Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_api.h.in3
-rw-r--r--src/lib/Makefile.in2
-rw-r--r--src/lib/ndpi_analyze.c96
-rw-r--r--src/lib/ndpi_content_match.c.inc2
-rw-r--r--src/lib/ndpi_main.c30
-rw-r--r--src/lib/protocols/tls.c3
6 files changed, 118 insertions, 18 deletions
diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in
index 9640d3d8b..ed94c5bf3 100644
--- a/src/include/ndpi_api.h.in
+++ b/src/include/ndpi_api.h.in
@@ -1071,7 +1071,10 @@ extern "C" {
void ndpi_free_bin(struct ndpi_bin *b);
void ndpi_inc_bin(struct ndpi_bin *b, u_int8_t slot_id);
void ndpi_normalize_bin(struct ndpi_bin *b);
+ char* ndpi_print_bin(struct ndpi_bin *b, u_int8_t normalize_first, char *out_buf, u_int out_buf_len);
+ float ndpi_bin_similarity(struct ndpi_bin *b1, struct ndpi_bin *b2, u_int8_t normalize_first);
+
#ifdef __cplusplus
}
#endif
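Review bot: The two new prototypes say nothing about `normalize_first`, yet in ndpi_analyze.c both functions call ndpi_normalize_bin() on the caller's bins when it is non-zero. Printing or comparing therefore rewrites the bins in place (into percentages, per the comment on ndpi_normalize_bin). A comment above the declarations such as `/* normalize_first != 0 rewrites the bin(s) in place; pass 0 to keep the raw counts */` would make that contract visible. It should also state that `out_buf_len` is the full size of `out_buf`, terminator included, and must be non-zero.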
diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in
index f69c81946..874cee20c 100644
--- a/src/lib/Makefile.in
+++ b/src/lib/Makefile.in
@@ -54,7 +54,7 @@ $(NDPI_LIB_SHARED): $(OBJECTS)
$(CC) $(CFLAGS) -c $< -o $@ $(LDFLAGS)
clean:
- /bin/rm -f $(NDPI_LIB_STATIC) $(OBJECTS) *.o *.so *.lo $(NDPI_LIB_SHARED)
+ /bin/rm -f $(NDPI_LIB_STATIC) $(OBJECTS) *.o *.so *.lo libndpi.so*
distclean: clean
/bin/rm -f Makefile
diff --git a/src/lib/ndpi_analyze.c b/src/lib/ndpi_analyze.c
index e1f37cc8d..4ca3ac25a 100644
--- a/src/lib/ndpi_analyze.c
+++ b/src/lib/ndpi_analyze.c
@@ -125,6 +125,12 @@ float ndpi_data_variance(struct ndpi_analyze_struct *s) {
/* ********************************************************************************* */
+/*
+ See the link below for "Population and sample standard deviation review"
+ https://www.khanacademy.org/math/statistics-probability/summarizing-quantitative-data/variance-standard-deviation-sample/a/population-and-sample-standard-deviation-review
+
+ In nDPI we use an approximate stddev calculation to avoid storing all data in memory
+*/
/* Compute the standard deviation on all values */
float ndpi_data_stddev(struct ndpi_analyze_struct *s) {
return(sqrt(ndpi_data_variance(s)));
@@ -260,6 +266,8 @@ int ndpi_init_bin(struct ndpi_bin *b, enum ndpi_bin_family f, u_int8_t num_bins)
return(0);
}
+/* ********************************************************************************* */
+
void ndpi_free_bin(struct ndpi_bin *b) {
switch(b->family) {
case ndpi_bin_family8:
@@ -274,6 +282,8 @@ void ndpi_free_bin(struct ndpi_bin *b) {
}
}
+/* ********************************************************************************* */
+
void ndpi_inc_bin(struct ndpi_bin *b, u_int8_t slot_id) {
if(slot_id >= b->num_bins) slot_id = 0;
@@ -292,6 +302,8 @@ void ndpi_inc_bin(struct ndpi_bin *b, u_int8_t slot_id) {
}
}
+/* ********************************************************************************* */
+
/*
Each bin slot is transformed in a % with respect to the value total
*/
@@ -316,3 +328,87 @@ void ndpi_normalize_bin(struct ndpi_bin *b) {
}
}
+/* ********************************************************************************* */
+
+char* ndpi_print_bin(struct ndpi_bin *b, u_int8_t normalize_first, char *out_buf, u_int out_buf_len) {
+ u_int8_t i;
+ u_int len = 0;
+
+ if(!out_buf) return(out_buf); else out_buf[0] = '\0';
+
+ if(normalize_first)
+ ndpi_normalize_bin(b);
+
+ switch(b->family) {
+ case ndpi_bin_family8:
+ for(i=0; i<b->num_bins; i++) {
+ int rc = snprintf(&out_buf[len], out_buf_len-len, "%s%u", (i > 0) ? "," : "", b->u.bins8[i]);
+
+ if(rc < 0) break;
+ len += rc;
+ }
+ break;
+
+ case ndpi_bin_family16:
+ for(i=0; i<b->num_bins; i++) {
+ int rc = snprintf(&out_buf[len], out_buf_len-len, "%s%u", (i > 0) ? "," : "", b->u.bins16[i]);
+
+ if(rc < 0) break;
+ len += rc;
+ }
+ break;
+
+ case ndpi_bin_family32:
+ for(i=0; i<b->num_bins; i++) {
+ int rc = snprintf(&out_buf[len], out_buf_len-len, "%s%u", (i > 0) ? "," : "", b->u.bins32[i]);
+
+ if(rc < 0) break;
+ len += rc;
+ }
+ break;
+ }
+
+ return(out_buf);
+}
+
+/* ********************************************************************************* */
+
+/*
+ Determines how similar are two bins
+
+ 0 = Very differet
+ ... (gray zone)
+ 1 = Alike
+
+ See https://en.wikipedia.org/wiki/Cosine_similarity for more details
+*/
+float ndpi_bin_similarity(struct ndpi_bin *b1, struct ndpi_bin *b2, u_int8_t normalize_first) {
+ u_int8_t i;
+ u_int32_t sumxx = 0, sumxy = 0, sumyy = 0;
+
+ if((b1->num_incs == 0) || (b2->num_incs == 0)
+ || (b1->family != b2->family) || (b1->num_bins != b2->num_bins))
+ return(0);
+
+ if(normalize_first)
+ ndpi_normalize_bin(b1), ndpi_normalize_bin(b2);
+
+ switch(b1->family) {
+ case ndpi_bin_family8:
+ for(i=0; i<b1->num_bins; i++)
+ sumxx += b1->u.bins8[i] * b1->u.bins8[i], sumyy += b2->u.bins8[i] * b2->u.bins8[i], sumxy += b1->u.bins8[i] * b2->u.bins8[i];
+ break;
+ case ndpi_bin_family16:
+ for(i=0; i<b1->num_bins; i++)
+ sumxx += b1->u.bins16[i] * b1->u.bins16[i], sumyy += b2->u.bins16[i] * b2->u.bins16[i], sumxy += b1->u.bins16[i] * b2->u.bins16[i];
+ break;
+ case ndpi_bin_family32:
+ for(i=0; i<b1->num_bins; i++)
+ sumxx += b1->u.bins32[i] * b1->u.bins32[i], sumyy += b2->u.bins32[i] * b2->u.bins32[i], sumxy += b1->u.bins32[i] * b2->u.bins32[i];
+ break;
+ }
+
+ return((float)sumxy / sqrt((float)(sumxx * sumyy)));
+}
+
+/* ********************************************************************************* */
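Review bot: In ndpi_print_bin the three loops add snprintf's return value to `len` without checking for truncation, so once the text no longer fits, `len` exceeds `out_buf_len`, `out_buf_len-len` wraps (both are u_int) and the next call writes past the caller's buffer. Each loop should stop on truncation with `if(rc < 0 || (u_int)rc >= out_buf_len-len) break;`. The entry guard should also reject a zero length, `if(!out_buf || out_buf_len == 0) return(out_buf);`, because `out_buf[0] = '\0'` is written unconditionally. In ndpi_bin_similarity the u_int32_t accumulators and the `sumxx * sumyy` product can wrap for 16- and 32-bit bins that are not normalized, and a zero product makes the division yield NaN. Accumulating in u_int64_t or double and returning 0 when either sum is zero would avoid both.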
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 82a77183a..4ad5c5598 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -909,7 +909,7 @@ static ndpi_network host_protocol_list[] = {
/* Teamviewer 159.122.189.32-63 */
- { 0x9F7ABD30 /* 159.122.189.32 */, 21, NDPI_PROTOCOL_TEAMVIEWER },
+ { 0x9F7ABD20 /* 159.122.189.32 */, 27, NDPI_PROTOCOL_TEAMVIEWER },
#if 0
/*
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 957e3b763..7715f0460 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -275,7 +275,7 @@ u_int8_t ndpi_is_subprotocol_informative(struct ndpi_detection_module_struct *nd
if(protoId >= NDPI_MAX_SUPPORTED_PROTOCOLS + NDPI_MAX_NUM_CUSTOM_PROTOCOLS)
return(0);
- switch (protoId) {
+ switch(protoId) {
/* All dissectors that have calls to ndpi_match_host_subprotocol() */
case NDPI_PROTOCOL_DNS:
return(1);
@@ -588,7 +588,7 @@ static void init_string_based_protocols(struct ndpi_detection_module_struct *ndp
int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_str, ndpi_detection_preference pref,
int value) {
- switch (pref) {
+ switch(pref) {
case ndpi_pref_direction_detect_disable:
ndpi_str->direction_detect_disable = (u_int8_t) value;
break;
@@ -2028,7 +2028,7 @@ void ndpi_finalize_initalization(struct ndpi_detection_module_struct *ndpi_str)
for (i = 0; i < 4; i++) {
ndpi_automa *automa;
- switch (i) {
+ switch(i) {
case 0:
automa = &ndpi_str->host_automa;
break;
@@ -2376,7 +2376,7 @@ static ndpi_default_ports_tree_node_t *ndpi_get_guessed_protocol_id(struct ndpi_
as they have been excluded
*/
u_int8_t is_udp_guessable_protocol(u_int16_t l7_guessed_proto) {
- switch (l7_guessed_proto) {
+ switch(l7_guessed_proto) {
case NDPI_PROTOCOL_QUIC:
case NDPI_PROTOCOL_SNMP:
case NDPI_PROTOCOL_NETFLOW:
@@ -2412,7 +2412,7 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str,
} else {
/* No TCP/UDP */
- switch (proto) {
+ switch(proto) {
case NDPI_IPSEC_PROTOCOL_ESP:
case NDPI_IPSEC_PROTOCOL_AH:
return(NDPI_PROTOCOL_IP_IPSEC);
@@ -2421,7 +2421,7 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str,
return(NDPI_PROTOCOL_IP_GRE);
break;
case NDPI_ICMP_PROTOCOL_TYPE:
- {
+ if(flow) {
/* Run some basic consistency tests */
if(flow->packet.payload_packet_len < sizeof(struct ndpi_icmphdr))
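Review bot: The new `if(flow)` guard in the NDPI_ICMP_PROTOCOL_TYPE case silently skips the consistency tests when `flow` is NULL, and nothing here says when a NULL flow is legitimate or which value the case then returns. The rest of the case lies outside the hunk, so the fall-out path cannot be confirmed from here. A one-line comment on the guard, for example `/* flow may be NULL: the payload sanity checks are then skipped */`, would document the intent; the same applies to the NDPI_ICMPV6_PROTOCOL_TYPE case in the next hunk. The ICMPv6 branch also compares against `sizeof(struct ndpi_icmphdr)`, so it is worth confirming that the ICMPv4 header size is the intended bound there.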
@@ -2454,7 +2454,7 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str,
return(NDPI_PROTOCOL_IP_IP_IN_IP);
break;
case NDPI_ICMPV6_PROTOCOL_TYPE:
- {
+ if(flow) {
/* Run some basic consistency tests */
if(flow->packet.payload_packet_len < sizeof(struct ndpi_icmphdr))
@@ -2518,7 +2518,7 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_str, char *rule,
at[0] = 0, proto = &at[1];
for (i = 0; proto[i] != '\0'; i++) {
- switch (proto[i]) {
+ switch(proto[i]) {
case '/':
case '&':
case '^':
@@ -5711,7 +5711,7 @@ char *ndpi_protocol2name(struct ndpi_detection_module_struct *ndpi_str,
/* ****************************************************** */
int ndpi_is_custom_category(ndpi_protocol_category_t category) {
- switch (category) {
+ switch(category) {
case NDPI_PROTOCOL_CATEGORY_CUSTOM_1:
case NDPI_PROTOCOL_CATEGORY_CUSTOM_2:
case NDPI_PROTOCOL_CATEGORY_CUSTOM_3:
@@ -5734,7 +5734,7 @@ void ndpi_category_set_name(struct ndpi_detection_module_struct *ndpi_str,
if(!name)
return;
- switch (category) {
+ switch(category) {
case NDPI_PROTOCOL_CATEGORY_CUSTOM_1:
snprintf(ndpi_str->custom_category_labels[0], CUSTOM_CATEGORY_LABEL_LEN, "%s", name);
break;
@@ -5775,7 +5775,7 @@ const char *ndpi_category_get_name(struct ndpi_detection_module_struct *ndpi_str
}
if((category >= NDPI_PROTOCOL_CATEGORY_CUSTOM_1) && (category <= NDPI_PROTOCOL_CATEGORY_CUSTOM_5)) {
- switch (category) {
+ switch(category) {
case NDPI_PROTOCOL_CATEGORY_CUSTOM_1:
return(ndpi_str->custom_category_labels[0]);
case NDPI_PROTOCOL_CATEGORY_CUSTOM_2:
@@ -5841,7 +5841,7 @@ ndpi_protocol_breed_t ndpi_get_proto_breed(struct ndpi_detection_module_struct *
char *ndpi_get_proto_breed_name(struct ndpi_detection_module_struct *ndpi_str,
ndpi_protocol_breed_t breed_id) {
- switch (breed_id) {
+ switch(breed_id) {
case NDPI_PROTOCOL_SAFE:
return("Safe");
break;
@@ -6009,7 +6009,7 @@ static u_int8_t ndpi_is_more_generic_protocol(u_int16_t previous_proto, u_int16_
if((previous_proto == NDPI_PROTOCOL_UNKNOWN) || (previous_proto == new_proto))
return(0);
- switch (previous_proto) {
+ switch(previous_proto) {
case NDPI_PROTOCOL_WHATSAPP_CALL:
case NDPI_PROTOCOL_WHATSAPP_FILES:
if(new_proto == NDPI_PROTOCOL_WHATSAPP)
@@ -6353,7 +6353,7 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp
proto);
#endif
- switch (proto) {
+ switch(proto) {
case NDPI_PROTOCOL_TLS:
if(!flow->l4.tcp.tls.certificate_processed)
return(1); /* TODO: add check for TLS 1.3 */
@@ -6394,7 +6394,7 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp
/* ******************************************************************** */
const char *ndpi_get_l4_proto_name(ndpi_l4_proto_info proto) {
- switch (proto) {
+ switch(proto) {
case ndpi_l4_proto_unknown:
return("");
break;
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 007931e19..830232554 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1298,7 +1298,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
e_sni_len = ntohs(*((u_int16_t*)&packet->payload[e_offset]));
e_offset += 2;
- if((e_offset+e_sni_len-extension_len-initial_offset) >= 0) {
+ if((e_offset+e_sni_len-extension_len-initial_offset) >= 0 &&
+ e_offset+e_sni_len < packet->payload_packet_len) {
#ifdef DEBUG_ENCRYPTED_SNI
printf("Client SSL [Encrypted Server Name len: %u]\n", e_sni_len);
#endif
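Review bot: The added `e_offset+e_sni_len < packet->payload_packet_len` test bounds the SNI bytes, but the two-byte length itself is read from `packet->payload[e_offset]` two lines earlier, before any check visible in this hunk. Unless a line outside the hunk already guarantees it, that read needs its own bound of the form `e_offset + 2 <= packet->payload_packet_len`. The older `>= 0` half of the condition is always true if any operand is an unsigned int, so it may not filter anything; the operand types are declared outside the hunk. processClientServerHello starts and ends outside the hunk.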