Diffstat (limited to 'example')
-rw-r--r--example/intrusion_detection.h5
-rw-r--r--example/ndpiReader.c11
-rw-r--r--example/reader_util.c42
-rw-r--r--example/reader_util.h12
4 files changed, 47 insertions, 23 deletions
diff --git a/example/intrusion_detection.h b/example/intrusion_detection.h
index f78095e67..d07965484 100644
--- a/example/intrusion_detection.h
+++ b/example/intrusion_detection.h
@@ -21,6 +21,9 @@
*
*/
+#ifndef _INTRUSION_DETECTION_H_
+#define _INTRUSION_DETECTION_H_
+
/*
Code to detect attacks reported in
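Review bot: The new guard macro `_INTRUSION_DETECTION_H_` begins with an underscore followed by an uppercase letter, a form C reserves for the implementation (C11 7.1.3), so it can collide with a macro defined by a system header. A project-prefixed name avoids that: `#ifndef NDPI_INTRUSION_DETECTION_H` / `#define NDPI_INTRUSION_DETECTION_H` here, with the matching `#endif /* NDPI_INTRUSION_DETECTION_H */` in this file's second hunk. The lines above the guard are outside the hunk; from the context they look like the tail of a license comment, which is harmless outside the guard, but that is worth a glance.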
@@ -62,3 +65,5 @@ double Hearthbleed_score(struct ndpi_flow_info* flow);
double Infiltration_score(struct ndpi_flow_info* flow);
double Ssh_patator_score(struct ndpi_flow_info* flow);
+
+#endif /* _INTRUSION_DETECTION_H_ */
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 3e521edab..09fd0e887 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -1777,9 +1777,7 @@ static void debug_printf(u_int32_t protocol, void *id_struct,
ndpi_log_level_t log_level,
const char *format, ...) {
va_list va_ap;
-#ifndef WIN32
struct tm result;
-#endif
if(log_level <= nDPI_LogLevel) {
char buf[8192], out_buf[8192];
@@ -1797,7 +1795,7 @@ static void debug_printf(u_int32_t protocol, void *id_struct,
extra_msg = "DEBUG: ";
memset(buf, 0, sizeof(buf));
- strftime(theDate, 32, "%d/%b/%Y %H:%M:%S", localtime_r(&theTime,&result) );
+ strftime(theDate, 32, "%d/%b/%Y %H:%M:%S", localtime_r(&theTime,&result));
vsnprintf(buf, sizeof(buf)-1, format, va_ap);
snprintf(out_buf, sizeof(out_buf), "%s %s%s", theDate, extra_msg, buf);
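Review bot: The result of `localtime_r(&theTime,&result)` is handed straight to `strftime`; `localtime_r` returns NULL when it cannot convert the value, and `strftime` would then dereference that null pointer. A guarded form keeps `theDate` well-defined on both paths: `if(localtime_r(&theTime, &result) == NULL) theDate[0] = '\0'; else strftime(theDate, 32, "%d/%b/%Y %H:%M:%S", &result);`. The same unchecked pattern appears in the printResults hunk (`-2512,9 +2511,9`) for `&pcap_start.tv_sec` and `&pcap_end.tv_sec`, where the move from `localtime` to `localtime_r` is itself the right change. Note too that `strftime` returns 0 and leaves the buffer indeterminate when it cannot fit the result; with a 32-byte `theDate` and this fixed format that cannot happen, but a comment saying so would save the next reader the arithmetic. debug_printf's body begins and ends outside this hunk.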
@@ -2504,7 +2502,8 @@ static void printResults(u_int64_t processing_time_usec, u_int64_t setup_time_us
float t = (float)(cumulative_stats.ip_packet_count*1000000)/(float)processing_time_usec;
float b = (float)(cumulative_stats.total_wire_bytes * 8 *1000000)/(float)processing_time_usec;
float traffic_duration;
-
+ struct tm result;
+
if(live_capture) traffic_duration = processing_time_usec;
else traffic_duration = (pcap_end.tv_sec*1000000 + pcap_end.tv_usec) - (pcap_start.tv_sec*1000000 + pcap_start.tv_usec);
@@ -2512,9 +2511,9 @@ static void printResults(u_int64_t processing_time_usec, u_int64_t setup_time_us
t = (float)(cumulative_stats.ip_packet_count*1000000)/(float)traffic_duration;
b = (float)(cumulative_stats.total_wire_bytes * 8 *1000000)/(float)traffic_duration;
- strftime(when, sizeof(when), "%d/%b/%Y %H:%M:%S", localtime(&pcap_start.tv_sec));
+ strftime(when, sizeof(when), "%d/%b/%Y %H:%M:%S", localtime_r(&pcap_start.tv_sec, &result));
printf("\tAnalysis begin: %s\n", when);
- strftime(when, sizeof(when), "%d/%b/%Y %H:%M:%S", localtime(&pcap_end.tv_sec));
+ strftime(when, sizeof(when), "%d/%b/%Y %H:%M:%S", localtime_r(&pcap_end.tv_sec, &result));
printf("\tAnalysis end: %s\n", when);
printf("\tTraffic throughput: %s pps / %s/sec\n", formatPackets(t, buf), formatTraffic(b, 1, buf1));
printf("\tTraffic duration: %.3f sec\n", traffic_duration/1000000);
diff --git a/example/reader_util.c b/example/reader_util.c
index 53013df0d..cc44296d7 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -969,6 +969,17 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
if(n == 0) flow->bittorent_hash[0] = '\0';
}
+ /* DNS */
+ else if(is_ndpi_proto(flow, NDPI_PROTOCOL_DNS)) {
+ if(flow->ndpi_flow->protos.dns.rsp_type == 0x1)
+ inet_ntop(AF_INET, &flow->ndpi_flow->protos.dns.rsp_addr.ipv4, flow->info, sizeof(flow->info));
+ else {
+ inet_ntop(AF_INET6, &flow->ndpi_flow->protos.dns.rsp_addr.ipv6, flow->info, sizeof(flow->info));
+
+ /* For consistency across platforms replace :0: with :: */
+ ndpi_patchIPv6Address(flow->info);
+ }
+ }
/* MDNS */
else if(is_ndpi_proto(flow, NDPI_PROTOCOL_MDNS)) {
snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->protos.mdns.answer);
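Review bot: Only `rsp_type == 0x1` (an A record) selects the IPv4 path; every other response type falls into the `else` branch and formats `rsp_addr.ipv6` as an IPv6 address, so if the decoder can report other record types (CNAME, MX, …) `flow->info` will show a meaningless address for them — the decoder sits outside this diff, so that is worth confirming. Making the AAAA case explicit avoids the guess: `else if(flow->ndpi_flow->protos.dns.rsp_type == 0x1c) {` (0x1c is the AAAA type), leaving other types to the branches below. Both `inet_ntop` calls also ignore their return value; on failure they return NULL and `flow->info` keeps whatever it held before, so `if(inet_ntop(...) == NULL) flow->info[0] = '\0';` keeps the field well-defined (the 160-byte `info` field declared in reader_util.h in this diff is large enough for INET6_ADDRSTRLEN, so truncation is not a concern here). The enclosing else-if chain starts and ends outside the hunk.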
@@ -1061,6 +1072,15 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
flow->ndpi_flow->l4.tcp.tls.sha1_certificate_fingerprint, 20);
flow->ssh_tls.sha1_cert_fingerprint_set = 1;
}
+
+ if(flow->ndpi_flow->protos.stun_ssl.ssl.alpn
+ && flow->ndpi_flow->protos.stun_ssl.ssl.tls_supported_versions)
+ snprintf(flow->info, sizeof(flow->info), "ALPN: %s][TLS Supported Versions: %s",
+ flow->ndpi_flow->protos.stun_ssl.ssl.alpn,
+ flow->ndpi_flow->protos.stun_ssl.ssl.tls_supported_versions);
+ else if(flow->ndpi_flow->protos.stun_ssl.ssl.alpn)
+ snprintf(flow->info, sizeof(flow->info), "ALPN: %s",
+ flow->ndpi_flow->protos.stun_ssl.ssl.alpn);
}
if(flow->detection_completed && (!flow->check_extra_packets)) {
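Review bot: The two new `snprintf` calls into `flow->info` silently truncate when the ALPN list plus the supported-versions string exceed the 160-byte field (the size is visible in the reader_util.h section of this diff), and neither return value is checked; both strings are presumably parsed from the peer's handshake, so their length is not under our control. Either compare the return against `sizeof(flow->info)` or state the policy in a comment, e.g. `/* ALPN and versions are peer-supplied; output is truncated to sizeof(flow->info) */`. The `][` inside the format string reads as a deliberate separator for a caller that prints `info` inside brackets, but nothing in the hunk says so — a one-line comment naming that convention would help the next reader, and the two branches could collapse into one call with an optional suffix. The `}` closing this block belongs to a branch that begins outside the hunk.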
@@ -1279,11 +1299,11 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
if((proto == IPPROTO_TCP)
&& (
- is_ndpi_proto(flow, NDPI_PROTOCOL_TLS)
- || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS)
- || is_ndpi_proto(flow, NDPI_PROTOCOL_SSH)
- || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSH))
- ) {
+ is_ndpi_proto(flow, NDPI_PROTOCOL_TLS)
+ || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS)
+ || is_ndpi_proto(flow, NDPI_PROTOCOL_SSH)
+ || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSH))
+ ) {
if((flow->src2dst_packets+flow->dst2src_packets) < 10 /* MIN_NUM_ENCRYPT_SKIP_PACKETS */)
skip = 1;
}
@@ -1298,10 +1318,10 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
} else {
if((proto == IPPROTO_TCP)
&& (
- is_ndpi_proto(flow, NDPI_PROTOCOL_TLS)
- || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS)
- || is_ndpi_proto(flow, NDPI_PROTOCOL_SSH)
- || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSH))
+ is_ndpi_proto(flow, NDPI_PROTOCOL_TLS)
+ || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS)
+ || is_ndpi_proto(flow, NDPI_PROTOCOL_SSH)
+ || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSH))
)
flow->has_human_readeable_strings = 0;
}
@@ -1429,7 +1449,7 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
if(header->caplen < 40)
return(nproto); /* Too short */
-
+
datalink_check:
switch(datalink_type) {
case DLT_NULL:
@@ -1544,7 +1564,7 @@ ether_type_check:
vlan_packet = 1;
// double tagging for 802.1Q
- while((type == 0x8100) && (ip_offset < (u_int16_t)header->caplen)) {
+ while((type == 0x8100) && (ip_offset < ((u_int16_t)header->caplen))) {
vlan_id = ((packet[ip_offset] << 8) + packet[ip_offset+1]) & 0xFFF;
type = (packet[ip_offset+2] << 8) + packet[ip_offset+3];
ip_offset += 4;
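Review bot: The rewritten loop condition still only requires `ip_offset < caplen`, yet the body reads `packet[ip_offset+1]` through `packet[ip_offset+3]`, so a capture truncated inside a VLAN tag (ip_offset within the last three captured bytes) reads past `caplen`; the added parentheses do not change that. A bound covering the whole 4-byte tag closes it: `while((type == 0x8100) && (ip_offset + 4 <= header->caplen)) {`. The cast of `caplen` to `u_int16_t` also discards the upper bits of captures longer than 65535 bytes; whether that only shortens the loop or something worse depends on the type of `ip_offset`, which is declared outside the hunk. ndpi_workflow_process_packet starts and ends outside this hunk.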
diff --git a/example/reader_util.h b/example/reader_util.h
index c01682b8b..d54b4d611 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -180,14 +180,14 @@ typedef struct ndpi_flow_info {
u_int32_t src2dst_packets, dst2src_packets;
u_int32_t has_human_readeable_strings;
char human_readeable_string_buffer[32];
-
+
// result only, not used for flow identification
ndpi_protocol detected_protocol;
// Flow data analysis
struct ndpi_analyze_struct *iat_c_to_s, *iat_s_to_c, *iat_flow,
*pktlen_c_to_s, *pktlen_s_to_c;
-
+
char info[160];
char flow_extra_info[16];
char host_server_name[240];
@@ -204,22 +204,22 @@ typedef struct ndpi_flow_info {
u_int8_t sha1_cert_fingerprint_set;
time_t notBefore, notAfter;
u_int16_t server_cipher;
- ndpi_cipher_weakness client_unsafe_cipher, server_unsafe_cipher;
+ ndpi_cipher_weakness client_unsafe_cipher, server_unsafe_cipher;
} ssh_tls;
struct {
char url[256], content_type[64], user_agent[128];
u_int response_status_code;
} http;
-
+
struct {
char username[32], password[32];
} telnet;
-
+
void *src_id, *dst_id;
struct ndpi_entropy entropy;
- struct ndpi_entropy last_entropy;
+ struct ndpi_entropy last_entropy;
} ndpi_flow_info_t;