Diffstat (limited to 'example/reader_util.c')
-rw-r--r-- | example/reader_util.c | 34 |
1 files changed, 26 insertions, 8 deletions
diff --git a/example/reader_util.c b/example/reader_util.c
index 82251e85d..2fdf14b35 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1,7 +1,7 @@ /* - * ndpi_util.c + * reader_util.c * - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -669,6 +669,8 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow l3 = (const u_int8_t*)iph6; } + *proto = iph->protocol; + if(l4_packet_len < 64) workflow->stats.packet_len[0]++; else if(l4_packet_len >= 64 && l4_packet_len < 128)
@@ -685,10 +687,9 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow if(l4_packet_len > workflow->stats.max_packet_len) workflow->stats.max_packet_len = l4_packet_len; - *proto = iph->protocol; l4 = ((const u_int8_t *) l3 + l4_offset); - if(iph->protocol == IPPROTO_TCP && l4_packet_len >= 20) { + if(*proto == IPPROTO_TCP && l4_packet_len >= sizeof(struct ndpi_tcphdr)) { u_int tcp_len; // tcp
@@ -699,7 +700,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow *payload = (u_int8_t*)&l4[tcp_len]; *payload_len = ndpi_max(0, l4_packet_len-4*(*tcph)->doff); l4_data_len = l4_packet_len - sizeof(struct ndpi_tcphdr); - } else if(iph->protocol == IPPROTO_UDP && l4_packet_len >= 8) { + } else if(*proto == IPPROTO_UDP && l4_packet_len >= sizeof(struct ndpi_udphdr)) { // udp workflow->stats.udp_count++; 
@@ -708,6 +709,14 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow *payload = (u_int8_t*)&l4[sizeof(struct ndpi_udphdr)]; *payload_len = (l4_packet_len > sizeof(struct ndpi_udphdr)) ? l4_packet_len-sizeof(struct ndpi_udphdr) : 0; l4_data_len = l4_packet_len - sizeof(struct ndpi_udphdr); + } else if(*proto == IPPROTO_ICMP) { + *payload = (u_int8_t*)&l4[sizeof(struct ndpi_icmphdr )]; + *payload_len = (l4_packet_len > sizeof(struct ndpi_icmphdr)) ? l4_packet_len-sizeof(struct ndpi_icmphdr) : 0; + l4_data_len = l4_packet_len - sizeof(struct ndpi_icmphdr); + } else if (*proto == IPPROTO_ICMPV6) { + *payload = (u_int8_t*)&l4[sizeof(struct ndpi_icmp6hdr)]; + *payload_len = (l4_packet_len > sizeof(struct ndpi_icmp6hdr)) ? l4_packet_len-sizeof(struct ndpi_icmp6hdr) : 0; + l4_data_len = l4_packet_len - sizeof(struct ndpi_icmp6hdr); } else { // non tcp/udp protocols *sport = *dport = 0;
@@ -718,7 +727,12 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow flow.src_ip = iph->saddr, flow.dst_ip = iph->daddr; flow.src_port = htons(*sport), flow.dst_port = htons(*dport); flow.hashval = hashval = flow.protocol + flow.vlan_id + flow.src_ip + flow.dst_ip + flow.src_port + flow.dst_port; - /* printf("hashval=%u [%u][%u][%u:%u][%u:%u]\n", hashval, flow.protocol, flow.vlan_id, flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port); */ + +#if 0 + printf("hashval=%u [%u][%u][%u:%u][%u:%u]\n", hashval, flow.protocol, flow.vlan_id, + flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port); +#endif + idx = hashval % workflow->prefs.num_roots; ret = ndpi_tfind(&flow, &workflow->ndpi_flows_root[idx], ndpi_workflow_node_cmp);
@@ -1031,6 +1045,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, u_int16_t sport, dport, payload_len; u_int8_t *payload; u_int8_t src_to_dst_direction = 1; + u_int8_t begin_or_end_tcp = 0; struct ndpi_proto nproto = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN }; if(iph) 
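Review bot: The new ICMP and ICMPv6 branches in the -708 hunk never assign `*sport` and `*dport`, which the final `else` they used to fall into did with `*sport = *dport = 0;`; adding that line to both branches restores the old behaviour. The flow key built in the -718 hunk reads them through `htons(*sport)` and `htons(*dport)`, and the `packet_processing` context in the -1031 hunk declares `u_int16_t sport, dport` without an initialiser, so ICMP flows would be hashed on indeterminate port values if those locals are the ones passed in (the call is not visible here). Unlike the TCP and UDP branches, the two new branches also have no length guard, so for a truncated packet `*payload` points past the L4 data and `l4_packet_len - sizeof(struct ndpi_icmphdr)` can go negative or wrap, depending on the type of `l4_packet_len`, which is declared outside the hunk. A condition such as `*proto == IPPROTO_ICMP && l4_packet_len >= sizeof(struct ndpi_icmphdr)` (and the `ndpi_icmp6hdr` equivalent) would match the other branches. get_ndpi_flow_info starts and ends outside these hunks.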
@@ -1054,6 +1069,9 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, workflow->stats.total_ip_bytes += rawsize; ndpi_flow = flow->ndpi_flow; + if((tcph != NULL) && (tcph->fin || tcph->rst || tcph->syn)) + begin_or_end_tcp = 1; + if(flow->flow_last_pkt_time.tv_sec) { ndpi_timer_sub(&when, &flow->flow_last_pkt_time, &tdiff);
@@ -1067,7 +1085,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, memcpy(&flow->flow_last_pkt_time, &when, sizeof(when)); if(src_to_dst_direction) { - if(flow->src2dst_last_pkt_time.tv_sec) { + if(flow->src2dst_last_pkt_time.tv_sec && (!begin_or_end_tcp)) { ndpi_timer_sub(&when, &flow->src2dst_last_pkt_time, &tdiff); if(flow->iat_c_to_s) {
@@ -1082,7 +1100,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, flow->src2dst_l4_bytes += payload_len; memcpy(&flow->src2dst_last_pkt_time, &when, sizeof(when)); } else { - if(flow->dst2src_last_pkt_time.tv_sec) { + if(flow->dst2src_last_pkt_time.tv_sec && (!begin_or_end_tcp)) { ndpi_timer_sub(&when, &flow->dst2src_last_pkt_time, &tdiff); if(flow->iat_s_to_c) { |
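Review bot: The flow-wide inter-arrival block that starts at `if(flow->flow_last_pkt_time.tv_sec) {` in the -1054 hunk is left ungated, while the two per-direction blocks in the -1067 and -1082 hunks now skip SYN/FIN/RST segments via `!begin_or_end_tcp`. The flow-level IAT statistics therefore still include handshake and teardown gaps and no longer share a basis with the per-direction ones, which matters if these values feed traffic classification or anomaly detection. If that is not intended, use `if(flow->flow_last_pkt_time.tv_sec && (!begin_or_end_tcp)) {` there as well; if it is, a comment on the declaration such as `/* 1 for SYN/FIN/RST segments: excluded from per-direction IAT only */` would record the decision. packet_processing's body continues outside these hunks.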