Diffstat (limited to 'example')
-rw-r--r--example/ndpiReader.c48
-rw-r--r--example/reader_util.c177
-rw-r--r--example/reader_util.h8
3 files changed, 213 insertions, 20 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 17a1a2457..b98bb3374 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -144,6 +144,8 @@ static int enable_malloc_bins = 0;
static int max_malloc_bins = 14;
int malloc_size_stats = 0;
+int monitoring_enabled;
+
struct flow_info {
struct ndpi_flow_info *flow;
u_int16_t thread_id;
@@ -1605,18 +1607,30 @@ void print_bin(FILE *fout, const char *label, struct ndpi_bin *b) {
/* ********************************** */
-static void print_ndpi_address_port_file(FILE *out, const char *label, ndpi_address_port *ap) {
- if(ap->port != 0) {
- char buf[INET6_ADDRSTRLEN];
+static void print_ndpi_address_port_list_file(FILE *out, const char *label, ndpi_address_port_list *list) {
+ unsigned int i;
+ ndpi_address_port *ap;
- if(ap->is_ipv6) {
- inet_ntop(AF_INET6, &ap->address, buf, sizeof(buf));
- fprintf(out, "[%s: [%s]:%u]", label, buf, ap->port);
- } else {
- inet_ntop(AF_INET, &ap->address, buf, sizeof(buf));
- fprintf(out, "[%s: %s:%u]", label, buf, ap->port);
+ if(list->num_aps == 0)
+ return;
+ fprintf(out, "[%s: ", label);
+ for(i = 0; i < list->num_aps; i++) {
+ ap = &list->aps[i];
+ if(ap->port != 0) {
+ char buf[INET6_ADDRSTRLEN];
+
+ if(ap->is_ipv6) {
+ inet_ntop(AF_INET6, &ap->address, buf, sizeof(buf));
+ fprintf(out, "[%s]:%u", buf, ap->port);
+ } else {
+ inet_ntop(AF_INET, &ap->address, buf, sizeof(buf));
+ fprintf(out, "%s:%u", buf, ap->port);
+ }
+ if(i != list->num_aps - 1)
+ fprintf(out, ", ");
}
}
+ fprintf(out, "]");
}
/* ********************************** */
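Review bot: In print_ndpi_address_port_list_file the `", "` separator is written only inside the `ap->port != 0` branch and is keyed on the index, so the output stays well-formed only while the list never holds a zero-port entry. add_to_address_port_list() in reader_util.c does reject those, but nothing here records the dependency; a comment such as `/* entries always have port != 0, see add_to_address_port_list() */` above the loop would do. The return value of inet_ntop() is also not checked before `buf` is printed; `if(inet_ntop(AF_INET6, &ap->address, buf, sizeof(buf)) == NULL) continue;` (and the same for AF_INET) keeps an unset buffer out of the report.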
@@ -1989,11 +2003,11 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
}
}
- print_ndpi_address_port_file(out, "Mapped IP/Port", &flow->stun.mapped_address);
- print_ndpi_address_port_file(out, "Peer IP/Port", &flow->stun.peer_address);
- print_ndpi_address_port_file(out, "Relayed IP/Port", &flow->stun.relayed_address);
- print_ndpi_address_port_file(out, "Rsp Origin IP/Port", &flow->stun.response_origin);
- print_ndpi_address_port_file(out, "Other IP/Port", &flow->stun.other_address);
+ print_ndpi_address_port_list_file(out, "Mapped IP/Port", &flow->stun.mapped_address);
+ print_ndpi_address_port_list_file(out, "Peer IP/Port", &flow->stun.peer_address);
+ print_ndpi_address_port_list_file(out, "Relayed IP/Port", &flow->stun.relayed_address);
+ print_ndpi_address_port_list_file(out, "Rsp Origin IP/Port", &flow->stun.response_origin);
+ print_ndpi_address_port_list_file(out, "Other IP/Port", &flow->stun.other_address);
if(flow->http.url[0] != '\0') {
ndpi_risk_enum risk = ndpi_validate_url(flow->http.url);
@@ -2986,6 +3000,12 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle,
fprintf(stderr, "Error ndpi_finalize_initialization: %d\n", ret);
exit(-1);
}
+
+ char buf[16];
+ if(ndpi_get_config(ndpi_thread_info[thread_id].workflow->ndpi_struct, "stun", "monitoring", buf, sizeof(buf)) != NULL) {
+ if(atoi(buf))
+ monitoring_enabled = 1;
+ }
}
/* *********************************************** */
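Review bot: `atoi(buf)` in the block added to setupDetection has no error signal, so a non-numeric value returned by ndpi_get_config() for "stun"/"monitoring" reads as 0 and monitoring is silently left off; `strtol` with an end-pointer check would let the reader report it. `monitoring_enabled` is a process-wide flag written from a function that takes a `thread_id`, and it is only ever set, never cleared. If setupDetection runs on more than one thread (not visible here), that is an unsynchronised write, so it would be cleaner to assign it once before the workers start, or to add a comment stating that every thread writes the same value. setupDetection begins outside this hunk.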
diff --git a/example/reader_util.c b/example/reader_util.c
index 702ff4dc7..28596eb4f 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -84,6 +84,7 @@ extern char *addr_dump_path;
u_int8_t enable_doh_dot_detection = 0;
extern bool do_load_lists;
extern int malloc_size_stats;
+extern int monitoring_enabled;
/* ****************************************************** */
@@ -554,6 +555,27 @@ static void ndpi_free_flow_tls_data(struct ndpi_flow_info *flow) {
ndpi_free(flow->ssh_tls.ja4_client_raw);
flow->ssh_tls.ja4_client_raw = NULL;
}
+
+ if(flow->stun.mapped_address.aps) {
+ ndpi_free(flow->stun.mapped_address.aps);
+ flow->stun.mapped_address.aps = NULL;
+ }
+ if(flow->stun.other_address.aps) {
+ ndpi_free(flow->stun.other_address.aps);
+ flow->stun.other_address.aps = NULL;
+ }
+ if(flow->stun.peer_address.aps) {
+ ndpi_free(flow->stun.peer_address.aps);
+ flow->stun.peer_address.aps = NULL;
+ }
+ if(flow->stun.relayed_address.aps) {
+ ndpi_free(flow->stun.relayed_address.aps);
+ flow->stun.relayed_address.aps = NULL;
+ }
+ if(flow->stun.response_origin.aps) {
+ ndpi_free(flow->stun.response_origin.aps);
+ flow->stun.response_origin.aps = NULL;
+ }
}
/* ***************************************************** */
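Review bot: Each of the five added blocks frees `aps` and sets it to NULL but leaves `num_aps` and `num_aps_allocated` at their old values. add_to_address_port_list() writes to `list->aps[list->num_aps]` whenever the two counters differ, so if this flow structure is used again after the free (not visible from here) that write goes through a NULL pointer; resetting both counters next to the free closes the gap, e.g. `flow->stun.mapped_address.num_aps = flow->stun.mapped_address.num_aps_allocated = 0;`. The blocks are identical apart from the field name, so a small static helper taking an `ndpi_address_port_list *` would remove the repetition. The enclosing function is named ndpi_free_flow_tls_data and starts outside the hunk; a one-line comment saying the STUN lists are released here as well would help the next reader.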
@@ -1117,6 +1139,143 @@ static void dump_flow_fingerprint(struct ndpi_workflow * workflow,
ndpi_term_serializer(&serializer);
}
+
+static void add_to_address_port_list(ndpi_address_port_list *list, ndpi_address_port *ap)
+{
+ int new_num;
+ void *new_buf;
+ unsigned int i;
+
+ if(ap->port == 0)
+ return;
+
+ /* Avoid saving duplicates */
+ for(i = 0; i < list->num_aps; i++)
+ if(memcmp(&list->aps[i], ap, sizeof(*ap)) == 0)
+ return;
+
+ if(list->num_aps == list->num_aps_allocated) {
+ new_num = 1 + list->num_aps_allocated * 2;
+ new_buf = ndpi_realloc(list->aps, list->num_aps_allocated * sizeof(ndpi_address_port),
+ new_num * sizeof(ndpi_address_port));
+ if(!new_buf)
+ return;
+ list->aps = new_buf;
+ list->num_aps_allocated = new_num;
+ }
+ memcpy(&list->aps[list->num_aps++], ap, sizeof(ndpi_address_port));
+}
+
+/* ****************************************************** */
+
+static void process_ndpi_monitoring_info(struct ndpi_flow_info *flow) {
+ if(!flow->ndpi_flow || !flow->ndpi_flow->monit)
+ return;
+
+ /* In theory, we should check only for STUN.
+ However since we sometimes might not have STUN in protocol classification
+ (because we have only two protocols in flow->ndpi_flow->detected_protocol_stack[])
+ we need to check also for the other "master" protocols set by STUN dissector
+ See at the beginning of the STUN c file for further details
+ */
+ if(flow->detected_protocol.proto.app_protocol == NDPI_PROTOCOL_STUN ||
+ flow->detected_protocol.proto.master_protocol == NDPI_PROTOCOL_STUN ||
+ flow->detected_protocol.proto.app_protocol == NDPI_PROTOCOL_DTLS ||
+ flow->detected_protocol.proto.master_protocol == NDPI_PROTOCOL_DTLS ||
+ flow->detected_protocol.proto.app_protocol == NDPI_PROTOCOL_SRTP ||
+ flow->detected_protocol.proto.master_protocol == NDPI_PROTOCOL_SRTP) {
+
+ add_to_address_port_list(&flow->stun.mapped_address, &flow->ndpi_flow->monit->protos.dtls_stun_rtp.mapped_address);
+ add_to_address_port_list(&flow->stun.other_address, &flow->ndpi_flow->monit->protos.dtls_stun_rtp.other_address);
+ add_to_address_port_list(&flow->stun.peer_address, &flow->ndpi_flow->monit->protos.dtls_stun_rtp.peer_address);
+ add_to_address_port_list(&flow->stun.relayed_address, &flow->ndpi_flow->monit->protos.dtls_stun_rtp.relayed_address);
+ add_to_address_port_list(&flow->stun.response_origin, &flow->ndpi_flow->monit->protos.dtls_stun_rtp.response_origin);
+ }
+
+}
+
+/* ****************************************************** */
+
+static void serialize_monitoring_metadata(struct ndpi_flow_info *flow)
+{
+ unsigned int i;
+ char buf[64];
+
+ if(!flow->ndpi_flow->monit)
+ return;
+
+ ndpi_serialize_start_of_block(&flow->ndpi_flow_serializer, "monitoring");
+
+ switch(flow->detected_protocol.proto.master_protocol ? flow->detected_protocol.proto.master_protocol : flow->detected_protocol.proto.app_protocol) {
+ case NDPI_PROTOCOL_STUN:
+ case NDPI_PROTOCOL_DTLS:
+ case NDPI_PROTOCOL_SRTP:
+
+ ndpi_serialize_start_of_block(&flow->ndpi_flow_serializer, "stun");
+
+ if(flow->stun.mapped_address.num_aps > 0) {
+ ndpi_serialize_start_of_list(&flow->ndpi_flow_serializer, "mapped_address");
+ for(i = 0; i < flow->stun.mapped_address.num_aps; i++) {
+ if(flow->stun.mapped_address.aps[i].port > 0) {
+ ndpi_serialize_string_string(&flow->ndpi_flow_serializer, "mapped_address",
+ print_ndpi_address_port(&flow->stun.mapped_address.aps[i], buf, sizeof(buf)));
+ }
+ }
+ ndpi_serialize_end_of_list(&flow->ndpi_flow_serializer);
+ }
+
+ if(flow->stun.other_address.num_aps > 0) {
+ ndpi_serialize_start_of_list(&flow->ndpi_flow_serializer, "other_address");
+ for(i = 0; i < flow->stun.other_address.num_aps; i++) {
+ if(flow->stun.other_address.aps[i].port > 0) {
+ ndpi_serialize_string_string(&flow->ndpi_flow_serializer, "other_address",
+ print_ndpi_address_port(&flow->stun.other_address.aps[i], buf, sizeof(buf)));
+ }
+ }
+ ndpi_serialize_end_of_list(&flow->ndpi_flow_serializer);
+ }
+
+ if(flow->stun.peer_address.num_aps > 0) {
+ ndpi_serialize_start_of_list(&flow->ndpi_flow_serializer, "peer_address");
+ for(i = 0; i < flow->stun.peer_address.num_aps; i++) {
+ if(flow->stun.peer_address.aps[i].port > 0) {
+ ndpi_serialize_string_string(&flow->ndpi_flow_serializer, "peer_address",
+ print_ndpi_address_port(&flow->stun.peer_address.aps[i], buf, sizeof(buf)));
+ }
+ }
+ ndpi_serialize_end_of_list(&flow->ndpi_flow_serializer);
+ }
+
+ if(flow->stun.relayed_address.num_aps > 0) {
+ ndpi_serialize_start_of_list(&flow->ndpi_flow_serializer, "relayed_address");
+ for(i = 0; i < flow->stun.relayed_address.num_aps; i++) {
+ if(flow->stun.relayed_address.aps[i].port > 0) {
+ ndpi_serialize_string_string(&flow->ndpi_flow_serializer, "relayed_address",
+ print_ndpi_address_port(&flow->stun.relayed_address.aps[i], buf, sizeof(buf)));
+ }
+ }
+ ndpi_serialize_end_of_list(&flow->ndpi_flow_serializer);
+ }
+
+ if(flow->stun.response_origin.num_aps > 0) {
+ ndpi_serialize_start_of_list(&flow->ndpi_flow_serializer, "response_origin");
+ for(i = 0; i < flow->stun.response_origin.num_aps; i++) {
+ if(flow->stun.response_origin.aps[i].port > 0) {
+ ndpi_serialize_string_string(&flow->ndpi_flow_serializer, "response_origin",
+ print_ndpi_address_port(&flow->stun.response_origin.aps[i], buf, sizeof(buf)));
+ }
+ }
+ ndpi_serialize_end_of_list(&flow->ndpi_flow_serializer);
+ }
+
+ ndpi_serialize_end_of_block(&flow->ndpi_flow_serializer); /* stun */
+
+ break;
+ }
+
+ ndpi_serialize_end_of_block(&flow->ndpi_flow_serializer);
+}
+
/* ****************************************************** */
void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_flow_info *flow) {
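Review bot: add_to_address_port_list() has no upper bound on `num_aps`, and with monitoring enabled it is fed on every packet (see the packet_processing hunk) with addresses taken from STUN traffic, so a peer that keeps varying the advertised address or port can grow the per-flow lists without limit. The linear duplicate scan also becomes quadratic in the number of entries. A cap before the growth step would bound both, e.g. `if(list->num_aps >= MAX_APS_PER_LIST) return;` where `MAX_APS_PER_LIST` is a new constant to be chosen (placeholder name). The duplicate check uses `memcmp` over the whole `ndpi_address_port`; if that struct has padding or unused address bytes for IPv4 (its definition is not on this page), equal endpoints may compare unequal, so comparing `port`, `is_ipv6` and the relevant address bytes field by field would be safer. `new_num` is declared `int` while the counters are `unsigned int`; making it `unsigned int` avoids the mixed-sign arithmetic.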
@@ -1416,11 +1575,13 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
}
}
- memcpy(&flow->stun.mapped_address, &flow->ndpi_flow->stun.mapped_address, sizeof(ndpi_address_port));
- memcpy(&flow->stun.peer_address, &flow->ndpi_flow->stun.peer_address, sizeof(ndpi_address_port));
- memcpy(&flow->stun.relayed_address, &flow->ndpi_flow->stun.relayed_address, sizeof(ndpi_address_port));
- memcpy(&flow->stun.response_origin, &flow->ndpi_flow->stun.response_origin, sizeof(ndpi_address_port));
- memcpy(&flow->stun.other_address, &flow->ndpi_flow->stun.other_address, sizeof(ndpi_address_port));
+ if(!monitoring_enabled) {
+ add_to_address_port_list(&flow->stun.mapped_address, &flow->ndpi_flow->stun.mapped_address);
+ add_to_address_port_list(&flow->stun.peer_address, &flow->ndpi_flow->stun.peer_address);
+ add_to_address_port_list(&flow->stun.relayed_address, &flow->ndpi_flow->stun.relayed_address);
+ add_to_address_port_list(&flow->stun.response_origin, &flow->ndpi_flow->stun.response_origin);
+ add_to_address_port_list(&flow->stun.other_address, &flow->ndpi_flow->stun.other_address);
+ }
flow->multimedia_flow_type = flow->ndpi_flow->flow_multimedia_type;
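Review bot: The `if(!monitoring_enabled)` guard around the five add_to_address_port_list() calls has no comment, and the reason is only discoverable from another hunk: when monitoring is on, the same lists are filled per packet by process_ndpi_monitoring_info(). I would add `/* with monitoring enabled the lists are filled per packet in process_ndpi_monitoring_info() */` above the guard. add_to_address_port_list() returns void and drops the entry when ndpi_realloc() fails, so an allocation failure here loses the address silently; that may be acceptable for the example reader but is worth stating. process_ndpi_collected_info starts and ends outside this hunk.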
@@ -1478,6 +1639,10 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
ndpi_serialize_string_uint32(&flow->ndpi_flow_serializer, "detection_completed", flow->detection_completed);
ndpi_serialize_string_uint32(&flow->ndpi_flow_serializer, "check_extra_packets", flow->check_extra_packets);
+ if(flow->ndpi_flow->monitoring) {
+ serialize_monitoring_metadata(flow);
+ }
+
if(flow->server_hostname)
ndpi_serialize_string_string(&flow->ndpi_flow_serializer, "server_hostname", flow->server_hostname);
}
@@ -1792,6 +1957,8 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow,
iph ? (uint8_t *)iph : (uint8_t *)iph6,
ipsize, time_ms, &input_info);
+ if(monitoring_enabled)
+ process_ndpi_monitoring_info(flow);
enough_packets |= ndpi_flow->fail_with_unknown;
if(enough_packets || (flow->detected_protocol.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN)) {
if((!enough_packets)
diff --git a/example/reader_util.h b/example/reader_util.h
index 03a1b8d5f..9eb49accd 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -172,6 +172,12 @@ enum info_type {
INFO_NATPMP,
};
+typedef struct {
+ ndpi_address_port *aps;
+ unsigned int num_aps;
+ unsigned int num_aps_allocated;
+} ndpi_address_port_list;
+
// flow tracking
typedef struct ndpi_flow_info {
u_int32_t flow_id;
@@ -303,7 +309,7 @@ typedef struct ndpi_flow_info {
} http;
struct {
- ndpi_address_port mapped_address, peer_address,
+ ndpi_address_port_list mapped_address, peer_address,
relayed_address, response_origin, other_address;
} stun;