aboutsummaryrefslogtreecommitdiff
path: root/example
Commit message (Collapse)AuthorAge
* bittorrent: add configuration for "hash" metadata (#2706)Ivan Nardi2025-01-31
| | | Fix confidence value for same TCP flows
* HTTP: add configuration for some metadata (#2704)Ivan Nardi2025-01-31
| | | Extend file configuration for just subclassification.
* Create a specific configuration for classification only (#2689)Ivan Nardi2025-01-31
| | | | | | | | | | | | | | | | | | | | | | | | In some scenarios, you might not be interested in flow metadata or flow-risks at all, but you might want only flow (sub-)classification. Examples: you only want to forward the traffic according to the classification or you are only interested in some protocol statistics. Create a new configuration file (for `ndpiReader`, but you can trivially adapt it for the library itself) allowing exactly that. You can use it via: `ndpiReader --conf=example/only_classification.conf ...` Note that this way, the nDPI overhead is lower because it might need less packets per flow: * TLS: nDPI processes only the CH (in most cases) and not also the SH and certificates * DNS: only the request is processed (instead of both request and response) We might extend the same "shortcut-logic" (stop processing the flow immediately when there is a final sub-classification) for others protocols. Add the configuration options to enable/disable the extraction of some TLS metadata.
* fuzz: extend fuzzing coverage (#2696)Ivan Nardi2025-01-23
|
* ndpiReader: add some global statistics about FPC (#2680)Ivan Nardi2025-01-17
| | | Enabled via `--dump-fpc-stats` option
* TLS: remove JA3C (#2679)Ivan Nardi2025-01-14
| | | | | | | | Last step of removing JA3C fingerprint Remove some duplicate tests: testing with ja4c/ja3s disabled is already performed by `disable_metadata_and_flowrisks` configuration. Close:#2551
* Add (kind of) support for loading a list of JA4C malicious fingerprints (#2678)Ivan Nardi2025-01-14
| | | | | | | | | It might be usefull to be able to match traffic against a list of suspicious JA4C fingerprints Use the same code/logic/infrastructure used for JA3C (note that we are going to remove JA3C...) See: #2551
* Fix code scanning alert no. 7: Multiplication result converted to larger ↵Luca Deri2025-01-13
| | | | | type (#2677) Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Fixes https://github.com/ntop/nDPI/issues/2672Luca Deri2025-01-13
|
* Remove JA3C output from ndpiReader (#2667)Ivan Nardi2025-01-12
| | | | | | | | | | | | | Removing JA3C is an big task. Let's start with a simple change having an huge impact on unit tests: remove printing of JA3C information from ndpiReader. This way, when we will delete the actual code, the unit tests diffs should be a lot simpler to look at. Note that the information if the client/server cipher is weak or obsolete is still available via flow risk See: #2551
* ndpiReader: update JA statistics (#2646)Ivan Nardi2025-01-06
| | | | Show JA4C and JA3S information (instead of JA3C and JA3S) See #2551 for context
* QUIC: extract "max idle timeout" parameter (#2649)Ivan Nardi2025-01-06
| | | | | Even if it is only the proposed value by the client (and not the negotiated one), it might be use as hint for timeout by the (external) flows manager
* TLS: remove ESNI support (#2648)Ivan Nardi2025-01-06
| | | | | ESNI has been superseded by ECH for years, now. See: https://blog.cloudflare.com/encrypted-client-hello/ Set the existing flow risk if we still found this extension.
* STUN/RTP: improve metadata extraction (#2641)Ivan Nardi2024-12-11
|
* STUN: fix monitoring (#2639)Ivan Nardi2024-12-06
|
* STUN counter changesLuca Deri2024-11-29
|
* Enhanced STUN statsLuca Deri2024-11-28
|
* Add a configuration file to ndpiReader (#2629)Ivan Nardi2024-11-27
| | | | | | Example: ./example/ndpiReader --conf=./example/calls.conf -i ./tests/pcap/signal_videocall.pcapng -v2 Close #2608
* Update `flow->flow_multimedia_types` to a bitmask (#2625)Ivan Nardi2024-11-25
| | | In the same flow, we can have multiple multimedia types
* Remove unused variableAlfredo Cardigliano2024-11-18
|
* ndpiReader: fix statistic about total number of flows (#2622)Ivan Nardi2024-11-18
| | | | | When capturing live traffic, accounting and export of expired flows is wrong (see #2617). Let's try to fix some statistics, at least
* SIP: extract some basic metadataIvan Nardi2024-11-12
|
* Unify ndpi debug logging to always use a u16 protocol id (#2613)Toni2024-11-11
| | | | | * fixes SonarCloud complaint Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Crash fix when -f is specified with a non-existing pcap file (-i)Luca Deri2024-11-04
|
* Exported is_ndpi_proto definitionLuca Deri2024-11-04
|
* Added HTTP credentials extractionLuca Deri2024-10-31
|
