Diffstat (limited to 'example')
-rw-r--r--example/config.txt2
-rw-r--r--example/ndpiReader.c573
-rw-r--r--example/ndpiSimpleIntegration.c10
-rw-r--r--example/obfuscation.conf5
-rw-r--r--example/only_classification.conf26
-rw-r--r--example/protos.txt8
-rw-r--r--example/protos_huge.txt3026
-rw-r--r--example/reader_util.c252
-rw-r--r--example/reader_util.h42
9 files changed, 3626 insertions, 318 deletions
diff --git a/example/config.txt b/example/config.txt
index bf48e22b8..6de41d8da 100644
--- a/example/config.txt
+++ b/example/config.txt
@@ -8,6 +8,6 @@ packets_limit_per_flow,32
ookla,dpi.aggressiveness,0x1
tls,metadata.sha1_fingerprint,1
-lru.bittorrent.ttl,0
+lru.bittorrent.ttl,300
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 9e4c67b60..d164f5159 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -1,7 +1,7 @@
/*
* ndpiReader.c
*
- * Copyright (C) 2011-24 - ntop.org
+ * Copyright (C) 2011-25 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -68,6 +68,9 @@
#define HEURISTICS_CODE 1
+/* Necessary to make sure protocols are properly defined */
+#define PROTO_DEBUG 1
+
/** Client parameters **/
static char *_pcap_file[MAX_NUM_READER_THREADS]; /**< Ingress pcap file/interfaces */
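Review bot: `PROTO_DEBUG` is defined unconditionally here, so the `#ifdef PROTO_DEBUG` blocks this commit adds in printFlow() and printFlowsStats() are always compiled in, and the comment does not say what the macro switches on. If the checks are meant to be optional, let the build define the macro instead of hard-coding it; if they are meant to be permanent, the `#ifdef`s can go. Either way the comment should name the effect, e.g. `/* Enables the master/app protocol consistency check in printFlow() and the ndpi_normalize_protocol() call in printFlowsStats() */`.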
@@ -92,6 +95,7 @@ static ndpi_serialization_format serialization_format = ndpi_serialization_forma
static char* domain_to_check = NULL;
static char* ip_port_to_check = NULL;
static u_int8_t ignore_vlanid = 0;
+extern char *protocolsDirPath; /**< Directory containing protocol files */
FILE *fingerprint_fp = NULL; /**< for flow fingerprint export */
#ifdef __linux__
static char *bind_mask = NULL;
@@ -128,6 +132,7 @@ u_int8_t max_num_udp_dissected_pkts = 24 /* 8 is enough for most protocols, Sign
static u_int32_t pcap_analysis_duration = (u_int32_t)-1;
static u_int32_t risk_stats[NDPI_MAX_RISK] = { 0 }, risks_found = 0, flows_with_risks = 0;
static struct ndpi_stats cumulative_stats;
+static int cumulative_stats_initialized = 0;
static u_int16_t decode_tunnels = 0;
static u_int16_t num_loops = 1;
static u_int8_t shutdown_app = 0, quiet_mode = 0;
@@ -158,6 +163,8 @@ int malloc_size_stats = 0;
int monitoring_enabled;
+char *protocolsDirPath;
+
struct flow_info {
struct ndpi_flow_info *flow;
u_int16_t thread_id;
@@ -239,7 +246,6 @@ struct receiver *receivers = NULL, *topReceivers = NULL;
#define WIRESHARK_METADATA_SERVERNAME 0x01
#define WIRESHARK_METADATA_JA4C 0x02
-#define WIRESHARK_METADATA_TLS_HEURISTICS_MATCHING_FINGERPRINT 0x03
struct ndpi_packet_tlv {
u_int16_t type;
@@ -299,9 +305,8 @@ static int dpdk_port_id = 0, dpdk_run_capture = 1;
void test_lib(); /* Forward */
extern void ndpi_report_payload_stats(FILE *out);
-extern int parse_proto_name_list(char *str, NDPI_PROTOCOL_BITMASK *bitmask,
- int inverted_logic);
extern u_int8_t is_ndpi_proto(struct ndpi_flow_info *flow, u_int16_t id);
+static char const *ndpi_cfg_error2string(ndpi_cfg_error const err);
/* ********************************** */
@@ -397,6 +402,40 @@ static u_int check_bin_doh_similarity(struct ndpi_bin *bin, float *similarity) {
/* *********************************************** */
+static char _proto_delim[] = " \t,:;";
+static int enable_disable_protocols_list(struct ndpi_detection_module_struct *ndpi_str, char *str, int inverted_logic) {
+ char *n;
+ char op;
+ ndpi_cfg_error rc;
+
+ if(!inverted_logic)
+ op = 1; /* Default action: enable protocol */
+ else
+ op = 0; /* Default action: disable protocol */
+
+ for(n = strtok(str,_proto_delim); n && *n; n = strtok(NULL,_proto_delim)) {
+ if(*n == '-') {
+ op = !inverted_logic ? 0 : 1;
+ n++;
+ } else if(*n == '+') {
+ op = !inverted_logic ? 1 : 0;
+ n++;
+ }
+ if(op)
+ rc = ndpi_set_config(ndpi_str, n, "enable", "1");
+ else
+ rc = ndpi_set_config(ndpi_str, n, "enable", "0");
+ if(rc != NDPI_CFG_OK) {
+ LOG(NDPI_LOG_ERROR, "Error enabling/disabling protocol [%s]: %s (%d)\n",
+ n, ndpi_cfg_error2string(rc), rc);
+ }
+ }
+
+ return 0;
+}
+
+/* *********************************************** */
+
void ndpiCheckHostStringMatch(char *testChar) {
ndpi_protocol_match_result match = { NDPI_PROTOCOL_UNKNOWN,
NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_UNRATED };
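Review bot: enable_disable_protocols_list() tokenises `str` in place with `strtok()`, and the caller added later in this commit passes the global `_disabled_protocols` from setupDetection(), which takes a `thread_id`. If setupDetection() runs for more than one thread, the first call leaves NUL bytes in the list and every later call sees only the first protocol, so the remaining protocols stay enabled on those workflows. Parsing a private copy with `strtok_r()` (or the project's portable equivalent, if one exists for non-POSIX builds) avoids both the mutation and strtok's hidden static state. The function also always returns 0 while the old call site exited on a parse error, and `op` is not reset per token, so a `-` prefix silently applies to every following unprefixed name; if that is intended, a comment should say so.

```c
static int enable_disable_protocols_list(struct ndpi_detection_module_struct *ndpi_str, char *str, int inverted_logic) {
  char *copy, *n, *save = NULL;
  /* ... unchanged: op and rc declarations, default value of op ... */

  /* Tokenising writes NULs into the buffer: work on a copy so the
     caller's list is still intact for the next workflow */
  copy = ndpi_strdup(str);
  if(copy == NULL)
    return -1;

  for(n = strtok_r(copy, _proto_delim, &save); n && *n; n = strtok_r(NULL, _proto_delim, &save)) {
    /* ... unchanged: '+'/'-' prefix handling, ndpi_set_config() call, error LOG ... */
  }

  ndpi_free(copy);
  return 0;
}
```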
@@ -404,14 +443,11 @@ void ndpiCheckHostStringMatch(char *testChar) {
char appBufStr[64];
ndpi_protocol detected_protocol;
struct ndpi_detection_module_struct *ndpi_str;
- NDPI_PROTOCOL_BITMASK all;
if(!testChar)
return;
ndpi_str = ndpi_init_detection_module(NULL);
- NDPI_BITMASK_SET_ALL(all);
- ndpi_set_protocol_detection_bitmask2(ndpi_str, &all);
ndpi_finalize_initialization(ndpi_str);
testRes = ndpi_match_string_subprotocol(ndpi_str,
@@ -473,14 +509,11 @@ static void ndpiCheckIPMatch(char *testChar) {
ndpi_protocol detected_protocol;
int i;
ndpi_cfg_error rc;
- NDPI_PROTOCOL_BITMASK all;
if(!testChar)
return;
ndpi_str = ndpi_init_detection_module(NULL);
- NDPI_BITMASK_SET_ALL(all);
- ndpi_set_protocol_detection_bitmask2(ndpi_str, &all);
if(_protoFilePath != NULL)
ndpi_load_protocols_file(ndpi_str, _protoFilePath);
@@ -645,90 +678,87 @@ static void help(u_int long_help) {
" [-r <file>][-R][-j <file>][-S <file>][-T <num>][-U <num>] [-x <domain>]\n"
" [-a <mode>][-B proto_list][-L <domain suffixes>]\n\n"
"Usage:\n"
- " -i <file.pcap|device> | Specify a pcap file/playlist to read packets from or a\n"
- " | device for live capture (comma-separated list)\n"
- " -f <BPF filter> | Specify a BPF filter for filtering selected traffic\n"
- " -s <duration> | Maximum capture duration in seconds (live traffic capture only)\n"
- " -m <duration> | Split analysis duration in <duration> max seconds\n"
- " -p <file>.protos | Specify a protocol file (eg. protos.txt)\n"
- " -l <num loops> | Number of detection loops (test only)\n"
- " -L <domain suffixes> | Domain suffixes (e.g. ../lists/public_suffix_list.dat)\n"
- " -n <num threads> | Number of threads. Default: number of interfaces in -i.\n"
- " | Ignored with pcap files.\n"
- " -N <path> | Address cache dump/restore pathxo.\n"
- " -b <num bin clusters> | Number of bin clusters\n"
- " -k <file> | Specify a file to write serialized detection results\n"
- " -K <format> | Specify the serialization format for `-k'\n"
- " | Valid formats are tlv, csv or json (default)\n"
+ " -i <file.pcap|device> | Specify a pcap file/playlist to read packets from or a\n"
+ " | device for live capture (comma-separated list)\n"
+ " -f <BPF filter> | Specify a BPF filter for filtering selected traffic\n"
+ " -s <duration> | Maximum capture duration in seconds (live traffic capture only)\n"
+ " -m <duration> | Split analysis duration in <duration> max seconds\n"
+ " -p <file>.protos | Specify a protocol file (eg. protos.txt)\n"
+ " -l <num loops> | Number of detection loops (test only)\n"
+ " -L <domain suffixes> | Domain suffixes (e.g. ../lists/public_suffix_list.dat)\n"
+ " -n <num threads> | Number of threads. Default: number of interfaces in -i.\n"
+ " | Ignored with pcap files.\n"
+ " -N <path> | Address cache dump/restore pathxo.\n"
+ " -b <num bin clusters> | Number of bin clusters\n"
+ " -k <file> | Specify a file to write serialized detection results\n"
+ " -K <format> | Specify the serialization format for `-k'\n"
+ " | Valid formats are tlv, csv or json (default)\n"
#ifdef __linux__
- " -g <id:id...> | Thread affinity mask (one core id per thread)\n"
+ " -g <id:id...> | Thread affinity mask (one core id per thread)\n"
#endif
- " -a <mode> | Generates option values for GUIs\n"
- " | 0 - List known protocols\n"
- " | 1 - List known categories\n"
- " | 2 - List known risks\n"
- " -d | Disable protocol guess (by ip and by port) and use only DPI.\n"
- " | It is a shortcut to --cfg=dpi.guess_on_giveup,0\n"
- " -e <len> | Min human readeable string match len. Default %u\n"
- " -q | Quiet mode\n"
- " -F | Enable flow stats\n"
- " -t | Dissect GTP/TZSP tunnels\n"
- " -P <a>:<b>:<c>:<d>:<e> | Enable payload analysis:\n"
- " | <a> = min pattern len to search\n"
- " | <b> = max pattern len to search\n"
- " | <c> = max num packets per flow\n"
- " | <d> = max packet payload dissection\n"
- " | <d> = max num reported payloads\n"
- " | Default: %u:%u:%u:%u:%u\n"
- " -c <path> | Load custom categories from the specified file\n"
- " -C <path> | Write output in CSV format on the specified file\n"
- " -E <path> | Write flow fingerprints on the specified file\n"
- " -r <path> | Load risky domain file\n"
- " -R | Print detected realtime protocols\n"
- " -j <path> | Load malicious JA4 fingeprints\n"
- " -S <path> | Load malicious SSL certificate SHA1 fingerprints\n"
- " -G <dir> | Bind domain names to categories loading files from <dir>\n"
- " -w <path> | Write test output on the specified file. This is useful for\n"
- " | testing purposes in order to compare results across runs\n"
- " -h | This help\n"
- " -H | This help plus some information about supported protocols/risks\n"
- " -v <1|2|3|4> | Verbose 'unknown protocol' packet print.\n"
- " | 1 = verbose\n"
- " | 2 = very verbose\n"
- " | 3 = port stats\n"
- " | 4 = hash stats\n"
- " -V <0-4> | nDPI logging level\n"
- " | 0 - error, 1 - trace, 2 - debug, 3 - extra debug\n"
- " | >3 - extra debug + log enabled for all protocols (i.e. '-u all')\n"
- " -u all|proto|num[,...] | Enable logging only for such protocol(s)\n"
- " | If this flag is present multiple times (directly, or via '-V'),\n"
- " | only the last instance will be considered\n"
- " -B all|proto|num[,...] | Disable such protocol(s). By defaul all protocols are enabled\n"
- " -T <num> | Max number of TCP processed packets before giving up [default: %u]\n"
- " -U <num> | Max number of UDP processed packets before giving up [default: %u]\n"
- " -D | Enable DoH traffic analysis based on content (no DPI)\n"
- " -x <domain> | Check domain name [Test only]\n"
- " -I | Ignore VLAN id for flow hash calculation\n"
- " -A | Dump internal statistics (LRU caches / Patricia trees / Ahocarasick automas / ...\n"
- " -M | Memory allocation stats on data-path (only by the library).\n"
- " | It works only on single-thread configuration\n"
- " --openvp_heuristics | Enable OpenVPN heuristics.\n"
- " | It is a shortcut to --cfg=openvpn,dpi.heuristics,0x01\n"
- " --tls_heuristics | Enable TLS heuristics.\n"
- " | It is a shortcut to --cfg=tls,dpi.heuristics,0x07\n"
- " --cfg=proto,param,value | Configure the specific attribute of this protocol\n"
- " --dump-fpc-stats | Print FPC statistics\n"
+ " -a <mode> | Generates option values for GUIs\n"
+ " | 0 - List known protocols\n"
+ " | 1 - List known categories\n"
+ " | 2 - List known risks\n"
+ " -d | Disable protocol guess (by ip and by port) and use only DPI.\n"
+ " | It is a shortcut to --cfg=dpi.guess_on_giveup,0\n"
+ " -e <len> | Min human readeable string match len. Default %u\n"
+ " -q | Quiet mode\n"
+ " -F | Enable flow stats\n"
+ " -t | Dissect GTP/TZSP tunnels\n"
+ " -P <a>:<b>:<c>:<d>:<e> | Enable payload analysis:\n"
+ " | <a> = min pattern len to search\n"
+ " | <b> = max pattern len to search\n"
+ " | <c> = max num packets per flow\n"
+ " | <d> = max packet payload dissection\n"
+ " | <e> = max num reported payloads\n"
+ " | Default: %u:%u:%u:%u:%u\n"
+ " -c <path> | Load custom categories from the specified file\n"
+ " -C <path> | Write output in CSV format on the specified file\n"
+ " -E <path> | Write flow fingerprints on the specified file\n"
+ " -r <path> | Load risky domain file\n"
+ " -R | Print detected realtime protocols\n"
+ " -j <path> | Load malicious JA4 fingeprints\n"
+ " -S <path> | Load malicious SSL certificate SHA1 fingerprints\n"
+ " -G <dir> | Bind domain names to categories loading files from <dir>\n"
+ " -w <path> | Write test output on the specified file. This is useful for\n"
+ " | testing purposes in order to compare results across runs\n"
+ " --protocols-list-dir <dir> | Directory containing protocols directory (e.g. ../lists/protocols)\n"
+ " -h | This help\n"
+ " -H | This help plus some information about supported protocols/risks\n"
+ " -v <1|2|3|4> | Verbose 'unknown protocol' packet print.\n"
+ " | 1 = verbose\n"
+ " | 2 = very verbose\n"
+ " | 3 = port stats\n"
+ " | 4 = hash stats\n"
+ " -V <0-4> | nDPI logging level\n"
+ " | 0 - error, 1 - trace, 2 - debug, 3 - extra debug\n"
+ " | >3 - extra debug + log enabled for all protocols (i.e. '-u all')\n"
+ " -u all|proto|num[,...] | Enable logging only for such protocol(s)\n"
+ " | If this flag is present multiple times (directly, or via '-V'),\n"
+ " | only the last instance will be considered\n"
+ " -B all|proto|num[,...] | Disable such protocol(s). By defaul all protocols are enabled\n"
+ " -T <num> | Max number of TCP processed packets before giving up [default: %u]\n"
+ " -U <num> | Max number of UDP processed packets before giving up [default: %u]\n"
+ " -D | Enable DoH traffic analysis based on content (no DPI)\n"
+ " -x <domain> | Check domain name [Test only]\n"
+ " -I | Ignore VLAN id for flow hash calculation\n"
+ " -A | Dump internal statistics (LRU caches / Patricia trees / Ahocarasick automas / ...\n"
+ " -M | Memory allocation stats on data-path (only by the library).\n"
+ " | It works only on single-thread configuration\n"
+ " --openvp_heuristics | Enable OpenVPN heuristics.\n"
+ " | It is a shortcut to --cfg=openvpn,dpi.heuristics,0x01\n"
+ " --tls_heuristics | Enable TLS heuristics.\n"
+ " | It is a shortcut to --cfg=tls,dpi.heuristics,0x07\n"
+ " --cfg=proto,param,value | Configure the specific attribute of this protocol\n"
+ " --dump-fpc-stats | Print FPC statistics\n"
,
human_readeable_string_len,
min_pattern_len, max_pattern_len, max_num_packets_per_flow, max_packet_payload_dissection,
max_num_reported_top_payloads, max_num_tcp_dissected_pkts, max_num_udp_dissected_pkts);
- NDPI_PROTOCOL_BITMASK all;
struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module(NULL);
- NDPI_BITMASK_SET_ALL(all);
- ndpi_set_protocol_detection_bitmask2(ndpi_str, &all);
-
if(_protoFilePath != NULL)
ndpi_load_protocols_file(ndpi_str, _protoFilePath);
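Review bot: The re-aligned help text still advertises `--openvp_heuristics`, while the option table registers `openvpn_heuristics` (visible in the longopts hunk that follows), so the documented spelling at best works as a getopt_long prefix abbreviation. Since every line of the block is rewritten for the wider column anyway, it should read `--openvpn_heuristics`, and the carried-over typos `pathxo` and `By defaul` can be fixed in the same pass. The new `--protocols-list-dir` description, "Directory containing protocols directory", would be clearer as `Directory containing the protocol list files (e.g. ../lists/protocols)`. The option is also absent from the synopsis lines visible at the top of the hunk; the help string itself starts outside the hunk.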
@@ -759,8 +789,8 @@ static void help(u_int long_help) {
sizeof(((struct ndpi_flow_struct *)0)->protos));
printf("\n\nnDPI supported protocols:\n");
- printf("%3s %8s %-22s %-10s %-8s %-12s %-18s %-31s %-31s \n",
- "Id", "Userd-id", "Protocol", "Layer_4", "Nw_Proto", "Breed", "Category","Def UDP Port/s","Def TCP Port/s");
+ printf("%3s %8s %-26s %-10s %-8s %-21s %-18s %-31s %-31s %6s\n",
+ "Id", "Userd-id", "Protocol", "Layer_4", "Nw_Proto", "Breed", "Category","Def UDP Port/s","Def TCP Port/s", "Custom");
num_threads = 1;
ndpi_dump_protocols(ndpi_str, stdout);
@@ -823,6 +853,7 @@ static struct option longopts[] = {
{ "payload-analysis", required_argument, NULL, 'P'},
{ "result-path", required_argument, NULL, 'w'},
{ "quiet", no_argument, NULL, 'q'},
+ { "protocols-list-dir", required_argument, NULL, 180},
{ "cfg", required_argument, NULL, OPTLONG_VALUE_CFG},
{ "openvpn_heuristics", no_argument, NULL, OPTLONG_VALUE_OPENVPN_HEURISTICS},
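Review bot: The new `protocols-list-dir` entry uses the bare value `180` as its option code, and the matching `case 180:` added in parse_parameters() repeats it, while the neighbouring long-only options use named `OPTLONG_VALUE_*` constants. A named constant defined alongside the existing ones (their definitions are outside this hunk), for example `OPTLONG_VALUE_PROTOCOLS_LIST_DIR`, keeps the table and the switch in sync and makes a collision with another option code easier to spot.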
@@ -900,17 +931,13 @@ void extcap_config() {
u_int ndpi_num_supported_protocols;
int i;
ndpi_proto_defaults_t *proto_defaults;
- NDPI_PROTOCOL_BITMASK all;
struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module(NULL);
if(!ndpi_str) exit(0);
- NDPI_BITMASK_SET_ALL(all);
- ndpi_set_protocol_detection_bitmask2(ndpi_str, &all);
-
- ndpi_finalize_initialization(ndpi_str);
+ if(ndpi_finalize_initialization(ndpi_str) != 0) exit(0);
- ndpi_num_supported_protocols = ndpi_get_ndpi_num_supported_protocols(ndpi_str);
+ ndpi_num_supported_protocols = ndpi_get_num_protocols(ndpi_str);
proto_defaults = ndpi_get_proto_defaults(ndpi_str);
/* -i <interface> */
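Review bot: A failed `ndpi_finalize_initialization()` now ends the process with `exit(0)`, which reports success to whatever invoked the extcap query and prints nothing. A message on stderr and a non-zero status would make the failure visible, e.g. `fprintf(stderr, "nDPI initialization failed\n"); exit(1);`. The other call sites touched by this commit, ndpiCheckHostStringMatch() and the `case '9':` block in parse_parameters(), still ignore the return value, and `case '9'` uses `ndpi_str` without a NULL check. extcap_config() continues outside the hunk.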
@@ -1490,10 +1517,7 @@ static void parse_parameters(int argc, char **argv)
case '9':
{
struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module(NULL);
- NDPI_PROTOCOL_BITMASK all;
- NDPI_BITMASK_SET_ALL(all);
- ndpi_set_protocol_detection_bitmask2(ndpi_str, &all);
ndpi_finalize_initialization(ndpi_str);
extcap_packet_filter = ndpi_get_proto_by_name(ndpi_str, optarg);
@@ -1529,6 +1553,10 @@ static void parse_parameters(int argc, char **argv)
}
break;
+ case 180:
+ protocolsDirPath = optarg;
+ break;
+
default:
#ifdef DEBUG_TRACE
if(trace) fprintf(trace, " #### Unknown option -%c: skipping it #### \n", opt);
@@ -1726,8 +1754,10 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
flow->protocol,
f/1000.0, l/1000.0,
(l-f)/1000.0,
- flow->src_name, ntohs(flow->src_port),
- flow->dst_name, ntohs(flow->dst_port)
+ flow->src_name ? flow->src_name : "",
+ ntohs(flow->src_port),
+ flow->dst_name ? flow->dst_name : "",
+ ntohs(flow->dst_port)
);
fprintf(csv_fp, "%s|",
@@ -1834,10 +1864,12 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
fprintf(out, "%s%s%s:%u %s %s%s%s:%u ",
(flow->ip_version == 6) ? "[" : "",
- flow->src_name, (flow->ip_version == 6) ? "]" : "", ntohs(flow->src_port),
+ flow->src_name ? flow->src_name : "",
+ (flow->ip_version == 6) ? "]" : "", ntohs(flow->src_port),
flow->bidirectional ? "<->" : "->",
(flow->ip_version == 6) ? "[" : "",
- flow->dst_name, (flow->ip_version == 6) ? "]" : "", ntohs(flow->dst_port)
+ flow->dst_name ? flow->dst_name : "",
+ (flow->ip_version == 6) ? "]" : "", ntohs(flow->dst_port)
);
if(flow->vlan_id > 0) fprintf(out, "[VLAN: %u]", flow->vlan_id);
@@ -1856,6 +1888,26 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
if(flow->tunnel_type != ndpi_no_tunnel)
fprintf(out, "%s:", ndpi_tunnel2str(flow->tunnel_type));
+#ifdef PROTO_DEBUG
+ if((flow->detected_protocol.proto.master_protocol != NDPI_PROTOCOL_UNKNOWN) &&
+ (flow->detected_protocol.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN)
+ && (flow->detected_protocol.proto.app_protocol !=
+ flow->detected_protocol.proto.master_protocol)) {
+ if(ndpi_is_master_only_protocol(ndpi_thread_info[thread_id].workflow->ndpi_struct,
+ flow->detected_protocol.proto.app_protocol)) {
+ printf("[INTERNAL ERROR] %u/%s [%u.%u/%s] unexpected as application protocol\n",
+ flow->detected_protocol.proto.app_protocol,
+ ndpi_get_proto_name(ndpi_thread_info[thread_id].workflow->ndpi_struct,
+ flow->detected_protocol.proto.app_protocol),
+ flow->detected_protocol.proto.master_protocol,
+ flow->detected_protocol.proto.app_protocol,
+ ndpi_protocol2name(ndpi_thread_info[thread_id].workflow->ndpi_struct,
+ flow->detected_protocol, buf1, sizeof(buf1))
+ );
+ }
+ }
+#endif
+
fprintf(out, "%s/%s][IP: %u/%s]",
ndpi_protocol2id(flow->detected_protocol, buf, sizeof(buf)),
ndpi_protocol2name(ndpi_thread_info[thread_id].workflow->ndpi_struct,
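Review bot: The consistency diagnostic in the `#ifdef PROTO_DEBUG` block is written with `printf()` while the surrounding statements of printFlow() write to `out`. When `out` is stdout the `[INTERNAL ERROR]` line lands in the middle of a flow record, after the address/tunnel prefix and before the protocol id; when `out` is a file the message is detached from the flow it describes. Sending it to stderr, `fprintf(stderr, "[INTERNAL ERROR] ...", ...)`, keeps the per-flow output parseable. `buf1` is declared outside the hunk, so its size cannot be checked from here.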
@@ -1870,6 +1922,25 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
fprintf(out, "[Stream Content: %s]", ndpi_multimedia_flowtype2str(content, sizeof(content), flow->multimedia_flow_types));
}
+ if((flow->detected_protocol.proto.master_protocol == NDPI_PROTOCOL_RTP) || (flow->detected_protocol.proto.app_protocol == NDPI_PROTOCOL_RTP))
+ {
+ if (flow->rtp[0 /* cli -> srv */].payload_detected || flow->rtp[1].payload_detected) {
+ fprintf(out, "[Payload Type: ");
+
+ if (flow->rtp[0].payload_detected)
+ fprintf(out, "%s (%u.%u)",
+ ndpi_rtp_payload_type2str(flow->rtp[0].payload_type, flow->rtp[0].evs_subtype), flow->rtp[0].payload_type, flow->rtp[0].evs_subtype);
+
+ if(flow->rtp[1 /* srv -> cli */].payload_detected) {
+ if (flow->rtp[0].payload_detected) fprintf(out, " / ");
+
+ fprintf(out, "%s (%u.%u)]",
+ ndpi_rtp_payload_type2str(flow->rtp[1].payload_type, flow->rtp[1].evs_subtype), flow->rtp[1].payload_type, flow->rtp[1].evs_subtype);
+ } else
+ fprintf(out, "]");
+ }
+ }
+
fprintf(out, "[%s]",
ndpi_is_encrypted_proto(ndpi_thread_info[thread_id].workflow->ndpi_struct,
flow->detected_protocol) ? "Encrypted" : "ClearText");
@@ -2036,6 +2107,22 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
}
}
break;
+
+ case INFO_FASTCGI:
+ if (flow->fast_cgi.url[0] != '\0')
+ {
+ fprintf(out, "[Url: %s]", flow->fast_cgi.url);
+ }
+ if (flow->fast_cgi.user_agent[0] != '\0')
+ {
+ fprintf(out, "[User-agent: %s]", flow->fast_cgi.user_agent);
+ }
+ break;
+
+ case INFO_BFCP:
+ fprintf(out, "[Conference Id: %d]", flow->bfcp.conference_id);
+ fprintf(out, "[User Id: %d]", flow->bfcp.user_id);
+ break;
}
if(flow->ssh_tls.advertised_alpns)
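Review bot: `flow->bfcp.conference_id` and `flow->bfcp.user_id` are printed with `%d` in the new `INFO_BFCP` case; if the fields are declared unsigned (the struct lives in reader_util.h, not visible here), the specifier mismatches the argument and large ids print as negative numbers, so `%u` would be the right conversion. The FastCGI `url` and `user_agent` strings come from captured traffic and are written to the output verbatim. It is worth confirming that the code filling them keeps only printable characters, since control bytes would otherwise reach the terminal or the result file. printFlow() starts and ends outside the hunk.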
@@ -2050,6 +2137,8 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
if(flow->mining.currency[0] != '\0') fprintf(out, "[currency: %s]", flow->mining.currency);
if(flow->dns.geolocation_iata_code[0] != '\0') fprintf(out, "[GeoLocation: %s]", flow->dns.geolocation_iata_code);
+ if(flow->dns.transaction_id != 0) fprintf(out, "[DNS Id: 0x%.4x]", flow->dns.transaction_id);
+ if(flow->dns.ptr_domain_name[0] != '\0') fprintf(out, "[DNS Ptr: %s]", flow->dns.ptr_domain_name);
if((flow->src2dst_packets+flow->dst2src_packets) > 5) {
if(flow->iat_c_to_s && flow->iat_s_to_c) {
@@ -2087,14 +2176,8 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
if(flow->num_packets_before_monitoring > 0)
fprintf(out, "[RTP packets: %d/%d]", flow->stun.rtp_counters[0], flow->stun.rtp_counters[1]);
- if(flow->http.url[0] != '\0') {
- ndpi_risk_enum risk = ndpi_validate_url(flow->http.url);
-
- if(risk != NDPI_NO_RISK)
- NDPI_SET_BIT(flow->risk, risk);
-
- fprintf(out, "[URL: %s]", flow->http.url);
- }
+ if(flow->http.url[0] != '\0')
+ fprintf(out, "[URL: %s]", flow->http.url);
if(flow->http.response_status_code)
fprintf(out, "[StatusCode: %u]", flow->http.response_status_code);
@@ -2410,6 +2493,7 @@ static void node_print_known_proto_walker(const void *node,
static void node_proto_guess_walker(const void *node, ndpi_VISIT which, int depth, void *user_data) {
struct ndpi_flow_info *flow = *(struct ndpi_flow_info **) node;
u_int16_t thread_id = *((u_int16_t *) user_data), proto, fpc_proto;
+ ndpi_protocol_category_t category;
(void)depth;
@@ -2435,6 +2519,8 @@ static void node_proto_guess_walker(const void *node, ndpi_VISIT which, int dept
fpc_proto = flow->fpc.proto.app_protocol ? flow->fpc.proto.app_protocol : flow->fpc.proto.master_protocol;
fpc_proto = ndpi_map_user_proto_id_to_ndpi_id(ndpi_thread_info[thread_id].workflow->ndpi_struct, fpc_proto);
+ category = flow->detected_protocol.category;
+
ndpi_thread_info[thread_id].workflow->stats.protocol_counter[proto] += flow->src2dst_packets + flow->dst2src_packets;
ndpi_thread_info[thread_id].workflow->stats.protocol_counter_bytes[proto] += flow->src2dst_bytes + flow->dst2src_bytes;
ndpi_thread_info[thread_id].workflow->stats.protocol_flows[proto]++;
@@ -2444,6 +2530,9 @@ static void node_proto_guess_walker(const void *node, ndpi_VISIT which, int dept
ndpi_thread_info[thread_id].workflow->stats.fpc_protocol_counter_bytes[fpc_proto] += flow->src2dst_bytes + flow->dst2src_bytes;
ndpi_thread_info[thread_id].workflow->stats.fpc_protocol_flows[fpc_proto]++;
ndpi_thread_info[thread_id].workflow->stats.fpc_flow_confidence[flow->fpc.confidence]++;
+ ndpi_thread_info[thread_id].workflow->stats.category_counter[category] += flow->src2dst_packets + flow->dst2src_packets;
+ ndpi_thread_info[thread_id].workflow->stats.category_counter_bytes[category] += flow->src2dst_bytes + flow->dst2src_bytes;
+ ndpi_thread_info[thread_id].workflow->stats.category_flows[category]++;
}
}
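Review bot: `category` is read from `flow->detected_protocol.category` in the previous hunk and used here as an index into `category_counter[]`, `category_counter_bytes[]` and `category_flows[]` with no range check. printResults() walks these arrays up to `NDPI_PROTOCOL_NUM_CATEGORIES`, so presumably that is their size (the declaration is not in this file section). A guard such as `if(category < NDPI_PROTOCOL_NUM_CATEGORIES) { ... }` around the three updates would keep an unexpected category value from writing past the arrays. node_proto_guess_walker() starts before this hunk.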
@@ -2921,8 +3010,8 @@ static void dump_realtime_protocol(struct ndpi_workflow * workflow, struct ndpi_
inet_ntop(AF_INET, &flow->src_ip, srcip, sizeof(srcip));
inet_ntop(AF_INET, &flow->dst_ip, dstip, sizeof(dstip));
} else {
- snprintf(srcip, sizeof(srcip), "[%s]", flow->src_name);
- snprintf(dstip, sizeof(dstip), "[%s]", flow->dst_name);
+ snprintf(srcip, sizeof(srcip), "[%s]", flow->src_name ? flow->src_name : "");
+ snprintf(dstip, sizeof(dstip), "[%s]", flow->dst_name ? flow->dst_name : "");
}
ndpi_protocol2name(workflow->ndpi_struct, flow->detected_protocol, app_name, sizeof(app_name));
@@ -2951,7 +3040,6 @@ static void on_protocol_discovered(struct ndpi_workflow * workflow,
*/
static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle,
struct ndpi_global_context *g_ctx) {
- NDPI_PROTOCOL_BITMASK enabled_bitmask;
struct ndpi_workflow_prefs prefs;
int i, ret;
ndpi_cfg_error rc;
@@ -2968,10 +3056,8 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle,
serialization_format, g_ctx);
/* Protocols to enable/disable. Default: everything is enabled */
- NDPI_BITMASK_SET_ALL(enabled_bitmask);
if(_disabled_protocols != NULL) {
- if(parse_proto_name_list(_disabled_protocols, &enabled_bitmask, 1))
- exit(-1);
+ enable_disable_protocols_list(ndpi_thread_info[thread_id].workflow->ndpi_struct, _disabled_protocols, 1);
}
if(_categoriesDirPath) {
@@ -2984,7 +3070,7 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle,
if(_domain_suffixes)
ndpi_load_domain_suffixes(ndpi_thread_info[thread_id].workflow->ndpi_struct, _domain_suffixes);
-
+
if(_riskyDomainFilePath)
ndpi_load_risk_domain_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _riskyDomainFilePath);
@@ -3009,14 +3095,14 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle,
}
}
+ if(ndpi_thread_info[thread_id].workflow == NULL)
+ exit(-1); /* Some initialiation functions failed */
+
ndpi_thread_info[thread_id].workflow->g_ctx = g_ctx;
ndpi_workflow_set_flow_callback(ndpi_thread_info[thread_id].workflow,
on_protocol_discovered, NULL);
- /* Make sure to load lists before finalizing the initialization */
- ndpi_set_protocol_detection_bitmask2(ndpi_thread_info[thread_id].workflow->ndpi_struct, &enabled_bitmask);
-
if(_protoFilePath != NULL)
ndpi_load_protocols_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _protoFilePath);
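Review bot: The added `workflow == NULL` check comes after the pointer has already been dereferenced earlier in setupDetection(): the new `enable_disable_protocols_list(ndpi_thread_info[thread_id].workflow->ndpi_struct, ...)` call and the `ndpi_load_domain_suffixes()` / `ndpi_load_risk_domain_file()` calls in the preceding hunks all read `workflow->ndpi_struct`. Unless code outside the visible hunks can set the pointer to NULL in between, the check belongs directly after the workflow is assigned, so a failed initialization exits before the first use. A short message on stderr before `exit(-1)` would also help, and the comment has a typo: `initialiation` should be `initialization`.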
@@ -3050,6 +3136,12 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle,
if(atoi(buf))
monitoring_enabled = 1;
}
+
+ unsigned int num_protocols = ndpi_get_num_protocols(ndpi_thread_info[thread_id].workflow->ndpi_struct);
+ if (!ndpi_stats_init(&ndpi_thread_info[thread_id].workflow->stats, num_protocols)) {
+ exit(-1);
+ }
+
}
/* *********************************************** */
@@ -3332,7 +3424,7 @@ static void printFlowsStats() {
ndpi_host_ja_fingerprints *newHost = ndpi_malloc(sizeof(ndpi_host_ja_fingerprints));
newHost->host_client_info_hasht = NULL;
newHost->host_server_info_hasht = NULL;
- newHost->ip_string = all_flows[i].flow->src_name;
+ newHost->ip_string = all_flows[i].flow->src_name ? all_flows[i].flow->src_name : NULL;
newHost->ip = all_flows[i].flow->src_ip;
newHost->dns_name = all_flows[i].flow->host_server_name;
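Review bot: `all_flows[i].flow->src_name ? all_flows[i].flow->src_name : NULL` evaluates to exactly the same value as the plain `all_flows[i].flow->src_name`, so the changed line adds no NULL protection. The same no-op ternary appears in the five following hunks of printFlowsStats() (twice more for `src_name`, three times for `dst_name`). If `ip_string` is later passed to a `%s` conversion, either store `""` here as the printing hunks of this commit do, or keep the original assignment and guard at the point of use. The `ndpi_malloc()` results in these hunks are dereferenced unchecked as well, though that predates the commit.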
@@ -3366,7 +3458,7 @@ static void printFlowsStats() {
ndpi_ip_dns *newHost = ndpi_malloc(sizeof(ndpi_ip_dns));
newHost->ip = all_flows[i].flow->src_ip;
- newHost->ip_string = all_flows[i].flow->src_name;
+ newHost->ip_string = all_flows[i].flow->src_name ? all_flows[i].flow->src_name : NULL;
newHost->dns_name = all_flows[i].flow->host_server_name;
ndpi_ja_fingerprints_host *newElement = ndpi_malloc(sizeof(ndpi_ja_fingerprints_host));
@@ -3383,7 +3475,7 @@ static void printFlowsStats() {
if(innerElement == NULL) {
ndpi_ip_dns *newInnerElement = ndpi_malloc(sizeof(ndpi_ip_dns));
newInnerElement->ip = all_flows[i].flow->src_ip;
- newInnerElement->ip_string = all_flows[i].flow->src_name;
+ newInnerElement->ip_string = all_flows[i].flow->src_name ? all_flows[i].flow->src_name : NULL;
newInnerElement->dns_name = all_flows[i].flow->host_server_name;
HASH_ADD_INT(hostByJAFound->ipToDNS_ht, ip, newInnerElement);
}
@@ -3398,7 +3490,7 @@ static void printFlowsStats() {
ndpi_host_ja_fingerprints *newHost = ndpi_malloc(sizeof(ndpi_host_ja_fingerprints));
newHost->host_client_info_hasht = NULL;
newHost->host_server_info_hasht = NULL;
- newHost->ip_string = all_flows[i].flow->dst_name;
+ newHost->ip_string = all_flows[i].flow->dst_name ? all_flows[i].flow->dst_name : NULL;
newHost->ip = all_flows[i].flow->dst_ip;
newHost->dns_name = all_flows[i].flow->ssh_tls.server_info;
@@ -3429,7 +3521,7 @@ static void printFlowsStats() {
ndpi_ip_dns *newHost = ndpi_malloc(sizeof(ndpi_ip_dns));
newHost->ip = all_flows[i].flow->dst_ip;
- newHost->ip_string = all_flows[i].flow->dst_name;
+ newHost->ip_string = all_flows[i].flow->dst_name ? all_flows[i].flow->dst_name : NULL;
newHost->dns_name = all_flows[i].flow->ssh_tls.server_info;;
ndpi_ja_fingerprints_host *newElement = ndpi_malloc(sizeof(ndpi_ja_fingerprints_host));
@@ -3447,7 +3539,7 @@ static void printFlowsStats() {
if(innerElement == NULL) {
ndpi_ip_dns *newInnerElement = ndpi_malloc(sizeof(ndpi_ip_dns));
newInnerElement->ip = all_flows[i].flow->dst_ip;
- newInnerElement->ip_string = all_flows[i].flow->dst_name;
+ newInnerElement->ip_string = all_flows[i].flow->dst_name ? all_flows[i].flow->dst_name : NULL;
newInnerElement->dns_name = all_flows[i].flow->ssh_tls.server_info;
HASH_ADD_INT(hostByJAFound->ipToDNS_ht, ip, newInnerElement);
}
@@ -3743,6 +3835,11 @@ static void printFlowsStats() {
#endif
for(i=0; i<num_flows; i++) {
+#ifdef PROTO_DEBUG
+ ndpi_normalize_protocol(ndpi_thread_info[all_flows[i].thread_id].workflow->ndpi_struct,
+ &all_flows[i].flow->detected_protocol.proto);
+#endif
+
#ifndef DIRECTION_BINS
if(enable_doh_dot_detection) {
/* Discard flows with few packets per direction */
@@ -3828,9 +3925,9 @@ static void printFlowsStats() {
i,
ndpi_protocol2name(ndpi_thread_info[0].workflow->ndpi_struct,
all_flows[i].flow->detected_protocol, buf, sizeof(buf)),
- all_flows[i].flow->src_name,
+ all_flows[i].flow->src_name ? all_flows[i].flow->src_name : "",
ntohs(all_flows[i].flow->src_port),
- all_flows[i].flow->dst_name,
+ all_flows[i].flow->dst_name ? all_flows[i].flow->dst_name : "",
ntohs(all_flows[i].flow->dst_port));
print_bin(out, NULL, &bins[i]);
@@ -3932,8 +4029,8 @@ static void printFlowsStats() {
}
}
- for(i=0; i<num_flows; i++)
- printFlowSerialized(all_flows[i].flow);
+ for(i=0; i<num_flows; i++)
+ printFlowSerialized(all_flows[i].flow);
}
ndpi_free(all_flows);
@@ -3953,7 +4050,14 @@ static void printResults(u_int64_t processing_time_usec, u_int64_t setup_time_us
long long unsigned int breed_stats_bytes[NUM_BREEDS] = { 0 };
long long unsigned int breed_stats_flows[NUM_BREEDS] = { 0 };
- memset(&cumulative_stats, 0, sizeof(cumulative_stats));
+ /* In ndpiReader all the contexts have the same configuration */
+ if (!cumulative_stats_initialized) {
+ unsigned int num_protocols = ndpi_get_num_protocols(ndpi_thread_info[0].workflow->ndpi_struct);
+ if (!ndpi_stats_init(&cumulative_stats, num_protocols)) {
+ return;
+ }
+ cumulative_stats_initialized = 1;
+ }
for(thread_id = 0; thread_id < num_threads; thread_id++) {
if((ndpi_thread_info[thread_id].workflow->stats.total_wire_bytes == 0)
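Review bot: With the `memset()` removed, `cumulative_stats` is initialised once and never cleared in the visible code, so every later call to printResults() adds the per-thread counters on top of the totals from the previous call. If printResults() can run more than once per process (for example with split analysis durations or several loops), totals would be counted repeatedly unless a reset happens elsewhere; either reset the counters at the top of each call or add a comment stating that accumulation is intended. The `return` on `ndpi_stats_init()` failure is silent, so the run ends with no results and no error; an `fprintf(stderr, ...)` before returning would make that visible. printResults() continues outside the hunk.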
@@ -3975,7 +4079,7 @@ static void printResults(u_int64_t processing_time_usec, u_int64_t setup_time_us
cumulative_stats.total_ip_bytes += ndpi_thread_info[thread_id].workflow->stats.total_ip_bytes;
cumulative_stats.total_discarded_bytes += ndpi_thread_info[thread_id].workflow->stats.total_discarded_bytes;
- for(i = 0; i < ndpi_get_num_supported_protocols(ndpi_thread_info[0].workflow->ndpi_struct); i++) {
+ for (i = 0; i < cumulative_stats.num_protocols; i++) {
cumulative_stats.protocol_counter[i] += ndpi_thread_info[thread_id].workflow->stats.protocol_counter[i];
cumulative_stats.protocol_counter_bytes[i] += ndpi_thread_info[thread_id].workflow->stats.protocol_counter_bytes[i];
cumulative_stats.protocol_flows[i] += ndpi_thread_info[thread_id].workflow->stats.protocol_flows[i];
@@ -3985,6 +4089,12 @@ static void printResults(u_int64_t processing_time_usec, u_int64_t setup_time_us
cumulative_stats.fpc_protocol_flows[i] += ndpi_thread_info[thread_id].workflow->stats.fpc_protocol_flows[i];
}
+ for(i = 0; i < NDPI_PROTOCOL_NUM_CATEGORIES; i++) {
+ cumulative_stats.category_counter[i] += ndpi_thread_info[thread_id].workflow->stats.category_counter[i];
+ cumulative_stats.category_counter_bytes[i] += ndpi_thread_info[thread_id].workflow->stats.category_counter_bytes[i];
+ cumulative_stats.category_flows[i] += ndpi_thread_info[thread_id].workflow->stats.category_flows[i];
+ }
+
cumulative_stats.ndpi_flow_count += ndpi_thread_info[thread_id].workflow->stats.ndpi_flow_count;
cumulative_stats.flow_count[0] += ndpi_thread_info[thread_id].workflow->stats.flow_count[0];
cumulative_stats.flow_count[1] += ndpi_thread_info[thread_id].workflow->stats.flow_count[1];
@@ -4352,7 +4462,7 @@ static void printResults(u_int64_t processing_time_usec, u_int64_t setup_time_us
}
if(!quiet_mode) printf("\n\nDetected protocols:\n");
- for(i = 0; i <= ndpi_get_num_supported_protocols(ndpi_thread_info[0].workflow->ndpi_struct); i++) {
+ for(i = 0; i < cumulative_stats.num_protocols; i++) {
ndpi_protocol_breed_t breed = ndpi_get_proto_breed(ndpi_thread_info[0].workflow->ndpi_struct,
ndpi_map_ndpi_id_to_user_proto_id(ndpi_thread_info[0].workflow->ndpi_struct, i));
@@ -4432,6 +4542,33 @@ static void printResults(u_int64_t processing_time_usec, u_int64_t setup_time_us
}
}
+ if(!quiet_mode) {
+ printf("\n\nCategory statistics:\n");
+
+ for(i = 0; i < NDPI_PROTOCOL_NUM_CATEGORIES; i++) {
+ if(cumulative_stats.category_counter[i] > 0) {
+ printf("\t%-20s packets: %-13llu bytes: %-13llu "
+ "flows: %-13llu\n",
+ ndpi_category_get_name(ndpi_thread_info[0].workflow->ndpi_struct, i),
+ (long long unsigned int)cumulative_stats.category_counter[i],
+ (long long unsigned int)cumulative_stats.category_counter_bytes[i],
+ (long long unsigned int)cumulative_stats.category_flows[i]);
+ }
+ }
+ }
+ if(results_file) {
+ fprintf(results_file, "\n");
+ for(i = 0; i < NDPI_PROTOCOL_NUM_CATEGORIES; i++) {
+ if(cumulative_stats.category_counter[i] > 0) {
+ fprintf(results_file, "%-20s %13llu %-13llu %-13llu\n",
+ ndpi_category_get_name(ndpi_thread_info[0].workflow->ndpi_struct, i),
+ (long long unsigned int)cumulative_stats.category_counter[i],
+ (long long unsigned int)cumulative_stats.category_counter_bytes[i],
+ (long long unsigned int)cumulative_stats.category_flows[i]);
+ }
+ }
+ }
+
printRiskStats();
printFlowsStats();
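Review bot: The `results_file` line mixes alignments: `%13llu` right-aligns the packet count while the two fields after it use `%-13llu`, unlike the stdout variant just above, which left-aligns all three. If the file is meant to be column-aligned, use `"%-20s %-13llu %-13llu %-13llu\n"`. If the mix is deliberate, for example to match the protocol lines written earlier (outside this hunk), a short comment should say so. Both loops also pass the result of `ndpi_category_get_name()` straight to `%s`, so it is worth confirming that it never returns NULL for ids below `NDPI_PROTOCOL_NUM_CATEGORIES`.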
@@ -4473,6 +4610,8 @@ static void printResults(u_int64_t processing_time_usec, u_int64_t setup_time_us
deletePortsStats(dstStats);
dstStats = NULL;
}
+
+ ndpi_stats_reset(&cumulative_stats);
}
/**
@@ -4537,7 +4676,7 @@ static int getNextPcapFileFromPlaylist(u_int16_t thread_id, char filename[], u_i
static void configurePcapHandle(pcap_t * pcap_handle) {
if(!pcap_handle)
return;
-
+
if(bpfFilter != NULL) {
if(!bpf_cfilter) {
if(pcap_compile(pcap_handle, &bpf_code, bpfFilter, 1, 0xFFFFFF00) < 0) {
@@ -4546,7 +4685,7 @@ static void configurePcapHandle(pcap_t * pcap_handle) {
}
bpf_cfilter = &bpf_code;
}
-
+
if(pcap_setfilter(pcap_handle, bpf_cfilter) < 0) {
printf("pcap_setfilter error: '%s'\n", pcap_geterr(pcap_handle));
} else {
@@ -4758,22 +4897,6 @@ static void ndpi_process_packet(u_char *args,
tot_len += 4 + htons(tlv->length);
tlv = (struct ndpi_packet_tlv *)&trailer->metadata[tot_len];
}
- if(flow->ssh_tls.obfuscated_heur_matching_set.pkts[0] != 0) {
- tlv->type = ntohs(WIRESHARK_METADATA_TLS_HEURISTICS_MATCHING_FINGERPRINT);
- tlv->length = ntohs(sizeof(struct ndpi_tls_obfuscated_heuristic_matching_set));
- struct ndpi_tls_obfuscated_heuristic_matching_set *s = (struct ndpi_tls_obfuscated_heuristic_matching_set *)tlv->data;
- s->bytes[0] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.bytes[0]);
- s->bytes[1] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.bytes[1]);
- s->bytes[2] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.bytes[2]);
- s->bytes[3] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.bytes[3]);
- s->pkts[0] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.pkts[0]);
- s->pkts[1] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.pkts[1]);
- s->pkts[2] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.pkts[2]);
- s->pkts[3] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.pkts[3]);
- /* TODO: boundary check */
- tot_len += 4 + htons(tlv->length);
- tlv = (struct ndpi_packet_tlv *)&trailer->metadata[tot_len];
- }
flow->detection_completed = 2; /* Avoid exporting metadata again.
If we really want to have the metadata on Wireshark for *all*
@@ -4816,9 +4939,8 @@ static void ndpi_process_packet(u_char *args,
for(i=0; i<ndpi_thread_info[thread_id].workflow->prefs.num_roots; i++) {
ndpi_tdestroy(ndpi_thread_info[thread_id].workflow->ndpi_flows_root[i], ndpi_flow_info_freer);
ndpi_thread_info[thread_id].workflow->ndpi_flows_root[i] = NULL;
-
- memset(&ndpi_thread_info[thread_id].workflow->stats, 0, sizeof(struct ndpi_stats));
}
+ ndpi_stats_reset(&ndpi_thread_info[thread_id].workflow->stats);
if(!quiet_mode)
printf("\n-------------------------------------------\n\n");
@@ -5173,26 +5295,20 @@ static void dgaUnitTest() {
NULL
};
int debug = 0, i;
- NDPI_PROTOCOL_BITMASK all;
struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module(NULL);
assert(ndpi_str != NULL);
- NDPI_BITMASK_SET_ALL(all);
- ndpi_set_protocol_detection_bitmask2(ndpi_str, &all);
-
- ndpi_finalize_initialization(ndpi_str);
-
- assert(ndpi_str != NULL);
+ assert(ndpi_finalize_initialization(ndpi_str) ==0);
for(i=0; non_dga[i] != NULL; i++) {
if(debug) printf("Checking non DGA %s\n", non_dga[i]);
- assert(ndpi_check_dga_name(ndpi_str, NULL, (char*)non_dga[i], 1, 1) == 0);
+ assert(ndpi_check_dga_name(ndpi_str, NULL, (char*)non_dga[i], 1, 1, 0) == 0);
}
for(i=0; dga[i] != NULL; i++) {
if(debug) printf("Checking DGA %s\n", non_dga[i]);
- assert(ndpi_check_dga_name(ndpi_str, NULL, (char*)dga[i], 1, 1) == 1);
+ assert(ndpi_check_dga_name(ndpi_str, NULL, (char*)dga[i], 1, 1, 0) == 1);
}
ndpi_exit_detection_module(ndpi_str);
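Review bot: `assert(ndpi_finalize_initialization(ndpi_str) ==0);` puts a call with side effects inside `assert()`, so a build with `NDEBUG` defined drops the finalization and the DGA checks below run on an unfinalized module. Keep the call outside the macro: `int rc = ndpi_finalize_initialization(ndpi_str);` followed by `assert(rc == 0); (void)rc;`. The same pattern is added in domainSearchUnitTest(), domainSearchUnitTest2() and checkProtocolIDsUnitTest() later in this diff. Whether the example is ever built with `NDEBUG` is not visible here. dgaUnitTest's body starts outside the hunk.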
@@ -6125,6 +6241,60 @@ void memmemUnitTest(void) {
/* *********************************************** */
+void memcasecmpUnitTest(void)
+{
+ /* Test 1: NULL pointers */
+ assert(ndpi_memcasecmp(NULL, NULL, 5) == 0);
+ assert(ndpi_memcasecmp(NULL, "string", 6) == -1);
+ assert(ndpi_memcasecmp("string", NULL, 6) == 1);
+
+ /* Test 2: Zero length */
+ assert(ndpi_memcasecmp("string", "different", 0) == 0);
+
+ /* Test 3: Single byte comparison */
+ assert(ndpi_memcasecmp("a", "a", 1) == 0);
+ assert(ndpi_memcasecmp("a", "A", 1) == 0);
+ assert(ndpi_memcasecmp("a", "b", 1) < 0);
+ assert(ndpi_memcasecmp("b", "a", 1) > 0);
+
+ /* Test 4: Case insensitivity */
+ assert(ndpi_memcasecmp("STRING", "string", 6) == 0);
+ assert(ndpi_memcasecmp("String", "sTrInG", 6) == 0);
+
+ /* Test 5: Various string comparisons */
+ assert(ndpi_memcasecmp("string", "string", 6) == 0);
+ assert(ndpi_memcasecmp("string", "strong", 6) < 0);
+ assert(ndpi_memcasecmp("strong", "string", 6) > 0);
+ assert(ndpi_memcasecmp("abc", "abcd", 3) == 0);
+ assert(ndpi_memcasecmp("abcd", "abc", 3) == 0);
+
+ /* Test 6: Optimization for checking first and last bytes */
+ assert(ndpi_memcasecmp("aBc", "abc", 3) == 0);
+ assert(ndpi_memcasecmp("abc", "abC", 3) == 0);
+ assert(ndpi_memcasecmp("abc", "def", 3) < 0);
+ assert(ndpi_memcasecmp("abz", "abx", 3) > 0);
+ assert(ndpi_memcasecmp("axc", "ayc", 3) < 0);
+
+ /* Test 7: Edge cases with non-printable characters and embedded zeros */
+ const char str1[] = {0, 'a', 'b', 'c'};
+ const char str2[] = {0, 'a', 'b', 'c'};
+ assert(ndpi_memcasecmp(str1, str2, 4) == 0);
+
+ const char str3[] = {0, 'a', 'b', 'c'};
+ const char str4[] = {1, 'a', 'b', 'c'};
+ assert(ndpi_memcasecmp(str3, str4, 4) < 0);
+
+ const char str5[] = {'a', 'b', 'c', 0};
+ const char str6[] = {'a', 'b', 'c', 1};
+ assert(ndpi_memcasecmp(str5, str6, 4) < 0);
+
+ const char str7[] = {'a', 'b', 0, 'd'};
+ const char str8[] = {'a', 'b', 1, 'd'};
+ assert(ndpi_memcasecmp(str7, str8, 4) < 0);
+}
+
+/* *********************************************** */
+
void mahalanobisUnitTest()
{
/* Example based on: https://supplychenmanagement.com/2019/03/06/calculating-mahalanobis-distance/ */
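Review bot: The new cases in memcasecmpUnitTest() cover only ASCII letters and the bytes 0 and 1, so nothing exercises bytes with the high bit set. Those are the inputs where `char` signedness decides the sign of the result and where a case-folding helper can misbehave on negative values. Because this comparison presumably runs on packet payload, one case would pin the intended byte ordering, e.g. `const char hi1[] = {(char)0x80}; const char hi2[] = {0x7f}; assert(ndpi_memcasecmp(hi1, hi2, 1) > 0);`. Flip the expected sign if the function is documented to compare as signed `char`; the implementation is outside this hunk.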
@@ -6144,6 +6314,36 @@ void mahalanobisUnitTest()
/* *********************************************** */
+void bitmaskUnitTest()
+{
+ struct ndpi_bitmask b;
+ int i;
+
+ assert(ndpi_bitmask_alloc(&b, 512) == 0);
+ for(i = 0; i < b.max_bits; i++) {
+ ndpi_bitmask_set(&b, i);
+ assert(ndpi_bitmask_is_set(&b, i));
+ }
+ for(i = 0; i < b.max_bits; i++) {
+ ndpi_bitmask_clear(&b, i);
+ assert(!ndpi_bitmask_is_set(&b, i));
+ }
+ ndpi_bitmask_set_all(&b);
+ for(i = 0; i < b.max_bits; i++)
+ assert(ndpi_bitmask_is_set(&b, i));
+ ndpi_bitmask_reset(&b);
+ for(i = 0; i < b.max_bits; i++)
+ assert(!ndpi_bitmask_is_set(&b, i));
+ for(i = 0; i < b.max_bits; i++) {
+ ndpi_bitmask_set(&b, i);
+ assert(ndpi_bitmask_is_set(&b, i));
+ }
+
+ ndpi_bitmask_free(&b);
+}
+
+/* *********************************************** */
+
void filterUnitTest() {
ndpi_filter* f = ndpi_filter_alloc();
u_int32_t v, i;
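Review bot: bitmaskUnitTest() only uses a size of 512 and only indexes strictly below `b.max_bits`, which leaves two boundary cases untested: a size that is not a multiple of the storage word, and an index at or past `max_bits`. Repeating the sequence with a size such as 513 would check that `ndpi_bitmask_set_all()` and `ndpi_bitmask_reset()` handle the partial last word. A call with `i == b.max_bits` would document whether out-of-range indexes are rejected or left to the caller. `int i` is also compared against `b.max_bits`, whose type is not visible here; declaring `i` with that type avoids a possible signed/unsigned comparison.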
@@ -6283,17 +6483,13 @@ void outlierUnitTest() {
void loadStressTest() {
struct ndpi_detection_module_struct *ndpi_struct_shadow = ndpi_init_detection_module(NULL);
- NDPI_PROTOCOL_BITMASK all;
if(ndpi_struct_shadow) {
int i;
- NDPI_BITMASK_SET_ALL(all);
- ndpi_set_protocol_detection_bitmask2(ndpi_struct_shadow, &all);
-
for(i=1; i<100000; i++) {
char name[32];
- ndpi_protocol_category_t id = CUSTOM_CATEGORY_MALWARE;
+ ndpi_protocol_category_t id = NDPI_PROTOCOL_CATEGORY_MALWARE;
u_int8_t value = (u_int8_t)i;
snprintf(name, sizeof(name), "%d.com", i);
@@ -6397,7 +6593,7 @@ void ballTreeUnitTest() {
/* *********************************************** */
void cryptDecryptUnitTest() {
- u_char enc_dec_key[64] = "9dedb817e5a8805c1de62eb8982665b9a2b4715174c34d23b9a46ffafacfb2a7" /* SHA256("nDPI") */;
+ u_char enc_dec_key[] = "9dedb817e5a8805c1de62eb8982665b9a2b4715174c34d23b9a46ffafacfb2a7" /* SHA256("nDPI") */;
const char *test_string = "The quick brown fox jumps over the lazy dog";
char *enc, *dec;
u_int16_t e_len, d_len, t_len = strlen(test_string);
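Review bot: The switch from `enc_dec_key[64]` to `enc_dec_key[]` deserves a comment, because the reason for it is easy to undo by accident. The initializer is exactly 64 characters, so a 64-byte array silently drops the terminating NUL. Suggested comment above the declaration: `/* sized by the initializer (64 hex chars + NUL); a fixed [64] would leave the key unterminated */`. Whether the key is consumed as a C string is decided further down in cryptDecryptUnitTest(), outside this hunk.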
@@ -6417,7 +6613,6 @@ void cryptDecryptUnitTest() {
/* *********************************************** */
void encodeDomainsUnitTest() {
- NDPI_PROTOCOL_BITMASK all;
struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module(NULL);
const char *lists_path = "../lists/public_suffix_list.dat";
struct stat st;
@@ -6428,9 +6623,6 @@ void encodeDomainsUnitTest() {
char *str;
ndpi_protocol_category_t id;
- NDPI_BITMASK_SET_ALL(all);
- ndpi_set_protocol_detection_bitmask2(ndpi_str, &all);
-
assert(ndpi_load_domain_suffixes(ndpi_str, (char*)lists_path) == 0);
ndpi_get_host_domain_suffix(ndpi_str, "lcb.it", &suffix_id);
@@ -6449,7 +6641,19 @@ void encodeDomainsUnitTest() {
str = (char*)"222.0grand-casino.com"; assert(ndpi_get_custom_category_match(ndpi_str, str, strlen(str), &id) == 0); assert(id == 107);
str = (char*)"10bet.com"; assert(ndpi_get_custom_category_match(ndpi_str, str, strlen(str), &id) == 0); assert(id == 107);
str = (char*)"www.ntop.org"; assert(ndpi_get_custom_category_match(ndpi_str, str, strlen(str), &id) == -1); assert(id == 0);
- str = (char*)"www.andrewpope.com"; assert(ndpi_get_custom_category_match(ndpi_str, str, strlen(str), &id) == 0); assert(id == 100);
+ str = (char*)"lifyqyi.com"; assert(ndpi_get_custom_category_match(ndpi_str, str, strlen(str), &id) == 0); assert(id == 100);
+ }
+
+ ndpi_exit_detection_module(ndpi_str);
+}
+
+/* *********************************************** */
+
+void checkProtocolIDsUnitTest() {
+ struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module(NULL);
+
+ if(ndpi_str != NULL) {
+ assert(ndpi_load_protocols_dir(ndpi_str, "../lists/protocols"));
}
ndpi_exit_detection_module(ndpi_str);
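Review bot: checkProtocolIDsUnitTest() asserts on the relative path `"../lists/protocols"` without first checking that the directory exists, so the test aborts whenever the binary is started from another working directory. domainsUnitTest() guards its list file with `if(stat(lists_path, &st) == 0)`, and the same guard fits here: `if(ndpi_str != NULL && stat("../lists/protocols", &st) == 0)`, with a local `struct stat st;`. The function also passes silently when `ndpi_init_detection_module()` returns NULL, where the neighbouring tests use `assert(ndpi_str)`. A one-line comment stating what a true return from `ndpi_load_protocols_dir()` means would help, since the other loaders in this file are compared against `0`.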
@@ -6458,7 +6662,6 @@ void encodeDomainsUnitTest() {
/* *********************************************** */
void domainsUnitTest() {
- NDPI_PROTOCOL_BITMASK all;
struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module(NULL);
const char *lists_path = "../lists/public_suffix_list.dat";
struct stat st;
@@ -6466,11 +6669,11 @@ void domainsUnitTest() {
if(stat(lists_path, &st) == 0) {
u_int16_t suffix_id;
- NDPI_BITMASK_SET_ALL(all);
- ndpi_set_protocol_detection_bitmask2(ndpi_str, &all);
-
assert(ndpi_load_domain_suffixes(ndpi_str, (char*)lists_path) == 0);
+ assert(strcmp(ndpi_get_host_domain(ndpi_str, "1.0.0.127.in-addr.arpa"), "in-addr.arpa") == 0);
+ assert(strcmp(ndpi_get_host_domain(ndpi_str, "fe80::fd:5447:b2d1:40e0"), "fe80::fd:5447:b2d1:40e0") == 0);
+ assert(strcmp(ndpi_get_host_domain(ndpi_str, "192.168.1.2"), "192.168.1.2") == 0);
assert(strcmp(ndpi_get_host_domain(ndpi_str, "extension.femetrics.grammarly.io"), "grammarly.io") == 0);
assert(strcmp(ndpi_get_host_domain(ndpi_str, "www.ovh.commander1.com"), "commander1.com") == 0);
@@ -6497,14 +6700,11 @@ void domainSearchUnitTest() {
u_int16_t class_id;
struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module(NULL);
u_int8_t trace = 0;
- NDPI_PROTOCOL_BITMASK all;
assert(ndpi_str);
assert(sc);
- NDPI_BITMASK_SET_ALL(all);
- ndpi_set_protocol_detection_bitmask2(ndpi_str, &all);
- ndpi_finalize_initialization(ndpi_str);
+ assert(ndpi_finalize_initialization(ndpi_str) == 0);
ndpi_domain_classify_add(ndpi_str, sc, NDPI_PROTOCOL_NTOP, ".ntop.org");
ndpi_domain_classify_add(ndpi_str, sc, NDPI_PROTOCOL_NTOP, domain);
@@ -6533,14 +6733,11 @@ void domainSearchUnitTest2() {
struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module(NULL);
ndpi_domain_classify *c = ndpi_domain_classify_alloc();
u_int16_t class_id = 9;
- NDPI_PROTOCOL_BITMASK all;
assert(ndpi_str);
assert(c);
- NDPI_BITMASK_SET_ALL(all);
- ndpi_set_protocol_detection_bitmask2(ndpi_str, &all);
- ndpi_finalize_initialization(ndpi_str);
+ assert(ndpi_finalize_initialization(ndpi_str) == 0);
ndpi_domain_classify_add(ndpi_str, c, class_id, "ntop.org");
ndpi_domain_classify_add(ndpi_str, c, class_id, "apple.com");
@@ -6605,6 +6802,9 @@ int main(int argc, char **argv) {
int skip_unit_tests = 1;
#endif
+
+ //checkProtocolIDsUnitTest(); return(0);
+
#ifdef DEBUG_TRACE
trace = fopen("/tmp/ndpiReader.log", "a");
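Review bot: `//checkProtocolIDsUnitTest(); return(0);` is a commented-out debugging shortcut committed into main(). It is also the only visible call site of the new test, because the unit-test list later in this diff gains `memcasecmpUnitTest()` and `bitmaskUnitTest()` but not this one. Either remove the line and add `checkProtocolIDsUnitTest();` to that list, or replace it with a comment explaining why the test is run by hand. main()'s body continues outside the hunk.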
@@ -6667,7 +6867,6 @@ int main(int argc, char **argv) {
automataUnitTest();
automataDomainsUnitTest();
analyzeUnitTest();
- ndpi_self_check_host_match(stderr);
analysisUnitTest();
compressedBitmapUnitTest();
strtonumUnitTest();
@@ -6675,7 +6874,9 @@ int main(int argc, char **argv) {
strnstrUnitTest();
strncasestrUnitTest();
memmemUnitTest();
+ memcasecmpUnitTest();
mahalanobisUnitTest();
+ bitmaskUnitTest();
#endif
}
@@ -6691,7 +6892,7 @@ int main(int argc, char **argv) {
ndpiCheckHostStringMatch(domain_to_check);
exit(0);
}
-
+
if(ip_port_to_check) {
ndpiCheckIPMatch(ip_port_to_check);
exit(0);
@@ -6708,7 +6909,7 @@ int main(int argc, char **argv) {
#ifdef CUSTOM_NDPI_PROTOCOLS
#include "../../nDPI-custom/ndpiReader_init.c"
#endif
-
+
if(!quiet_mode) {
printf("\n-----------------------------------------------------------\n"
"* NOTE: This is demo app to show *some* nDPI features.\n"
diff --git a/example/ndpiSimpleIntegration.c b/example/ndpiSimpleIntegration.c
index e51ceba3f..f526e1d26 100644
--- a/example/ndpiSimpleIntegration.c
+++ b/example/ndpiSimpleIntegration.c
@@ -1,6 +1,6 @@
/*
*
- * Copyright (C) 2011-22 - ntop.org
+ * Copyright (C) 2011-25 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -210,10 +210,10 @@ static struct nDPI_workflow * init_workflow(char const * const file_or_device)
return NULL;
}
- NDPI_PROTOCOL_BITMASK protos;
- NDPI_BITMASK_SET_ALL(protos);
- ndpi_set_protocol_detection_bitmask2(workflow->ndpi_struct, &protos);
- ndpi_finalize_initialization(workflow->ndpi_struct);
+ if(ndpi_finalize_initialization(workflow->ndpi_struct) != 0) {
+ free_workflow(&workflow);
+ return NULL;
+ }
return workflow;
}
diff --git a/example/obfuscation.conf b/example/obfuscation.conf
index 4d7d078fb..0a453c5d7 100644
--- a/example/obfuscation.conf
+++ b/example/obfuscation.conf
@@ -1,7 +1,12 @@
#Useful ndpiReader configuration to analyse VPN and/or obfuscated traffic
+#Flow risk info: only about obfuscation
+--cfg=flow_risk.all.info,0 --cfg=flow_risk.obfuscated.info,1
+
#Generic limits
--cfg=packets_limit_per_flow,255 -U 0 -T 0
+#Fully encrypted protocols
+--cfg=fully_encrypted_heuristic,1
#TLS heuristics
--cfg=tls,dpi.heuristics,0x07 --cfg=tls,dpi.heuristics.max_packets_extra_dissection,25
#OpenVPN heuristic
diff --git a/example/only_classification.conf b/example/only_classification.conf
new file mode 100644
index 000000000..0b93b3188
--- /dev/null
+++ b/example/only_classification.conf
@@ -0,0 +1,26 @@
+#Example of configuration if you are interested ONLY in flow (sub)-classification
+#(i.e. no metadata at all and no flow risks)
+
+#No flow risks
+--cfg=flow_risk.all,0
+
+#General metadata
+--cfg=metadata.tcp_fingerprint,0
+#BITTORRENT
+--cfg=bittorrent,metadata.hash,0
+#SSDP
+--cfg=ssdp,metadata,0
+#TLS
+--cfg=tls,metadata.sha1_fingerprint,0 --cfg=tls,metadata.ja3s_fingerprint,0 --cfg=tls,metadata.ja4c_fingerprint,0 --cfg=tls,metadata.cert_server_names,0 --cfg=tls,metadata.cert_validity,0 --cfg=tls,metadata.cert_issuer,0 --cfg=tls,metadata.cert_subject,0 --cfg=tls,metadata.alpn_negotiated,0 --cfg=tls,metadata.versions_supported,0 --cfg=tls,metadata.cipher,0 --cfg=tls,metadata.browser,0
+#SIP
+--cfg=sip,metadata.attribute.from,0 --cfg=sip,metadata.attribute.to,0
+#STUN
+--cfg=stun,metadata.attribute.mapped_address,0 --cfg=stun,metadata.attribute.peer_address,0 --cfg=stun,metadata.attribute.relayed_address,0 --cfg=stun,metadata.attribute.response_origin,0 --cfg=stun,metadata.attribute.other_address,0
+#HTTP
+--cfg=http,metadata.request_content_type,0 --cfg=http,metadata.referer,0 --cfg=http,metadata.host,0 --cfg=http,metadata.username,0 --cfg=http,metadata.password,0
+
+#DNS:we need only the request for sub-classification
+--cfg=dns,process_response,0 #Note that this option has an huge impact on FPC!
+
+#RTP
+--cfg=rtp,max_packets_extra_dissection,0
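Review bot: The `#Note that this option has an huge impact on FPC!` text after `--cfg=dns,process_response,0` is the only trailing comment in this file, and the neighbouring obfuscation.conf keeps every comment on its own line. If the loader passes the rest of the line on as arguments, the comment words would be parsed as options. Moving the text onto its own line avoids depending on that behaviour: `#Note: dns,process_response has a huge impact on FPC`. How the conf file is tokenised is not visible in this diff, so treat this as something to confirm.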
diff --git a/example/protos.txt b/example/protos.txt
index 810ea1911..2dc3b3318 100644
--- a/example/protos.txt
+++ b/example/protos.txt
@@ -4,8 +4,7 @@
tcp:81,tcp:8181@HTTP
udp:5062@SIP
tcp:860,udp:860,tcp:3260,udp:3260@iSCSI
-tcp:3000@ntop
-tcp:9002@Elasticsearch
+tcp:9200@Elasticsearch
tcp:5601@Kibana
tcp:65535@TestProto
@@ -64,6 +63,11 @@ ipv6:[fe80::76ac:b9ff:fe6c:c124]:12717@CustomProtocolG=2050
ipv6:[fe80::76ac:b9ff:fe6c:c124]:12718@CustomProtocolH=65535
ipv6:[fe80::76ac:b9ff:fe6c:c124]:12719@CustomProtocolI=65534
+ipv6:[2001:db8::c2fd:b817:5ca8:82dd]:16690@CustomProtocolJ,breed=1
+ipv6:[2001:db8::cba5:51b2:8733:6d9e]:38542@CustomProtocolK,cat=3
+ipv6:[2001:db8::cc14:67e6:fcd:b96d]:37464@CustomProtocolL=3002,cat=5,breed=3
+ipv6:[2003:db8::4]@CustomProtocolM=3003,cat=106,breed=5
+
#
# You can use symbolic IP addreses if you want
#
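Review bot: The fourth new entry uses `2003:db8::4`, while the three above it use the `2001:db8::/32` documentation prefix. `2003:db8::4` lies outside that prefix, so the sample rule refers to ordinary routable address space. If this is a typo, the line should read `ipv6:[2001:db8::4]@CustomProtocolM=3003,cat=106,breed=5`. If the different prefix and the missing port are deliberate test inputs, a one-line comment above the entry would make that clear.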
diff --git a/example/protos_huge.txt b/example/protos_huge.txt
new file mode 100644
index 000000000..ef2346151
--- /dev/null
+++ b/example/protos_huge.txt
@@ -0,0 +1,3026 @@
+# 3com-amp3
+tcp:629@3com-amp3
+udp:629@3com-amp3
+
+# 3com-tsmux
+tcp:106@3com-tsmux
+udp:106@3com-tsmux
+
+# 914c/g
+tcp:211@914c/g
+udp:211@914c/g
+
+# 9pfs
+tcp:564@9pfs
+udp:564@9pfs
+
+# acap
+tcp:674@acap
+udp:674@acap
+
+# acas
+tcp:62@acas
+udp:62@acas
+
+# accessbuilder
+tcp:888@accessbuilder
+udp:888@accessbuilder
+
+# accessnetwork
+tcp:699@accessnetwork
+udp:699@accessnetwork
+
+# aci
+tcp:187@aci
+udp:187@aci
+
+# acp
+tcp:599@acp
+udp:599@acp
+
+# acr-nema
+tcp:104@acr-nema
+udp:104@acr-nema
+
+# activesync
+tcp:1034@activesync
+udp:1034@activesync
+
+# adobeserver
+tcp:1102-1103.0@adobeserver
+udp:1102@adobeserver
+
+# aed-512
+tcp:149@aed-512
+udp:149@aed-512
+
+# afp
+tcp:548@afp
+udp:548@afp
+
+# afrog
+tcp:1042@afrog
+udp:1042@afrog
+
+# agentx
+tcp:705@agentx
+udp:705@agentx
+
+# alpes
+tcp:463@alpes
+udp:463@alpes
+
+# ampr-rcmd
+tcp:459@ampr-rcmd
+udp:459@ampr-rcmd
+
+# ams
+tcp:1037@ams
+udp:1037@ams
+
+# amt-esd-prot
+tcp:1082@amt-esd-prot
+udp:1082@amt-esd-prot
+
+# anet
+tcp:212@anet
+udp:212@anet
+
+# ansanotify
+tcp:116@ansanotify
+udp:116@ansanotify
+
+# ansatrader
+tcp:124@ansatrader
+udp:124@ansatrader
+
+# ansoft-lm
+tcp:1083-1084.0@ansoft-lm
+udp:1083@ansoft-lm
+
+# ansyslmd
+tcp:1055@ansyslmd
+udp:1055@ansyslmd
+
+# aodv
+tcp:654@aodv
+udp:654@aodv
+
+# aol
+tcp:5190@aol
+udp:5190@aol
+
+# apertus
+tcp:539@apertus
+udp:539@apertus
+
+# apex
+tcp:912-913.0@apex
+udp:912@apex
+
+# apple-game
+udp:4398@apple-game
+
+# apple-push
+tcp:2195-2196.0@apple-push
+
+# appleqtc
+tcp:458@appleqtc
+udp:458@appleqtc
+
+# appleqtc
+tcp:545@appleqtc
+udp:545@appleqtc
+
+# apple-sasl
+tcp:3659@apple-sasl
+udp:3659@apple-sasl
+
+# AppleTalk
+tcp:201-208.0@AppleTalk
+udp:201@AppleTalk
+
+# apple-ugcontrol
+tcp:2336@apple-ugcontrol
+udp:2336@apple-ugcontrol
+
+# arcisdms
+tcp:262@arcisdms
+udp:262@arcisdms
+
+# arcp
+tcp:7070@arcp
+udp:7070@arcp
+
+# ardus
+tcp:1115-1117.0@ardus
+udp:1115@ardus
+
+# ariel
+tcp:419@ariel
+udp:419@ariel
+
+# ariel
+tcp:421-422.0@ariel
+udp:421@ariel
+
+# arns
+tcp:384@arns
+udp:384@arns
+
+# asa
+tcp:386@asa
+udp:386@asa
+
+# asa-appl-proto
+tcp:502@asa-appl-proto
+udp:502@asa-appl-proto
+
+# asap-tls
+tcp:3864@asap-tls
+
+# asia
+tcp:626@asia
+udp:626@asia
+
+# asip
+tcp:311@asip
+udp:311@asip
+
+# asipwismar
+tcp:687@asipwismar
+udp:687@asipwismar
+
+# asprovatalk
+tcp:1079@asprovatalk
+udp:1079@asprovatalk
+
+# as-servermap
+tcp:449@as-servermap
+udp:449@as-servermap
+
+# audit
+tcp:182@audit
+udp:182@audit
+
+# auditd
+tcp:48@auditd
+udp:48@auditd
+
+# aurora
+tcp:364@aurora
+udp:364@aurora
+
+# aurp
+tcp:387@aurp
+udp:387@aurp
+
+# auth
+tcp:113@auth
+udp:113@auth
+
+# availant-mgr
+tcp:1122@availant-mgr
+udp:1122@availant-mgr
+
+# avian
+tcp:486@avian
+udp:486@avian
+
+# avocent-proxy
+tcp:1078@avocent-proxy
+udp:1078@avocent-proxy
+
+# awacs-ice
+tcp:4488@awacs-ice
+udp:4488@awacs-ice
+
+# banyan
+tcp:567@banyan
+udp:567@banyan
+
+# banyan
+tcp:573@banyan
+udp:573@banyan
+
+# bdp
+tcp:581@bdp
+udp:581@bdp
+
+# bftp
+tcp:152@bftp
+udp:152@bftp
+
+# bgmp
+tcp:264@bgmp
+udp:264@bgmp
+
+# bgp
+tcp:179@bgp
+udp:179@bgp
+
+# bgs-nsi
+tcp:482@bgs-nsi
+udp:482@bgs-nsi
+
+# bh611
+tcp:354@bh611
+udp:354@bh611
+
+# bhevent
+tcp:357@bhevent
+udp:357@bhevent
+
+# bhfhs
+tcp:248@bhfhs
+udp:248@bhfhs
+
+# bhmds
+tcp:310@bhmds
+udp:310@bhmds
+
+# bitTorrent
+tcp:6881-6888.0@bitTorrent
+udp:6881@bitTorrent
+
+# bl-idm
+tcp:142@bl-idm
+udp:142@bl-idm
+
+# bmpp
+tcp:632@bmpp
+udp:632@bmpp
+
+# bnet
+tcp:415@bnet
+udp:415@bnet
+
+# bootp
+tcp:67-68.0@bootp
+udp:67@bootp
+
+# borland-dsj
+tcp:707@borland-dsj
+udp:707@borland-dsj
+
+# busboy/puparp
+tcp:998@busboy/puparp
+udp:998@busboy/puparp
+
+# cableport-ax
+tcp:282@cableport-ax
+udp:282@cableport-ax
+
+# cab-protocol
+tcp:595@cab-protocol
+udp:595@cab-protocol
+
+# cadlock
+tcp:770@cadlock
+udp:770@cadlock
+
+# cadlock2
+tcp:1000@cadlock2
+udp:1000@cadlock2
+
+# cadview-3d
+tcp:649@cadview-3d
+udp:649@cadview-3d
+
+# CAIlic
+tcp:216@CAIlic
+udp:216@CAIlic
+
+# cal
+tcp:588@cal
+udp:588@cal
+
+# carboncopy
+tcp:1023@carboncopy
+
+# cdc
+tcp:223@cdc
+udp:223@cdc
+
+# cert-responder
+tcp:1640@cert-responder
+udp:1640@cert-responder
+
+# cfdptkt
+tcp:120@cfdptkt
+udp:120@cfdptkt
+
+# chargen
+tcp:19@chargen
+udp:19@chargen
+
+# CheckMK_DistrMon
+tcp:6557@CheckMK_DistrMon
+
+# chshell
+tcp:562@chshell
+udp:562@chshell
+
+# cimplex
+tcp:673@cimplex
+udp:673@cimplex
+
+# cisco-fna
+tcp:130-132.0@cisco-fna
+udp:130@cisco-fna
+
+# cisco-tdp
+tcp:711@cisco-tdp
+udp:711@cisco-tdp
+
+# citadel
+tcp:504@citadel
+udp:504@citadel
+
+# citrix_ica
+tcp:1494@citrix_ica
+udp:1494@citrix_ica
+
+# citrix_ica
+tcp:2598@citrix_ica
+udp:2598@citrix_ica
+
+# citrix_rtp
+udp:16500-16509.0@citrix_rtp
+
+# cl/1
+tcp:172@cl/1
+udp:172@cl/1
+
+# clearcase
+tcp:371@clearcase
+udp:371@clearcase
+
+# cloanto
+tcp:356@cloanto
+udp:356@cloanto
+
+# cmip
+tcp:163-164.0@cmip
+udp:163@cmip
+
+# codaauth2
+tcp:370@codaauth2
+udp:370@codaauth2
+
+# collaborator
+tcp:622@collaborator
+udp:622@collaborator
+
+# commerce
+tcp:542@commerce
+udp:542@commerce
+
+# compaq-evm
+tcp:619@compaq-evm
+udp:619@compaq-evm
+
+# compressnet
+tcp:2-3.0@compressnet
+udp:2@compressnet
+
+# comscm
+tcp:437@comscm
+udp:437@comscm
+
+# con
+tcp:759@con
+udp:759@con
+
+# conference
+tcp:531@conference
+udp:531@conference
+
+# connendp
+tcp:693@connendp
+udp:693@connendp
+
+# corba-iiop
+tcp:683-684.0@corba-iiop
+udp:683@corba-iiop
+
+# corerjd
+tcp:284@corerjd
+udp:284@corerjd
+
+# courier
+tcp:530@courier
+udp:530@courier
+
+# covia
+tcp:64@covia
+udp:64@covia
+
+# creative
+tcp:453-455.0@creative
+udp:453@creative
+
+# crs
+tcp:507@crs
+udp:507@crs
+
+# cryptoadmin
+tcp:624@cryptoadmin
+udp:624@cryptoadmin
+
+# csi-sgwp
+tcp:348@csi-sgwp
+udp:348@csi-sgwp
+
+# cso
+tcp:105@cso
+udp:105@cso
+
+# csoftragent
+tcp:3004@csoftragent
+udp:3004@csoftragent
+
+# ctf
+tcp:84@ctf
+udp:84@ctf
+
+# CU-SeeMe
+tcp:7648-7649.0@CU-SeeMe
+udp:7648@CU-SeeMe
+
+# custix
+tcp:528@custix
+udp:528@custix
+
+# cvc_hostd
+tcp:442@cvc_hostd
+udp:442@cvc_hostd
+
+# cvspserver
+tcp:2401@cvspserver
+udp:2401@cvspserver
+
+# cybercash
+tcp:551@cybercash
+udp:551@cybercash
+
+# cycleserv
+tcp:763@cycleserv
+udp:763@cycleserv
+
+# cycleserv2
+tcp:772@cycleserv2
+udp:772@cycleserv2
+
+# dantz
+tcp:497@dantz
+udp:497@dantz
+
+# dasp
+tcp:439@dasp
+udp:439@dasp
+
+# datasurf
+tcp:461-462.0@datasurf
+udp:461@datasurf
+
+# datex
+tcp:355@datex
+udp:355@datex
+
+# daytime
+tcp:13@daytime
+udp:13@daytime
+
+# dbase
+tcp:217@dbase
+udp:217@dbase
+
+# dcp
+tcp:93@dcp
+udp:93@dcp
+
+# dctp
+tcp:675@dctp
+udp:675@dctp
+
+# ddm
+tcp:446-448.0@ddm
+udp:446@ddm
+
+# dec_dlm
+tcp:625@dec_dlm
+udp:625@dec_dlm
+
+# decap
+tcp:403@decap
+udp:403@decap
+
+# decauth
+tcp:316@decauth
+udp:316@decauth
+
+# decbsrv
+tcp:579@decbsrv
+udp:579@decbsrv
+
+# decladebug
+tcp:410@decladebug
+udp:410@decladebug
+
+# decvms-sysmgt
+tcp:441@decvms-sysmgt
+udp:441@decvms-sysmgt
+
+# dei
+tcp:618@dei
+udp:618@dei
+
+# deos
+tcp:76@deos
+udp:76@deos
+
+# device
+tcp:801@device
+udp:801@device
+
+# devshr-nts
+tcp:552@devshr-nts
+udp:552@devshr-nts
+
+# dhcp-failover
+tcp:647@dhcp-failover
+udp:647@dhcp-failover
+
+# dhcp-failover
+tcp:847@dhcp-failover
+udp:847@dhcp-failover
+
+# dhcpv6
+tcp:546-547.0@dhcpv6
+udp:546@dhcpv6
+
+# diameter
+tcp:3868@diameter
+
+# digital-vrc
+tcp:466@digital-vrc
+udp:466@digital-vrc
+
+# direct
+tcp:242@direct
+udp:242@direct
+
+# discard
+tcp:9@discard
+udp:9@discard
+
+# disclose
+tcp:667@disclose
+udp:667@disclose
+
+# distcc
+tcp:3632@distcc
+udp:3632@distcc
+
+# dixie
+tcp:96@dixie
+udp:96@dixie
+
+# dls
+tcp:197-198.0@dls
+udp:197@dls
+
+# dna-cml
+tcp:436@dna-cml
+udp:436@dna-cml
+
+# dns6
+tcp:195-196.0@dns6
+udp:195@dns6
+
+# dnsix
+tcp:90@dnsix
+udp:90@dnsix
+
+# domain
+tcp:53@domain
+udp:53@domain
+
+# dpsi
+tcp:315@dpsi
+udp:315@dpsi
+
+# dra
+tcp:630@dra
+udp:630@dra
+
+# dsf
+tcp:555@dsf
+udp:555@dsf
+
+# dsfgw
+tcp:438@dsfgw
+udp:438@dsfgw
+
+# dsp
+tcp:33@dsp
+udp:33@dsp
+
+# dsp3270
+tcp:246@dsp3270
+udp:246@dsp3270
+
+# dtag-ste
+tcp:352@dtag-ste
+udp:352@dtag-ste
+
+# dtk
+tcp:365@dtk
+udp:365@dtk
+
+# dwr
+tcp:644@dwr
+udp:644@dwr
+
+# eai
+tcp:52100-52102.0@eai
+
+# eai
+tcp:53100-53102.0@eai
+
+# echo
+tcp:7@echo
+udp:7@echo
+
+# eDonkey
+tcp:4662@eDonkey
+
+# eDonkey
+tcp:4665@eDonkey
+
+# efs/router
+tcp:520@efs/router
+udp:520@efs/router
+
+# elcsd
+tcp:704@elcsd
+udp:704@elcsd
+
+# embl-ndt
+tcp:394@embl-ndt
+udp:394@embl-ndt
+
+# emfis
+tcp:140-141.0@emfis
+udp:140@emfis
+
+# enrp
+udp:9901-9902.0@enrp
+
+# entomb/acmaint_transd
+tcp:775@entomb/acmaint_transd
+udp:775@entomb/acmaint_transd
+
+# entrust
+tcp:680-681.0@entrust
+udp:680@entrust
+
+# entrust
+tcp:709-710.0@entrust
+udp:709@entrust
+
+# entrust-sps
+tcp:640@entrust-sps
+udp:640@entrust-sps
+
+# entrusttime
+tcp:309@entrusttime
+udp:309@entrusttime
+
+# epmap
+tcp:135@epmap
+udp:135@epmap
+
+# epp
+tcp:700@epp
+udp:700@epp
+
+# eppc
+tcp:3031@eppc
+udp:3031@eppc
+
+# erpc
+tcp:121@erpc
+udp:121@erpc
+
+# escp-ip
+tcp:621@escp-ip
+udp:621@escp-ip
+
+# esro
+tcp:259@esro
+udp:259@esro
+
+# esro-emsdp
+tcp:642@esro-emsdp
+udp:642@esro-emsdp
+
+# ETOS
+tcp:377-378.0@ETOS
+udp:377@ETOS
+
+# eudora-set
+tcp:592@eudora-set
+udp:592@eudora-set
+
+# exec/comsat
+tcp:512@exec/comsat
+udp:512@exec/comsat
+
+# exp1
+tcp:1021@exp1
+udp:1021@exp1
+
+# exp2
+tcp:1022@exp2
+udp:1022@exp2
+
+# eyelink
+tcp:589@eyelink
+udp:589@eyelink
+
+# fatserv
+tcp:347@fatserv
+udp:347@fatserv
+
+# fcp
+tcp:510@fcp
+udp:510@fcp
+
+# fcp-udp
+tcp:810@fcp-udp
+udp:810@fcp-udp
+
+# finger
+tcp:79@finger
+udp:79@finger
+
+# flexlm
+tcp:744@flexlm
+udp:744@flexlm
+
+# fln-spx
+tcp:221@fln-spx
+udp:221@fln-spx
+
+# fmpro-internal
+tcp:5003@fmpro-internal
+udp:5003@fmpro-internal
+
+# ftp
+tcp:20-21.0@ftp
+udp:20@ftp
+
+# ftp-agent
+tcp:574@ftp-agent
+udp:574@ftp-agent
+
+# ftps
+tcp:989-990.0@ftps
+udp:989@ftps
+
+# fujitsu-dev
+tcp:747@fujitsu-dev
+udp:747@fujitsu-dev
+
+# fxp
+tcp:286@fxp
+udp:286@fxp
+
+# gacp
+tcp:190@gacp
+udp:190@gacp
+
+# garcon/applix
+tcp:999@garcon/applix
+udp:999@garcon/applix
+
+# gdoi
+tcp:848@gdoi
+udp:848@gdoi
+
+# gdomap
+tcp:538@gdomap
+udp:538@gdomap
+
+# genie
+tcp:402@genie
+udp:402@genie
+
+# genrad
+tcp:176@genrad
+udp:176@genrad
+
+# ggf-ncp
+tcp:678@ggf-ncp
+udp:678@ggf-ncp
+
+# ginad
+tcp:634@ginad
+udp:634@ginad
+
+# gist
+udp:270@gist
+
+# git
+tcp:9418@git
+udp:9418@git
+
+# gnutella
+tcp:6346-6347.0@gnutella
+udp:6346@gnutella
+
+# go-login
+tcp:491@go-login
+udp:491@go-login
+
+# gopher
+tcp:70@gopher
+udp:70@gopher
+
+# GoToMeeting
+tcp:8200@GoToMeeting
+udp:8200@GoToMeeting
+
+# gppitnp
+tcp:103@gppitnp
+udp:103@gppitnp
+
+# graphics
+tcp:41@graphics
+udp:41@graphics
+
+# gss
+tcp:488@gss
+udp:488@gss
+
+# gss-xlicen
+tcp:128@gss-xlicen
+udp:128@gss-xlicen
+
+# ha-cluster
+tcp:694@ha-cluster
+udp:694@ha-cluster
+
+# hap
+tcp:661@hap
+udp:661@hap
+
+# hassle
+tcp:375@hassle
+udp:375@hassle
+
+# hcp-wismar
+tcp:686@hcp-wismar
+udp:686@hcp-wismar
+
+# hdap
+tcp:263@hdap
+udp:263@hdap
+
+# hello-port
+tcp:652@hello-port
+udp:652@hello-port
+
+# hems
+tcp:151@hems
+udp:151@hems
+
+# hmmp
+tcp:612-613.0@hmmp
+udp:612@hmmp
+
+# hostname
+tcp:101@hostname
+udp:101@hostname
+
+# hp
+tcp:381-383.0@hp
+udp:381@hp
+
+# hp-3000-telnet
+tcp:2564@hp-3000-telnet
+
+# http
+tcp:80-81.0@http
+udp:80@http
+
+# http
+tcp:8000@http
+udp:8000@http
+
+# http
+tcp:8080@http
+udp:8080@http
+
+# http-alt
+tcp:591@http-alt
+udp:591@http-alt
+
+# http-mgm
+tcp:280@http-mgm
+udp:280@http-mgm
+
+# http-rpc-epmap
+tcp:593@http-rpc-epmap
+udp:593@http-rpc-epmap
+
+# https
+tcp:443@https
+
+# http-s_alt
+tcp:8008@http-s_alt
+udp:8008@http-s_alt
+
+# http-s_alt
+tcp:9443@http-s_alt
+udp:9443@http-s_alt
+
+# hybrid-pop
+tcp:473@hybrid-pop
+udp:473@hybrid-pop
+
+# hyper-g
+tcp:418@hyper-g
+udp:418@hyper-g
+
+# hyperwave-isp
+tcp:692@hyperwave-isp
+udp:692@hyperwave-isp
+
+# iaf
+tcp:479-480.0@iaf
+udp:479@iaf
+
+# iasd
+tcp:432@iasd
+udp:432@iasd
+
+# IBM_i_as
+tcp:8470-8476.0@IBM_i_as
+
+# IBM_i_as
+tcp:9470-9476.0@IBM_i_as
+
+# IBM_WebSphere-App
+tcp:9080@IBM_WebSphere-App
+udp:9080@IBM_WebSphere-App
+
+# ibm-app
+tcp:385@ibm-app
+udp:385@ibm-app
+
+# ibm-db2
+tcp:523@ibm-db2
+udp:523@ibm-db2
+
+# icad-elL
+tcp:425@icad-elL
+udp:425@icad-elL
+
+# iclcnet
+tcp:886-887.0@iclcnet
+udp:886@iclcnet
+
+# icq
+tcp:4000@icq
+
+# ideafarm
+tcp:902-903.0@ideafarm
+udp:902@ideafarm
+
+# idfp
+tcp:549@idfp
+udp:549@idfp
+
+# idxp
+tcp:603@idxp
+udp:603@idxp
+
+# ieee-mms
+tcp:651@ieee-mms
+udp:651@ieee-mms
+
+# ieee-mms-ssl
+tcp:695@ieee-mms-ssl
+udp:695@ieee-mms-ssl
+
+# iiop
+tcp:535@iiop
+udp:535@iiop
+
+# imap
+tcp:143@imap
+udp:143@imap
+
+# imap3
+tcp:220@imap3
+udp:220@imap3
+
+# imaps
+tcp:993@imaps
+udp:993@imaps
+
+# imsp
+tcp:406@imsp
+udp:406@imsp
+
+# inbusiness
+tcp:244@inbusiness
+udp:244@inbusiness
+
+# infoseek
+tcp:414@infoseek
+udp:414@infoseek
+
+# ingres-net
+tcp:134@ingres-net
+udp:134@ingres-net
+
+# intecourier
+tcp:495@intecourier
+udp:495@intecourier
+
+# integra
+tcp:484@integra
+udp:484@integra
+
+# intrinsa
+tcp:503@intrinsa
+udp:503@intrinsa
+
+# ipcd
+tcp:576@ipcd
+udp:576@ipcd
+
+# ipcserver
+tcp:600@ipcserver
+udp:600@ipcserver
+
+# ipdd
+tcp:578@ipdd
+udp:578@ipdd
+
+# ipfixs
+tcp:4740@ipfixs
+udp:4740@ipfixs
+
+# ipp
+tcp:631@ipp
+udp:631@ipp
+
+# ipsec-nat-t
+tcp:4500@ipsec-nat-t
+udp:4500@ipsec-nat-t
+
+# IpswitchIM
+tcp:5177@IpswitchIM
+udp:5177@IpswitchIM
+
+# IPSwitch_IMail
+tcp:8181@IPSwitch_IMail
+udp:8181@IPSwitch_IMail
+
+# IPSwitch_IMail
+tcp:8383@IPSwitch_IMail
+udp:8383@IPSwitch_IMail
+
+# ipx
+tcp:213@ipx
+udp:213@ipx
+
+# irc
+tcp:6667@irc
+
+# irc
+tcp:194@irc
+udp:194@irc
+
+# ircs
+tcp:994@ircs
+udp:994@ircs
+
+# irc-serv
+tcp:529@irc-serv
+udp:529@irc-serv
+
+# iris
+tcp:713-715.0@iris
+udp:713@iris
+
+# is99
+tcp:379-380.0@is99
+udp:379@is99
+
+# isakmp
+tcp:500@isakmp
+udp:500@isakmp
+
+# iscsi
+tcp:860@iscsi
+udp:860@iscsi
+
+# isi-gl
+tcp:55@isi-gl
+udp:55@isi-gl
+
+# iso-ill
+tcp:499@iso-ill
+udp:499@iso-ill
+
+# iso-tp
+tcp:146-147.0@iso-tp
+udp:146@iso-tp
+
+# iso-tsap
+tcp:102@iso-tsap
+udp:102@iso-tsap
+
+# iso-tsap-c2
+tcp:399@iso-tsap-c2
+udp:399@iso-tsap-c2
+
+# itm-mcell-s
+tcp:828@itm-mcell-s
+udp:828@itm-mcell-s
+
+# iTunes
+tcp:3689@iTunes
+udp:3689@iTunes
+
+# jargon
+tcp:148@jargon
+udp:148@jargon
+
+# jserv
+tcp:8007@jserv
+
+# Kazaa
+tcp:1214@Kazaa
+udp:1214@Kazaa
+
+# k-block
+tcp:287@k-block
+udp:287@k-block
+
+# kerberos
+tcp:88@kerberos
+udp:88@kerberos
+
+# kerberos
+tcp:749@kerberos
+udp:749@kerberos
+
+# kermit
+tcp:1649@kermit
+udp:1649@kermit
+
+# keyserver
+tcp:584@keyserver
+udp:584@keyserver
+
+# kink
+tcp:910@kink
+udp:910@kink
+
+# kis
+tcp:185-186.0@kis
+udp:185@kis
+
+# klogin
+tcp:543@klogin
+udp:543@klogin
+
+# knet
+tcp:157@knet
+udp:157@knet
+
+# kpasswd
+tcp:464@kpasswd
+udp:464@kpasswd
+
+# kryptolan
+tcp:398@kryptolan
+udp:398@kryptolan
+
+# kshell
+tcp:544@kshell
+udp:544@kshell
+
+# l2f
+tcp:1701@l2f
+udp:1701@l2f
+
+# la-maint
+tcp:51@la-maint
+udp:51@la-maint
+
+# lanserver
+tcp:637@lanserver
+udp:637@lanserver
+
+# laplink
+tcp:1547@laplink
+
+# ldap
+tcp:389@ldap
+udp:389@ldap
+
+# ldaps
+tcp:636@ldaps
+udp:636@ldaps
+
+# ldp
+tcp:646@ldp
+udp:646@ldp
+
+# legent
+tcp:373-374.0@legent
+udp:373@legent
+
+# link
+tcp:245@link
+udp:245@link
+
+# ljk-login
+tcp:472@ljk-login
+udp:472@ljk-login
+
+# lmp
+tcp:701-702.0@lmp
+udp:701@lmp
+
+# locus
+tcp:125@locus
+udp:125@locus
+
+# locus
+tcp:127@locus
+udp:127@locus
+
+# login/who
+tcp:513@login/who
+udp:513@login/who
+
+# lotusnote
+tcp:1352@lotusnote
+udp:1352@lotusnote
+
+# lutcp
+tcp:4913@lutcp
+
+# m2pa
+tcp:3565@m2pa
+
+# m3ua
+tcp:2905@m3ua
+
+# macom
+tcp:456@macom
+udp:456@macom
+
+# mac-srvr
+tcp:660@mac-srvr
+udp:660@mac-srvr
+
+# madcap
+tcp:2535@madcap
+udp:2535@madcap
+
+# magenta
+tcp:313@magenta
+udp:313@magenta
+
+# mailbox-lm
+tcp:505@mailbox-lm
+udp:505@mailbox-lm
+
+# mailq
+tcp:174@mailq
+udp:174@mailq
+
+# maitrd
+tcp:997@maitrd
+udp:997@maitrd
+
+# manet
+tcp:269@manet
+udp:269@manet
+
+# masqdialer
+tcp:224@masqdialer
+udp:224@masqdialer
+
+# matip
+tcp:350-351.0@matip
+udp:350@matip
+
+# mcidas
+tcp:112@mcidas
+udp:112@mcidas
+
+# mcns-sec
+tcp:638@mcns-sec
+udp:638@mcns-sec
+
+# mdbs_daemon
+tcp:800@mdbs_daemon
+udp:800@mdbs_daemon
+
+# mdc-portmapper
+tcp:685@mdc-portmapper
+udp:685@mdc-portmapper
+
+# mdqs
+tcp:666@mdqs
+udp:666@mdqs
+
+# mecomm
+tcp:668@mecomm
+udp:668@mecomm
+
+# menandmice_noh
+tcp:4151@menandmice_noh
+udp:4151@menandmice_noh
+
+# meraki
+udp:7351@meraki
+
+# meraki
+tcp:7734@meraki
+
+# meraki
+tcp:7752@meraki
+
+# meregister
+tcp:669@meregister
+udp:669@meregister
+
+# meta5
+tcp:393@meta5
+udp:393@meta5
+
+# metagram
+tcp:99@metagram
+udp:99@metagram
+
+# meter
+tcp:570-571.0@meter
+udp:570@meter
+
+# mfcobol
+tcp:86@mfcobol
+udp:86@mfcobol
+
+# mftp
+tcp:349@mftp
+udp:349@mftp
+
+# micom
+tcp:490@micom
+udp:490@micom
+
+# microsoft-ds
+tcp:445@microsoft-ds
+udp:445@microsoft-ds
+
+# mira
+tcp:3454@mira
+
+# mit-dov
+tcp:91@mit-dov
+udp:91@mit-dov
+
+# mit-ml
+tcp:83@mit-ml
+udp:83@mit-ml
+
+# mit-ml
+tcp:85@mit-ml
+udp:85@mit-ml
+
+# mobileip
+tcp:434-435.0@mobileip
+udp:434@mobileip
+
+# mondex
+tcp:471@mondex
+udp:471@mondex
+
+# monitor
+tcp:560-561.0@monitor
+udp:560@monitor
+
+# mortgageware
+tcp:367@mortgageware
+udp:367@mortgageware
+
+# mpm
+tcp:44-45.0@mpm
+udp:44@mpm
+
+# mpm-send
+tcp:46@mpm-send
+udp:46@mpm-send
+
+# mpp
+tcp:218@mpp
+udp:218@mpp
+
+# mptn
+tcp:397@mptn
+udp:397@mptn
+
+# mrm
+tcp:679@mrm
+udp:679@mrm
+
+# MSNetShow
+tcp:1755@MSNetShow
+udp:1755@MSNetShow
+
+# ms-cluster-net
+tcp:3343@ms-cluster-net
+udp:3343@ms-cluster-net
+
+# msdp
+tcp:639@msdp
+udp:639@msdp
+
+# msexch-routing
+tcp:691@msexch-routing
+udp:691@msexch-routing
+
+# msft-gc
+tcp:3268-3269.0@msft-gc
+udp:3268@msft-gc
+
+# msg
+tcp:29@msg
+udp:29@msg
+
+# msg
+tcp:31@msg
+udp:31@msg
+
+# msmq
+tcp:1801@msmq
+udp:1801@msmq
+
+# MSN
+tcp:1863@MSN
+
+# msnmessenger
+tcp:6901@msnmessenger
+udp:6901@msnmessenger
+
+# msp
+tcp:18@msp
+udp:18@msp
+
+# ms-rome
+tcp:569@ms-rome
+udp:569@ms-rome
+
+# ms-shuttle
+tcp:568@ms-shuttle
+udp:568@ms-shuttle
+
+# ms-sql
+tcp:1433-1434.0@ms-sql
+udp:1433@ms-sql
+
+# MulticastDNS
+tcp:5353@MulticastDNS
+udp:5353@MulticastDNS
+
+# multiling-http
+tcp:777@multiling-http
+udp:777@multiling-http
+
+# multiplex
+tcp:171@multiplex
+udp:171@multiplex
+
+# mumps
+tcp:188@mumps
+udp:188@mumps
+
+# mylex-mapd
+tcp:467@mylex-mapd
+udp:467@mylex-mapd
+
+# mysql
+tcp:3306@mysql
+udp:3306@mysql
+
+# namp
+tcp:167@namp
+udp:167@namp
+
+# nas
+tcp:991@nas
+udp:991@nas
+
+# nced
+tcp:404@nced
+udp:404@nced
+
+# ncld
+tcp:405@ncld
+udp:405@ncld
+
+# ncp
+tcp:524@ncp
+udp:524@ncp
+
+# ndsauth
+tcp:353@ndsauth
+udp:353@ndsauth
+
+# NessusSecScan
+tcp:3001@NessusSecScan
+
+# nest
+tcp:489@nest
+udp:489@nest
+
+# Net2Phone
+tcp:6800@Net2Phone
+
+# Net2Phone
+udp:6801@Net2Phone
+
+# net-assistant
+tcp:3283@net-assistant
+udp:3283@net-assistant
+
+# netbios
+tcp:137-139.0@netbios
+udp:137@netbios
+
+# netconf
+tcp:830-833.0@netconf
+udp:830@netconf
+
+# netcp
+tcp:395@netcp
+udp:395@netcp
+
+# NetFlow
+udp:2055@NetFlow
+
+# NetFlow_WU_local
+udp:9999@NetFlow_WU_local
+
+# netgw
+tcp:741@netgw
+udp:741@netgw
+
+# netmeeting
+tcp:1503@netmeeting
+
+# netmeeting
+tcp:1720@netmeeting
+
+# netmeeting
+tcp:1731@netmeeting
+
+# netnews
+tcp:532@netnews
+udp:532@netnews
+
+# netrcs
+tcp:742@netrcs
+udp:742@netrcs
+
+# netrjs
+tcp:71-74.0@netrjs
+udp:71@netrjs
+
+# netsc
+tcp:154-155.0@netsc
+udp:154@netsc
+
+# netviewdm
+tcp:729-731.0@netviewdm
+udp:729@netviewdm
+
+# netwall
+tcp:533@netwall
+udp:533@netwall
+
+# netware-ip
+tcp:396@netware-ip
+udp:396@netware-ip
+
+# new-rwho
+tcp:550@new-rwho
+udp:550@new-rwho
+
+# nextstep
+tcp:178@nextstep
+udp:178@nextstep
+
+# nfs
+tcp:2049@nfs
+udp:2049@nfs
+
+# nfsd
+tcp:1110@nfsd
+
+# nicname
+tcp:43@nicname
+udp:43@nicname
+
+# ni-ftp
+tcp:47@ni-ftp
+udp:47@ni-ftp
+
+# nilinkanalyst
+tcp:25902@nilinkanalyst
+
+# ni-mail
+tcp:61@ni-mail
+udp:61@ni-mail
+
+# nip
+tcp:376@nip
+udp:376@nip
+
+# nlogin
+tcp:758@nlogin
+udp:758@nlogin
+
+# nmap
+tcp:689@nmap
+udp:689@nmap
+
+# nmsp
+tcp:537@nmsp
+udp:537@nmsp
+
+# nnsp
+tcp:433@nnsp
+udp:433@nnsp
+
+# nntp
+tcp:119@nntp
+udp:119@nntp
+
+# nntps
+tcp:563@nntps
+udp:563@nntps
+
+# novastorbakcup
+tcp:308@novastorbakcup
+udp:308@novastorbakcup
+
+# npmp
+tcp:609-611.0@npmp
+udp:609@npmp
+
+# npp
+tcp:92@npp
+udp:92@npp
+
+# nqs
+tcp:607@nqs
+udp:607@nqs
+
+# ns
+tcp:760@ns
+udp:760@ns
+
+# nsiiops
+tcp:261@nsiiops
+udp:261@nsiiops
+
+# nsrmp
+tcp:359@nsrmp
+udp:359@nsrmp
+
+# nss-routing
+tcp:159@nss-routing
+udp:159@nss-routing
+
+# nsw-fe
+tcp:27@nsw-fe
+udp:27@nsw-fe
+
+# ntalk
+tcp:518@ntalk
+udp:518@ntalk
+
+# ntp
+tcp:123@ntp
+udp:123@ntp
+
+# nxedit
+tcp:126@nxedit
+udp:126@nxedit
+
+# obex
+tcp:650@obex
+udp:650@obex
+
+# objcall
+tcp:94@objcall
+udp:94@objcall
+
+# ocbinder
+tcp:183@ocbinder
+udp:183@ocbinder
+
+# ocs
+tcp:428-429.0@ocs
+udp:428@ocs
+
+# ocserver
+tcp:184@ocserver
+udp:184@ocserver
+
+# odmr
+tcp:366@odmr
+udp:366@odmr
+
+# ohimsrv
+tcp:506@ohimsrv
+udp:506@ohimsrv
+
+# olsr
+tcp:698@olsr
+udp:698@olsr
+
+# omginitialrefs
+tcp:900@omginitialrefs
+udp:900@omginitialrefs
+
+# omserv
+tcp:764@omserv
+udp:764@omserv
+
+# onmux
+tcp:417@onmux
+udp:417@onmux
+
+# oob-ws-http/asf-rmcp
+tcp:623@oob-ws-http/asf-rmcp
+udp:623@oob-ws-http/asf-rmcp
+
+# oob-ws-https/asf-secure-rmcp
+tcp:664@oob-ws-https/asf-secure-rmcp
+udp:664@oob-ws-https/asf-secure-rmcp
+
+# opalis-robot
+tcp:314@opalis-robot
+udp:314@opalis-robot
+
+# opc-job
+tcp:423-424.0@opc-job
+udp:423@opc-job
+
+# openport
+tcp:260@openport
+udp:260@openport
+
+# openvms
+tcp:557@openvms
+udp:557@openvms
+
+# OpenVPN
+tcp:1194@OpenVPN
+udp:1194@OpenVPN
+
+# opolis
+tcp:536@opolis
+udp:536@opolis
+
+# oracle
+tcp:1521@oracle
+
+# oracle_1522-1546
+tcp:1522-1546.0@oracle_1522-1546
+
+# osu-nms
+tcp:192@osu-nms
+udp:192@osu-nms
+
+# owamp-control
+tcp:861@owamp-control
+udp:861@owamp-control
+
+# pana
+udp:716@pana
+
+# passgo
+tcp:511@passgo
+udp:511@passgo
+
+# passgo-tivoli
+tcp:627@passgo-tivoli
+udp:627@passgo-tivoli
+
+# password-chg
+tcp:586@password-chg
+udp:586@password-chg
+
+# pawserv
+tcp:345@pawserv
+udp:345@pawserv
+
+# pcanywhere
+tcp:5631-5632.0@pcanywhere
+udp:5631@pcanywhere
+
+# pcmail
+tcp:158@pcmail
+udp:158@pcmail
+
+# pcsync-https
+tcp:8443@pcsync-https
+udp:8443@pcsync-https
+
+# pdap
+tcp:344@pdap
+udp:344@pdap
+
+# perforce
+tcp:1666@perforce
+
+# personal-link
+tcp:281@personal-link
+udp:281@personal-link
+
+# pftp
+tcp:662@pftp
+udp:662@pftp
+
+# ph
+tcp:481@ph
+udp:481@ph
+
+# philips-vc
+tcp:583@philips-vc
+udp:583@philips-vc
+
+# phonebook
+tcp:767@phonebook
+udp:767@phonebook
+
+# photuris
+tcp:468@photuris
+udp:468@photuris
+
+# pim-rp-disc
+tcp:496@pim-rp-disc
+udp:496@pim-rp-disc
+
+# pip
+tcp:321@pip
+udp:321@pip
+
+# pirp
+tcp:553@pirp
+udp:553@pirp
+
+# pkix-3-ca-ra
+tcp:829@pkix-3-ca-ra
+udp:829@pkix-3-ca-ra
+
+# pkix-timestamp
+tcp:318@pkix-timestamp
+udp:318@pkix-timestamp
+
+# pop2
+tcp:109@pop2
+udp:109@pop2
+
+# pop3
+tcp:110@pop3
+udp:110@pop3
+
+# pop3s
+tcp:995@pop3s
+udp:995@pop3s
+
+# port301
+tcp:301@port301
+udp:301@port301
+
+# postgresql
+tcp:5432@postgresql
+udp:5432@postgresql
+
+# pov-ray
+tcp:494@pov-ray
+udp:494@pov-ray
+
+# pptp
+tcp:1723@pptp
+udp:1723@pptp
+
+# printer
+tcp:515@printer
+udp:515@printer
+
+# printer_pdl
+tcp:9100@printer_pdl
+udp:9100@printer_pdl
+
+# print-srv
+tcp:170@print-srv
+udp:170@print-srv
+
+# prm
+tcp:408-409.0@prm
+udp:408@prm
+
+# profile
+tcp:136@profile
+udp:136@profile
+
+# Prolin
+tcp:30998-30999.0@Prolin
+udp:30998@Prolin
+
+# Prolin
+tcp:5555@Prolin
+udp:5555@Prolin
+
+# Prolin
+tcp:30980@Prolin
+udp:30980@Prolin
+
+# Prolin
+tcp:40999@Prolin
+udp:40999@Prolin
+
+# prospero
+tcp:191@prospero
+udp:191@prospero
+
+# pssc
+tcp:645@pssc
+udp:645@pssc
+
+# ptcnameservice
+tcp:597@ptcnameservice
+udp:597@ptcnameservice
+
+# ptp
+tcp:319-320.0@ptp
+udp:319@ptp
+
+# pt-tls
+tcp:271@pt-tls
+
+# pump
+tcp:751@pump
+udp:751@pump
+
+# purenoise
+tcp:663@purenoise
+udp:663@purenoise
+
+# pwdgen
+tcp:129@pwdgen
+udp:129@pwdgen
+
+# pwerburst
+tcp:485@pwerburst
+udp:485@pwerburst
+
+# qbikgdp
+tcp:368@qbikgdp
+udp:368@qbikgdp
+
+# qft
+tcp:189@qft
+udp:189@qft
+
+# qmqp
+tcp:628@qmqp
+udp:628@qmqp
+
+# qmtp
+tcp:209@qmtp
+udp:209@qmtp
+
+# qotd
+tcp:17@qotd
+udp:17@qotd
+
+# qrh
+tcp:752@qrh
+udp:752@qrh
+
+# qt-serveradmin
+tcp:1220@qt-serveradmin
+udp:1220@qt-serveradmin
+
+# quake
+tcp:26000@quake
+udp:26000@quake
+
+# quake
+tcp:27950@quake
+udp:27950@quake
+
+# quake
+tcp:28004@quake
+udp:28004@quake
+
+# quic_443_udp
+udp:443@quic_443_udp
+
+# quotad
+tcp:762@quotad
+udp:762@quotad
+
+# radan-http
+tcp:8088@radan-http
+udp:8088@radan-http
+
+# radius
+tcp:1812-1813.0@radius
+udp:1812@radius
+
+# rap
+tcp:38@rap
+udp:38@rap
+
+# rap
+tcp:256@rap
+udp:256@rap
+
+# rcip-itu
+tcp:2225@rcip-itu
+
+# rcp
+tcp:469@rcp
+udp:469@rcp
+
+# real
+tcp:688@real
+udp:688@real
+
+# re-mail-ck
+tcp:50@re-mail-ck
+udp:50@re-mail-ck
+
+# remotedesktop
+tcp:3389@remotedesktop
+udp:3389@remotedesktop
+
+# remotefs
+tcp:556@remotefs
+udp:556@remotefs
+
+# repcmd
+tcp:641@repcmd
+udp:641@repcmd
+
+# repscmd
+tcp:653@repscmd
+udp:653@repscmd
+
+# rescap
+tcp:283@rescap
+udp:283@rescap
+
+# rfile/loadav
+tcp:750@rfile/loadav
+udp:750@rfile/loadav
+
+# ripng
+tcp:521@ripng
+udp:521@ripng
+
+# ris
+tcp:180@ris
+udp:180@ris
+
+# ris-cm
+tcp:748@ris-cm
+udp:748@ris-cm
+
+# rje
+tcp:5@rje
+udp:5@rje
+
+# rlp
+tcp:39@rlp
+udp:39@rlp
+
+# rlzdbase
+tcp:635@rlzdbase
+udp:635@rlzdbase
+
+# rmc
+tcp:657@rmc
+udp:657@rmc
+
+# rmi
+tcp:1098-1099.0@rmi
+udp:1098@rmi
+
+# rmt
+tcp:411@rmt
+udp:411@rmt
+
+# rpasswd/acmaint_dbd
+tcp:774@rpasswd/acmaint_dbd
+udp:774@rpasswd/acmaint_dbd
+
+# rpc2portmap
+tcp:369@rpc2portmap
+udp:369@rpc2portmap
+
+# rpki
+tcp:323-324.0@rpki
+udp:323@rpki
+
+# rrac
+tcp:5678@rrac
+udp:5678@rrac
+
+# rrh
+tcp:753@rrh
+udp:753@rrh
+
+# rrp
+tcp:648@rrp
+udp:648@rrp
+
+# rsh-spx
+tcp:222@rsh-spx
+udp:222@rsh-spx
+
+# rsvd
+tcp:168@rsvd
+udp:168@rsvd
+
+# rsvp
+tcp:363@rsvp
+udp:363@rsvp
+
+# rsync
+tcp:873@rsync
+udp:873@rsync
+
+# rtelnet
+tcp:107@rtelnet
+udp:107@rtelnet
+
+# rtip
+tcp:771@rtip
+udp:771@rtip
+
+# rtmp
+tcp:1935@rtmp
+
+# rtp
+tcp:5004-5005.0@rtp
+udp:5004@rtp
+
+# rtsp
+tcp:554@rtsp
+udp:554@rtsp
+
+# rtsps
+tcp:322@rtsps
+udp:322@rtsps
+
+# rushd
+tcp:696@rushd
+udp:696@rushd
+
+# rxe
+tcp:761@rxe
+udp:761@rxe
+
+# saft
+tcp:487@saft
+udp:487@saft
+
+# saiseh
+tcp:1644@saiseh
+
+# sanity
+tcp:643@sanity
+udp:643@sanity
+
+# sccm_wsus_rm
+tcp:10123@sccm_wsus_rm
+
+# sccm_wsus_rm
+tcp:8530-8531.0@sccm_wsus_rm
+
+# sccm_wsus_rm
+tcp:5985-5986.0@sccm_wsus_rm
+
+# scc-security
+tcp:582@scc-security
+udp:582@scc-security
+
+# sco
+tcp:615-617.0@sco
+udp:615@sco
+
+# sco
+tcp:620@sco
+udp:620@sco
+
+# scohelp
+tcp:457@scohelp
+udp:457@scohelp
+
+# scoi2odialog
+tcp:360@scoi2odialog
+udp:360@scoi2odialog
+
+# sco-websrvrmg3
+tcp:598@sco-websrvrmg3
+udp:598@sco-websrvrmg3
+
+# scx-proxy
+tcp:470@scx-proxy
+udp:470@scx-proxy
+
+# sdnskmp
+tcp:558@sdnskmp
+udp:558@sdnskmp
+
+# semantix
+tcp:361@semantix
+udp:361@semantix
+
+# send
+tcp:169@send
+udp:169@send
+
+# servstat
+tcp:633@servstat
+udp:633@servstat
+
+# set
+tcp:257@set
+udp:257@set
+
+# sfs
+tcp:451-452.0@sfs
+udp:451@sfs
+
+# sftp
+tcp:115@sftp
+udp:115@sftp
+
+# sgcp
+tcp:440@sgcp
+udp:440@sgcp
+
+# sgmp
+tcp:153@sgmp
+udp:153@sgmp
+
+# sgmp
+tcp:160@sgmp
+udp:160@sgmp
+
+# shell/syslog
+tcp:514@shell/syslog
+udp:514@shell/syslog
+
+# shrinkwrap
+tcp:358@shrinkwrap
+udp:358@shrinkwrap
+
+# siam
+tcp:498@siam
+udp:498@siam
+
+# sift-uft
+tcp:608@sift-uft
+udp:608@sift-uft
+
+# silc
+tcp:706@silc
+udp:706@silc
+
+# silverplatter
+tcp:416@silverplatter
+udp:416@silverplatter
+
+# simco
+tcp:8009@simco
+
+# simco
+tcp:7626@simco
+
+# sip
+tcp:5060@sip
+udp:5060@sip
+
+# sip_secure
+tcp:5061@sip_secure
+
+# skip-cert
+tcp:6455-6456.0@skip-cert
+udp:6455@skip-cert
+
+# skronk
+tcp:460@skronk
+udp:460@skronk
+
+# smakynet
+tcp:122@smakynet
+udp:122@smakynet
+
+# smartsdp
+tcp:426@smartsdp
+udp:426@smartsdp
+
+# smpnameres
+tcp:901@smpnameres
+udp:901@smpnameres
+
+# smpte
+tcp:420@smpte
+udp:420@smpte
+
+# sms
+tcp:2701-2704.0@sms
+udp:2701@sms
+
+# smsd
+tcp:596@smsd
+udp:596@smsd
+
+# smsp
+tcp:413@smsp
+udp:413@smsp
+
+# smtp
+tcp:25@smtp
+udp:25@smtp
+
+# smux
+tcp:199@smux
+udp:199@smux
+
+# snagas
+tcp:108@snagas
+udp:108@snagas
+
+# snare
+tcp:509@snare
+udp:509@snare
+
+# s-net
+tcp:166@s-net
+udp:166@s-net
+
+# snmp
+tcp:161-162.0@snmp
+udp:161@snmp
+
+# snpp
+tcp:444@snpp
+udp:444@snpp
+
+# sntp-heartbeat
+tcp:580@sntp-heartbeat
+udp:580@sntp-heartbeat
+
+# soap-beep
+tcp:605@soap-beep
+udp:605@soap-beep
+
+# socalia
+tcp:5100@socalia
+udp:5100@socalia
+
+# Socks
+tcp:1080@Socks
+
+# softpc
+tcp:215@softpc
+udp:215@softpc
+
+# sonar
+tcp:572@sonar
+udp:572@sonar
+
+# spmp
+tcp:656@spmp
+udp:656@spmp
+
+# spsc
+tcp:478@spsc
+udp:478@spsc
+
+# sql*net
+tcp:66@sql*net
+udp:66@sql*net
+
+# sql*net
+tcp:150@sql*net
+udp:150@sql*net
+
+# sql*net
+tcp:156@sql*net
+udp:156@sql*net
+
+# sqlserv
+tcp:118@sqlserv
+udp:118@sqlserv
+
+# squid-proxy
+tcp:3128@squid-proxy
+udp:3128@squid-proxy
+
+# src
+tcp:200@src
+udp:200@src
+
+# srmp
+tcp:193@srmp
+udp:193@srmp
+
+# srssend
+tcp:362@srssend
+udp:362@srssend
+
+# ss7ns
+tcp:477@ss7ns
+udp:477@ss7ns
+
+# ssdp
+tcp:1900@ssdp
+udp:1900@ssdp
+
+# ssh
+tcp:22@ssh
+udp:22@ssh
+
+# sshell
+tcp:614@sshell
+udp:614@sshell
+
+# sst
+tcp:266@sst
+udp:266@sst
+
+# statsrv
+tcp:133@statsrv
+udp:133@statsrv
+
+# stmf
+tcp:501@stmf
+udp:501@stmf
+
+# streettalk
+tcp:566@streettalk
+udp:566@streettalk
+
+# stun/turn
+udp:3478-3481.0@stun/turn
+
+# stx
+tcp:527@stx
+udp:527@stx
+
+# submission
+tcp:587@submission
+udp:587@submission
+
+# submit/notify
+tcp:773@submit/notify
+udp:773@submit/notify
+
+# subntbcst
+tcp:247@subntbcst
+udp:247@subntbcst
+
+# su-mit-tg
+tcp:89@su-mit-tg
+udp:89@su-mit-tg
+
+# sun-dr
+tcp:665@sun-dr
+udp:665@sun-dr
+
+# sunrpc
+tcp:111@sunrpc
+udp:111@sunrpc
+
+# sunwebadmin
+tcp:8800@sunwebadmin
+udp:8800@sunwebadmin
+
+# supdup
+tcp:95@supdup
+udp:95@supdup
+
+# surf
+tcp:1010@surf
+udp:1010@surf
+
+# sur-meas
+tcp:243@sur-meas
+udp:243@sur-meas
+
+# svn
+tcp:3690@svn
+udp:3690@svn
+
+# svrloc
+tcp:427@svrloc
+udp:427@svrloc
+
+# swift
+tcp:97@swift
+udp:97@swift
+
+# synoptics
+tcp:412@synoptics
+udp:412@synoptics
+
+# synotics
+tcp:391-392.0@synotics
+udp:391@synotics
+
+# syslog-conn
+tcp:601@syslog-conn
+udp:601@syslog-conn
+
+# systat
+tcp:11@systat
+udp:11@systat
+
+# tacacs
+tcp:49@tacacs
+udp:49@tacacs
+
+# tacacs
+tcp:65@tacacs
+udp:65@tacacs
+
+# tacnews
+tcp:98@tacnews
+udp:98@tacnews
+
+# talk
+tcp:517@talk
+udp:517@talk
+
+# tbrpf
+tcp:712@tbrpf
+udp:712@tbrpf
+
+# tcpmux
+tcp:1@tcpmux
+udp:1@tcpmux
+
+# tcpnethaspsrv
+tcp:475@tcpnethaspsrv
+udp:475@tcpnethaspsrv
+
+# td
+tcp:267-268.0@td
+udp:267@td
+
+# teamviewer
+tcp:5938@teamviewer
+udp:5938@teamviewer
+
+# teedtap
+tcp:559@teedtap
+udp:559@teedtap
+
+# tell
+tcp:754@tell
+udp:754@tell
+
+# telnet
+tcp:23@telnet
+udp:23@telnet
+
+# telnets
+tcp:992@telnets
+udp:992@telnets
+
+# tempo
+tcp:526@tempo
+udp:526@tempo
+
+# tenfold
+tcp:658@tenfold
+udp:658@tenfold
+
+# texar
+tcp:333@texar
+udp:333@texar
+
+# tftp
+tcp:69@tftp
+udp:69@tftp
+
+# ticf
+tcp:492-493.0@ticf
+udp:492@ticf
+
+# timbuktu
+tcp:407@timbuktu
+udp:407@timbuktu
+
+# time
+tcp:37@time
+udp:37@time
+
+# timed
+tcp:525@timed
+udp:525@timed
+
+# tinc
+tcp:655@tinc
+udp:655@tinc
+
+# tns-cml
+tcp:590@tns-cml
+udp:590@tns-cml
+
+# tn-tl
+tcp:474@tn-tl
+udp:474@tn-tl
+
+# tn-tl-fd1
+tcp:476@tn-tl-fd1
+udp:476@tn-tl-fd1
+
+# tpip
+tcp:594@tpip
+udp:594@tpip
+
+# tserver
+tcp:450@tserver
+udp:450@tserver
+
+# tunnel
+tcp:604@tunnel
+udp:604@tunnel
+
+# twamp-control
+tcp:862@twamp-control
+udp:862@twamp-control
+
+# uaac
+tcp:145@uaac
+udp:145@uaac
+
+# uarps
+tcp:219@uarps
+udp:219@uarps
+
+# udp_8888
+udp:8888@udp_8888
+
+# uis
+tcp:390@uis
+udp:390@uis
+
+# ulistproc
+tcp:372@ulistproc
+udp:372@ulistproc
+
+# ulp
+tcp:522@ulp
+udp:522@ulp
+
+# ulpnet
+tcp:483@ulpnet
+udp:483@ulpnet
+
+# uma
+tcp:144@uma
+udp:144@uma
+
+# Unclassified
+tcp:0@Unclassified
+udp:0@Unclassified
+
+# unidata
+tcp:388@unidata
+udp:388@unidata
+
+# unify
+tcp:181@unify
+udp:181@unify
+
+# ups
+tcp:401@ups
+udp:401@ups
+
+# urd/igmpv3lite
+tcp:465@urd/igmpv3lite
+udp:465@urd/igmpv3lite
+
+# urm
+tcp:606@urm
+udp:606@urm
+
+# utime
+tcp:519@utime
+udp:519@utime
+
+# utmp
+tcp:430-431.0@utmp
+udp:430@utmp
+
+# uucp
+tcp:540-541.0@uucp
+udp:540@uucp
+
+# uucp-path
+tcp:117@uucp-path
+udp:117@uucp-path
+
+# uuidgen
+tcp:697@uuidgen
+udp:697@uuidgen
+
+# vacdsm
+tcp:670-671.0@vacdsm
+udp:670@vacdsm
+
+# vatp
+tcp:690@vatp
+udp:690@vatp
+
+# vemmi
+tcp:575@vemmi
+udp:575@vemmi
+
+# vettcp
+tcp:78@vettcp
+udp:78@vettcp
+
+# vid
+tcp:769@vid
+udp:769@vid
+
+# videotex
+tcp:516@videotex
+udp:516@videotex
+
+# vmnet
+tcp:175@vmnet
+udp:175@vmnet
+
+# vmpwscs
+tcp:214@vmpwscs
+udp:214@vmpwscs
+
+# vnas
+tcp:577@vnas
+udp:577@vnas
+
+# vnc
+tcp:5800@vnc
+udp:5800@vnc
+
+# vnc
+tcp:5900@vnc
+udp:5900@vnc
+
+# VocalTecphone
+tcp:1490@VocalTecphone
+udp:1490@VocalTecphone
+
+# vonage
+udp:5061@vonage
+
+# vpp
+tcp:676-677.0@vpp
+udp:676@vpp
+
+# vpps-qua
+tcp:672@vpps-qua
+udp:672@vpps-qua
+
+# vsinet
+tcp:996@vsinet
+udp:996@vsinet
+
+# vslmp
+tcp:312@vslmp
+udp:312@vslmp
+
+# Waste
+tcp:1337@Waste
+udp:1337@Waste
+
+# wbem-http
+tcp:5988@wbem-http
+udp:5988@wbem-http
+
+# webobjects
+tcp:1085@webobjects
+udp:1085@webobjects
+
+# webster
+tcp:765@webster
+udp:765@webster
+
+# WhatsUp
+tcp:9051@WhatsUp
+
+# WhatsUp
+tcp:9394@WhatsUp
+
+# WhatsUp
+tcp:8733@WhatsUp
+
+# whoami
+tcp:565@whoami
+udp:565@whoami
+
+# whois
+tcp:63@whois
+udp:63@whois
+
+# windream
+tcp:534@windream
+udp:534@windream
+
+# winfs
+tcp:5009@winfs
+udp:5009@winfs
+
+# WinMX
+udp:6257@WinMX
+
+# WinMX
+udp:6699@WinMX
+
+# wins
+tcp:42@wins
+udp:42@wins
+
+# work-sol
+tcp:400@work-sol
+udp:400@work-sol
+
+# WorldofWarcraft
+tcp:3724@WorldofWarcraft
+
+# wpages
+tcp:776@wpages
+udp:776@wpages
+
+# wpgs
+tcp:780@wpgs
+udp:780@wpgs
+
+# XWindow
+tcp:6000@XWindow
+udp:6000@XWindow
+
+# xact-backup
+tcp:911@xact-backup
+udp:911@xact-backup
+
+# x-bone
+tcp:265@x-bone
+udp:265@x-bone
+
+# xbox
+tcp:3074@xbox
+udp:3074@xbox
+
+# xdmcp
+tcp:177@xdmcp
+udp:177@xdmcp
+
+# xfer
+tcp:82@xfer
+udp:82@xfer
+
+# xfr
+tcp:682@xfr
+udp:682@xfr
+
+# xgrid
+tcp:4111@xgrid
+udp:4111@xgrid
+
+# xmlrpc-beep
+tcp:602@xmlrpc-beep
+udp:602@xmlrpc-beep
+
+# xmpp/jabber
+tcp:5222@xmpp/jabber
+udp:5222@xmpp/jabber
+
+# xmpp/jabber
+tcp:5269@xmpp/jabber
+udp:5269@xmpp/jabber
+
+# xns
+tcp:56@xns
+udp:56@xns
+
+# xns
+tcp:58@xns
+udp:58@xns
+
+# xns
+tcp:165@xns
+udp:165@xns
+
+# xns-ch
+tcp:54@xns-ch
+udp:54@xns-ch
+
+# xns-time
+tcp:52@xns-time
+udp:52@xns-time
+
+# xvttp
+tcp:508@xvttp
+udp:508@xvttp
+
+# xyplex-mux
+tcp:173@xyplex-mux
+udp:173@xyplex-mux
+
+# YahooMessenger
+tcp:5010@YahooMessenger
+
+# YahooMessenger
+tcp:5050@YahooMessenger
+
+# z39.50
+tcp:210@z39.50
+udp:210@z39.50
+
+# zannet
+tcp:317@zannet
+udp:317@zannet
+
+# zserv
+tcp:346@zserv
+udp:346@zserv
+
diff --git a/example/reader_util.c b/example/reader_util.c
index ce013a4b6..edfe7bad1 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1,7 +1,7 @@
/*
* reader_util.c
*
- * Copyright (C) 2011-24 - ntop.org
+ * Copyright (C) 2011-25 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -85,6 +85,7 @@ u_int8_t enable_doh_dot_detection = 0;
extern bool do_load_lists;
extern int malloc_size_stats;
extern int monitoring_enabled;
+extern char *protocolsDirPath;
/* ****************************************************** */
@@ -206,8 +207,10 @@ void ndpi_payload_analyzer(struct ndpi_flow_info *flow,
#ifdef DEBUG_PAYLOAD
printf("[hashval: %u][proto: %u][vlan: %u][%s:%u <-> %s:%u][direction: %s][payload_len: %u]\n",
flow->hashval, flow->protocol, flow->vlan_id,
- flow->src_name, flow->src_port,
- flow->dst_name, flow->dst_port,
+ flow->src_name ? flow->src_name : "",
+ flow->src_port,
+ flow->dst_name ? flow->dst_name : "",
+ flow->dst_port,
src_to_dst_direction ? "s2d" : "d2s",
payload_len);
#endif
@@ -334,97 +337,91 @@ void ndpi_free_flow_info_half(struct ndpi_flow_info *flow) {
/* ***************************************************** */
-static uint16_t ndpi_get_proto_id(struct ndpi_detection_module_struct *ndpi_mod, const char *name) {
- uint16_t proto_id;
- char *e;
- unsigned long p = strtol(name,&e,0);
- ndpi_proto_defaults_t *proto_defaults = ndpi_get_proto_defaults(ndpi_mod);
+bool load_public_lists(struct ndpi_detection_module_struct *ndpi_str) {
+ char *lists_path = "../lists/public_suffix_list.dat";
+ struct stat st;
- if(e && !*e) {
- if(p < NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS &&
- proto_defaults[p].protoName) return (uint16_t)p;
- return NDPI_PROTOCOL_UNKNOWN;
- }
+ if(stat(lists_path, &st) != 0)
+ lists_path = &lists_path[1]; /* use local file */
- for(proto_id=NDPI_PROTOCOL_UNKNOWN; proto_id < NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS; proto_id++) {
- if(proto_defaults[proto_id].protoName &&
- !strcasecmp(proto_defaults[proto_id].protoName,name))
- return proto_id;
+ if(stat(lists_path, &st) == 0) {
+ if(ndpi_load_domain_suffixes(ndpi_str, (char*)lists_path) == 0)
+ return(true);
}
- return NDPI_PROTOCOL_UNKNOWN;
+
+ return(false);
}
/* ***************************************************** */
-static char _proto_delim[] = " \t,:;";
-int parse_proto_name_list(char *str, NDPI_PROTOCOL_BITMASK *bitmask, int inverted_logic) {
- char *n;
- uint16_t proto;
- char op;
- struct ndpi_detection_module_struct *module;
- NDPI_PROTOCOL_BITMASK all;
-
- if(!inverted_logic)
- op = 1; /* Default action: add to the bitmask */
- else
- op = 0; /* Default action: remove from the bitmask */
- /* Use a temporary module with all protocols enabled */
- module = ndpi_init_detection_module(NULL);
- if(!module)
- return 1;
- NDPI_BITMASK_SET_ALL(all);
- ndpi_set_protocol_detection_bitmask2(module, &all);
- /* Try to be fast: we need only the protocol name -> protocol id mapping! */
- ndpi_set_config(module, "any", "ip_list.load", "0");
- ndpi_set_config(module, NULL, "flow_risk_lists.load", "0");
- ndpi_finalize_initialization(module);
-
- for(n = strtok(str,_proto_delim); n && *n; n = strtok(NULL,_proto_delim)) {
- if(*n == '-') {
- op = !inverted_logic ? 0 : 1;
- n++;
- } else if(*n == '+') {
- op = !inverted_logic ? 1 : 0;
- n++;
- }
- if(!strcmp(n,"all")) {
- if(op)
- NDPI_BITMASK_SET_ALL(*bitmask);
- else
- NDPI_BITMASK_RESET(*bitmask);
- continue;
- }
- proto = ndpi_get_proto_id(module, n);
- if(proto == NDPI_PROTOCOL_UNKNOWN && strcmp(n,"unknown") && strcmp(n,"0")) {
- LOG(NDPI_LOG_ERROR, "Invalid protocol %s\n", n);
- ndpi_exit_detection_module(module);
- return 1;
- }
- if(op)
- NDPI_BITMASK_ADD(*bitmask,proto);
- else
- NDPI_BITMASK_DEL(*bitmask,proto);
- }
+void ndpi_stats_free(ndpi_stats_t *s) {
+ if (s->protocol_counter) ndpi_free(s->protocol_counter);
+ if (s->protocol_counter_bytes) ndpi_free(s->protocol_counter_bytes);
+ if (s->protocol_flows) ndpi_free(s->protocol_flows);
+ if (s->fpc_protocol_counter) ndpi_free(s->fpc_protocol_counter);
+ if (s->fpc_protocol_counter_bytes) ndpi_free(s->fpc_protocol_counter_bytes);
+ if (s->fpc_protocol_flows) ndpi_free(s->fpc_protocol_flows);
- ndpi_exit_detection_module(module);
- return 0;
+ s->num_protocols = 0;
}
-/* ***************************************************** */
+int ndpi_stats_init(ndpi_stats_t *s, uint32_t num_protocols) {
+ memset(s, 0, sizeof(*s));
+ s->num_protocols = num_protocols;
-bool load_public_lists(struct ndpi_detection_module_struct *ndpi_str) {
- char *lists_path = "../lists/public_suffix_list.dat";
- struct stat st;
+ s->protocol_counter = ndpi_calloc(num_protocols, sizeof(u_int64_t));
+ s->protocol_counter_bytes = ndpi_calloc(num_protocols, sizeof(u_int64_t));
+ s->protocol_flows = ndpi_calloc(num_protocols, sizeof(u_int32_t));
+ s->fpc_protocol_counter = ndpi_calloc(num_protocols, sizeof(u_int64_t));
+ s->fpc_protocol_counter_bytes = ndpi_calloc(num_protocols, sizeof(u_int64_t));
+ s->fpc_protocol_flows = ndpi_calloc(num_protocols, sizeof(u_int32_t));
- if(stat(lists_path, &st) != 0)
- lists_path = &lists_path[1]; /* use local file */
+ if(!s->protocol_counter || !s->protocol_counter_bytes || !s->protocol_flows ||
+ !s->fpc_protocol_counter || !s->fpc_protocol_counter_bytes || !s->fpc_protocol_flows) {
- if(stat(lists_path, &st) == 0) {
- if(ndpi_load_domain_suffixes(ndpi_str, (char*)lists_path) == 0)
- return(true);
+ ndpi_stats_free(s);
+
+ LOG(NDPI_LOG_ERROR, "[NDPI] %s: error allocating memory for ndpi_stats\n", __FUNCTION__);
+ return 0;
}
+ return 1;
+}
- return(false);
+void ndpi_stats_reset(ndpi_stats_t *s) {
+ memset(s->flow_count, 0, sizeof(s->flow_count));
+ s->guessed_flow_protocols = 0;
+ s->raw_packet_count = 0;
+ s->ip_packet_count = 0;
+ s->total_wire_bytes = 0;
+ s->total_ip_bytes = 0;
+ s->total_discarded_bytes = 0;
+ s->ndpi_flow_count = 0;
+ s->tcp_count = 0;
+ s->udp_count = 0;
+ s->mpls_count = 0;
+ s->pppoe_count = 0;
+ s->vlan_count = 0;
+ s->fragmented_count = 0;
+ s->max_packet_len = 0;
+ s->num_dissector_calls = 0;
+
+ memset(s->packet_len, 0, sizeof(s->packet_len));
+ memset(s->dpi_packet_count, 0, sizeof(s->dpi_packet_count));
+ memset(s->flow_confidence, 0, sizeof(s->flow_confidence));
+ memset(s->fpc_flow_confidence, 0, sizeof(s->fpc_flow_confidence));
+ memset(s->category_counter, 0, sizeof(s->category_counter));
+ memset(s->category_counter_bytes, 0, sizeof(s->category_counter_bytes));
+ memset(s->category_flows, 0, sizeof(s->category_flows));
+ memset(s->lru_stats, 0, sizeof(s->lru_stats));
+ memset(s->automa_stats, 0, sizeof(s->automa_stats));
+ memset(s->patricia_stats, 0, sizeof(s->patricia_stats));
+
+ if (s->protocol_counter) memset(s->protocol_counter, 0, sizeof(u_int64_t) * s->num_protocols);
+ if (s->protocol_counter_bytes) memset(s->protocol_counter_bytes, 0, sizeof(u_int64_t) * s->num_protocols);
+ if (s->protocol_flows) memset(s->protocol_flows, 0, sizeof(u_int32_t) * s->num_protocols);
+ if (s->fpc_protocol_counter) memset(s->fpc_protocol_counter, 0, sizeof(u_int64_t) * s->num_protocols);
+ if (s->fpc_protocol_counter_bytes) memset(s->fpc_protocol_counter_bytes, 0, sizeof(u_int64_t) * s->num_protocols);
+ if (s->fpc_protocol_flows) memset(s->fpc_protocol_flows, 0, sizeof(u_int32_t) * s->num_protocols);
}
/* ***************************************************** */
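Review bot: `ndpi_stats_free()` releases the six counter arrays but leaves the pointers in `s` set, so a second call on the same struct frees them again. That path looks reachable: `ndpi_stats_init()` calls `ndpi_stats_free(s)` when an allocation fails, and the later hunk in `ndpi_workflow_free()` calls `ndpi_stats_free(&workflow->stats)` unconditionally. Whether a workflow whose stats init failed ever reaches that free is not visible here, so confirm against the caller. The `if (s->protocol_counter)` style guards in `ndpi_stats_reset()` would also pass on a stale pointer. Clearing each pointer after the free makes the function safe to call twice.

```c
void ndpi_stats_free(ndpi_stats_t *s) {
  if (s->protocol_counter) ndpi_free(s->protocol_counter);
  s->protocol_counter = NULL;
  if (s->protocol_counter_bytes) ndpi_free(s->protocol_counter_bytes);
  s->protocol_counter_bytes = NULL;
  if (s->protocol_flows) ndpi_free(s->protocol_flows);
  s->protocol_flows = NULL;
  if (s->fpc_protocol_counter) ndpi_free(s->fpc_protocol_counter);
  s->fpc_protocol_counter = NULL;
  if (s->fpc_protocol_counter_bytes) ndpi_free(s->fpc_protocol_counter_bytes);
  s->fpc_protocol_counter_bytes = NULL;
  if (s->fpc_protocol_flows) ndpi_free(s->fpc_protocol_flows);
  s->fpc_protocol_flows = NULL;

  /* ... unchanged: s->num_protocols = 0 ... */
}
```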
@@ -443,6 +440,9 @@ struct ndpi_workflow* ndpi_workflow_init(const struct ndpi_workflow_prefs * pref
return NULL;
}
+ if(protocolsDirPath != NULL)
+ ndpi_load_protocols_dir(module, protocolsDirPath);
+
workflow = ndpi_calloc(1, sizeof(struct ndpi_workflow));
if(workflow == NULL) {
LOG(NDPI_LOG_ERROR, "global structure initialization failed\n");
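Review bot: The result of `ndpi_load_protocols_dir(module, protocolsDirPath)` is discarded, so a mistyped or unreadable directory leaves the workflow running without the protocol definitions the operator asked for, and nothing in this hunk reports it. The function's prototype is not in this hunk; if it returns a status, log the failure, e.g. `if(!ndpi_load_protocols_dir(module, protocolsDirPath)) LOG(NDPI_LOG_ERROR, "unable to load protocols from %s\n", protocolsDirPath);`, which assumes a boolean return. `ndpi_workflow_init` starts and ends outside the hunk.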
@@ -604,6 +604,8 @@ void ndpi_flow_info_free_data(struct ndpi_flow_info *flow) {
ndpi_free_bin(&flow->payload_len_bin);
#endif
+ if(flow->src_name) ndpi_free(flow->src_name);
+ if(flow->dst_name) ndpi_free(flow->dst_name);
if(flow->tcp_fingerprint) ndpi_free(flow->tcp_fingerprint);
if(flow->risk_str) ndpi_free(flow->risk_str);
if(flow->flow_payload) ndpi_free(flow->flow_payload);
@@ -622,6 +624,9 @@ void ndpi_workflow_free(struct ndpi_workflow * workflow) {
ndpi_exit_detection_module(workflow->ndpi_struct);
ndpi_free(workflow->ndpi_flows_root);
+
+ ndpi_stats_free(&workflow->stats);
+
ndpi_free(workflow);
}
@@ -912,18 +917,29 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
ndpi_init_bin(&newflow->payload_len_bin, ndpi_bin_family8, PLEN_NUM_BINS);
#endif
- if(version == IPVERSION) {
- inet_ntop(AF_INET, &newflow->src_ip, newflow->src_name, sizeof(newflow->src_name));
- inet_ntop(AF_INET, &newflow->dst_ip, newflow->dst_name, sizeof(newflow->dst_name));
- } else {
- newflow->src_ip6 = *(struct ndpi_in6_addr *)&iph6->ip6_src;
- inet_ntop(AF_INET6, &newflow->src_ip6,
- newflow->src_name, sizeof(newflow->src_name));
- newflow->dst_ip6 = *(struct ndpi_in6_addr *)&iph6->ip6_dst;
- inet_ntop(AF_INET6, &newflow->dst_ip6,
- newflow->dst_name, sizeof(newflow->dst_name));
- /* For consistency across platforms replace :0: with :: */
- ndpi_patchIPv6Address(newflow->src_name), ndpi_patchIPv6Address(newflow->dst_name);
+ if (version == 4 || version == 6) {
+ uint16_t inet_addrlen = (version == 4) ? INET_ADDRSTRLEN : INET6_ADDRSTRLEN;
+ newflow->src_name = ndpi_malloc(inet_addrlen);
+ newflow->dst_name = ndpi_malloc(inet_addrlen);
+
+ if(version == 4) {
+ if (newflow->src_name)
+ inet_ntop(AF_INET, &newflow->src_ip, newflow->src_name, inet_addrlen);
+ if (newflow->dst_name)
+ inet_ntop(AF_INET, &newflow->dst_ip, newflow->dst_name, inet_addrlen);
+ } else if (version == 6) {
+ newflow->src_ip6 = *(struct ndpi_in6_addr *)&iph6->ip6_src;
+ newflow->dst_ip6 = *(struct ndpi_in6_addr *)&iph6->ip6_dst;
+
+ if (newflow->src_name)
+ inet_ntop(AF_INET6, &newflow->src_ip6, newflow->src_name, inet_addrlen);
+ if (newflow->dst_name)
+ inet_ntop(AF_INET6, &newflow->dst_ip6, newflow->dst_name, inet_addrlen);
+
+ /* For consistency across platforms replace :0: with :: */
+ if (newflow->src_name) ndpi_patchIPv6Address(newflow->src_name);
+ if (newflow->dst_name) ndpi_patchIPv6Address(newflow->dst_name);
+ }
}
if((newflow->ndpi_flow = ndpi_flow_malloc(SIZEOF_FLOW_STRUCT)) == NULL) {
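Review bot: The buffers returned by `ndpi_malloc(inet_addrlen)` are treated as strings even when `inet_ntop()` fails, because its return value is not checked in either branch; `ndpi_patchIPv6Address()` and every later `%s` consumer would then read uninitialised heap bytes. Allocating with `ndpi_calloc(1, inet_addrlen)`, or setting `newflow->src_name[0] = '\0'` right after the NULL test, makes the name an empty string in that case. The inner `else if (version == 6)` can be a plain `else`, since the outer test already limits version to 4 or 6. The failure path of the `ndpi_flow_malloc()` call on the last line is outside the hunk; it should release `src_name` and `dst_name` as well.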
@@ -1116,9 +1132,9 @@ static void dump_flow_fingerprint(struct ndpi_workflow * workflow,
u_int32_t buffer_len;
ndpi_serialize_string_uint32(&serializer, "proto", flow->protocol);
- ndpi_serialize_string_string(&serializer, "cli_ip", flow->src_name);
+ ndpi_serialize_string_string(&serializer, "cli_ip", flow->src_name ? flow->src_name : "");
ndpi_serialize_string_uint32(&serializer, "cli_port", ntohs(flow->src_port));
- ndpi_serialize_string_string(&serializer, "srv_ip", flow->dst_name);
+ ndpi_serialize_string_string(&serializer, "srv_ip", flow->dst_name ? flow->dst_name : "");
ndpi_serialize_string_uint32(&serializer, "srv_port", ntohs(flow->dst_port));
ndpi_serialize_string_string(&serializer, "proto",
ndpi_protocol2name(workflow->ndpi_struct,
@@ -1216,7 +1232,6 @@ static void serialize_monitoring_metadata(struct ndpi_flow_info *flow)
case NDPI_PROTOCOL_STUN:
case NDPI_PROTOCOL_DTLS:
case NDPI_PROTOCOL_SRTP:
-
ndpi_serialize_start_of_block(&flow->ndpi_flow_serializer, "stun");
if(flow->stun.mapped_address.num_aps > 0) {
@@ -1418,6 +1433,11 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
if(flow->ndpi_flow->protos.dns.geolocation_iata_code[0] != '\0')
strcpy(flow->dns.geolocation_iata_code, flow->ndpi_flow->protos.dns.geolocation_iata_code);
+ if(flow->ndpi_flow->protos.dns.ptr_domain_name[0] != '\0')
+ strcpy(flow->dns.ptr_domain_name, flow->ndpi_flow->protos.dns.ptr_domain_name);
+
+ flow->dns.transaction_id = flow->ndpi_flow->protos.dns.transaction_id;
+
#if 0
if(0) {
u_int8_t i;
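Review bot: The added `strcpy()` into `flow->dns.ptr_domain_name` has no length bound, while the destination is only `char ptr_domain_name[64]` in reader_util.h and the source is a name parsed from DNS traffic. Unless the library-side field is guaranteed to be no larger than 64 bytes (its declaration is not visible here), the copy can write past the buffer. Use the bounded form this function already uses for the SIP fields: `ndpi_snprintf(flow->dns.ptr_domain_name, sizeof(flow->dns.ptr_domain_name), "%s", flow->ndpi_flow->protos.dns.ptr_domain_name);`. The `geolocation_iata_code` copy just above follows the same unbounded pattern, and process_ndpi_collected_info continues outside the hunk.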
@@ -1499,6 +1519,12 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
if(flow->ndpi_flow->protos.sip.to_imsi[0] != '\0')
ndpi_snprintf(flow->sip.to_imsi, sizeof(flow->sip.to_imsi), "%s", flow->ndpi_flow->protos.sip.to_imsi);
}
+ /* BFCP */
+ else if(is_ndpi_proto(flow, NDPI_PROTOCOL_BFCP)) {
+ flow->info_type = INFO_BFCP;
+ flow->bfcp.conference_id = flow->ndpi_flow->protos.bfcp.conference_id;
+ flow->bfcp.user_id = flow->ndpi_flow->protos.bfcp.user_id;
+ }
/* TELNET */
else if(is_ndpi_proto(flow, NDPI_PROTOCOL_TELNET)) {
if(flow->ndpi_flow->protos.telnet.username[0] != '\0')
@@ -1590,10 +1616,13 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
}
}
}
-
- if(flow->ndpi_flow->tls_quic.obfuscated_heur_state && flow->ndpi_flow->tls_quic.obfuscated_heur_matching_set)
- memcpy(&flow->ssh_tls.obfuscated_heur_matching_set, flow->ndpi_flow->tls_quic.obfuscated_heur_matching_set,
- sizeof(struct ndpi_tls_obfuscated_heuristic_matching_set));
+ /* FASTCGI */
+ else if(is_ndpi_proto(flow, NDPI_PROTOCOL_FASTCGI)) {
+ flow->info_type = INFO_FASTCGI;
+ flow->fast_cgi.method = flow->ndpi_flow->protos.fast_cgi.method;
+ ndpi_snprintf(flow->fast_cgi.user_agent, sizeof(flow->fast_cgi.user_agent), "%s", flow->ndpi_flow->protos.fast_cgi.user_agent);
+ ndpi_snprintf(flow->fast_cgi.url, sizeof(flow->fast_cgi.url), "%s", flow->ndpi_flow->protos.fast_cgi.url);
+ }
if(!monitoring_enabled) {
add_to_address_port_list(&flow->stun.mapped_address, &flow->ndpi_flow->stun.mapped_address);
@@ -1632,6 +1661,9 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
ndpi_snprintf(flow->http.password, sizeof(flow->http.password), "%s", flow->ndpi_flow->http.password ? flow->ndpi_flow->http.password : "");
}
+ if(is_ndpi_proto(flow, NDPI_PROTOCOL_RTP))
+ memcpy(&flow->rtp, &flow->ndpi_flow->rtp, sizeof(flow->rtp));
+
ndpi_snprintf(flow->http.user_agent,
sizeof(flow->http.user_agent),
"%s", (flow->ndpi_flow->http.user_agent ? flow->ndpi_flow->http.user_agent : ""));
@@ -1928,13 +1960,9 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
if((human_readeable_string_len != 0) && (!flow->has_human_readeable_strings)) {
u_int8_t skip = 0;
- if((proto == IPPROTO_TCP)
- && (
- is_ndpi_proto(flow, NDPI_PROTOCOL_TLS)
- || (flow->detected_protocol.proto.master_protocol == NDPI_PROTOCOL_TLS)
- || is_ndpi_proto(flow, NDPI_PROTOCOL_SSH)
- || (flow->detected_protocol.proto.master_protocol == NDPI_PROTOCOL_SSH))
- ) {
+ if(proto == IPPROTO_TCP &&
+ (is_ndpi_proto(flow, NDPI_PROTOCOL_TLS) ||
+ is_ndpi_proto(flow, NDPI_PROTOCOL_SSH))) {
if((flow->src2dst_packets+flow->dst2src_packets) < 10 /* MIN_NUM_ENCRYPT_SKIP_PACKETS */)
skip = 1; /* Skip initial negotiation packets */
}
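Review bot: The TLS/SSH-over-TCP test is now written out twice, here and in the `else` branch of the next hunk, so the two copies can drift apart again; a small `static` helper (for example `is_encrypted_tcp_flow(flow, proto)`) would hold it once. Dropping the explicit `master_protocol` comparisons is only equivalent if `is_ndpi_proto()` already matches the master protocol; its body is not in the hunk, so a one-line comment stating that reliance would help the next reader. The bare `10` could also become the `MIN_NUM_ENCRYPT_SKIP_PACKETS` constant named in the adjacent comment.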
@@ -1947,13 +1975,9 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
flow->has_human_readeable_strings = 1;
}
} else {
- if((proto == IPPROTO_TCP)
- && (
- is_ndpi_proto(flow, NDPI_PROTOCOL_TLS)
- || (flow->detected_protocol.proto.master_protocol == NDPI_PROTOCOL_TLS)
- || is_ndpi_proto(flow, NDPI_PROTOCOL_SSH)
- || (flow->detected_protocol.proto.master_protocol == NDPI_PROTOCOL_SSH))
- )
+ if(proto == IPPROTO_TCP &&
+ (is_ndpi_proto(flow, NDPI_PROTOCOL_TLS) ||
+ is_ndpi_proto(flow, NDPI_PROTOCOL_SSH)))
flow->has_human_readeable_strings = 0;
}
} else { // flow is NULL
@@ -1965,8 +1989,8 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
struct ndpi_flow_input_info input_info;
u_int enough_packets =
- ((proto == IPPROTO_UDP && (max_num_udp_dissected_pkts > 0 && flow->src2dst_packets + flow->dst2src_packets > max_num_udp_dissected_pkts)) ||
- (proto == IPPROTO_TCP && (max_num_tcp_dissected_pkts > 0 && flow->src2dst_packets + flow->dst2src_packets > max_num_tcp_dissected_pkts))) ? 1 : 0;
+ ((proto == IPPROTO_UDP && (max_num_udp_dissected_pkts > 0 && flow->src2dst_packets + flow->dst2src_packets >= max_num_udp_dissected_pkts)) ||
+ (proto == IPPROTO_TCP && (max_num_tcp_dissected_pkts > 0 && flow->src2dst_packets + flow->dst2src_packets >= max_num_tcp_dissected_pkts))) ? 1 : 0;
#if 0
printf("%s()\n", __FUNCTION__);
diff --git a/example/reader_util.h b/example/reader_util.h
index 5ade8250e..c49237b9f 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -1,7 +1,7 @@
/*
* ndpi_util.h
*
- * Copyright (C) 2011-22 - ntop.org
+ * Copyright (C) 2011-25 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -171,6 +171,8 @@ enum info_type {
INFO_FTP_IMAP_POP_SMTP,
INFO_NATPMP,
INFO_SIP,
+ INFO_FASTCGI,
+ INFO_BFCP,
};
typedef struct {
@@ -193,7 +195,7 @@ typedef struct ndpi_flow_info {
u_int16_t vlan_id;
ndpi_packet_tunnel tunnel_type;
struct ndpi_flow_struct *ndpi_flow;
- char src_name[INET6_ADDRSTRLEN], dst_name[INET6_ADDRSTRLEN];
+ char *src_name, *dst_name;
u_int8_t ip_version;
u_int32_t cwr_count, src2dst_cwr_count, dst2src_cwr_count;
u_int32_t ece_count, src2dst_ece_count, dst2src_ece_count;
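Review bot: Turning `src_name`/`dst_name` from arrays into `char *` changes what `sizeof(flow->src_name)` means at every remaining call site: it now yields the pointer size rather than INET6_ADDRSTRLEN, and it still compiles. Any call outside the visible hunks that sizes a buffer operation with it should be checked, and every reader must now tolerate NULL the way dump_flow_fingerprint does. The contract belongs on the field itself: `char *src_name, *dst_name; /* heap, INET_ADDRSTRLEN or INET6_ADDRSTRLEN bytes; NULL if allocation failed; freed by ndpi_flow_info_free_data() */`.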
@@ -270,6 +272,17 @@ typedef struct ndpi_flow_info {
char to[256];
char to_imsi[16];
} sip;
+
+ struct {
+ ndpi_http_method method;
+ char user_agent[32];
+ char url[64];
+ } fast_cgi;
+
+ struct {
+ u_int32_t conference_id;
+ u_int16_t user_id;
+ } bfcp;
};
ndpi_serializer ndpi_flow_serializer;
@@ -307,7 +320,6 @@ typedef struct ndpi_flow_info {
u_int32_t quic_version;
- struct ndpi_tls_obfuscated_heuristic_matching_set obfuscated_heur_matching_set;
} ssh_tls;
struct {
@@ -316,6 +328,8 @@ typedef struct ndpi_flow_info {
u_int response_status_code;
} http;
+ struct rtp_info rtp[2 /* directions */];
+
struct {
ndpi_address_port_list mapped_address, peer_address,
relayed_address, response_origin, other_address;
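Review bot: `rtp[2]` is filled in process_ndpi_collected_info with `memcpy(&flow->rtp, &flow->ndpi_flow->rtp, sizeof(flow->rtp))`, which is only safe while the library-side `rtp` member has exactly the same type and length; that declaration is not visible here. A compile-time check next to the copy would pin the assumption: `_Static_assert(sizeof(flow->rtp) == sizeof(flow->ndpi_flow->rtp), "rtp layout mismatch");` (C11; use the project's equivalent if it builds as C99). The copy itself also sits between the `http.password` and `http.user_agent` lines, which splits the HTTP block; moving it next to the other per-protocol branches would read better.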
@@ -328,6 +342,8 @@ typedef struct ndpi_flow_info {
struct {
char geolocation_iata_code[4];
+ char ptr_domain_name[64];
+ u_int16_t transaction_id;
} dns;
u_int8_t multimedia_flow_types;
@@ -356,12 +372,16 @@ typedef struct ndpi_stats {
u_int64_t raw_packet_count;
u_int64_t ip_packet_count;
u_int64_t total_wire_bytes, total_ip_bytes, total_discarded_bytes;
- u_int64_t protocol_counter[NDPI_MAX_SUPPORTED_PROTOCOLS + NDPI_MAX_NUM_CUSTOM_PROTOCOLS + 1];
- u_int64_t protocol_counter_bytes[NDPI_MAX_SUPPORTED_PROTOCOLS + NDPI_MAX_NUM_CUSTOM_PROTOCOLS + 1];
- u_int32_t protocol_flows[NDPI_MAX_SUPPORTED_PROTOCOLS + NDPI_MAX_NUM_CUSTOM_PROTOCOLS + 1];
- u_int64_t fpc_protocol_counter[NDPI_MAX_SUPPORTED_PROTOCOLS + NDPI_MAX_NUM_CUSTOM_PROTOCOLS + 1];
- u_int64_t fpc_protocol_counter_bytes[NDPI_MAX_SUPPORTED_PROTOCOLS + NDPI_MAX_NUM_CUSTOM_PROTOCOLS + 1];
- u_int32_t fpc_protocol_flows[NDPI_MAX_SUPPORTED_PROTOCOLS + NDPI_MAX_NUM_CUSTOM_PROTOCOLS + 1];
+ u_int32_t num_protocols;
+ u_int64_t *protocol_counter;
+ u_int64_t *protocol_counter_bytes;
+ u_int32_t *protocol_flows;
+ u_int64_t *fpc_protocol_counter;
+ u_int64_t *fpc_protocol_counter_bytes;
+ u_int32_t *fpc_protocol_flows;
+ u_int64_t category_counter[NDPI_PROTOCOL_NUM_CATEGORIES];
+ u_int64_t category_counter_bytes[NDPI_PROTOCOL_NUM_CATEGORIES];
+ u_int32_t category_flows[NDPI_PROTOCOL_NUM_CATEGORIES];
u_int32_t ndpi_flow_count;
u_int32_t flow_count[3];
u_int64_t tcp_count, udp_count;
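Review bot: With the six per-protocol counters now heap arrays of `num_protocols` entries, every `protocol_counter[id]`-style access depends on `id < num_protocols`, where before the arrays were sized for the maximum id at compile time. That matters if protocols can be registered after ndpi_stats_init() has sized the arrays (this commit also loads a protocols directory in ndpi_workflow_init); the sizing call is not visible here, so the ordering should be confirmed. A comment on the field, `u_int32_t num_protocols; /* element count of the six arrays below; index only with id < num_protocols */`, plus a bounds test at the update sites would make the invariant explicit.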
@@ -417,6 +437,9 @@ typedef struct ndpi_workflow {
ndpi_serialization_format ndpi_serialization_format;
} ndpi_workflow_t;
+void ndpi_stats_free(ndpi_stats_t *s);
+int ndpi_stats_init(ndpi_stats_t *s, uint32_t num_protocols);
+void ndpi_stats_reset(ndpi_stats_t *s);
/* TODO: remove wrappers parameters and use ndpi global, when their initialization will be fixed... */
struct ndpi_workflow * ndpi_workflow_init(const struct ndpi_workflow_prefs * prefs, pcap_t * pcap_handle, int do_init_flows_root, ndpi_serialization_format serialization_format, struct ndpi_global_context *g_ctx);
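Review bot: The three new prototypes have no comment describing their contract, and `ndpi_stats_init` takes `uint32_t` while the field it sizes is declared `u_int32_t num_protocols`. I would use `int ndpi_stats_init(ndpi_stats_t *s, u_int32_t num_protocols);` for consistency with the struct, and add a short comment saying what the `int` return means and whether `ndpi_stats_free()` may be called on a struct whose init failed part-way. The definitions are outside this hunk, so the wording of that comment has to come from them.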
@@ -455,7 +478,6 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
void ndpi_flow_info_free_data(struct ndpi_flow_info *flow);
void ndpi_flow_info_freer(void *node);
const char* print_cipher_id(u_int32_t cipher);
-int parse_proto_name_list(char *str, NDPI_PROTOCOL_BITMASK *bitmask, int inverted_logic);
extern int reader_log_level;