Diffstat (limited to 'src/include')
-rw-r--r-- | src/include/ndpi_api.h | 3 | ||||
-rw-r--r-- | src/include/ndpi_private.h | 18 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 24 |
3 files changed, 19 insertions, 26 deletions
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
index 775665dab..9a0c240f8 100644
--- a/src/include/ndpi_api.h
+++ b/src/include/ndpi_api.h
@@ -211,11 +211,10 @@ extern "C" {
    * indipendent detection contexts) but all these calls MUST NOT run
    * in parallel
    *
-   * @par prefs = load preferences
    * @return the initialized detection module
    *
    */
-  struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs prefs);
+  struct ndpi_detection_module_struct *ndpi_init_detection_module(void);
 
   /**
    * Completes the initialization (2nd step)
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index 50a84ffc3..7fac6d981 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@@ -149,6 +149,24 @@ typedef struct {
 struct ndpi_detection_module_config_struct {
   int max_packets_to_process;
   int direction_detect_enabled;
+  /* In some networks, there are some anomalous TCP flows where
+     the smallest ACK packets have some kind of zero padding.
+     It looks like the IP and TCP headers in those frames wrongly consider the
+     0x00 Ethernet padding bytes as part of the TCP payload.
+     While this kind of packets is perfectly valid per-se, in some conditions
+     they might be treated by the TCP reassembler logic as (partial) overlaps,
+     deceiving the classification engine.
+     Add an heuristic to detect these packets and to ignore them, allowing
+     correct detection/classification.
+     See #1946 for other details */
+  int tcp_ack_paylod_heuristic;
+  /* Heuristic to detect fully encrypted sessions, i.e. flows where every bytes of
+     the payload is encrypted in an attempt to “look like nothing”.
+     This heuristic only analyzes the first packet of the flow.
+     See: https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf */
+  int fully_encrypted_heuristic;
+  int track_payload_enabled;
+  int libgcrypt_init;
   char filename_config[CFG_MAX_LEN];
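Review bot: Dropping the `prefs` parameter from `ndpi_init_detection_module` is a source- and ABI-breaking change for every caller, and the surviving doc comment no longer says where the removed preferences (libgcrypt initialization, payload tracking, the two heuristics) are configured or what their defaults are once nothing can be passed here. The `ndpi_private.h` hunk on this page moves the same knobs into `ndpi_detection_module_config_struct`, so presumably they are now set through the configuration API between this call and the 2nd-step completion; the public header should state that, because a caller that previously passed `ndpi_dont_init_libgcrypt` to avoid initializing libgcrypt twice gets no hint that the default may now differ. Suggest replacing the removed `@par` line with `* @note Preferences formerly passed as ndpi_init_prefs are now configuration options; set them before completing the 2nd-step initialization` (exact mechanism to be confirmed against the implementation). Whether the changed signature warrants a library version/soname bump is worth checking as well.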
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 02a104d81..7fc5ce0de 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1505,30 +1505,6 @@ typedef struct {
   u_int16_t value;
 } ndpi_network6;
 
-typedef u_int32_t ndpi_init_prefs;
-
-typedef enum {
-  ndpi_no_prefs = 0,
-  ndpi_dont_init_libgcrypt = (1 << 1),
-  ndpi_track_flow_payload = (1 << 16),
-  /* In some networks, there are some anomalous TCP flows where
-     the smallest ACK packets have some kind of zero padding.
-     It looks like the IP and TCP headers in those frames wrongly consider the
-     0x00 Ethernet padding bytes as part of the TCP payload.
-     While this kind of packets is perfectly valid per-se, in some conditions
-     they might be treated by the TCP reassembler logic as (partial) overlaps,
-     deceiving the classification engine.
-     Add an heuristic to detect these packets and to ignore them, allowing
-     correct detection/classification.
-     See #1946 for other details */
-  ndpi_enable_tcp_ack_payload_heuristic = (1 << 17),
-  /* Heuristic to detect fully encrypted sessions, i.e. flows where every bytes of
-     the payload is encrypted in an attempt to “look like nothing”.
-     This heuristic only analyzes the first packet of the flow.
-     See: https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf */
-  ndpi_disable_fully_encrypted_heuristic = (1 << 20),
-} ndpi_prefs;
-
 typedef struct {
   u_int32_t protocol_id;
   ndpi_protocol_category_t protocol_category;