Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_typedefs.h | 12 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 41 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 7 |
3 files changed, 31 insertions, 29 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index fe32bfd97..b55224be2 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1198,7 +1198,7 @@ struct ndpi_flow_struct { /* init parameter, internal used to set up timestamp,... */ u_int16_t guessed_protocol_id, guessed_host_protocol_id, guessed_category, guessed_header_category; u_int8_t l4_proto, protocol_id_already_guessed:1, host_already_guessed:1, fail_with_unknown:1, - init_finished:1, setup_packet_direction:1, packet_direction:1, check_extra_packets:1; + init_finished:1, setup_packet_direction:1, packet_direction:1, check_extra_packets:1, is_ipv6:1; /* if ndpi_struct->direction_detect_disable == 1 @@ -1206,6 +1206,11 @@ struct ndpi_flow_struct { */ u_int32_t next_tcp_seq_nr[2]; + /* Flow addresses (used mainly for LRU lookups in ndpi_detection_giveup()) + * TODO: ipv6. Note that LRU is ipv4 only, for the time being */ + u_int32_t saddr; + u_int32_t daddr; + // ----------------------------------------- u_int8_t max_extra_packets_to_check; @@ -1214,6 +1219,8 @@ struct ndpi_flow_struct { int (*extra_packets_func) (struct ndpi_detection_module_struct *, struct ndpi_flow_struct *flow); + u_int64_t last_packet_time_ms; + /* the tcp / udp / other l4 value union used to reduce the number of bytes for tcp or udp protocol states @@ -1415,9 +1422,6 @@ struct ndpi_flow_struct { u_int8_t ovpn_session_id[8]; u_int8_t ovpn_counter; - /* Flow key used to search a match into the mining cache */ - u_int32_t key_mining_cache; - /* NDPI_PROTOCOL_TINC */ u_int8_t tinc_state; struct tinc_cache_entry tinc_cache_entry; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index f2b6aa334..03bdccc7a 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
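Review bot: The comment on the new `saddr`/`daddr` fields in the `@@ -1206` hunk calls them "Flow addresses", but the assignment added to ndpi_connection_tracking() in this commit rewrites them from each IPv4 packet it tracks, so they hold the source/destination of the most recently tracked packet rather than the flow initiator, and they stay zero for IPv6 flows and for a flow that has not been tracked yet. Readers of ndpi_detection_giveup() and ndpi_handle_risk_exceptions(), which now key on these fields, need that to know which direction they are looking at. Suggested wording: `/* Addresses of the LAST IPv4 packet tracked on this flow (overwritten by ndpi_connection_tracking(); zero for IPv6 / untracked flows). Used for LRU lookups in ndpi_detection_giveup(). TODO: ipv6 - LRU is IPv4 only for now */`. `last_packet_time_ms` in the `@@ -1214` hunk deserves the same "last tracked packet" note. struct ndpi_flow_struct begins and ends outside these hunks.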
@@ -4508,6 +4508,13 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str, packet->packet_direction = 1; } + flow->is_ipv6 = (packet->iphv6 != NULL); + if(flow->is_ipv6 == 0) { + flow->saddr = packet->iph->saddr; + flow->daddr = packet->iph->daddr; + } + flow->last_packet_time_ms = packet->current_time_ms; + packet->packet_lines_parsed_complete = 0; if(flow->init_finished == 0) { @@ -4793,7 +4800,7 @@ u_int16_t ndpi_guess_host_protocol_id(struct ndpi_detection_module_struct *ndpi_ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, ndpi_protocol *ret) { - struct ndpi_packet_struct *packet = &ndpi_str->packet; + /* This function can NOT access &ndpi_str->packet since it is called also from ndpi_detection_giveup() */ #if 0 if(flow) { @@ -4812,7 +4819,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s (MS Teams uses Skype as transport protocol for voice/video) */ case NDPI_PROTOCOL_MSTEAMS: - if(packet->iph && packet->tcp) { + if(flow->is_ipv6 == 0 && flow->l4_proto == IPPROTO_TCP) { // printf("====>> NDPI_PROTOCOL_MSTEAMS\n"); if(ndpi_str->msteams_cache == NULL) 
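Review bot: In the `@@ -4508` hunk `packet->iph` is dereferenced whenever `packet->iphv6` is NULL, without checking that `packet->iph` itself is non-NULL; if every caller already guarantees one of the two headers is set this is harmless, but that guarantee is not visible here and the direction logic just above the added lines is outside the hunk. A defensive guard keeps the fields at their previous value instead of faulting: `if(flow->is_ipv6 == 0 && packet->iph != NULL) {`. Because the assignment runs on every tracked packet, `flow->saddr` is the source of the last packet, so the MSTEAMS cache entry added in the `@@ -4812` hunk is keyed on whichever side sent most recently — the same as the old `packet->iph->saddr`, but worth a one-line comment now that the value can also be read later from ndpi_detection_giveup(). ndpi_connection_tracking() and ndpi_reconcile_protocols() both begin and end outside these hunks.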
@@ -4820,21 +4827,21 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s if(ndpi_str->msteams_cache) ndpi_lru_add_to_cache(ndpi_str->msteams_cache, - packet->iph->saddr, - (packet->current_time_ms / 1000) & 0xFFFF /* 16 bit */); + flow->saddr, + (flow->last_packet_time_ms / 1000) & 0xFFFF /* 16 bit */); } break; case NDPI_PROTOCOL_SKYPE_TEAMS: case NDPI_PROTOCOL_SKYPE_CALL: - if(packet->iph - && packet->udp + if(flow->is_ipv6 == 0 + && flow->l4_proto == IPPROTO_UDP && ndpi_str->msteams_cache) { u_int16_t when; - if(ndpi_lru_find_cache(ndpi_str->msteams_cache, packet->iph->saddr, + if(ndpi_lru_find_cache(ndpi_str->msteams_cache, flow->saddr, &when, 0 /* Don't remove it as it can be used for other connections */)) { - u_int16_t tdiff = ((packet->current_time_ms /1000) & 0xFFFF) - when; + u_int16_t tdiff = ((flow->last_packet_time_ms /1000) & 0xFFFF) - when; if(tdiff < 60 /* sec */) { // printf("====>> NDPI_PROTOCOL_SKYPE(_CALL) -> NDPI_PROTOCOL_MSTEAMS [%u]\n", tdiff); @@ -4842,8 +4849,8 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s /* Refresh cache */ ndpi_lru_add_to_cache(ndpi_str->msteams_cache, - packet->iph->saddr, - (packet->current_time_ms / 1000) & 0xFFFF /* 16 bit */); + flow->saddr, + (flow->last_packet_time_ms / 1000) & 0xFFFF /* 16 bit */); } } } @@ -4854,7 +4861,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s break; case NDPI_PROTOCOL_ANYDESK: - if(packet->tcp) /* TCP only */ + if(flow->l4_proto == IPPROTO_TCP) /* TCP only */ ndpi_set_risk(ndpi_str, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */ break; } /* switch */ 
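Review bot: The freshness test in the SKYPE case of the `@@ -4820` hunk, `u_int16_t tdiff = ((flow->last_packet_time_ms /1000) & 0xFFFF) - when;`, keeps only 16 bits of seconds, so the comparison window wraps every 65536 s (about 18.2 h); the lookup never evicts the entry (`0 /* Don't remove it ... */`), so a stale MSTEAMS entry for a source address will look fresh again after each wrap and promote an unrelated Skype flow from that address to MSTEAMS. This is not introduced by the commit, but the line was rewritten here, so it is the place for a comment such as `/* 16-bit seconds: wraps every ~18h, a stale entry can match again after a wrap */`. Whether the LRU's own ageing bounds this depends on ndpi_lru_add_to_cache(), which is outside the hunk. ndpi_reconcile_protocols() starts and ends outside this hunk.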
@@ -4898,10 +4905,10 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st /* TODO: this lookup seems in the wrong place here... Move it somewhere else (?) or setting flow->guessed_protocol_id directly in the mining dissector? */ - if(ndpi_str->mining_cache && flow->key_mining_cache) { + if(ndpi_str->mining_cache && flow->is_ipv6 == 0) { u_int16_t cached_proto; - if(ndpi_lru_find_cache(ndpi_str->mining_cache, flow->key_mining_cache, + if(ndpi_lru_find_cache(ndpi_str->mining_cache, flow->saddr + flow->daddr, &cached_proto, 0 /* Don't remove it as it can be used for other connections */)) { ndpi_set_detected_protocol(ndpi_str, flow, cached_proto, NDPI_PROTOCOL_UNKNOWN); ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; @@ -5439,14 +5446,6 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct /* detect traffic for tcp or udp only */ flow->src = src, flow->dst = dst; - /* If/when calling ndpi_detection_giveup(), if this flow is still un-classified, - we will check if it is some kind of mining stuff. Save now the key, because we don't - have packet information later. - It seems quite hacky: any better way to do that? */ - if(flow->num_processed_pkts == 1 && packet->iph) { - flow->key_mining_cache = packet->iph->saddr + packet->iph->daddr; - } - ndpi_connection_tracking(ndpi_str, flow); /* build ndpi_selection packet bitmask */ diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 652107a19..c8206a066 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c 
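Review bot: In the `@@ -4898` hunk the mining-cache lookup is now gated only on `flow->is_ipv6 == 0`, which is also the zero-initialised state of a flow that never went through ndpi_connection_tracking(), so such a flow queries the cache with key 0 (`flow->saddr + flow->daddr` both still 0) where the removed `flow->key_mining_cache` guard skipped it. Whether giveup can be reached with no tracked packet is not visible here; if it can, a cheap guard is `if(ndpi_str->mining_cache && flow->is_ipv6 == 0 && (flow->saddr | flow->daddr) != 0) {`. Separately, the key is a plain 32-bit sum, so any two address pairs with the same sum modulo 2^32 share a cache slot and an entry recorded for one pair can classify an unrelated flow as mining — a pre-existing weakness the new code keeps, worth a comment until the key is hashed together with the insert side in the mining dissector. The `@@ -5439` hunk is a pure deletion. ndpi_detection_giveup() begins and ends outside the hunk.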
@@ -2110,15 +2110,14 @@ static void ndpi_handle_risk_exceptions(struct ndpi_detection_module_struct *ndp } /* TODO: add IPv6 support */ - struct ndpi_packet_struct *packet = &ndpi_str->packet; if(!flow->ip_risk_mask_evaluated) { - if(packet->iph) { + if(flow->is_ipv6 == 0) { struct in_addr pin; - pin.s_addr = packet->iph->saddr; + pin.s_addr = flow->saddr; flow->risk_mask &= ndpi_host_ip_risk_ptree_match(ndpi_str, &pin); - pin.s_addr = packet->iph->daddr; + pin.s_addr = flow->daddr; flow->risk_mask &= ndpi_host_ip_risk_ptree_match(ndpi_str, &pin); } |