Diffstat (limited to 'src')
-rw-r--r--src/lib/ndpi_main.c11
-rw-r--r--src/lib/protocols/dns.c19
2 files changed, 25 insertions, 5 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index fa2192472..6cb706e66 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -6338,15 +6338,18 @@ int ndpi_flowv6_flow_hash(u_int8_t l4_proto, struct ndpi_in6_addr *src_ip, struc
*/
u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndpi_str,
struct ndpi_flow_struct *flow) {
+ u_int16_t proto = flow->detected_protocol_stack[1] ? flow->detected_protocol_stack[1] : flow->detected_protocol_stack[0];
+
#if 0
- printf("[DEBUG] %s(%u.%u)\n", __FUNCTION__,
+ printf("[DEBUG] %s(%u.%u): %u\n", __FUNCTION__,
flow->detected_protocol_stack[0],
- flow->detected_protocol_stack[1]);
+ flow->detected_protocol_stack[1],
+ proto);
#endif
if(flow->check_extra_packets) return(1);
- switch(flow->detected_protocol_stack[0]) {
+ switch(proto) {
case NDPI_PROTOCOL_TLS:
if(!flow->l4.tcp.tls_srv_cert_fingerprint_processed)
return(1);
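Review bot: The new `proto` initializer prefers `detected_protocol_stack[1]` over `[0]` with no comment saying why, and every case of the switch now depends on that choice. If slot 1 holds the master protocol, as the use of `ret.master_protocol` in dns.c suggests, say so above the declaration, for example `/* Prefer the master protocol (stack[1]) when set, so app-over-TLS/DNS flows reach the TLS/DNS cases */`. Cases that were previously reached through `detected_protocol_stack[0]` are skipped whenever slot 1 is non-zero, so it is worth confirming that no case label relies on an application protocol carried over a master protocol. The function body continues outside this hunk.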
@@ -6359,7 +6362,7 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp
case NDPI_PROTOCOL_DNS:
if((ndpi_str->dns_dont_dissect_response == 0)
- && (flow->host_server_name[0] == '\0'))
+ && (flow->protos.dns.num_answers == 0))
return(1);
break;
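Review bot: The new DNS condition `flow->protos.dns.num_answers == 0` cannot tell "no response dissected yet" from "response dissected, zero answer records". For replies that carry no answers (NXDOMAIN, empty NOERROR, truncated or malformed responses) this case keeps returning 1, so a caller that uses this function to decide when to stop feeding packets has no DNS-side stop signal beyond `max_extra_packets_to_check`. A separate "reply seen" indicator set by the dissector would be a more reliable test than the answer count. If `protos` is a union, this read is only meaningful once the flow is known to be DNS, which the switch on `proto` appears to guarantee; the enclosing switch is only partly visible in this hunk.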
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 86575f23e..7c3ead514 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -195,6 +195,16 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
/* *********************************************** */
+static int search_dns_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
+ /* possibly dissect the DNS reply */
+ ndpi_search_dns(ndpi_struct, flow);
+
+ /* stop extra processing */
+ return(0);
+}
+
+/* *********************************************** */
+
void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
int payload_offset;
u_int8_t is_query;
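Review bot: `search_dns_again` calls `ndpi_search_dns` above that function's definition in this file. Unless a prototype arrives through an included header (not visible in this hunk), this is an implicit declaration, and a forward declaration is needed before the helper: `void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);`. The helper also needs a header comment stating its contract as an `extra_packets_func` callback: it returns 0 unconditionally, whether or not the packet it just handed to the dissector was a DNS reply.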
@@ -271,9 +281,16 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
ret.master_protocol = NDPI_PROTOCOL_DNS;
}
- if(is_query && (ndpi_struct->dns_dont_dissect_response == 0)) {
+ if(is_query && (ndpi_struct->dns_dont_dissect_response == 0) && (flow->num_processed_pkts == 1)) {
/* In this case we say that the protocol has been detected just to let apps carry on with their activities */
ndpi_set_detected_protocol(ndpi_struct, flow, ret.app_protocol, ret.master_protocol);
+
+ /* This is necessary to inform the core to call this dissector again */
+ flow->check_extra_packets = 1;
+
+ /* Dissect at most 1 more packets, hopefully the DNS response */
+ flow->max_extra_packets_to_check = 1;
+ flow->extra_packets_func = search_dns_again;
return; /* The response will set the verdict */
}
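Review bot: With `max_extra_packets_to_check = 1` and `search_dns_again` always returning 0, whatever packet arrives next on the flow uses up the whole extra-dissection budget and is treated as the answer. A retransmitted query, or any datagram that is not the matching reply, therefore ends dissection without the real response being parsed. Nothing in this hunk ties the second packet to the query, for example by transaction ID or by checking that it is a response. The added `flow->num_processed_pkts == 1` guard also means a query seen as a later packet no longer returns early and falls through to code after this block, which lies outside the hunk. That path should be checked for query-shaped payloads, and a comment on the guard should state the intent, for example `/* only arm extra dissection on the first packet of the flow */`.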