aboutsummaryrefslogtreecommitdiff
path: root/example/ndpiReader.c
Commit message (Collapse)AuthorAge
* Compilation fixLuca Deri2021-04-27
|
* Updated code due to https://github.com/ntop/nDPI/pull/1175Luca Deri2021-04-27
|
* Added flow risk to wireshark dissectionLuca Deri2021-04-26
|
* Fix some warnings about unused variables/functions (#1160)Ivan Nardi2021-04-05
|
* Trace fixLuca Deri2021-04-02
|
* Fixed incapoatibilities with the latest extcap/wiresharkLuca Deri2021-04-01
|
* Fixed invalid guess statsLuca Deri2021-03-30
|
* ndpiReader: print an error msg if we found an unsupported datalink type (#1157)Ivan Nardi2021-03-23
|
* Refactored nDPI subprotocol handling and aimini protocol detection. (#1156)Toni2021-03-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Refactored and merged callback buffer routines for non-udp-tcp / udp / tcp / tcp-wo-payload. Signed-off-by: Toni Uhlig <matzeton@googlemail.com> * Try to detect one subprotocol if a detected protocol can have one. * This adds a performance overhead due to much more protocol detection routine calls. See #1148 for more information. Signed-off-by: Toni Uhlig <matzeton@googlemail.com> * Refactor subprotocol handling (1/2). Signed-off-by: Toni Uhlig <matzeton@googlemail.com> * Refactor subprotocol handling (2/2). Signed-off-by: Toni Uhlig <matzeton@googlemail.com> * Prevent some code duplication by using macros for ndpi_int_one_line_struct string comparision. Signed-off-by: Toni Uhlig <matzeton@googlemail.com> * Refactored aimini HTTP detection parts (somehow related to #1148). Signed-off-by: Toni Uhlig <matzeton@googlemail.com> * Added aimini client/server test pcap. Signed-off-by: Toni Uhlig <matzeton@googlemail.com> * Removed master protocol as it was only used for STUN and via also removed API function ndpi_get_protocol_id_master_proto * Adjusted Python code to conform to the changes made during the refactoring process. Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Better DGA detection (slightly decreased accuracy)Luca Deri2021-03-20
|
* Added % of flows with risksLuca Deri2021-03-14
|
* Added in stats the number of flows with risksLuca Deri2021-03-14
|
* Added flows risks reportLuca Deri2021-03-14
|
* Reworked extendal dependency across testing toolsLuca Deri2021-03-14
|
* Help crash fixLuca Deri2021-03-14
|
* Implemented square erro rollup to avoid overflowLuca Deri2021-03-14
|
* Added double exponential smoothing implementationLuca2021-03-11
|
* Added single exponential smoothing APILuca Deri2021-03-11
| | | | | int ndpi_ses_init(struct ndpi_ses_struct *ses, double alpha, float significance); int ndpi_ses_add_value(struct ndpi_ses_struct *ses, const u_int32_t _value, double *forecast, double *confidence_band);
* Added experiemntal JA3+ implementation that can be used with -z i ndpiReaderLuca Deri2021-03-09
|
* Add support for Snapchat voip calls (#1147)Ivan Nardi2021-03-06
| | | | | | | | | * Add support for Snapchat voip calls Snapchat multiplexes some of its audio/video real time traffic with QUIC sessions. The peculiarity of these sessions is that they are Q046 and don't have any SNI. * Fix tests with libgcrypt disabled
* Improved DGA detectionLuca Deri2021-03-03
| | | | | | | | Before Accuracy 66%, Precision 86%, Recall 38% After Accuracy 71%, Precision 89%, Recall 49%
* Improved DGA detection with trigrams. Disadvantage: slower startup timeLuca Deri2021-03-03
| | | | | Reworked Tor dissector embedded in TLS (fixes #1141) Removed false positive on HTTP User-Agent
* Holt-Winters calculation improvementLuca Deri2021-02-27
|
* Added NDPI_MALICIOUS_SHA1 flow risk. (#1142)Toni2021-02-26
| | | | | | * An external file which contains known malicious SSL certificate SHA-1 hashes can be loaded via ndpi_load_malicious_sha1_file(...) Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added NDPI_MALICIOUS_JA3 flow riskLuca Deri2021-02-22
| | | | Added ndpi_load_malicious_ja3_file() API call
* Implemented TLS Certificate Sibject matchingLuca Deri2021-02-22
| | | | Improved AnyDesk detection
* Added risky domain flow-risk supportLuca Deri2021-02-21
|
* Fix small memory leak (#1133)Ivan Nardi2021-02-10
| | | Now function definition matches the prototype in ndpi_api.h.in
* Extended the API to calculate jitterLuca Deri2021-02-09
| | | | | | - ndpi_jitter_init() - ndpi_jitter_free() - ndpi_jitter_add_value()
* Removed debug statementLuca Deri2021-02-09
|
* Added timeseries forecasting support implementing Holt-Winters with ↵Luca Deri2021-02-08
| | | | | | | | | confidence interval New API calls added - ndpi_hw_init() - ndpi_hw_add_value() - ndpi_hw_free()
* Implemented more efficient and memory savvy RSILuca Deri2021-02-05
|
* RSI enhancementsLuca Deri2021-02-05
|
* Implemented API for computing RSI (Relative Strenght Index)Luca Deri2021-02-04
| | | | | | void ndpi_init_rsi(struct ndpi_rsi_struct *s, u_int16_t num_learning_values); void ndpi_free_rsi(struct ndpi_rsi_struct *s); float ndpi_rsi_add_value(struct ndpi_rsi_struct *s, const u_int32_t value);
