Diffstat (limited to 'src/lib/ndpi_utils.c')
-rw-r--r--src/lib/ndpi_utils.c127
1 files changed, 82 insertions, 45 deletions
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 4a30b1954..00fb47dad 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -902,63 +902,44 @@ char* ndpi_base64_encode(unsigned char const* bytes_to_encode, size_t in_len) {
}
/* ********************************** */
-/* ********************************** */
-int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow,
- u_int8_t ip_version,
- u_int8_t l4_protocol, u_int16_t vlan_id,
- u_int32_t src_v4, u_int32_t dst_v4,
- struct ndpi_in6_addr *src_v6, struct ndpi_in6_addr *dst_v6,
- u_int16_t src_port, u_int16_t dst_port,
- ndpi_protocol l7_protocol,
- ndpi_serializer *serializer) {
- char buf[64], src_name[32], dst_name[32];
-
- if(ndpi_init_serializer(serializer, ndpi_serialization_format_json) == -1)
- return(-1);
+void ndpi_serialize_risk(ndpi_serializer *serializer,
+ struct ndpi_flow_struct *flow) {
+ if(flow->risk != 0) {
+ u_int32_t i;
- if(ip_version == 4) {
- inet_ntop(AF_INET, &src_v4, src_name, sizeof(src_name));
- inet_ntop(AF_INET, &dst_v4, dst_name, sizeof(dst_name));
- } else {
- inet_ntop(AF_INET6, src_v6, src_name, sizeof(src_name));
- inet_ntop(AF_INET6, dst_v6, dst_name, sizeof(dst_name));
- /* For consistency across platforms replace :0: with :: */
- ndpi_patchIPv6Address(src_name), ndpi_patchIPv6Address(dst_name);
+ ndpi_serialize_start_of_block(serializer, "flow_risk");
+
+ for(i = 0; i < NDPI_MAX_RISK; i++) {
+ ndpi_risk_enum r = (ndpi_risk_enum)i;
+
+ if(NDPI_ISSET_BIT(flow->risk, r))
+ ndpi_serialize_uint32_string(serializer, i, ndpi_risk2str(r));
+ }
+
+ ndpi_serialize_end_of_block(serializer);
}
+}
- ndpi_serialize_string_string(serializer, "src_ip", src_name);
- ndpi_serialize_string_string(serializer, "dest_ip", dst_name);
- if(src_port) ndpi_serialize_string_uint32(serializer, "src_port", src_port);
- if(dst_port) ndpi_serialize_string_uint32(serializer, "dst_port", dst_port);
-
- switch(l4_protocol) {
- case IPPROTO_TCP:
- ndpi_serialize_string_string(serializer, "proto", "TCP");
- break;
-
- case IPPROTO_UDP:
- ndpi_serialize_string_string(serializer, "proto", "UDP");
- break;
-
- case IPPROTO_ICMP:
- ndpi_serialize_string_string(serializer, "proto", "ICMP");
- break;
+/* ********************************** */
+/* ********************************** */
- default:
- ndpi_serialize_string_uint32(serializer, "proto", l4_protocol);
- break;
- }
+/* NOTE: serializer must have been already initialized */
+int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow,
+ ndpi_protocol l7_protocol,
+ ndpi_serializer *serializer) {
+ char buf[64];
+ if(flow == NULL) return(-1);
+
ndpi_serialize_start_of_block(serializer, "ndpi");
+ ndpi_serialize_risk(serializer, flow);
ndpi_serialize_string_string(serializer, "proto", ndpi_protocol2name(ndpi_struct, l7_protocol, buf, sizeof(buf)));
if(l7_protocol.category != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED)
ndpi_serialize_string_string(serializer, "category", ndpi_category_get_name(ndpi_struct, l7_protocol.category));
ndpi_serialize_end_of_block(serializer);
- if(flow == NULL) return(0);
-
switch(l7_protocol.master_protocol ? l7_protocol.master_protocol : l7_protocol.app_protocol) {
case NDPI_PROTOCOL_DHCP:
ndpi_serialize_start_of_block(serializer, "dhcp");
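Review bot: `ndpi_dpi2json` returns -1 on a NULL `flow` before writing anything, whereas the code it replaces still emitted the "ndpi" block (proto and category) and returned 0 in that case, and only skipped the per-protocol details; because the new `ndpi_flow2json` delegates to it after addresses and ports have already been serialized, a caller without a flow now gets -1 and a half-filled serializer instead of the L7 protocol name. If that is not intended, keep the old placement: `if(flow != NULL) ndpi_serialize_risk(serializer, flow);` inside the block and `if(flow == NULL) return(0);` right after `ndpi_serialize_end_of_block(serializer);` — the risk helper only reads `flow->risk`, so nothing else in the block needs the flow. `ndpi_serialize_risk` is also a new non-static symbol with no prototype in this diff; presumably it is meant to be declared in the public header, otherwise it should be `static`. The body of `ndpi_dpi2json` continues past the end of the hunk.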
@@ -1148,6 +1129,59 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct,
/* ********************************** */
+/* NOTE: serializer is initialized by the function */
+int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow,
+ u_int8_t ip_version,
+ u_int8_t l4_protocol, u_int16_t vlan_id,
+ u_int32_t src_v4, u_int32_t dst_v4,
+ struct ndpi_in6_addr *src_v6, struct ndpi_in6_addr *dst_v6,
+ u_int16_t src_port, u_int16_t dst_port,
+ ndpi_protocol l7_protocol,
+ ndpi_serializer *serializer) {
+ char src_name[32], dst_name[32];
+
+ if(ndpi_init_serializer(serializer, ndpi_serialization_format_json) == -1)
+ return(-1);
+
+ if(ip_version == 4) {
+ inet_ntop(AF_INET, &src_v4, src_name, sizeof(src_name));
+ inet_ntop(AF_INET, &dst_v4, dst_name, sizeof(dst_name));
+ } else {
+ inet_ntop(AF_INET6, src_v6, src_name, sizeof(src_name));
+ inet_ntop(AF_INET6, dst_v6, dst_name, sizeof(dst_name));
+ /* For consistency across platforms replace :0: with :: */
+ ndpi_patchIPv6Address(src_name), ndpi_patchIPv6Address(dst_name);
+ }
+
+ ndpi_serialize_string_string(serializer, "src_ip", src_name);
+ ndpi_serialize_string_string(serializer, "dest_ip", dst_name);
+ if(src_port) ndpi_serialize_string_uint32(serializer, "src_port", src_port);
+ if(dst_port) ndpi_serialize_string_uint32(serializer, "dst_port", dst_port);
+
+ switch(l4_protocol) {
+ case IPPROTO_TCP:
+ ndpi_serialize_string_string(serializer, "proto", "TCP");
+ break;
+
+ case IPPROTO_UDP:
+ ndpi_serialize_string_string(serializer, "proto", "UDP");
+ break;
+
+ case IPPROTO_ICMP:
+ ndpi_serialize_string_string(serializer, "proto", "ICMP");
+ break;
+
+ default:
+ ndpi_serialize_string_uint32(serializer, "proto", l4_protocol);
+ break;
+ }
+
+ return(ndpi_dpi2json(ndpi_struct, flow, l7_protocol, serializer));
+}
+
+/* ********************************** */
+
const char* ndpi_tunnel2str(ndpi_packet_tunnel tt) {
switch(tt) {
case ndpi_no_tunnel:
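Review bot: The return values of the four `inet_ntop` calls in `ndpi_flow2json` are ignored, so on a conversion failure `src_name`/`dst_name` are passed to `ndpi_serialize_string_string` uninitialized; initialising them as `char src_name[32] = "", dst_name[32] = "";` keeps the output well-formed, and any `ip_version` other than 4 takes the IPv6 branch, where a NULL `src_v6`/`dst_v6` would be dereferenced. The NOTE above the function could also state the ownership on error: a -1 from `ndpi_init_serializer` leaves nothing to free, but as written a -1 from `ndpi_dpi2json` (NULL `flow`) arrives after the serializer was initialised and partly filled, so the caller still has to terminate it, e.g. `/* NOTE: serializer is initialized by the function; on -1 after init it is still initialized and must be terminated by the caller */`. `vlan_id` is accepted but never serialized, as before the move.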
@@ -1457,6 +1491,9 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
case NDPI_HTTP_SUSPICIOUS_URL:
return("HTTP Suspicious URL");
+
+ case NDPI_HTTP_SUSPICIOUS_HEADER:
+ return("HTTP Suspicious Header");
default:
snprintf(buf, sizeof(buf), "%d", (int)risk);