Diffstat (limited to 'example')
-rw-r--r-- | example/ndpiReader.c | 17 | ||||
-rw-r--r-- | example/reader_util.c | 4 | ||||
-rw-r--r-- | example/reader_util.h | 2 |
3 files changed, 23 insertions, 0 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 0de290724..65ddb4ca3 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -228,6 +228,7 @@ struct receiver *receivers = NULL, *topReceivers = NULL;
 #define WIRESHARK_METADATA_SERVERNAME 0x01
 #define WIRESHARK_METADATA_JA4C 0x02
+#define WIRESHARK_METADATA_TLS_HEURISTICS_MATCHING_FINGERPRINT 0x03
 struct ndpi_packet_tlv {
 u_int16_t type;
@@ -4674,6 +4675,22 @@ static void ndpi_process_packet(u_char *args,
 tot_len += 4 + htons(tlv->length);
 tlv = (struct ndpi_packet_tlv *)&trailer->metadata[tot_len];
 }
+ if(flow->ssh_tls.obfuscated_heur_matching_set.pkts[0] != 0) {
+ tlv->type = ntohs(WIRESHARK_METADATA_TLS_HEURISTICS_MATCHING_FINGERPRINT);
+ tlv->length = ntohs(sizeof(struct ndpi_tls_obfuscated_heuristic_matching_set));
+ struct ndpi_tls_obfuscated_heuristic_matching_set *s = (struct ndpi_tls_obfuscated_heuristic_matching_set *)tlv->data;
+ s->bytes[0] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.bytes[0]);
+ s->bytes[1] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.bytes[1]);
+ s->bytes[2] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.bytes[2]);
+ s->bytes[3] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.bytes[3]);
+ s->pkts[0] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.pkts[0]);
+ s->pkts[1] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.pkts[1]);
+ s->pkts[2] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.pkts[2]);
+ s->pkts[3] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.pkts[3]);
+ /* TODO: boundary check */
+ tot_len += 4 + htons(tlv->length);
+ tlv = (struct ndpi_packet_tlv *)&trailer->metadata[tot_len];
+ }
 flow->detection_completed = 2;
 /* Avoid exporting metadata again. If we really want to have the metadata on Wireshark for *all*
diff --git a/example/reader_util.c b/example/reader_util.c
index efa42da22..6c463fdbb 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
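Review bot: The new TLV is written into `trailer->metadata` at offset `tot_len` with no check that the 4-byte header plus `sizeof(struct ndpi_tls_obfuscated_heuristic_matching_set)` still fits, as the `/* TODO: boundary check */` left in the hunk admits; this appears to be data appended to a packet buffer handed to Wireshark, so an overrun here is a memory-safety defect, not a cosmetic one. Guard the write with the remaining capacity of the trailer (the declaration of `metadata` is outside the hunk, so use whatever bound it actually carries; `sizeof(trailer->metadata)` below assumes a fixed-size array) and skip the TLV when it does not fit. Two smaller points in the same block: the host-to-network conversions use `ntohs`/`ntohl` where `htons`/`htonl` is meant (byte-identical on every platform, but it misreads), and `s` is a struct pointer cast onto `tlv->data` at an arbitrary byte offset, so the `u_int32_t` stores through it may be misaligned; filling a local struct and `memcpy`-ing it into `tlv->data` avoids both the alignment and the repetition. ndpi_process_packet begins and ends outside the hunk.
```c
/* … unchanged: loop appending the earlier TLVs … */
if(flow->ssh_tls.obfuscated_heur_matching_set.pkts[0] != 0
   && tot_len + 4 + sizeof(struct ndpi_tls_obfuscated_heuristic_matching_set) <= sizeof(trailer->metadata)) {
  struct ndpi_tls_obfuscated_heuristic_matching_set s;
  int i;

  tlv->type = htons(WIRESHARK_METADATA_TLS_HEURISTICS_MATCHING_FINGERPRINT);
  tlv->length = htons(sizeof(s));
  for(i = 0; i < 4; i++) {
    s.bytes[i] = htonl(flow->ssh_tls.obfuscated_heur_matching_set.bytes[i]);
    s.pkts[i]  = htonl(flow->ssh_tls.obfuscated_heur_matching_set.pkts[i]);
  }
  memcpy(tlv->data, &s, sizeof(s)); /* tlv->data is not guaranteed to be aligned */
  tot_len += 4 + sizeof(s);
  tlv = (struct ndpi_packet_tlv *)&trailer->metadata[tot_len];
}
/* … unchanged: flow->detection_completed = 2; … */
```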
@@ -1583,6 +1583,10 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
 }
 }
+ if(flow->ndpi_flow->tls_quic.obfuscated_heur_state && flow->ndpi_flow->tls_quic.obfuscated_heur_matching_set)
+ memcpy(&flow->ssh_tls.obfuscated_heur_matching_set, flow->ndpi_flow->tls_quic.obfuscated_heur_matching_set,
+ sizeof(struct ndpi_tls_obfuscated_heuristic_matching_set));
+
 if(!monitoring_enabled) {
 add_to_address_port_list(&flow->stun.mapped_address, &flow->ndpi_flow->stun.mapped_address);
 add_to_address_port_list(&flow->stun.peer_address, &flow->ndpi_flow->stun.peer_address);
diff --git a/example/reader_util.h b/example/reader_util.h
index 5c4acbb90..eea3ce454 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -302,6 +302,8 @@ typedef struct ndpi_flow_info {
 ndpi_cipher_weakness client_unsafe_cipher, server_unsafe_cipher;
 u_int32_t quic_version;
+
+ struct ndpi_tls_obfuscated_heuristic_matching_set obfuscated_heur_matching_set;
 } ssh_tls;
 struct {
|
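Review bot: The copy is guarded by `obfuscated_heur_state` and a non-null `obfuscated_heur_matching_set`, but nothing in `flow->ssh_tls` records that the set was actually populated; the exporter in ndpiReader.c infers that from `pkts[0] != 0`, which only holds if the flow_info is zero-initialised at creation and a populated set never has `pkts[0] == 0` — neither is visible here. Either document the contract at the copy, e.g. `/* consumers treat pkts[0] != 0 as "set present"; relies on zeroed flow_info */`, or add an explicit presence flag next to the new `ssh_tls` member in reader_util.h and set it here. process_ndpi_collected_info begins and ends outside the hunk.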