* TLS: export heuristic fingerprint as metadata (#2609)Ivan Nardi2024-10-28
|
* ndpiReader: fix command line options used by wireshark (#2605)Ivan Nardi2024-10-21
|
* ndpiReader: explicitly remove non ipv4/6 packets (#2601)Ivan Nardi2024-10-19
|
* ndpiReader: add some statistics about monitoring (#2602)Ivan Nardi2024-10-19
|
* Improved TCP fingepring calculationLuca Deri2024-10-18
| | | | Adde basidc OS detection based on TCP fingerprint
* Added -L <domain suffix> for loading domain suffixesLuca Deri2024-10-15
| | | | Exported domainanme in JSON file (-K JSON)
* Implemented nDPI TCP fingerprintLuca Deri2024-10-15
|
* Add monitoring capability (#2588)Ivan Nardi2024-10-14
| | | | | | | | | | | | | Allow nDPI to process the entire flows and not only the first N packets. Usefull when the application is interested in some metadata spanning the entire life of the session. As initial step, only STUN flows can be put in monitoring. See `doc/monitoring.md` for further details. This feature is disabled by default. Close #2583
* Added support for printing JA4r when enabledLuca Deri2024-10-11
|
* Fix unit tests on CI on GitHub Actions (#2587)Ivan Nardi2024-10-11
| | | | On CI, tests run in parallel, because of `NDPI_FORCE_PARALLEL_UTESTS` define
* Added -N option for dumping/restoring the DNS cache (when enabled)Luca Deri2024-10-10
| | | | Example ndpiReader -i en0 --cfg=dpi.address_cache_size,32768 -N /tmp/a
* Added new API calls for serializing/restoring the DNS cacheLuca Deri2024-10-10
| | | | | - bool ndpi_address_cache_dump(struct ndpi_address_cache *cache, char *path, u_int32_t epoch_now); - u_int32_t ndpi_address_cache_restore(struct ndpi_address_cache *cache, char *path, u_int32_t epoch_now);
* Test unit fixLuca Deri2024-10-08
|
* Implemented (disabled by default) DNS host cache. You can set the cache size ↵Luca Deri2024-10-07
| | | | | | | | | | as follows: ndpiReader --cfg=dpi.address_cache_size,1000 -i <pcap>.pcap In the above example the cache has up to 1000 entries. In jcase ndpiReader exports data in JSON, the cache hostname (if found) is exported in the field server_hostname
* Exports DNS A/AAAA responses (up to 4 addresses)Luca2024-10-02
| | | | Changed the default to IPv4 (used to be IPv6) in case of DNS error response
* Fix builds on Windows (#2580)Ivan Nardi2024-10-01
| | | | | | | | | | | | | | | | | Quick fix with latest Windows image on GitHub CI, where we got: ``` ndpiReader.c:2860:38: error: '%s' directive output may be truncated writing up to 64 bytes into a region of size 63 [-Werror=format-truncation=] 2860 | snprintf(srcip, sizeof(srcip), "[%s]", flow->src_name); | ^~ ndpiReader.c:2860:5: note: 'snprintf' output between 3 and 67 bytes into a destination of size 64 2860 | snprintf(srcip, sizeof(srcip), "[%s]", flow->src_name); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ndpiReader.c:2861:38: error: '%s' directive output may be truncated writing up to 64 bytes into a region of size 63 [-Werror=format-truncation=] 2861 | snprintf(dstip, sizeof(dstip), "[%s]", flow->dst_name); | ^~ ndpiReader.c:2861:5: note: 'snprintf' output between 3 and 67 bytes into a destination of size 64 2861 | snprintf(dstip, sizeof(dstip), "[%s]", flow->dst_name); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ```
* wireshark: extcap: allow configuration of OpenVPN/TLS heuristics via GUI (#2576)Ivan Nardi2024-09-30
|
* Let the library returning the packet direction calculated internally (#2572)Ivan Nardi2024-09-27
| | | wireshark, lua: add basic analysis of possible obfuscated flows
* Add some heuristics to detect encrypted/obfuscated/proxied TLS flows (#2553)Ivan Nardi2024-09-24
| | | | | | | | | | | | Based on the paper: "Fingerprinting Obfuscated Proxy Traffic with Encapsulated TLS Handshakes". See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting Basic idea: * the packets/bytes distribution of a TLS handshake is quite unique * this fingerprint is still detectable if the handshake is encrypted/proxied/obfuscated All heuristics are disabled by default.
* buffer lenghtt is now returned by ndpi_quick_encrypt() and ndpi_quick_deecrypt()Luca Deri2024-09-24
|
* Added ndpi_quick_encrypt() ndpi_quick_decrypt() APi calls (#2568)Luca Deri2024-09-24
| | | | | * Added ndpi_quick_encrypt() ndpi_quick_decrypt(0 APi calls based on AES * Added aes.c
* Implemented ndpi_strrstr()Luca Deri2024-09-19
| | | | Fixed bug in ndpi_get_host_domain
* domain lists are not loaded when -E is usedLuca2024-09-17
|
* fuzz: try to be a little bit faster (#2559)Ivan Nardi2024-09-17
| | | | | | | Some fuzzers don't really need a real and complete local context. Try to avoid setting it up, creating a simpler fake version with only the features really needed. That is a kind of experiment: if it works, we can extend the same logic to other fuzzers
Powered by cgit, Themed by Ted Yin.