-rw-r--r--example/ndpiReader.c43
-rw-r--r--src/include/ndpi_api.h18
-rw-r--r--src/lib/ndpi_main.c26
-rw-r--r--tests/result/EAQ.pcap.out4
-rw-r--r--tests/result/KakaoTalk_chat.pcap.out4
-rw-r--r--tests/result/Torcedor.pcap.out6
-rw-r--r--tests/result/mpeg.pcap.out2
-rw-r--r--tests/result/quickplay.pcap.out30
8 files changed, 81 insertions, 52 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index e0a46829d..80c6a7ac1 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -176,7 +176,7 @@ typedef struct ndpi_flow {
u_int32_t packets;
// result only, not used for flow identification
- u_int32_t detected_protocol;
+ u_int16_t detected_protocol, detected_masterprotocol;
char host_server_name[256];
@@ -489,9 +489,17 @@ static void printFlow(u_int16_t thread_id, struct ndpi_flow *flow) {
if(flow->vlan_id > 0) fprintf(out, "[VLAN: %u]", flow->vlan_id);
- fprintf(out, "[proto: %u/%s][%u pkts/%llu bytes]",
- flow->detected_protocol,
- ndpi_get_proto_name(ndpi_thread_info[thread_id].ndpi_struct, flow->detected_protocol),
+ if(flow->detected_masterprotocol)
+ fprintf(out, "[proto: %u.%u/%s.%s]",
+ flow->detected_masterprotocol, flow->detected_protocol,
+ ndpi_get_proto_name(ndpi_thread_info[thread_id].ndpi_struct, flow->detected_masterprotocol),
+ ndpi_get_proto_name(ndpi_thread_info[thread_id].ndpi_struct, flow->detected_protocol));
+ else
+ fprintf(out, "[proto: %u/%s]",
+ flow->detected_protocol,
+ ndpi_get_proto_name(ndpi_thread_info[thread_id].ndpi_struct, flow->detected_protocol));
+
+ fprintf(out, "[%u pkts/%llu bytes]",
flow->packets, (long long unsigned int)flow->bytes);
if(flow->host_server_name[0] != '\0') fprintf(out, "[Host: %s]", flow->host_server_name);
@@ -509,8 +517,23 @@ static void printFlow(u_int16_t thread_id, struct ndpi_flow *flow) {
json_object_object_add(jObj,"host_a.port",json_object_new_int(ntohs(flow->lower_port)));
json_object_object_add(jObj,"host_b.name",json_object_new_string(flow->upper_name));
json_object_object_add(jObj,"host_n.port",json_object_new_int(ntohs(flow->upper_port)));
+
+ if(flow->detected_masterprotocol)
+ json_object_object_add(jObj,"detected.masterprotocol",json_object_new_int(flow->detected_masterprotocol));
+
json_object_object_add(jObj,"detected.protocol",json_object_new_int(flow->detected_protocol));
- json_object_object_add(jObj,"detected.protocol.name",json_object_new_string(ndpi_get_proto_name(ndpi_thread_info[thread_id].ndpi_struct, flow->detected_protocol)));
+
+ if(flow->detected_masterprotocol) {
+ char tmp[256];
+
+ snprintf(tmp, sizeof(tmp), "%s.%s",
+ ndpi_get_proto_name(ndpi_thread_info[thread_id].ndpi_struct, flow->detected_masterprotocol),
+ ndpi_get_proto_name(ndpi_thread_info[thread_id].ndpi_struct, flow->detected_protocol));
+
+ json_object_object_add(jObj,"detected.protocol.name",json_object_new_string(tmp));
+ } else
+ json_object_object_add(jObj,"detected.protocol.name",json_object_new_string(ndpi_get_proto_name(ndpi_thread_info[thread_id].ndpi_struct, flow->detected_protocol)));
+
json_object_object_add(jObj,"packets",json_object_new_int(flow->packets));
json_object_object_add(jObj,"bytes",json_object_new_int(flow->bytes));
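Review bot: The value of `"detected.protocol.name"` changes shape in the new `if(flow->detected_masterprotocol)` branch, from a single name to a dotted `master.sub` string. Any consumer of the JSON output that matches on the exact name would stop matching without an error. Leaving that key as the sub-protocol name and emitting the master name under its own key next to the numeric `"detected.masterprotocol"` would keep existing parsers working. The `snprintf` into `tmp[256]` also truncates silently because its return value is ignored; protocol names are presumably short, but a check such as `if(n < 0 || (size_t)n >= sizeof(tmp))` would make that explicit. printFlow starts and ends outside this hunk.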
@@ -581,8 +604,7 @@ static void node_print_known_proto_walker(const void *node, ndpi_VISIT which, in
/* ***************************************************** */
-static unsigned int node_guess_undetected_protocol(u_int16_t thread_id,
- struct ndpi_flow *flow) {
+static u_int16_t node_guess_undetected_protocol(u_int16_t thread_id, struct ndpi_flow *flow) {
flow->detected_protocol = ndpi_guess_undetected_protocol(ndpi_thread_info[thread_id].ndpi_struct,
flow->protocol,
ntohl(flow->lower_ip),
@@ -968,9 +990,10 @@ static unsigned int packet_processing(u_int16_t thread_id,
protocol = (const u_int32_t)ndpi_detection_process_packet(ndpi_thread_info[thread_id].ndpi_struct, ndpi_flow,
iph ? (uint8_t *)iph : (uint8_t *)iph6,
ipsize, time, src, dst);
-
- flow->detected_protocol = protocol;
-
+
+ if(protocol != NDPI_PROTOCOL_UNKNOWN)
+ flow->detected_protocol = protocol, flow->detected_masterprotocol = ndpi_get_flow_masterprotocol(ndpi_thread_info[thread_id].ndpi_struct, ndpi_flow);
+
if((flow->detected_protocol != NDPI_PROTOCOL_UNKNOWN)
|| ((proto == IPPROTO_UDP) && (flow->packets > 8))
|| ((proto == IPPROTO_TCP) && (flow->packets > 10))) {
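Review bot: The new `if(protocol != NDPI_PROTOCOL_UNKNOWN)` guards two assignments joined by a comma operator with no braces, so splitting the line into two statements later would silently move the second assignment outside the condition. Write it as a braced block with two statements: `if(protocol != NDPI_PROTOCOL_UNKNOWN) { flow->detected_protocol = protocol; flow->detected_masterprotocol = ndpi_get_flow_masterprotocol(ndpi_thread_info[thread_id].ndpi_struct, ndpi_flow); }`. The same comma-joined form appears in the `ndpi_automa_match_string_subprotocol` hunk in src/lib/ndpi_main.c. The `(const u_int32_t)` cast on the call above is now stale, since both the function and the destination field are `u_int16_t`. packet_processing starts and ends outside this hunk.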
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
index 78c3e604d..5ec188be5 100644
--- a/src/include/ndpi_api.h
+++ b/src/include/ndpi_api.h
@@ -123,14 +123,16 @@ extern "C" {
* @param dst void pointer to the destination subscriber state machine
* @return returns the detected ID of the protocol
*/
- unsigned int
- ndpi_detection_process_packet(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow,
- const unsigned char *packet,
- const unsigned short packetlen,
- const u_int64_t current_tick,
- struct ndpi_id_struct *src,
- struct ndpi_id_struct *dst);
+ u_int16_t ndpi_detection_process_packet(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow,
+ const unsigned char *packet,
+ const unsigned short packetlen,
+ const u_int64_t current_tick,
+ struct ndpi_id_struct *src,
+ struct ndpi_id_struct *dst);
+
+ u_int16_t ndpi_get_flow_masterprotocol(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow);
#define NDPI_DETECTION_ONLY_IPV4 ( 1 << 0 )
#define NDPI_DETECTION_ONLY_IPV6 ( 1 << 1 )
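Review bot: The new `ndpi_get_flow_masterprotocol` prototype has no documentation, while `ndpi_detection_process_packet` directly above it carries a Doxygen block. Add a matching `/** ... */` comment that describes both parameters, says the return value is the master (lower-layer) protocol ID of the flow, and states what is returned when no master protocol is set. The caller in example/ndpiReader.c treats 0 as "none", so that contract should be written down here. Narrowing the public return type of `ndpi_detection_process_packet` from `unsigned int` to `u_int16_t` is an API change that external callers will want called out in the header or changelog.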
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index c02cd56b9..11145512d 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4264,13 +4264,13 @@ void check_ndpi_flow_func(struct ndpi_detection_module_struct *ndpi_struct,
check_ndpi_other_flow_func(ndpi_struct, flow, ndpi_selection_packet);
}
-unsigned int ndpi_detection_process_packet(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow,
- const unsigned char *packet,
- const unsigned short packetlen,
- const u_int64_t current_tick_l,
- struct ndpi_id_struct *src,
- struct ndpi_id_struct *dst)
+u_int16_t ndpi_detection_process_packet(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow,
+ const unsigned char *packet,
+ const unsigned short packetlen,
+ const u_int64_t current_tick_l,
+ struct ndpi_id_struct *src,
+ struct ndpi_id_struct *dst)
{
NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_packet;
u_int32_t a;
@@ -4904,6 +4904,11 @@ void ndpi_set_detected_protocol(struct ndpi_detection_module_struct *ndpi_struct
}
}
+u_int16_t ndpi_get_flow_masterprotocol(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
+ return(flow->detected_protocol_stack[1]);
+}
+
void ndpi_int_change_flow_protocol(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
u_int16_t upper_detected_protocol,
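Review bot: `ndpi_get_flow_masterprotocol` dereferences `flow` with no NULL check, and it is a new public entry point, so a caller passing a flow that failed allocation would crash inside the library. A guard such as `if(flow == NULL) return(NDPI_PROTOCOL_UNKNOWN);` before the return would make it safe to call unconditionally. The hard-coded index `[1]` assumes `detected_protocol_stack` has at least two slots; the array's declared size is not visible in this diff, so that should be confirmed for every build configuration. `ndpi_struct` is unused, so a short comment saying it is kept for API symmetry would avoid an unused-parameter warning being "fixed" later.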
@@ -5313,11 +5318,10 @@ static int ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_str
if(matching_protocol_id != NDPI_PROTOCOL_UNKNOWN) {
/* Move the protocol on slot 0 down one position */
packet->detected_protocol_stack[1] = packet->detected_protocol_stack[0];
-
packet->detected_protocol_stack[0] = matching_protocol_id;
-
- if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)
- flow->detected_protocol_stack[0] = packet->detected_protocol_stack[0];
+
+ flow->detected_protocol_stack[0] = packet->detected_protocol_stack[0],
+ flow->detected_protocol_stack[1] = packet->detected_protocol_stack[1];
return(packet->detected_protocol_stack[0]);
}
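Review bot: The flow's protocol stack is now overwritten unconditionally, because the removed `if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)` guard has no replacement. If this function can match more than once for the same packet or flow (not visible from this hunk), the second match pushes the previous sub-protocol into slot 1 and the master reported to callers is no longer the transport-level protocol. A match equal to the current slot 0 would likewise yield the same ID in both slots. Consider skipping the shift when `packet->detected_protocol_stack[0] == matching_protocol_id`, and write the two flow assignments as separate statements ending in `;` rather than joined by a comma. The function starts and ends outside this hunk.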
diff --git a/tests/result/EAQ.pcap.out b/tests/result/EAQ.pcap.out
index 926bc0bb3..b3afccfc0 100644
--- a/tests/result/EAQ.pcap.out
+++ b/tests/result/EAQ.pcap.out
@@ -1,10 +1,10 @@
Google 23 11743 2
EAQ 174 10092 29
- 1 TCP 10.8.0.1:40467 <-> 173.194.119.24:80 [proto: 126/Google][14 pkts/10589 bytes][Host: www.google.com.br]
+ 1 TCP 10.8.0.1:40467 <-> 173.194.119.24:80 [proto: 7.126/HTTP.Google][14 pkts/10589 bytes][Host: www.google.com.br]
2 UDP 10.8.0.1:34687 <-> 200.194.141.68:6000 [proto: 190/EAQ][5 pkts/290 bytes]
3 UDP 10.8.0.1:36577 <-> 200.194.149.68:6000 [proto: 190/EAQ][4 pkts/232 bytes]
- 4 TCP 10.8.0.1:53497 <-> 173.194.119.48:80 [proto: 126/Google][9 pkts/1154 bytes][Host: www.google.com]
+ 4 TCP 10.8.0.1:53497 <-> 173.194.119.48:80 [proto: 7.126/HTTP.Google][9 pkts/1154 bytes][Host: www.google.com]
5 UDP 10.8.0.1:37985 <-> 200.194.129.67:6000 [proto: 190/EAQ][5 pkts/290 bytes]
6 UDP 10.8.0.1:39221 <-> 200.194.137.67:6000 [proto: 190/EAQ][5 pkts/290 bytes]
7 UDP 10.8.0.1:39185 <-> 200.194.132.67:6000 [proto: 190/EAQ][10 pkts/580 bytes]
diff --git a/tests/result/KakaoTalk_chat.pcap.out b/tests/result/KakaoTalk_chat.pcap.out
index c3f1c87f6..75fff57b2 100644
--- a/tests/result/KakaoTalk_chat.pcap.out
+++ b/tests/result/KakaoTalk_chat.pcap.out
@@ -20,8 +20,8 @@ KakaoTalk 55 9990 15
10 UDP 10.188.1.1:53 <-> 10.24.82.188:25117 [proto: 193/KakaoTalk][2 pkts/208 bytes][Host: up-gp.talk.kakao.com]
11 UDP 10.188.1.1:53 <-> 10.24.82.188:29029 [proto: 193/KakaoTalk][2 pkts/205 bytes][Host: up-a.talk.kakao.com]
12 UDP 10.188.1.1:53 <-> 10.24.82.188:35603 [proto: 193/KakaoTalk][2 pkts/215 bytes][Host: ac-talk.kakao.com]
- 13 TCP 31.13.68.84:80 <-> 10.24.82.188:37553 [proto: 119/Facebook][10 pkts/1058 bytes][Host: www.facebook.com]
- 14 TCP 31.13.68.84:80 <-> 10.24.82.188:37557 [proto: 119/Facebook][11 pkts/1114 bytes][Host: www.facebook.com]
+ 13 TCP 31.13.68.84:80 <-> 10.24.82.188:37553 [proto: 7.119/HTTP.Facebook][10 pkts/1058 bytes][Host: www.facebook.com]
+ 14 TCP 31.13.68.84:80 <-> 10.24.82.188:37557 [proto: 7.119/HTTP.Facebook][11 pkts/1114 bytes][Host: www.facebook.com]
15 UDP 10.188.1.1:53 <-> 10.24.82.188:41909 [proto: 193/KakaoTalk][2 pkts/214 bytes][Host: booking.loco.kakao.com]
16 UDP 10.188.1.1:53 <-> 10.24.82.188:43077 [proto: 193/KakaoTalk][2 pkts/178 bytes][Host: dn-l.talk.kakao.com]
17 UDP 10.188.1.1:53 <-> 10.24.82.188:61011 [proto: 193/KakaoTalk][2 pkts/200 bytes][Host: plus-talk.kakao.com]
diff --git a/tests/result/Torcedor.pcap.out b/tests/result/Torcedor.pcap.out
index 0c5ec9e16..17528c48c 100644
--- a/tests/result/Torcedor.pcap.out
+++ b/tests/result/Torcedor.pcap.out
@@ -2,9 +2,9 @@ HTTP 4 216 1
SSL 26 1558 2
Torcedor 55 67338 3
- 1 TCP 10.8.0.1:55944 <-> 52.25.136.177:80 [proto: 192/Torcedor][7 pkts/1118 bytes][Host: usuario.timtorcedor.com.br]
+ 1 TCP 10.8.0.1:55944 <-> 52.25.136.177:80 [proto: 7.192/HTTP.Torcedor][7 pkts/1118 bytes][Host: usuario.timtorcedor.com.br]
2 TCP 10.8.0.1:53114 <-> 31.13.85.8:443 [proto: 91/SSL][4 pkts/216 bytes]
- 3 TCP 10.8.0.1:56117 <-> 52.25.136.177:80 [proto: 192/Torcedor][23 pkts/33056 bytes][Host: usuario.timtorcedor.com.br]
+ 3 TCP 10.8.0.1:56117 <-> 52.25.136.177:80 [proto: 7.192/HTTP.Torcedor][23 pkts/33056 bytes][Host: usuario.timtorcedor.com.br]
4 TCP 10.8.0.1:40016 <-> 158.85.58.105:443 [proto: 91/SSL][22 pkts/1342 bytes]
5 TCP 10.8.0.1:33415 <-> 187.109.32.201:80 [proto: 7/HTTP][4 pkts/216 bytes]
- 6 TCP 10.8.0.1:39422 <-> 54.149.207.220:80 [proto: 192/Torcedor][25 pkts/33164 bytes][Host: usuario.timtorcedor.com.br]
+ 6 TCP 10.8.0.1:39422 <-> 54.149.207.220:80 [proto: 7.192/HTTP.Torcedor][25 pkts/33164 bytes][Host: usuario.timtorcedor.com.br]
diff --git a/tests/result/mpeg.pcap.out b/tests/result/mpeg.pcap.out
index f286efacd..f6f36acbf 100644
--- a/tests/result/mpeg.pcap.out
+++ b/tests/result/mpeg.pcap.out
@@ -1,3 +1,3 @@
MPEG 19 10643 1
- 1 TCP 46.101.157.119:80 <-> 192.168.80.160:55804 [proto: 42/MPEG][19 pkts/10643 bytes][Host: luca.ntop.org]
+ 1 TCP 46.101.157.119:80 <-> 192.168.80.160:55804 [proto: 7.42/HTTP.MPEG][19 pkts/10643 bytes][Host: luca.ntop.org]
diff --git a/tests/result/quickplay.pcap.out b/tests/result/quickplay.pcap.out
index cba0bd016..535a917e1 100644
--- a/tests/result/quickplay.pcap.out
+++ b/tests/result/quickplay.pcap.out
@@ -4,24 +4,24 @@ Google 2 378 1
HTTP_Proxy 12 4781 5
QuickPlay 133 96179 11
- 1 TCP 120.28.26.231:80 <-> 10.54.169.250:33277 [proto: 126/Google][2 pkts/378 bytes][Host: clients3.google.com]
- 2 TCP 120.28.35.41:80 <-> 10.54.169.250:50669 [proto: 196/QuickPlay][4 pkts/3680 bytes][Host: api-singtelhawk.quickplay.com]
- 3 TCP 120.28.35.40:80 <-> 10.54.169.250:52007 [proto: 196/QuickPlay][4 pkts/2735 bytes][Host: vod-singtelhawk.quickplay.com]
- 4 TCP 120.28.35.40:80 <-> 10.54.169.250:52009 [proto: 196/QuickPlay][65 pkts/45902 bytes][Host: vod-singtelhawk.quickplay.com]
- 5 TCP 120.28.35.40:80 <-> 10.54.169.250:52017 [proto: 196/QuickPlay][8 pkts/6032 bytes][Host: vod-singtelhawk.quickplay.com]
- 6 TCP 120.28.35.40:80 <-> 10.54.169.250:52019 [proto: 196/QuickPlay][25 pkts/19606 bytes][Host: vod-singtelhawk.quickplay.com]
- 7 TCP 120.28.35.40:80 <-> 10.54.169.250:52021 [proto: 196/QuickPlay][4 pkts/2754 bytes][Host: vod-singtelhawk.quickplay.com]
+ 1 TCP 120.28.26.231:80 <-> 10.54.169.250:33277 [proto: 7.126/HTTP.Google][2 pkts/378 bytes][Host: clients3.google.com]
+ 2 TCP 120.28.35.41:80 <-> 10.54.169.250:50669 [proto: 7.196/HTTP.QuickPlay][4 pkts/3680 bytes][Host: api-singtelhawk.quickplay.com]
+ 3 TCP 120.28.35.40:80 <-> 10.54.169.250:52007 [proto: 7.196/HTTP.QuickPlay][4 pkts/2735 bytes][Host: vod-singtelhawk.quickplay.com]
+ 4 TCP 120.28.35.40:80 <-> 10.54.169.250:52009 [proto: 7.196/HTTP.QuickPlay][65 pkts/45902 bytes][Host: vod-singtelhawk.quickplay.com]
+ 5 TCP 120.28.35.40:80 <-> 10.54.169.250:52017 [proto: 7.196/HTTP.QuickPlay][8 pkts/6032 bytes][Host: vod-singtelhawk.quickplay.com]
+ 6 TCP 120.28.35.40:80 <-> 10.54.169.250:52019 [proto: 7.196/HTTP.QuickPlay][25 pkts/19606 bytes][Host: vod-singtelhawk.quickplay.com]
+ 7 TCP 120.28.35.40:80 <-> 10.54.169.250:52021 [proto: 7.196/HTTP.QuickPlay][4 pkts/2754 bytes][Host: vod-singtelhawk.quickplay.com]
8 TCP 203.205.147.215:80 <-> 10.54.169.250:35670 [proto: 131/HTTP_Proxy][2 pkts/943 bytes][Host: hkminorshort.weixin.qq.com]
9 TCP 203.205.129.101:80 <-> 10.54.169.250:42762 [proto: 131/HTTP_Proxy][2 pkts/877 bytes][Host: hkextshort.weixin.qq.com]
- 10 TCP 173.252.74.22:80 <-> 10.54.169.250:52285 [proto: 119/Facebook][2 pkts/582 bytes][Host: www.facebook.com]
- 11 TCP 31.13.68.49:80 <-> 10.54.169.250:44793 [proto: 119/Facebook][2 pkts/576 bytes][Host: www.facebook.com]
- 12 TCP 120.28.5.18:80 <-> 10.54.169.250:33064 [proto: 196/QuickPlay][2 pkts/467 bytes][Host: api-singtelhawk.quickplay.com]
+ 10 TCP 173.252.74.22:80 <-> 10.54.169.250:52285 [proto: 7.119/HTTP.Facebook][2 pkts/582 bytes][Host: www.facebook.com]
+ 11 TCP 31.13.68.49:80 <-> 10.54.169.250:44793 [proto: 7.119/HTTP.Facebook][2 pkts/576 bytes][Host: www.facebook.com]
+ 12 TCP 120.28.5.18:80 <-> 10.54.169.250:33064 [proto: 7.196/HTTP.QuickPlay][2 pkts/467 bytes][Host: api-singtelhawk.quickplay.com]
13 TCP 54.179.140.65:80 <-> 10.54.169.250:56381 [proto: 7/HTTP][2 pkts/1469 bytes][Host: api.account.xiaomi.com]
- 14 TCP 120.28.5.41:80 <-> 10.54.169.250:44256 [proto: 196/QuickPlay][3 pkts/2311 bytes][Host: play-singtelhawk.quickplay.com]
- 15 TCP 120.28.35.41:80 <-> 10.54.169.250:50668 [proto: 196/QuickPlay][4 pkts/3360 bytes][Host: api-singtelhawk.quickplay.com]
- 16 TCP 120.28.35.40:80 <-> 10.54.169.250:52018 [proto: 196/QuickPlay][7 pkts/5048 bytes][Host: vod-singtelhawk.quickplay.com]
- 17 TCP 120.28.35.40:80 <-> 10.54.169.250:52022 [proto: 196/QuickPlay][7 pkts/4284 bytes][Host: vod-singtelhawk.quickplay.com]
+ 14 TCP 120.28.5.41:80 <-> 10.54.169.250:44256 [proto: 7.196/HTTP.QuickPlay][3 pkts/2311 bytes][Host: play-singtelhawk.quickplay.com]
+ 15 TCP 120.28.35.41:80 <-> 10.54.169.250:50668 [proto: 7.196/HTTP.QuickPlay][4 pkts/3360 bytes][Host: api-singtelhawk.quickplay.com]
+ 16 TCP 120.28.35.40:80 <-> 10.54.169.250:52018 [proto: 7.196/HTTP.QuickPlay][7 pkts/5048 bytes][Host: vod-singtelhawk.quickplay.com]
+ 17 TCP 120.28.35.40:80 <-> 10.54.169.250:52022 [proto: 7.196/HTTP.QuickPlay][7 pkts/4284 bytes][Host: vod-singtelhawk.quickplay.com]
18 TCP 203.205.129.101:80 <-> 10.54.169.250:42761 [proto: 131/HTTP_Proxy][2 pkts/641 bytes][Host: hkextshort.weixin.qq.com]
- 19 TCP 173.252.74.22:80 <-> 10.54.169.250:52288 [proto: 119/Facebook][2 pkts/582 bytes][Host: www.facebook.com]
+ 19 TCP 173.252.74.22:80 <-> 10.54.169.250:52288 [proto: 7.119/HTTP.Facebook][2 pkts/582 bytes][Host: www.facebook.com]
20 TCP 203.205.151.160:80 <-> 10.54.169.250:54883 [proto: 131/HTTP_Proxy][3 pkts/1337 bytes][Host: hkextshort.weixin.qq.com]
21 TCP 203.205.151.160:80 <-> 10.54.169.250:54885 [proto: 131/HTTP_Proxy][3 pkts/983 bytes][Host: hkextshort.weixin.qq.com]