_struct, flow); ndpi_int_reset_protocol(flow); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBSOCKET, flow->guessed_host_protocol_id, NDPI_CONFIDENCE_DPI); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBSOCKET, flow->guessed_protocol_id_by_ip, NDPI_CONFIDENCE_DPI); } } 
diff --git a/src/lib/protocols/wireguard.c b/src/lib/protocols/wireguard.c index a2e2291bc..8a0d15e00 100644 --- a/src/lib/protocols/wireguard.c +++ b/src/lib/protocols/wireguard.c @@ -140,8 +140,7 @@ void ndpi_search_wireguard(struct ndpi_detection_module_struct u_int32_t receiver_index = get_u_int32_t(payload, 4); /* We speculate this is wireguard, so let's remember it */ - if(flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) - flow->guessed_host_protocol_id = NDPI_PROTOCOL_WIREGUARD; + flow->guessed_protocol_id = NDPI_PROTOCOL_WIREGUARD; if (flow->l4.udp.wireguard_stage == 0) { flow->l4.udp.wireguard_stage = 3 + packet->packet_direction; |
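Review bot: The wireguard.c hunk drops the guard together with the rename, so `flow->guessed_protocol_id = NDPI_PROTOCOL_WIREGUARD;` now runs unconditionally on what the comment itself calls speculation. That overwrites any port-based guess, including a custom protocol id (`>= NDPI_MAX_SUPPORTED_PROTOCOLS`) that `ndpi_do_guess` treats as having priority, and `ndpi_detection_giveup` later reports `flow->guessed_protocol_id` with NDPI_CONFIDENCE_DPI_PARTIAL. Because the payload is untrusted input, keeping the condition on the new target seems safer: `if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) flow->guessed_protocol_id = NDPI_PROTOCOL_WIREGUARD;`. ndpi_search_wireguard starts and ends outside the hunk.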