Diffstat (limited to 'example')
-rw-r--r--example/ndpiReader.c26
-rw-r--r--example/reader_util.c49
2 files changed, 49 insertions, 26 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index b5b787aa7..e800391de 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -90,6 +90,7 @@ static u_int8_t stats_flag = 0, bpf_filter_flag = 0;
static u_int8_t file_first_time = 1;
#endif
u_int8_t human_readeable_string_len = 5;
+u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 10;
static u_int32_t pcap_analysis_duration = (u_int32_t)-1;
static u_int16_t decode_tunnels = 0;
static u_int16_t num_loops = 1;
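Review bot: The new line packs two tunables, an initializer and a rationale comment into one declaration, which hides that these are non-`static` globals shared with reader_util.c (the matching `extern` appears there) and read in its `packet_processing()` packet-count comparison. Splitting them onto two lines with a short why-comment would make the contract visible at the definition, e.g. `/* Tunable via -T/-U; read by packet_processing() in reader_util.c */` followed by `u_int8_t max_num_udp_dissected_pkts = 16; /* 8 is enough for most protocols, Signal requires more */` and `u_int8_t max_num_tcp_dissected_pkts = 10;`. The `u_int8_t` width also fixes a hard ceiling of 255 on both limits, which is worth stating next to the definition since the option parser stores into them directly.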
@@ -341,7 +342,8 @@ static void help(u_int long_help) {
#endif
"[-f <filter>][-s <duration>][-m <duration>]\n"
" [-p <protos>][-l <loops> [-q][-d][-J][-h][-e <len>][-t][-v <level>]\n"
- " [-n <threads>][-w <file>][-c <file>][-j <file>][-x <file>]\n\n"
+ " [-n <threads>][-w <file>][-c <file>][-j <file>][-x <file>]\n"
+ " [-T <num>][-U <num>]\n\n"
"Usage:\n"
" -i <file.pcap|device> | Specify a pcap file/playlist to read packets from or a\n"
" | device for live capture (comma-separated list)\n"
@@ -376,8 +378,13 @@ static void help(u_int long_help) {
" | >3 - full debug + dbg_proto = all\n"
" -b <file.json> | Specify a file to write port based diagnose statistics\n"
" -x <file.json> | Produce bpf filters for specified diagnose file. Use\n"
- " | this option only for .json files generated with -b flag.\n",
- human_readeable_string_len);
+ " | this option only for .json files generated with -b flag.\n"
+ " -T <num> | Max number of TCP processed packets before giving up [default: %u]\n"
+ " -U <num> | Max number of UDP processed packets before giving up [default: %u]\n"
+ ,
+ human_readeable_string_len,
+ max_num_tcp_dissected_pkts,
+ max_num_udp_dissected_pkts);
#ifndef WIN32
printf("\nExcap (wireshark) options:\n"
@@ -584,7 +591,8 @@ static void parseOptions(int argc, char **argv) {
}
#endif
- while((opt = getopt_long(argc, argv, "e:c:df:g:i:hp:l:s:tv:V:n:j:Jrp:w:q0123:456:7:89:m:b:x:", longopts, &option_idx)) != EOF) {
+ while((opt = getopt_long(argc, argv, "e:c:df:g:i:hp:l:s:tv:V:n:j:Jrp:w:q0123:456:7:89:m:b:x:T:U:",
+ longopts, &option_idx)) != EOF) {
#ifdef DEBUG_TRACE
if(trace) fprintf(trace, " #### -%c [%s] #### \n", opt, optarg ? optarg : "");
#endif
@@ -745,6 +753,16 @@ static void parseOptions(int argc, char **argv) {
_debug_protocols = strdup(optarg);
break;
+ case 'T':
+ max_num_tcp_dissected_pkts = atoi(optarg);
+ if(max_num_tcp_dissected_pkts < 3) max_num_tcp_dissected_pkts = 3;
+ break;
+
+ case 'U':
+ max_num_udp_dissected_pkts = atoi(optarg);
+ if(max_num_udp_dissected_pkts < 3) max_num_udp_dissected_pkts = 3;
+ break;
+
default:
help(0);
break;
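Review bot: The `case 'T'` and `case 'U'` branches assign `atoi(optarg)` straight into a `u_int8_t` and only then apply the `< 3` floor, so out-of-range input is narrowed before it is checked: a negative value such as `-1` wraps to 255 and passes, while `256` wraps to 0 and is silently bumped to 3. Parse into a wider type and clamp before the narrowing, for example `long v = strtol(optarg, NULL, 10);` then `max_num_tcp_dissected_pkts = (v < 3) ? 3 : ((v > 255) ? 255 : (u_int8_t)v);`, and the same two lines for the UDP case. `strtol` also lets you reject non-numeric input (check the end pointer) instead of treating it as 0, which `atoi` cannot report. parseOptions() continues outside this hunk.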
diff --git a/example/reader_util.c b/example/reader_util.c
index 8fdca1311..fba2dfa38 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -79,6 +79,7 @@
extern u_int8_t enable_protocol_guess, enable_joy_stats;
extern u_int8_t verbose, human_readeable_string_len;
+extern u_int8_t max_num_udp_dissected_pkts /* 8 */, max_num_tcp_dissected_pkts /* 10 */;
/* ***************************************************** */
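Review bot: The inline comment `/* 8 */` on the new `extern` no longer matches the definition in ndpiReader.c, which initializes `max_num_udp_dissected_pkts` to 16 in this same commit, so the declaration now documents a stale default. Literal defaults on an `extern` duplicate the definition and drift like this; drop them and point at the owner instead, e.g. `extern u_int8_t max_num_udp_dissected_pkts, max_num_tcp_dissected_pkts; /* defaults and -T/-U parsing live in ndpiReader.c */`.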
@@ -657,26 +658,28 @@ static struct ndpi_flow_info *get_ndpi_flow_info6(struct ndpi_workflow * workflo
void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_flow_info *flow) {
- /* Update SPLT scores. */
- if (flow->bidirectional) {
- flow->score = ndpi_classify(flow->src2dst_pkt_len, flow->src2dst_pkt_time,
- flow->dst2src_pkt_len, flow->dst2src_pkt_time,
- flow->src2dst_start, flow->dst2src_start,
- MAX_NUM_PKTS, flow->src_port, flow->dst_port,
- flow->src2dst_packets, flow->dst2src_packets,
- flow->src2dst_opackets, flow->dst2src_opackets,
- flow->src2dst_l4_bytes, flow->dst2src_l4_bytes, 1,
- flow->src2dst_byte_count, flow->dst2src_byte_count);
- } else {
- flow->score = ndpi_classify(flow->src2dst_pkt_len, flow->src2dst_pkt_time,
- NULL, NULL, flow->src2dst_start, flow->src2dst_start,
- MAX_NUM_PKTS, flow->src_port, flow->dst_port,
- flow->src2dst_packets, 0,
- flow->src2dst_opackets, 0,
- flow->src2dst_l4_bytes, 0, 1,
- flow->src2dst_byte_count, NULL);
+ if(enable_joy_stats) {
+ /* Update SPLT scores. */
+
+ if(flow->bidirectional)
+ flow->score = ndpi_classify(flow->src2dst_pkt_len, flow->src2dst_pkt_time,
+ flow->dst2src_pkt_len, flow->dst2src_pkt_time,
+ flow->src2dst_start, flow->dst2src_start,
+ MAX_NUM_PKTS, flow->src_port, flow->dst_port,
+ flow->src2dst_packets, flow->dst2src_packets,
+ flow->src2dst_opackets, flow->dst2src_opackets,
+ flow->src2dst_l4_bytes, flow->dst2src_l4_bytes, 1,
+ flow->src2dst_byte_count, flow->dst2src_byte_count);
+ else
+ flow->score = ndpi_classify(flow->src2dst_pkt_len, flow->src2dst_pkt_time,
+ NULL, NULL, flow->src2dst_start, flow->src2dst_start,
+ MAX_NUM_PKTS, flow->src_port, flow->dst_port,
+ flow->src2dst_packets, 0,
+ flow->src2dst_opackets, 0,
+ flow->src2dst_l4_bytes, 0, 1,
+ flow->src2dst_byte_count, NULL);
}
-
+
if(!flow->ndpi_flow) return;
snprintf(flow->host_server_name, sizeof(flow->host_server_name), "%s",
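Review bot: With the `ndpi_classify` calls now inside `if(enable_joy_stats)`, `flow->score` is never assigned by this function when joy stats are disabled, so any later reader of `flow->score` (outside this hunk) will see whatever the flow allocation left there; if the flow is not zero-initialized, that is an uninitialized read. Either the consumers must also be gated on `enable_joy_stats`, or the flow should be created with `score` explicitly zeroed — I cannot confirm from this hunk which holds, so a comment such as `/* flow->score is only meaningful when enable_joy_stats is set */` at the assignment would at least make the invariant visible. Separately, the new `if(flow->bidirectional)` / `else` each govern a multi-line call without braces; bracing both bodies guards against the classic dropped-statement mistake when the call is later extended. process_ndpi_collected_info() continues past the end of this hunk.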
@@ -714,7 +717,9 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
}
/* TLS */
else if((flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS)
- || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS)) {
+ || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS)
+ || (flow->ndpi_flow->protos.stun_ssl.ssl.ja3_client[0] != '\0')
+ ) {
flow->ssh_tls.ssl_version = flow->ndpi_flow->protos.stun_ssl.ssl.ssl_version;
snprintf(flow->ssh_tls.client_info, sizeof(flow->ssh_tls.client_info), "%s",
flow->ndpi_flow->protos.stun_ssl.ssl.client_certificate);
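Review bot: The added `ja3_client[0] != '\0'` disjunct routes a flow into the TLS branch based purely on a byte inside `protos.stun_ssl.ssl`, regardless of which protocol was actually detected. If `protos` is a union shared by the per-protocol dissector state (the `stun_ssl` member name suggests so — please confirm against the flow struct), a non-TLS protocol that has written its own state there can leave that byte non-zero, and this branch would then copy `ssl_version`, `client_certificate` and friends out of overlaid memory for a flow that is not TLS. Consider restricting the fallback to flows that no other dissector has claimed, e.g. `|| ((flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) && (flow->ndpi_flow->protos.stun_ssl.ssl.ja3_client[0] != '\0'))`, or add a comment stating why the JA3 field alone is a safe discriminator. The `flow->ndpi_flow` dereference itself is covered by the `if(!flow->ndpi_flow) return;` earlier in the function.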
@@ -849,8 +854,8 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
if(!flow->detection_completed) {
u_int enough_packets =
- (((proto == IPPROTO_UDP) && ((flow->src2dst_packets + flow->dst2src_packets) > 8))
- || ((proto == IPPROTO_TCP) && ((flow->src2dst_packets + flow->dst2src_packets) > 10))) ? 1 : 0;
+ (((proto == IPPROTO_UDP) && ((flow->src2dst_packets + flow->dst2src_packets) > max_num_udp_dissected_pkts))
+ || ((proto == IPPROTO_TCP) && ((flow->src2dst_packets + flow->dst2src_packets) > max_num_tcp_dissected_pkts))) ? 1 : 0;
flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow,
iph ? (uint8_t *)iph : (uint8_t *)iph6,