diff options
Diffstat (limited to 'src/lib/ndpi_main.c')
| -rw-r--r-- | src/lib/ndpi_main.c | 75 |
1 files changed, 41 insertions, 34 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index b8e22abe6..557c5b455 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -3505,7 +3505,7 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str if(flow->packet.l4_packet_len >=flow->packet.tcp->doff * 4) { flow->packet.payload_packet_len = flow->packet.l4_packet_len -flow->packet.tcp->doff * 4; - flow->packet.actual_payload_len =flow->packet.payload_packet_len; + flow->packet.actual_payload_len = flow->packet.payload_packet_len; flow->packet.payload = ((u_int8_t *)flow->packet.tcp) + (flow->packet.tcp->doff * 4); /* check for new tcp syn packets, here @@ -3515,15 +3515,17 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str && flow->packet.tcp->ack == 0 && flow->init_finished != 0 && flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { - if(flow->http.url) - ndpi_free(flow->http.url); - if(flow->http.content_type) - ndpi_free(flow->http.content_type); - memset(flow, 0, sizeof(*(flow))); + u_int8_t backup; + + if(flow->http.url) ndpi_free(flow->http.url); + if(flow->http.content_type) ndpi_free(flow->http.content_type); + backup = flow->num_processed_pkts; + memset(flow, 0, sizeof(*(flow))); + flow->num_processed_pkts = backup; + NDPI_LOG_DBG(ndpi_struct, "tcp syn packet for unknown protocol, reset detection state\n"); - } } else { /* tcp header not complete */ @@ -3536,6 +3538,7 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str } else { flow->packet.generic_l4_ptr = l4ptr; } + return 0; } @@ -3826,7 +3829,6 @@ void check_ndpi_tcp_flow_func(struct ndpi_detection_module_struct *ndpi_struct, } } - /* ********************************************************************************* */ void ndpi_check_flow_func(struct ndpi_detection_module_struct *ndpi_struct, @@ -3921,6 +3923,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st } ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; + ndpi_fill_protocol_category(ndpi_struct, flow, &ret); return(ret); } @@ -4225,6 +4228,8 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct u_int32_t a; ndpi_protocol ret = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED }; + flow->num_processed_pkts++; + if(ndpi_struct->ndpi_log_level >= NDPI_LOG_TRACE) NDPI_LOG(flow ? flow->detected_protocol_stack[0]:NDPI_PROTOCOL_UNKNOWN, ndpi_struct, NDPI_LOG_TRACE, "START packet processing\n"); @@ -4253,7 +4258,6 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct return(ret); /* detect traffic for tcp or udp only */ - flow->src = src, flow->dst = dst; ndpi_connection_tracking(ndpi_struct, flow); @@ -4356,6 +4360,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct ndpi_check_flow_func(ndpi_struct, flow, &ndpi_selection_packet); ndpi_fill_protocol_category(ndpi_struct, flow, &ret); + return(ret); } @@ -4384,6 +4389,24 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct ret.app_protocol = flow->detected_protocol_stack[0]; ndpi_fill_protocol_category(ndpi_struct, flow, &ret); + + if((flow->num_processed_pkts == 1) + && (ret.master_protocol == NDPI_PROTOCOL_UNKNOWN) + && (ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) + && flow->packet.tcp + && (flow->packet.tcp->syn == 0) + ) { + /* + This is a TCP flow + - whose first packet is NOT a SYN + - no protocol has been detected + + We don't see how future packets can match anything + hence we giveup here + */ + ret = ndpi_detection_giveup(ndpi_struct, flow); + } + return(ret); } @@ -4602,7 +4625,6 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_struc strncpy((char*)flow->http.response_status_code, (char*)packet->http_response.ptr, 3); flow->http.response_status_code[4]='\0'; - NDPI_LOG_DBG2(ndpi_struct, "ndpi_parse_packet_line_info: HTTP response parsed: \"%.*s\"\n", packet->http_response.len, packet->http_response.ptr); @@ -5034,27 +5056,6 @@ void ndpi_int_change_category(struct ndpi_detection_module_struct *ndpi_struct, /* ********************************************************************************* */ -/* change protocol only if guessing is active */ -/* void ndpi_guess_change_protocol(struct ndpi_detection_module_struct *ndpi_struct, */ -/* struct ndpi_flow_struct *flow) */ -/* { */ -/* if(flow->guessed_host_protocol_id != 0 && */ -/* flow->guessed_protocol_id != 0) { */ -/* /\* app proto for flow *\/ */ -/* flow->detected_protocol_stack[0] = flow->guessed_host_protocol_id; */ -/* /\* master proto for flow *\/ */ -/* flow->detected_protocol_stack[1] = flow->guessed_protocol_id; */ - -/* /\* app proto for packet *\/ */ -/* flow->packet.detected_protocol_stack[0] = flow->guessed_host_protocol_id; */ -/* /\* master proto for packet *\/ */ -/* flow->packet.detected_protocol_stack[1] = flow->guessed_protocol_id; */ - -/* } */ -/* } */ - -/* ********************************************************************************* */ - /* turns a packet back to unknown */ void ndpi_int_reset_packet_protocol(struct ndpi_packet_struct *packet) { int a; @@ -5286,11 +5287,13 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct if(rc != NDPI_PROTOCOL_UNKNOWN) { ret.app_protocol = rc, - ret.master_protocol = ndpi_guess_protocol_id(ndpi_struct, proto, sport, dport, &user_defined_proto); + ret.master_protocol = ndpi_guess_protocol_id(ndpi_struct, proto, sport, + dport, &user_defined_proto); if(ret.app_protocol == ret.master_protocol) ret.master_protocol = NDPI_PROTOCOL_UNKNOWN; + ret.category = ndpi_get_proto_category(ndpi_struct, ret); return(ret); } @@ -5300,8 +5303,10 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct if(rc == NDPI_PROTOCOL_SSL) goto check_guessed_skype; - else + else { + ret.category = ndpi_get_proto_category(ndpi_struct, ret); return(ret); + } } check_guessed_skype: @@ -5314,8 +5319,10 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct ret.app_protocol = NDPI_PROTOCOL_SKYPE; } } else - ret.app_protocol = ndpi_guess_protocol_id(ndpi_struct, proto, sport, dport, &user_defined_proto); + ret.app_protocol = ndpi_guess_protocol_id(ndpi_struct, proto, sport, + dport, &user_defined_proto); + ret.category = ndpi_get_proto_category(ndpi_struct, ret); return(ret); } |