Diffstat (limited to 'src')
-rw-r--r-- | src/lib/ndpi_main.c | 11 | ||||
-rw-r--r-- | src/lib/protocols/dns.c | 19 |
2 files changed, 25 insertions, 5 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index fa2192472..6cb706e66 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -6338,15 +6338,18 @@ int ndpi_flowv6_flow_hash(u_int8_t l4_proto, struct ndpi_in6_addr *src_ip, struc */ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow) { + u_int16_t proto = flow->detected_protocol_stack[1] ? flow->detected_protocol_stack[1] : flow->detected_protocol_stack[0]; + #if 0 - printf("[DEBUG] %s(%u.%u)\n", __FUNCTION__, + printf("[DEBUG] %s(%u.%u): %u\n", __FUNCTION__, flow->detected_protocol_stack[0], - flow->detected_protocol_stack[1]); + flow->detected_protocol_stack[1], + proto); #endif if(flow->check_extra_packets) return(1); - switch(flow->detected_protocol_stack[0]) { + switch(proto) { case NDPI_PROTOCOL_TLS: if(!flow->l4.tcp.tls_srv_cert_fingerprint_processed) return(1);
@@ -6359,7 +6362,7 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp case NDPI_PROTOCOL_DNS: if((ndpi_str->dns_dont_dissect_response == 0) - && (flow->host_server_name[0] == '\0')) + && (flow->protos.dns.num_answers == 0)) return(1); break;
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 86575f23e..7c3ead514 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -195,6 +195,16 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, /* *********************************************** */ +static int search_dns_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + /* possibly dissect the DNS reply */ + ndpi_search_dns(ndpi_struct, flow); + + /* stop extra processing */ + return(0); +} + +/* *********************************************** */ + void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { int payload_offset; u_int8_t is_query;
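Review bot: The `switch` in `ndpi_extra_dissection_possible` is now keyed on `proto`, which takes `detected_protocol_stack[1]` whenever it is non-zero, so a flow with both slots set is no longer matched on slot 0 and any `case` that relied on the slot-0 value stops firing for it. The hunk does not say which slot holds the master and which the application protocol, and the rest of the switch lies outside the hunk, so the effect on the other cases cannot be checked from here. I would add a comment above the declaration such as `/* key on stack[1] when set, else stack[0]; cases below must be listed by that value */` and confirm each remaining case against it.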
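Review bot: In the `NDPI_PROTOCOL_DNS` case, `flow->protos.dns.num_answers == 0` is true both before any response has been dissected and after a response that carries no answer records, so an answerless reply leaves this function returning 1. Termination then depends entirely on the extra-packet budget enforced by the caller, which is outside the hunk. A comment stating that dependency would help, e.g. `/* num_answers stays 0 for answerless replies; max_extra_packets_to_check bounds the retries */`, or the test could use a field that records that a response was seen, if the flow struct has one.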
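Review bot: `search_dns_again` does not document its return contract and returns 0 whatever `ndpi_search_dns` found, so the one extra packet ends extra dissection even when it was not a DNS response (a repeated query, say). If that is intended, say so above the function: `/* extra_packets_func callback: re-run the DNS dissector on the next packet; always returns 0 so the core stops calling it */`. It also calls `ndpi_search_dns` ahead of its definition in this file, which presumably relies on a prototype from a header not shown here.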
@@ -271,9 +281,16 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd ret.master_protocol = NDPI_PROTOCOL_DNS; } - if(is_query && (ndpi_struct->dns_dont_dissect_response == 0)) { + if(is_query && (ndpi_struct->dns_dont_dissect_response == 0) && (flow->num_processed_pkts == 1)) { /* In this case we say that the protocol has been detected just to let apps carry on with their activities */ ndpi_set_detected_protocol(ndpi_struct, flow, ret.app_protocol, ret.master_protocol); + + /* This is necessary to inform the core to call this dissector again */ + flow->check_extra_packets = 1; + + /* Dissect at most 1 more packets, hopefully the DNS response */ + flow->max_extra_packets_to_check = 1; + flow->extra_packets_func = search_dns_again; return; /* The response will set the verdict */ } |
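Review bot: With `(flow->num_processed_pkts == 1)` added to the condition, a query that is not the flow's first processed packet no longer returns early and instead falls through to the code after this `if`, which lies outside the hunk and which queries previously reached only when `dns_dont_dissect_response` was set. Please confirm that path handles a query correctly; presumably DNS over TCP and a second query on the same flow are the cases to test. As far as the hunk shows, the single extra packet is accepted as the response by position alone; if the transaction ID is not compared further down, the fields filled from it reflect whatever datagram arrived next, which matters when they feed policy or logging. The comment should read `/* Dissect at most 1 more packet, hopefully the DNS response */`.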