| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Looking at `struct ndpi_flow_struct` the two bigger fields are
`host_server_name[240]` (mainly for HTTP hostnames and DNS domains) and
`protos.tls_quic.client_requested_server_name[256]`
(for TLS/QUIC SNIs).
This commit aims to reduce `struct ndpi_flow_struct` size, according to
two simple observations:
1) maximum one of these two fields is used for each flow. So it seems safe
to merge them;
2) even if hostnames/SNIs might be very long, in practice they are rarely
longer than a fews tens of bytes. So, using a (single) large buffer is a
waste of memory for all kinds of flows. If we need to truncate the name,
we keep the *last* characters, easing domain matching.
Analyzing some real traffic, it seems safe to assume that the vast
majority of hostnames/SNIs is shorter than 80 bytes.
Hostnames/SNIs are always converted to lowercase.
Attention was given so as to be sure that unit-tests outputs are not
affected by this change.
Because of a bug, TLS/QUIC SNI were always truncated to 64 bytes (the
*first* 64 ones): as a consequence, there were some "Suspicious DGA
domain name" and "TLS Certificate Mismatch" false positives.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We can write to `flow->protos` only after a proper classification.
This issue has been found in Kerberos, DHCP, HTTP, STUN, IMO, FTP,
SMTP, IMAP and POP code.
There are two kinds of fixes:
* write to `flow->protos` only if a final protocol has been detected
* move protocol state out of `flow->protos`
The hard part is to find, for each protocol, the right tradeoff between
memory usage and code complexity.
Handle Kerberos like DNS: if we find a request, we set the protocol
and an extra callback to further parsing the reply.
For all the other protocols, move the state out of `flow->protos`. This
is an issue only for the FTP/MAIL stuff.
Add DHCP Class Identification value to the output of ndpiReader and to
the Jason serialization.
Extend code coverage of fuzz tests.
Close #1343
Close #1342
|
| |
|
|
| |
Fields 'tls.hello_processed` and `tls.subprotocol_detected` are used by
QUIC (i.e UDP...), too.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* Added ARM build and unit test run for SonarCloud-CI.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Fixed Mingw64 build.
* adapted to SonarCloud-CI workflow
* removed broken and incomplete Windows example (tested on VS2017/VS2019)
* removed unnecessary include (e.g. pthread.h for the library which does not make use of it)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
| |
* fixed [h]euristic typo
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
|
| |
|
|
| |
Improved AnyDesk detection
|
| | |
|
| |\
| |
| | |
Replaced obsolete libpcap pcap_lookupdev with pcap_findalldevs.
|
| | |
| |
| |
| | |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
| |
| |
| |
| |
| | |
requires lesser-or-equal condition for max_extra_packets_to_check
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |/
|
|
|
|
| |
Fixes build error introduced with 23c072153.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
|
|
|
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|