Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h3
-rw-r--r--src/lib/Makefile.in13
-rw-r--r--src/lib/ndpi_main.c75
3 files changed, 52 insertions, 39 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 8a2aec2c5..c4df5b030 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1005,7 +1005,6 @@ struct ndpi_flow_struct {
/* init parameter, internal used to set up timestamp,... */
u_int16_t guessed_protocol_id, guessed_host_protocol_id, guessed_category;
-
u_int8_t protocol_id_already_guessed:1, host_already_guessed:1, init_finished:1, setup_packet_direction:1, packet_direction:1, check_extra_packets:1;
/*
@@ -1016,6 +1015,8 @@ struct ndpi_flow_struct {
u_int8_t max_extra_packets_to_check;
u_int8_t num_extra_packets_checked;
+ u_int8_t num_processed_pkts; /* <= WARNING it can wrap but we do expect people to giveup earlier */
+
int (*extra_packets_func) (struct ndpi_detection_module_struct *, struct ndpi_flow_struct *flow);
/*
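Review bot: An 8-bit `num_processed_pkts` returns to 1 on the 257th packet, and its visible consumer, the `flow->num_processed_pkts == 1` test added to ndpi_detection_process_packet in ndpi_main.c, treats that value as "first packet of the flow". A long-lived TCP flow that is still unclassified would then take the give-up branch on an arbitrary mid-stream packet. Saturating the counter at its increment site removes the ambiguity without growing the struct: `if(flow->num_processed_pkts < 0xFF) flow->num_processed_pkts++;`, and the field comment can then read `/* saturates at 255 */`. The struct definition continues outside this hunk.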
diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in
index 1bbc4095e..a0ac4a574 100644
--- a/src/lib/Makefile.in
+++ b/src/lib/Makefile.in
@@ -6,15 +6,16 @@
# make Makefile
#
+
#
# Installation directories
#
prefix = /usr/local
libdir = ${prefix}/lib
includedir = ${prefix}/include/ndpi
-
-CFLAGS += -fPIC -DPIC -I../include -Ithird_party/include -DNDPI_LIB_COMPILATION -g
-RANLIB = ranlib
+CC = @CC@
+CFLAGS += -fPIC -DPIC -I../include -Ithird_party/include -DNDPI_LIB_COMPILATION -g
+RANLIB = ranlib
OBJECTS = $(patsubst protocols/%.c, protocols/%.o, $(wildcard protocols/*.c)) $(patsubst third_party/src/%.c, third_party/src/%.o, $(wildcard third_party/src/*.c)) ndpi_main.o
HEADERS = $(wildcard ../include/*.h)
@@ -23,6 +24,10 @@ NDPI_LIB_SHARED_BASE = libndpi.so
NDPI_LIB_SHARED = $(NDPI_LIB_SHARED_BASE).@NDPI_VERSION_SHORT@
NDPI_LIBS = $(NDPI_LIB_STATIC) $(NDPI_LIB_SHARED)
+ifeq ($(OS),Darwin)
+CC=clang
+endif
+
all: $(NDPI_LIBS)
ndpi_main.c: ndpi_content_match.c.inc
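Review bot: `ifeq ($(OS),Darwin)` depends on an `OS` variable that nothing visible in this Makefile assigns. GNU make does not define it itself, so unless it is set elsewhere (for example from `uname -s`) or exported in the environment, the branch is probably never taken. When it is taken, it silently discards the compiler that configure substituted through `CC = @CC@`, so a build requested with a specific compiler ends up using `clang` without any message. If clang is required on macOS, selecting it in configure keeps a single source of truth for `CC`.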
@@ -32,7 +37,7 @@ $(NDPI_LIB_STATIC): $(OBJECTS)
$(RANLIB) $@
$(NDPI_LIB_SHARED): $(OBJECTS)
- gcc -shared -fPIC -o $@ $(OBJECTS)
+ $(CC) -shared -fPIC -o $@ $(OBJECTS)
ln -Fs $(NDPI_LIB_SHARED) $(NDPI_LIB_SHARED_BASE)
%.o: %.c $(HEADERS) Makefile
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index b8e22abe6..557c5b455 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -3505,7 +3505,7 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str
if(flow->packet.l4_packet_len >=flow->packet.tcp->doff * 4) {
flow->packet.payload_packet_len =
flow->packet.l4_packet_len -flow->packet.tcp->doff * 4;
- flow->packet.actual_payload_len =flow->packet.payload_packet_len;
+ flow->packet.actual_payload_len = flow->packet.payload_packet_len;
flow->packet.payload = ((u_int8_t *)flow->packet.tcp) + (flow->packet.tcp->doff * 4);
/* check for new tcp syn packets, here
@@ -3515,15 +3515,17 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str
&& flow->packet.tcp->ack == 0
&& flow->init_finished != 0
&& flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
- if(flow->http.url)
- ndpi_free(flow->http.url);
- if(flow->http.content_type)
- ndpi_free(flow->http.content_type);
- memset(flow, 0, sizeof(*(flow)));
+ u_int8_t backup;
+
+ if(flow->http.url) ndpi_free(flow->http.url);
+ if(flow->http.content_type) ndpi_free(flow->http.content_type);
+ backup = flow->num_processed_pkts;
+ memset(flow, 0, sizeof(*(flow)));
+ flow->num_processed_pkts = backup;
+
NDPI_LOG_DBG(ndpi_struct,
"tcp syn packet for unknown protocol, reset detection state\n");
-
}
} else {
/* tcp header not complete */
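Review bot: The save and restore of `num_processed_pkts` around the `memset` has no comment, although it is the one field deliberately exempted from the SYN-triggered reset. The reason should be recorded next to `backup = flow->num_processed_pkts;`, for example `/* keep the packet count across the reset: process_packet uses it to recognise the first packet of a flow */`; adjust the wording if the intent is different. ndpi_init_packet_header starts and ends outside this hunk.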
@@ -3536,6 +3538,7 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str
} else {
flow->packet.generic_l4_ptr = l4ptr;
}
+
return 0;
}
@@ -3826,7 +3829,6 @@ void check_ndpi_tcp_flow_func(struct ndpi_detection_module_struct *ndpi_struct,
}
}
-
/* ********************************************************************************* */
void ndpi_check_flow_func(struct ndpi_detection_module_struct *ndpi_struct,
@@ -3921,6 +3923,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
}
ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0];
+ ndpi_fill_protocol_category(ndpi_struct, flow, &ret);
return(ret);
}
@@ -4225,6 +4228,8 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
u_int32_t a;
ndpi_protocol ret = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED };
+ flow->num_processed_pkts++;
+
if(ndpi_struct->ndpi_log_level >= NDPI_LOG_TRACE)
NDPI_LOG(flow ? flow->detected_protocol_stack[0]:NDPI_PROTOCOL_UNKNOWN,
ndpi_struct, NDPI_LOG_TRACE, "START packet processing\n");
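Review bot: `flow->num_processed_pkts++` dereferences `flow` unconditionally, while the trace call directly below still guards with `flow ? flow->detected_protocol_stack[0] : NDPI_PROTOCOL_UNKNOWN`, which implies callers may pass NULL. If that is the case, the increment turns a tolerated NULL into a crash on the packet-processing path. Either move the increment below the function's NULL check (not visible in this hunk) or guard it: `if(flow) flow->num_processed_pkts++;`. The function body continues outside the hunk.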
@@ -4253,7 +4258,6 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
return(ret);
/* detect traffic for tcp or udp only */
-
flow->src = src, flow->dst = dst;
ndpi_connection_tracking(ndpi_struct, flow);
@@ -4356,6 +4360,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
ndpi_check_flow_func(ndpi_struct, flow, &ndpi_selection_packet);
ndpi_fill_protocol_category(ndpi_struct, flow, &ret);
+
return(ret);
}
@@ -4384,6 +4389,24 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
ret.app_protocol = flow->detected_protocol_stack[0];
ndpi_fill_protocol_category(ndpi_struct, flow, &ret);
+
+ if((flow->num_processed_pkts == 1)
+ && (ret.master_protocol == NDPI_PROTOCOL_UNKNOWN)
+ && (ret.app_protocol == NDPI_PROTOCOL_UNKNOWN)
+ && flow->packet.tcp
+ && (flow->packet.tcp->syn == 0)
+ ) {
+ /*
+ This is a TCP flow
+ - whose first packet is NOT a SYN
+ - no protocol has been detected
+
+ We don't see how future packets can match anything
+ hence we giveup here
+ */
+ ret = ndpi_detection_giveup(ndpi_struct, flow);
+ }
+
return(ret);
}
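Review bot: The new branch gives up on every TCP flow whose first observed packet lacks SYN, which also covers connections that were already established when capture started or whose handshake was dropped or sampled away. Payload dissectors may still be able to match later packets of such flows, so the comment's premise ("We don't see how future packets can match anything") does not hold in general, and the effect is reduced classification coverage for long-lived sessions. Whether later packets are still inspected after this give-up is not visible here. Consider gating the shortcut behind a detection-module setting, or at least state the trade-off in the comment, e.g. `/* mid-stream flows are given up on purpose; the result comes from ndpi_detection_giveup() */`. The enclosing function starts outside the hunk.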
@@ -4602,7 +4625,6 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_struc
strncpy((char*)flow->http.response_status_code, (char*)packet->http_response.ptr, 3);
flow->http.response_status_code[4]='\0';
-
NDPI_LOG_DBG2(ndpi_struct,
"ndpi_parse_packet_line_info: HTTP response parsed: \"%.*s\"\n",
packet->http_response.len, packet->http_response.ptr);
@@ -5034,27 +5056,6 @@ void ndpi_int_change_category(struct ndpi_detection_module_struct *ndpi_struct,
/* ********************************************************************************* */
-/* change protocol only if guessing is active */
-/* void ndpi_guess_change_protocol(struct ndpi_detection_module_struct *ndpi_struct, */
-/* struct ndpi_flow_struct *flow) */
-/* { */
-/* if(flow->guessed_host_protocol_id != 0 && */
-/* flow->guessed_protocol_id != 0) { */
-/* /\* app proto for flow *\/ */
-/* flow->detected_protocol_stack[0] = flow->guessed_host_protocol_id; */
-/* /\* master proto for flow *\/ */
-/* flow->detected_protocol_stack[1] = flow->guessed_protocol_id; */
-
-/* /\* app proto for packet *\/ */
-/* flow->packet.detected_protocol_stack[0] = flow->guessed_host_protocol_id; */
-/* /\* master proto for packet *\/ */
-/* flow->packet.detected_protocol_stack[1] = flow->guessed_protocol_id; */
-
-/* } */
-/* } */
-
-/* ********************************************************************************* */
-
/* turns a packet back to unknown */
void ndpi_int_reset_packet_protocol(struct ndpi_packet_struct *packet) {
int a;
@@ -5286,11 +5287,13 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct
if(rc != NDPI_PROTOCOL_UNKNOWN) {
ret.app_protocol = rc,
- ret.master_protocol = ndpi_guess_protocol_id(ndpi_struct, proto, sport, dport, &user_defined_proto);
+ ret.master_protocol = ndpi_guess_protocol_id(ndpi_struct, proto, sport,
+ dport, &user_defined_proto);
if(ret.app_protocol == ret.master_protocol)
ret.master_protocol = NDPI_PROTOCOL_UNKNOWN;
+ ret.category = ndpi_get_proto_category(ndpi_struct, ret);
return(ret);
}
@@ -5300,8 +5303,10 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct
if(rc == NDPI_PROTOCOL_SSL)
goto check_guessed_skype;
- else
+ else {
+ ret.category = ndpi_get_proto_category(ndpi_struct, ret);
return(ret);
+ }
}
check_guessed_skype:
@@ -5314,8 +5319,10 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct
ret.app_protocol = NDPI_PROTOCOL_SKYPE;
}
} else
- ret.app_protocol = ndpi_guess_protocol_id(ndpi_struct, proto, sport, dport, &user_defined_proto);
+ ret.app_protocol = ndpi_guess_protocol_id(ndpi_struct, proto, sport,
+ dport, &user_defined_proto);
+ ret.category = ndpi_get_proto_category(ndpi_struct, ret);
return(ret);
}