* Added simple hash implementation to the nDPI APILuca Deri2021-01-20
|
* Code cleanup: third party uthash is at the right placeLuca Deri2021-01-20
|
* (C) UpdateLuca Deri2021-01-07
|
* Split HTTP request from response Content-Type. Request Content-Type should ↵Luca Deri2021-01-06
| | | | be present with POSTs and not with other methods such as GET
* Fix some warnings when compiling with "-W -Wall" flags (#1103)Ivan Nardi2021-01-04
|
* Added --ignore-vlanid / -I to exclude VLAN ids for flow hash calculation. ↵Toni2020-12-11
| | | | | #1073 (#1085) Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* nDPI rules (work in progress) implementationLuca Deri2020-11-30
|
* Moved global in reader_util.cLuca Deri2020-10-27
|
* Added -D flag for detecting DoH in the wildLuca Deri2020-10-26
| | | | Removed heuristic from CiscoVPN as it leads to false positives
* Added -x for checking patternsLuca Deri2020-10-22
|
* Add unit tests to travis. Move ndpi serializer tests to unit tests.Alfredo Cardigliano2020-09-21
|
* Merge pull request #1012 from IvanNardi/uaLuca Deri2020-09-17
|\ | | | | QUIC: extract User Agent information
| * http: create a common function to parse User Agent fieldNardi Ivan2020-09-08
| | | | | | | | Prepare the code to handle UA information from flows other than HTTP
* | Added extension to detect nested subdomains as used in Browsertunnel attack toolLuca Deri2020-09-09
|/ | | | https://github.com/veggiedefender/browsertunnel
* Fixed invalid memory access leading to a SIGSEGV in ndpiReader's option parser.Toni Uhlig2020-08-28
| | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Add (optional) dependency on external libraries: libgcrypt and libgpg-errorNardi Ivan2020-08-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To support QUIC payload and header decryption, it is necessary to choose an external crypto library to handle the low-level crypto stuff. Since we will use some Wireshark code, it is quite natural to choose the same library used by Wireshark itself: libgcrypt. More precisely, we will use libgcrypt and libgpg-error. Both libraries have LGPL license, so there should be no issue from this point of view. These libraries are not required to build nDPI, and their usage is optional: nDPI will keep working (and compiling) even if they are not available. However, without them, QUIC sub-classification is next to impossible. The configure flag "--disable-gcrypt" forces the build system to ignore these libraries. libgpg-error is only used for debug to have meaningful error messages and its usage is trivial. The same cannot be said for libgcrypt because its initialization is a significant issue. The rest of this commit message try explaining how libgcrypt is initialized. According to the documentation https://gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html https://gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html#Multi_002dThreading libgcrypt must be initialized before using it, but such initialization should be performed by the actual application and not by any library. Forcing the users to proper initialize libgcrypt in their own code seems unreasonable: most people using nDPI might be complete unaware of any crypto stuff and update each and every one application linking to nDPI with specific libgcrypt code should be out of question, anyway. Fortunately, it seems a workaround exists to initialize libgcrypt in a library https://lists.gnupg.org/pipermail/gcrypt-devel/2003-August/000458.html Therefore, we could provide a wrapper to this initialization stuff in a nDPI function. Unfortunately nDPI API lacks a global init function that must be called only once, before any other functions. We could add it, but that would be a major API break. AFAIK, ndpi_init_detection_module() might be called multiple times, for example to create multiple independent dpi engines in the same program. The proposed solution is to (optionally) initialize libgcrypt in ndpi_init_detection_module() anyway: * if the actual application doesn't directly use libgcrypt and only calls ndpi_init_detection_module() once, everything is formally correct and it should work out of the box [by far the most common user case]; * if the actual application already uses libgcrypt directly, it already performs the required initialization. In this case the ndpi_prefs.ndpi_dont_init_libgcrypt flag should be passed to ndpi_init_detection_module() to avoid further initializations. The only scenario not supported by this solution is when the application is unaware of libgcrypt and calls ndpi_init_detection_module() multiple times concurrently. But this scenario should be uncommon. A completely different option should be to switch to another crypto library, with a huge impact on the QUIC dissector code. Bottom line: crypto is hard, using libgcrypt is complex and the proposed initialization, even if not perfect, should cover the most frequent user cases and should work, for the time being. If anyone has some suggestions...