Diffstat (limited to 'example')
-rw-r--r-- | example/ndpiReader.c | 92 | ||||
-rw-r--r-- | example/reader_util.c | 138 | ||||
-rw-r--r-- | example/reader_util.h | 6 |
3 files changed, 139 insertions, 97 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 0c0c2c8a6..f70ebd785 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -89,7 +89,7 @@ static u_int8_t stats_flag = 0, bpf_filter_flag = 0; static u_int8_t file_first_time = 1; #endif u_int8_t human_readeable_string_len = 5; -u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 10; +u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 32 /* due to telnet */; static u_int32_t pcap_analysis_duration = (u_int32_t)-1; static u_int16_t decode_tunnels = 0; static u_int16_t num_loops = 1; @@ -998,6 +998,23 @@ static char* is_unsafe_cipher(ndpi_cipher_weakness c) { /* ********************************** */ +char* printUrlRisk(ndpi_url_risk risk) { + switch(risk) { + case ndpi_url_no_problem: + return(""); + break; + case ndpi_url_possible_xss: + return(" ** XSS **"); + break; + case ndpi_url_possible_sql_injection: + return(" ** SQL Injection **"); + break; + } + + return(""); +} +/* ********************************** */ + /** * @brief Print the flow */ @@ -1007,9 +1024,9 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa #endif FILE *out = results_file ? results_file : stdout; u_int8_t known_tls; + char buf[32], buf1[64]; if(csv_fp != NULL) { - char buf[32]; float data_ratio = ndpi_data_ratio(flow->src2dst_bytes, flow->dst2src_bytes); float f = (float)flow->first_seen, l = (float)flow->last_seen; @@ -1071,9 +1088,13 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa if(!json_flag) { u_int i; - - fprintf(out, "\t%u", id); +#if 1 + fprintf(out, "\t%u", id); +#else + fprintf(out, "\t%u(%u)", id, flow->flow_id); +#endif + fprintf(out, "\t%s ", ipProto2Name(flow->protocol)); fprintf(out, "%s%s%s:%u %s %s%s%s:%u ", 
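Review bot: printUrlRisk in the @@ -998 hunk is defined without `static` and, as far as this diff shows, without a prototype, so it lands in the global namespace of a file whose other helpers are static; it also returns string literals through a non-const `char*`, carries an unreachable `break` after every `return`, and has no `default:`, so a future ndpi_url_risk value silently falls through to the trailing `return("")`. Suggested signature `static const char *printUrlRisk(ndpi_url_risk risk) {`, with the dead `break`s dropped and `default: return("");` added inside the switch. The `#if 1 … #else … #endif` around the id fprintf in the @@ -1071 hunk leaves a dead alternative in the source; keep only the line that is actually compiled.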
@@ -1093,18 +1114,12 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa fflush(out); fprintf(out, "[score: %.4f]", flow->entropy.score); } - - if(flow->detected_protocol.master_protocol) { - char buf[64]; - - fprintf(out, "[proto: %u.%u/%s]", - flow->detected_protocol.master_protocol, flow->detected_protocol.app_protocol, - ndpi_protocol2name(ndpi_thread_info[thread_id].workflow->ndpi_struct, - flow->detected_protocol, buf, sizeof(buf))); - } else - fprintf(out, "[proto: %u/%s]", - flow->detected_protocol.app_protocol, - ndpi_get_proto_name(ndpi_thread_info[thread_id].workflow->ndpi_struct, flow->detected_protocol.app_protocol)); + + fprintf(out, "[proto: %s/%s]", + ndpi_protocol2id(ndpi_thread_info[thread_id].workflow->ndpi_struct, + flow->detected_protocol, buf, sizeof(buf)), + ndpi_protocol2name(ndpi_thread_info[thread_id].workflow->ndpi_struct, + flow->detected_protocol, buf1, sizeof(buf1))); if(flow->detected_protocol.category != 0) fprintf(out, "[cat: %s/%u]", @@ -1117,6 +1132,7 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa (flow->dst2src_packets > 0) ? "<->" : "->", flow->dst2src_packets, (long long unsigned int) flow->dst2src_bytes); + if(flow->telnet.username[0] != '\0') fprintf(out, "[Username: %s]", flow->telnet.username); if(flow->host_server_name[0] != '\0') fprintf(out, "[Host: %s]", flow->host_server_name); if(flow->info[0] != '\0') fprintf(out, "[%s]", flow->info); 
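Review bot: The telnet username printed in the @@ -1117 hunk is copied verbatim from the packet payload and written with `%s` straight into the report, so control characters or terminal escape sequences present in a capture reach the output file or terminal unfiltered; the content_type and user_agent fields printed in the @@ -1144 hunk have the same exposure, as does the pre-existing `flow->info` line. The buffers themselves are bounded by snprintf in reader_util.c, so this is a log-integrity rather than a memory issue, but these payload-derived strings are worth routing through a small helper that replaces bytes outside the printable range before they are printed. printFlow continues past the hunk.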
@@ -1144,8 +1160,11 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa } if(flow->http.url[0] != '\0') - fprintf(out, "[URL: %s][StatusCode: %u]", - flow->http.url, flow->http.response_status_code); + fprintf(out, "[URL: %s%s][StatusCode: %u][ContentType: %s][UserAgent: %s]", + flow->http.url, + printUrlRisk(ndpi_validate_url(flow->http.url)), + flow->http.response_status_code, + flow->http.content_type, flow->http.user_agent); if(flow->ssh_tls.ssl_version != 0) fprintf(out, "[%s]", ndpi_ssl_version2str(flow->ssh_tls.ssl_version, &known_tls)); if(flow->ssh_tls.client_info[0] != '\0') fprintf(out, "[Client: %s]", flow->ssh_tls.client_info); @@ -1273,7 +1292,9 @@ static void node_print_unknown_proto_walker(const void *node, struct ndpi_flow_info *flow = *(struct ndpi_flow_info**)node; u_int16_t thread_id = *((u_int16_t*)user_data); - if(flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN) return; + if((flow->detected_protocol.master_protocol != NDPI_PROTOCOL_UNKNOWN) + || (flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN)) + return; if((which == ndpi_preorder) || (which == ndpi_leaf)) { /* Avoid walking the same node multiple times */ @@ -1292,7 +1313,9 @@ static void node_print_known_proto_walker(const void *node, struct ndpi_flow_info *flow = *(struct ndpi_flow_info**)node; u_int16_t thread_id = *((u_int16_t*)user_data); - if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) return; + if((flow->detected_protocol.master_protocol == NDPI_PROTOCOL_UNKNOWN) + && (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN)) + return; if((which == ndpi_preorder) || (which == ndpi_leaf)) { /* Avoid walking the same node multiple times */ 
@@ -1308,7 +1331,7 @@ static void node_print_known_proto_walker(const void *node, */ static void node_proto_guess_walker(const void *node, ndpi_VISIT which, int depth, void *user_data) { struct ndpi_flow_info *flow = *(struct ndpi_flow_info **) node; - u_int16_t thread_id = *((u_int16_t *) user_data); + u_int16_t thread_id = *((u_int16_t *) user_data), proto; if((which == ndpi_preorder) || (which == ndpi_leaf)) { /* Avoid walking the same node multiple times */ if((!flow->detection_completed) && flow->ndpi_flow) { @@ -1320,9 +1343,11 @@ static void node_proto_guess_walker(const void *node, ndpi_VISIT which, int dept process_ndpi_collected_info(ndpi_thread_info[thread_id].workflow, flow); - ndpi_thread_info[thread_id].workflow->stats.protocol_counter[flow->detected_protocol.app_protocol] += flow->src2dst_packets + flow->dst2src_packets; - ndpi_thread_info[thread_id].workflow->stats.protocol_counter_bytes[flow->detected_protocol.app_protocol] += flow->src2dst_bytes + flow->dst2src_bytes; - ndpi_thread_info[thread_id].workflow->stats.protocol_flows[flow->detected_protocol.app_protocol]++; + proto = flow->detected_protocol.app_protocol ? flow->detected_protocol.app_protocol : flow->detected_protocol.master_protocol; + + ndpi_thread_info[thread_id].workflow->stats.protocol_counter[proto] += flow->src2dst_packets + flow->dst2src_packets; + ndpi_thread_info[thread_id].workflow->stats.protocol_counter_bytes[proto] += flow->src2dst_bytes + flow->dst2src_bytes; + ndpi_thread_info[thread_id].workflow->stats.protocol_flows[proto]++; } } @@ -1699,7 +1724,7 @@ static void deleteScanners(struct single_flow_info *scanners) { HASH_ITER(hh, scanners, s, tmp) { HASH_ITER(hh, s->ports, p, tmp2) { - HASH_DEL(s->ports, p); + if(s->ports) HASH_DEL(s->ports, p); free(p); } HASH_DEL(scanners, s); 
@@ -1860,11 +1885,6 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) { ndpi_thread_info[thread_id].workflow = ndpi_workflow_init(&prefs, pcap_handle); /* Preferences */ - ndpi_set_detection_preferences(ndpi_thread_info[thread_id].workflow->ndpi_struct, - ndpi_pref_http_dont_dissect_response, 0); - ndpi_set_detection_preferences(ndpi_thread_info[thread_id].workflow->ndpi_struct, - ndpi_pref_dns_dont_dissect_response, 0); - ndpi_workflow_set_flow_detected_callback(ndpi_thread_info[thread_id].workflow, on_protocol_discovered, (void *)(uintptr_t)thread_id); @@ -2601,11 +2621,13 @@ static void printFlowsStats() { //freeing the hash table HASH_ITER(hh, ja3ByHostsHashT, ja3ByHost_element, tmp) { HASH_ITER(hh, ja3ByHost_element->host_client_info_hasht, info_of_element, tmp2) { - HASH_DEL(ja3ByHost_element->host_client_info_hasht, info_of_element); + if(ja3ByHost_element->host_client_info_hasht) + HASH_DEL(ja3ByHost_element->host_client_info_hasht, info_of_element); free(info_of_element); } HASH_ITER(hh, ja3ByHost_element->host_server_info_hasht, info_of_element, tmp2) { - HASH_DEL(ja3ByHost_element->host_server_info_hasht, info_of_element); + if(ja3ByHost_element->host_server_info_hasht) + HASH_DEL(ja3ByHost_element->host_server_info_hasht, info_of_element); free(info_of_element); } HASH_DEL(ja3ByHostsHashT, ja3ByHost_element); @@ -2614,7 +2636,8 @@ static void printFlowsStats() { HASH_ITER(hh, hostByJA3C_ht, hostByJA3Element, tmp3) { HASH_ITER(hh, hostByJA3C_ht->ipToDNS_ht, innerHashEl, tmp4) { - HASH_DEL(hostByJA3Element->ipToDNS_ht, innerHashEl); + if(hostByJA3Element->ipToDNS_ht) + HASH_DEL(hostByJA3Element->ipToDNS_ht, innerHashEl); free(innerHashEl); } HASH_DEL(hostByJA3C_ht, hostByJA3Element); 
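Review bot: The `if(hostByJA3Element->ipToDNS_ht)` guard added in the @@ -2614 hunk masks a head/element mismatch rather than fixing it: the inner loop iterates `hostByJA3C_ht->ipToDNS_ht` (the inner table of the outer table's first element) but deletes from `hostByJA3Element->ipToDNS_ht` (the current element), so it appears to walk the first element's table for every outer element and the guard only prevents HASH_DEL from being handed a NULL head. The iteration head should be the current element: `HASH_ITER(hh, hostByJA3Element->ipToDNS_ht, innerHashEl, tmp4) {`. The hostByJA3S_ht loop in the following @@ -2624 hunk has the identical mismatch. The guards added in the @@ -2601 hunk iterate and delete on the same table, where HASH_ITER already stops once the head becomes NULL, so they cannot trigger and can be dropped. printFlowsStats starts and ends outside these hunks.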
@@ -2624,7 +2647,8 @@ static void printFlowsStats() { hostByJA3Element = NULL; HASH_ITER(hh, hostByJA3S_ht, hostByJA3Element, tmp3) { HASH_ITER(hh, hostByJA3S_ht->ipToDNS_ht, innerHashEl, tmp4) { - HASH_DEL(hostByJA3Element->ipToDNS_ht, innerHashEl); + if(hostByJA3Element->ipToDNS_ht) + HASH_DEL(hostByJA3Element->ipToDNS_ht, innerHashEl); free(innerHashEl); } HASH_DEL(hostByJA3S_ht, hostByJA3Element); diff --git a/example/reader_util.c b/example/reader_util.c index 8f879b0b6..44e02616e 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -123,7 +123,6 @@ void ndpi_analyze_payload(struct ndpi_flow_info *flow, u_int16_t payload_len, u_int32_t packet_id) { struct payload_stats *ret; - u_int i; struct flow_id_stats *f; struct packet_id_stats *p; @@ -919,15 +918,25 @@ static struct ndpi_flow_info *get_ndpi_flow_info6(struct ndpi_workflow * workflo /* ****************************************************** */ +static u_int8_t is_ndpi_proto(struct ndpi_flow_info *flow, u_int16_t id) { + if((flow->detected_protocol.master_protocol == id) + || (flow->detected_protocol.app_protocol == id)) + return(1); + else + return(0); +} + +/* ****************************************************** */ + void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_flow_info *flow) { if(!flow->ndpi_flow) return; snprintf(flow->host_server_name, sizeof(flow->host_server_name), "%s", flow->ndpi_flow->host_server_name); - if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_DHCP) { + if(is_ndpi_proto(flow, NDPI_PROTOCOL_DHCP)) { snprintf(flow->dhcp_fingerprint, sizeof(flow->dhcp_fingerprint), "%s", flow->ndpi_flow->protos.dhcp.fingerprint); - } else if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_BITTORRENT) { + } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_BITTORRENT)) { u_int i, j, n = 0; for(i=0, j = 0; j < sizeof(flow->bittorent_hash)-1; i++) { 
@@ -940,25 +949,25 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl if(n == 0) flow->bittorent_hash[0] = '\0'; } /* MDNS */ - else if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_MDNS) { + else if(is_ndpi_proto(flow, NDPI_PROTOCOL_MDNS)) { snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->protos.mdns.answer); } /* UBNTAC2 */ - else if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UBNTAC2) { + else if(is_ndpi_proto(flow, NDPI_PROTOCOL_UBNTAC2)) { snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->protos.ubntac2.version); } /* FTP */ - else if((flow->detected_protocol.app_protocol == NDPI_PROTOCOL_FTP_CONTROL) - || /* IMAP */ (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_MAIL_IMAP) - || /* POP */ (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_MAIL_POP) - || /* SMTP */ (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_MAIL_SMTP)) { + else if((is_ndpi_proto(flow, NDPI_PROTOCOL_FTP_CONTROL)) + || /* IMAP */ is_ndpi_proto(flow, NDPI_PROTOCOL_MAIL_IMAP) + || /* POP */ is_ndpi_proto(flow, NDPI_PROTOCOL_MAIL_POP) + || /* SMTP */ is_ndpi_proto(flow, NDPI_PROTOCOL_MAIL_SMTP)) { if(flow->ndpi_flow->protos.ftp_imap_pop_smtp.username[0] != '\0') snprintf(flow->info, sizeof(flow->info), "User: %s][Pwd: %s", flow->ndpi_flow->protos.ftp_imap_pop_smtp.username, flow->ndpi_flow->protos.ftp_imap_pop_smtp.password); } /* KERBEROS */ - else if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_KERBEROS) { + else if(is_ndpi_proto(flow, NDPI_PROTOCOL_KERBEROS)) { if(flow->ndpi_flow->protos.kerberos.cname[0] != '\0') { snprintf(flow->info, sizeof(flow->info), "%s (%s)", flow->ndpi_flow->protos.kerberos.cname, 
@@ -966,51 +975,52 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl } } /* HTTP */ - else if(flow->detected_protocol.master_protocol == NDPI_PROTOCOL_HTTP) { + else if((flow->detected_protocol.master_protocol == NDPI_PROTOCOL_HTTP) + || is_ndpi_proto(flow, NDPI_PROTOCOL_HTTP)) { if(flow->ndpi_flow->http.url != NULL) { snprintf(flow->http.url, sizeof(flow->http.url), "%s", flow->ndpi_flow->http.url); flow->http.response_status_code = flow->ndpi_flow->http.response_status_code; + snprintf(flow->http.content_type, sizeof(flow->http.content_type), "%s", flow->ndpi_flow->http.content_type ? flow->ndpi_flow->http.content_type : ""); + snprintf(flow->http.user_agent, sizeof(flow->http.user_agent), "%s", flow->ndpi_flow->http.user_agent ? flow->ndpi_flow->http.user_agent : ""); } + } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_TELNET)) { + snprintf(flow->telnet.username, sizeof(flow->telnet.username), "%s", flow->ndpi_flow->protos.telnet.username); + } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_SSH)) { + snprintf(flow->ssh_tls.client_info, sizeof(flow->ssh_tls.client_info), "%s", + flow->ndpi_flow->protos.ssh.client_signature); + snprintf(flow->ssh_tls.server_info, sizeof(flow->ssh_tls.server_info), "%s", + flow->ndpi_flow->protos.ssh.server_signature); + snprintf(flow->ssh_tls.client_hassh, sizeof(flow->ssh_tls.client_hassh), "%s", + flow->ndpi_flow->protos.ssh.hassh_client); + snprintf(flow->ssh_tls.server_hassh, sizeof(flow->ssh_tls.server_hassh), "%s", + flow->ndpi_flow->protos.ssh.hassh_server); } - else if(flow->detected_protocol.app_protocol != NDPI_PROTOCOL_DNS) { - /* SSH */ - if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSH) { - snprintf(flow->ssh_tls.client_info, sizeof(flow->ssh_tls.client_info), "%s", - flow->ndpi_flow->protos.ssh.client_signature); - snprintf(flow->ssh_tls.server_info, sizeof(flow->ssh_tls.server_info), "%s", - flow->ndpi_flow->protos.ssh.server_signature); - snprintf(flow->ssh_tls.client_hassh, 
sizeof(flow->ssh_tls.client_hassh), "%s", - flow->ndpi_flow->protos.ssh.hassh_client); - snprintf(flow->ssh_tls.server_hassh, sizeof(flow->ssh_tls.server_hassh), "%s", - flow->ndpi_flow->protos.ssh.hassh_server); - } - /* TLS */ - else if((flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS) - || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) - || (flow->ndpi_flow->protos.stun_ssl.ssl.ja3_client[0] != '\0') - ) { - flow->ssh_tls.ssl_version = flow->ndpi_flow->protos.stun_ssl.ssl.ssl_version; - snprintf(flow->ssh_tls.client_info, sizeof(flow->ssh_tls.client_info), "%s", - flow->ndpi_flow->protos.stun_ssl.ssl.client_certificate); - snprintf(flow->ssh_tls.server_info, sizeof(flow->ssh_tls.server_info), "%s", - flow->ndpi_flow->protos.stun_ssl.ssl.server_certificate); - snprintf(flow->ssh_tls.server_organization, sizeof(flow->ssh_tls.server_organization), "%s", - flow->ndpi_flow->protos.stun_ssl.ssl.server_organization); - flow->ssh_tls.notBefore = flow->ndpi_flow->protos.stun_ssl.ssl.notBefore; - flow->ssh_tls.notAfter = flow->ndpi_flow->protos.stun_ssl.ssl.notAfter; - snprintf(flow->ssh_tls.ja3_client, sizeof(flow->ssh_tls.ja3_client), "%s", - flow->ndpi_flow->protos.stun_ssl.ssl.ja3_client); - snprintf(flow->ssh_tls.ja3_server, sizeof(flow->ssh_tls.ja3_server), "%s", - flow->ndpi_flow->protos.stun_ssl.ssl.ja3_server); - flow->ssh_tls.server_unsafe_cipher = flow->ndpi_flow->protos.stun_ssl.ssl.server_unsafe_cipher; - flow->ssh_tls.server_cipher = flow->ndpi_flow->protos.stun_ssl.ssl.server_cipher; - memcpy(flow->ssh_tls.sha1_cert_fingerprint, - flow->ndpi_flow->l4.tcp.tls_sha1_certificate_fingerprint, 20); - } - } + /* TLS */ + else if((is_ndpi_proto(flow, NDPI_PROTOCOL_TLS)) + || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) + || (flow->ndpi_flow->protos.stun_ssl.ssl.ja3_client[0] != '\0') + ) { + flow->ssh_tls.ssl_version = flow->ndpi_flow->protos.stun_ssl.ssl.ssl_version; + snprintf(flow->ssh_tls.client_info, 
sizeof(flow->ssh_tls.client_info), "%s", + flow->ndpi_flow->protos.stun_ssl.ssl.client_certificate); + snprintf(flow->ssh_tls.server_info, sizeof(flow->ssh_tls.server_info), "%s", + flow->ndpi_flow->protos.stun_ssl.ssl.server_certificate); + snprintf(flow->ssh_tls.server_organization, sizeof(flow->ssh_tls.server_organization), "%s", + flow->ndpi_flow->protos.stun_ssl.ssl.server_organization); + flow->ssh_tls.notBefore = flow->ndpi_flow->protos.stun_ssl.ssl.notBefore; + flow->ssh_tls.notAfter = flow->ndpi_flow->protos.stun_ssl.ssl.notAfter; + snprintf(flow->ssh_tls.ja3_client, sizeof(flow->ssh_tls.ja3_client), "%s", + flow->ndpi_flow->protos.stun_ssl.ssl.ja3_client); + snprintf(flow->ssh_tls.ja3_server, sizeof(flow->ssh_tls.ja3_server), "%s", + flow->ndpi_flow->protos.stun_ssl.ssl.ja3_server); + flow->ssh_tls.server_unsafe_cipher = flow->ndpi_flow->protos.stun_ssl.ssl.server_unsafe_cipher; + flow->ssh_tls.server_cipher = flow->ndpi_flow->protos.stun_ssl.ssl.server_cipher; + memcpy(flow->ssh_tls.sha1_cert_fingerprint, + flow->ndpi_flow->l4.tcp.tls_sha1_certificate_fingerprint, 20); + } if(flow->detection_completed && (!flow->check_extra_packets)) { - if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) { + if(is_ndpi_proto(flow, NDPI_PROTOCOL_UNKNOWN)) { if(workflow->__flow_giveup_callback != NULL) workflow->__flow_giveup_callback(workflow, flow, workflow->__flow_giveup_udata); } else { 
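Review bot: The give-up check at the end of the @@ -966 hunk now reads `if(is_ndpi_proto(flow, NDPI_PROTOCOL_UNKNOWN))`, which is true when either master_protocol or app_protocol is NDPI_PROTOCOL_UNKNOWN; a flow with a detected app_protocol and no master protocol (master_protocol left at NDPI_PROTOCOL_UNKNOWN, which the `proto = app ? app : master` fallback added in ndpiReader.c suggests is common) would therefore fire `__flow_giveup_callback` instead of the detected callback. The walker hunks in ndpiReader.c treat a flow as unknown only when both fields are unknown, so the condition should be `if((flow->detected_protocol.master_protocol == NDPI_PROTOCOL_UNKNOWN) && (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN)) {`. Since is_ndpi_proto already tests master_protocol, the `|| (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_HTTP)` and `== NDPI_PROTOCOL_TLS` terms in this hunk, and the `== NDPI_PROTOCOL_TLS` / `== NDPI_PROTOCOL_SSH` terms in both the @@ -1175 and @@ -1194 hunks of packet_processing, are redundant. Dropping the former `app_protocol != NDPI_PROTOCOL_DNS` guard also means the TLS branch's `ja3_client[0] != '\0'` test now runs for DNS flows; if `protos` is a union, that byte may hold DNS data rather than a JA3 string — confirm. process_ndpi_collected_info continues past the hunk.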
@@ -1175,11 +1185,11 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, if((proto == IPPROTO_TCP) && ( - (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS) - || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) - || (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSH) - || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSH)) - ) { + is_ndpi_proto(flow, NDPI_PROTOCOL_TLS) + || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) + || is_ndpi_proto(flow, NDPI_PROTOCOL_SSH) + || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSH)) + ) { if((flow->src2dst_packets+flow->dst2src_packets) < 10 /* MIN_NUM_ENCRYPT_SKIP_PACKETS */) skip = 1; } @@ -1194,10 +1204,10 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, } else { if((proto == IPPROTO_TCP) && ( - (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS) - || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) - || (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSH) - || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSH)) + is_ndpi_proto(flow, NDPI_PROTOCOL_TLS) + || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) + || is_ndpi_proto(flow, NDPI_PROTOCOL_SSH) + || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSH)) ) flow->has_human_readeable_strings = 0; } 
@@ -1210,25 +1220,29 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, u_int enough_packets = (((proto == IPPROTO_UDP) && ((flow->src2dst_packets + flow->dst2src_packets) > max_num_udp_dissected_pkts)) || ((proto == IPPROTO_TCP) && ((flow->src2dst_packets + flow->dst2src_packets) > max_num_tcp_dissected_pkts))) ? 1 : 0; - + +#if 0 + printf("%s()\n", __FUNCTION__); +#endif + flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow, iph ? (uint8_t *)iph : (uint8_t *)iph6, ipsize, time, src, dst); if(enough_packets || (flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN)) { if((!enough_packets) - // TODO: remove the line below - && (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) && ndpi_extra_dissection_possible(workflow->ndpi_struct, ndpi_flow)) ; /* Wait for certificate fingerprint */ else { /* New protocol detected or give up */ flow->detection_completed = 1; +#if 0 /* Check if we should keep checking extra packets */ if(ndpi_flow && ndpi_flow->check_extra_packets) flow->check_extra_packets = 1; - +#endif + if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) { u_int8_t proto_guessed; @@ -1424,7 +1438,7 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow, ip_offset += 4; vlan_packet = 1; // double tagging for 802.1Q - if(type == 0x8100) { + while((type == 0x8100) && (ip_offset < header->caplen)) { vlan_id = ((packet[ip_offset] << 8) + packet[ip_offset+1]) & 0xFFF; type = (packet[ip_offset+2] << 8) + packet[ip_offset+3]; ip_offset += 4; diff --git a/example/reader_util.h b/example/reader_util.h index 3374f993f..93df6b03a 100644 --- a/example/reader_util.h +++ b/example/reader_util.h 
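Review bot: With the `#if 0` block in the @@ -1210 hunk, `flow->check_extra_packets` is no longer set anywhere visible in packet_processing, yet process_ndpi_collected_info still tests `(!flow->check_extra_packets)` before invoking the callbacks; if the intent is to retire the flag, delete the block and the test rather than leaving them under `#if 0`, and if the flag is still needed the hunk silently disables it. The `#if 0 printf("%s()\n", __FUNCTION__); #endif` debug leftover above the ndpi_detection_process_packet call should likewise be removed. packet_processing starts and ends outside the hunk.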
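Review bot: The bound in the new `while((type == 0x8100) && (ip_offset < header->caplen))` of the @@ -1424 hunk is three bytes short: the loop body reads `packet[ip_offset+1]` through `packet[ip_offset+3]`, so a capture whose snapshot ends inside a stacked VLAN tag is still read past caplen. The check should cover the whole tag: `while((type == 0x8100) && (ip_offset + 4 <= header->caplen)) {`. The single-tag path just above it (`ip_offset += 4; vlan_packet = 1;`) enters this hunk without a visible caplen check of its own — confirm it is bounded earlier in ndpi_workflow_process_packet, which starts outside the hunk.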
@@ -194,10 +194,14 @@ typedef struct ndpi_flow_info { } ssh_tls; struct { - char url[256]; + char url[256], content_type[64], user_agent[128]; u_int response_status_code; } http; + struct { + char username[32]; + } telnet; + void *src_id, *dst_id; struct ndpi_entropy entropy; |
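Review bot: The new `char url[256], content_type[64], user_agent[128];` line packs three differently sized arrays into one declarator list, which is easy to misread and awkward to diff later; one declaration per line is the convention worth keeping here: `char url[256];`, `char content_type[64];`, `char user_agent[128];`. A comment on the telnet struct that `username[32]` is a truncating copy target would also help, e.g. `/* filled by snprintf in process_ndpi_collected_info; longer names are cut */`, since nothing at the declaration site says that a longer username is silently shortened. The ndpi_flow_info struct starts and ends outside the hunk.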