7 files changed, 37 insertions, 28 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 7929b3b88..f8d88374f 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -7063,6 +7063,22 @@ u_int8_t ndpi_detection_get_l4(const u_int8_t *l3, u_int16_t l3_len, const u_int
 
 /* ********************************************************************************* */
 
+void ndpi_set_detected_protocol_keeping_master(struct ndpi_detection_module_struct *ndpi_str,
+					       struct ndpi_flow_struct *flow,
+					       u_int16_t detected_protocol,
+					       ndpi_confidence_t confidence) {
+  u_int16_t master;
+
+  master = flow->detected_protocol_stack[1] ? flow->detected_protocol_stack[1] : flow->detected_protocol_stack[0];
+
+  if (master != NDPI_PROTOCOL_UNKNOWN)
+    ndpi_set_detected_protocol(ndpi_str, flow, detected_protocol, master, confidence);
+  else
+    ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_UNKNOWN, detected_protocol, confidence);
+}
+
+/* ********************************************************************************* */
+
 void ndpi_set_detected_protocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow,
 				u_int16_t upper_detected_protocol, u_int16_t lower_detected_protocol,
 				ndpi_confidence_t confidence) {
diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c
index 505f2ad16..b5ea1d1e6 100644
--- a/src/lib/protocols/bittorrent.c
+++ b/src/lib/protocols/bittorrent.c
@@ -109,7 +109,8 @@ static void ndpi_add_connection_as_bittorrent(struct ndpi_detection_module_struc
   if(check_hash)
     ndpi_search_bittorrent_hash(ndpi_struct, flow, bt_offset);
 
-  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_UNKNOWN, confidence);
+  ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_BITTORRENT,
+					    confidence);
   
   if(flow->protos.bittorrent.hash[0] == '\0') {
     /* This is necessary to inform the core to call this dissector again */
diff --git a/src/lib/protocols/gnutella.c b/src/lib/protocols/gnutella.c
index 7f6656424..a5ab04c3c 100644
--- a/src/lib/protocols/gnutella.c
+++ b/src/lib/protocols/gnutella.c
@@ -33,8 +33,9 @@ static void ndpi_int_gnutella_add_connection(struct ndpi_detection_module_struct
 					     struct ndpi_flow_struct *flow,
 					     ndpi_confidence_t confidence)
 {
-  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GNUTELLA, NDPI_PROTOCOL_UNKNOWN, confidence);
   NDPI_LOG_INFO(ndpi_struct, "found GNUTELLA\n");
+  ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_GNUTELLA,
+					    confidence);
 }
 
 void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 48a80dd9a..a403118f2 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -344,9 +344,6 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd
   if(flow->extra_packets_func && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN))
      return; /* Nothing new to add */
 
-  /* This is HTTP and it is not a sub protocol (e.g. skype or dropbox) */
-  ndpi_search_tcp_or_udp(ndpi_struct, flow);
-
   /* If no custom protocol has been detected */
   if((flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN)
      || ((http_protocol != NDPI_PROTOCOL_HTTP) &&
@@ -363,9 +360,14 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd
           flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP_PROXY)
     master_protocol = flow->detected_protocol_stack[0];
 
-  ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id,
-			     master_protocol,
-			     NDPI_CONFIDENCE_DPI);
+  /* Update the classification only if we don't already have master + app;
+     for example don't change the protocols if we have already detected a
+     sub-protocol via the (content-matched) subprotocols logic (i.e.
+     MPEGDASH, SOAP, ....) */
+  if(flow->detected_protocol_stack[1] == 0)
+    ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id,
+			       master_protocol,
+			       NDPI_CONFIDENCE_DPI);
 
   /* This is necessary to inform the core to call this dissector again */
   flow->check_extra_packets = 1;
diff --git a/src/lib/protocols/mpegdash.c b/src/lib/protocols/mpegdash.c
index 0e2ac1944..147057ac3 100644
--- a/src/lib/protocols/mpegdash.c
+++ b/src/lib/protocols/mpegdash.c
@@ -31,15 +31,9 @@
 static void ndpi_int_mpegdash_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
                                              struct ndpi_flow_struct *flow)
 {
-  if (flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN ||
-      flow->guessed_host_protocol_id == NDPI_PROTOCOL_HTTP)
-  {
-    ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MPEGDASH, NDPI_PROTOCOL_HTTP,
-                               NDPI_CONFIDENCE_DPI);
-  } else {
-    ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_MPEGDASH,
-                               NDPI_CONFIDENCE_DPI);
-  }
+  NDPI_LOG_INFO(ndpi_struct, "found MpegDash\n");
+  ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_MPEGDASH,
+					    NDPI_CONFIDENCE_DPI);
 }
 
 void ndpi_search_mpegdash_http(struct ndpi_detection_module_struct *ndpi_struct,
diff --git a/src/lib/protocols/rtsp.c b/src/lib/protocols/rtsp.c
index c6a8b1f26..f49530ecf 100644
--- a/src/lib/protocols/rtsp.c
+++ b/src/lib/protocols/rtsp.c
@@ -30,10 +30,10 @@
 
 
 static void ndpi_int_rtsp_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
-					 struct ndpi_flow_struct *flow/* , */
-					 /* ndpi_protocol_type_t protocol_type */)
+					 struct ndpi_flow_struct *flow)
 {
-  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTSP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+  ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_RTSP,
+					    NDPI_CONFIDENCE_DPI);
 }
 
 /* this function searches for a rtsp-"handshake" over tcp or udp. */
diff --git a/src/lib/protocols/soap.c b/src/lib/protocols/soap.c
index a2504f15c..82e2ab428 100644
--- a/src/lib/protocols/soap.c
+++ b/src/lib/protocols/soap.c
@@ -27,14 +27,9 @@
 static void ndpi_int_soap_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
                                          struct ndpi_flow_struct *flow)
 {
-  if (flow->guessed_host_protocol_id == NDPI_PROTOCOL_HTTP)
-  {
-    ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOAP, NDPI_PROTOCOL_HTTP,
-                               NDPI_CONFIDENCE_DPI);
-  } else {
-    ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_SOAP,
-                               NDPI_CONFIDENCE_DPI);
-  }
+  NDPI_LOG_INFO(ndpi_struct, "found Soap\n");
+  ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_SOAP,
+					    NDPI_CONFIDENCE_DPI);
 }
 
 void ndpi_search_soap(struct ndpi_detection_module_struct *ndpi_struct,