diff options
Diffstat (limited to 'src/lib/protocols/http.c')
| -rw-r--r-- | src/lib/protocols/http.c | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 68ba42561..2d894f345 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -1411,6 +1411,8 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct requests. The easiest (but costly) idea is to reset the state and process it (i.e. we keep the metadata of the last request that we have processed) */ + if(flow->l4.tcp.http_asymmetric_stage < 2) + flow->l4.tcp.http_asymmetric_stage++; reset(ndpi_struct, flow); process_request(ndpi_struct, flow, filename_start); return; @@ -1437,6 +1439,8 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct NDPI_LOG_DBG2(ndpi_struct, "Another piece of response\n"); if(is_response(ndpi_struct, flow)) { /* See the comment above about how we handle consecutive requests/responses */ + if(flow->l4.tcp.http_asymmetric_stage < 2) + flow->l4.tcp.http_asymmetric_stage++; reset(ndpi_struct, flow); process_response(ndpi_struct, flow); return; @@ -1467,8 +1471,16 @@ static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struc NDPI_LOG_DBG(ndpi_struct, "search HTTP\n"); ndpi_check_http_tcp(ndpi_struct, flow); - if(flow->host_server_name[0] != '\0'&& - flow->http.response_status_code != 0) { + if((flow->host_server_name[0] != '\0'&& + flow->http.response_status_code != 0) || + /* We have found 3 consecutive requests (without the reply) or 3 + consecutive replies (without the request). If the traffic is really + asymmetric, stop here, because we will never find the metadata from + both the request and the reply. We wait for 3 events (instead of 2) + to avoid false positives triggered by missing/dropped packets */ + (flow->l4.tcp.http_asymmetric_stage == 2 && + (flow->packet_direction_complete_counter[0] == 0 || + flow->packet_direction_complete_counter[1] == 0))) { flow->extra_packets_func = NULL; /* We're good now */ if(flow->initial_binary_bytes_len) ndpi_analyze_content_signature(ndpi_struct, flow); |