aboutsummaryrefslogtreecommitdiff
path: root/src/include/ndpi_api.h
Commit message (Collapse)AuthorAge
* Faster configuration (#2887)Ivan Nardi2025-06-17
|
* Prelimary work to remove `NDPI_LAST_IMPLEMENTED_PROTOCOL` (#2885)Ivan Nardi2025-06-16
|
* Added missing ndpi_is_custom_category() the ndpi_api.hLuca Deri2025-06-16
| | | | Fixed ndpi_is_custom_category() and ndpi_is_custom_protocol(0 prototypes so that now return a bool
* Rework sanity checks and remove some functions from API (#2882)Ivan Nardi2025-06-12
|
* Simplify `ndpi_internal_detection_process_packet()` (#2877)Ivan Nardi2025-06-10
| | | Simplify process of each packet
* Rename `ndpi_bitmask_dealloc` into `ndpi_bitmask_free`Ivan Nardi2025-06-09
|
* Remove `NDPI_PROTOCOL_BITMASK`; add a new generic bitmask data structure (#2871)Ivan Nardi2025-06-09
| | | | | | | | | | | | | | | | | | | The main difference is that the memory is allocated at runtime Typical usercase: ``` struct ndpi_bitmask b; ndpi_bitmask_alloc(&b, ndpi_get_num_internal_protocols()); ndpi_bitmask_set(&b, $BIT); ndpi_bitmask_is_set(&b, $BIT); [...] ndpi_bitmask_dealloc(&b); ``` See #2136
* Improved HTTP risk reportLuca Deri2025-06-08
| | | | PCRE2 is now enabled (if present) by default as necessary to report some HTTP risks
* Dynamic allocation of `ndpi_struct->proto_defaults[]` (#2866)Ivan Nardi2025-06-06
| | | | | | | | Partial revert of 88bfe2cf0: in the trees we save the index and no more a pointer to `ndpi_struct->proto_defaults[]`. Remove same functions from public API See #2136
* Add ndpi_get_breed_by_name (#2870)Vladimir Gavrilov2025-06-05
|
* First step into a dynamic number of protocols (#2857)Ivan Nardi2025-06-03
| | | | | | | | | | | | | We want to get rid of the defines `NDPI_MAX_SUPPORTED_PROTOCOLS` and `NDPI_MAX_NUM_CUSTOM_PROTOCOLS`. You can use: ``` ndpi_get_num_protocols() ``` See #2136 Removed some unused functions from public API
* New API to enable/disable protocols; remove ↵Ivan Nardi2025-06-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | `ndpi_set_protocol_detection_bitmask2()` (#2853) The main goal is not to have the bitmask depending on the total number of protocols anymore: `NDPI_INTERNAL_PROTOCOL_BITMASK` depends only on internal protocols, i.e. on `NDPI_MAX_INTERNAL_PROTOCOLS`, i.e. custom-defined protocols are not counted. See #2136 Keep the old data structure `NDPI_PROTOCOL_BITMASK` with the old semantic. Since we need to change the API (and all the application code...) anyway, simplify the API: by default all the protocols are enabled. If you need otherwise, please use `ndpi_init_detection_module_ext()` instead of `ndpi_init_detection_module()` (you can find an example in the `ndpiReader` code). To update the application code you likely only need to remove these 3 lines from your code: ``` - NDPI_PROTOCOL_BITMASK all; - NDPI_BITMASK_SET_ALL(all); - ndpi_set_protocol_detection_bitmask2(ndpi_str, &all); ``` Removed an unused field and struct definition.
* Added ndpi_load_protocols_dir() API call for loading IP-based protocol detectionLuca Deri2025-05-28
| | | | Added --protocols-list-dir <dir> to ndpiReader for loading IP_based protocol
* Reworked fingerprint codeLuca Deri2025-05-26
|
* Add ndpi_memcasecmp, refactor mail protocol dissectors (#2849)Vladimir Gavrilov2025-05-24
|
* A new interface for dissectors registration (#2843)Ivan Nardi2025-05-24
| | | | | | | | | | | | | | | | | | | | | We use `registr_dissector()` instead of `ndpi_set_bitmask_protocol_detection()`. Every file in `src/lib/protocols/*.c` is a dissector. Every dissector can handle multiple protocols. The real goal is this small change: ``` struct call_function_struct { - NDPI_PROTOCOL_BITMASK detection_bitmask; ``` i.e. getting rid of another protocol bitmask: this is mandatory to try to fix #2136 (see also e845e8205b68752c997d05224d8b2fd45acde714) As a nice side effect, we remove a bitmask comparison in the hot function `check_ndpi_detection_func()` TODO: change logging configuration from per-protocol to per-dissector
* Added new APi callsLuca Deri2025-05-20
| | | | | | | - ndpi_is_master_only_protocol() - ndpi_normalize_protocol() These two APi calls are used to normalize mater/app nDPI protocols
* Flow: keep track of "dissectors" (#2828)Ivan Nardi2025-05-19
| | | | | | In the flow, we should keep track of state of "dissectors", not "protocols". This way, flow structure doesn't depend anymore on the max number of protocols. This is also the first step into fixing #2136
* OS fingerprint code cleanupLuca Deri2025-03-31
|
* Added ndpi_str_to_utf8() API call to convert an ISO 8859 stirng to UTF-8Luca2025-03-27
|
* Added API calls to load TCP fingeprintsLuca Deri2025-03-25
| | | | | | | int ndpi_add_tcp_fingerprint(struct ndpi_detection_module_struct *ndpi_str, char *fingerprint, enum operating_system_hint os); int load_tcp_fingerprint_file_fd(struct ndpi_detection_module_struct *ndpi_str, FILE *fd); int ndpi_load_tcp_fingerprint_file(struct ndpi_detection_module_struct *ndpi_str, const char *path);
* Add Autonomous System Organization to geoip (#2763)Leonardo Teixeira Alves2025-03-06
| | | Co-authored-by: Leonardo Teixeira Alves <leonardo.alves@zerum.com>
* Add city as a geoip possibility (#2746)Leonardo Teixeira Alves2025-02-24
|
* Improved RTP dissection with EVS and other mobile voice codecsLuca Deri2025-02-20
|
* Exported RTP payload in packet metadataLuca Deri2025-02-19
| | | | Added ndpi_rtp_payload_type2str() API call
* DNS: fix check for DGA domain (#2716)Ivan Nardi2025-02-11
| | | | If we have a (potential) valid sub-classification, we shoudn't check for DGA, even if the subclassification itself is disabled!
* DNS: evaluate all flow risks even if sub-classification is disabled (#2714)Ivan Nardi2025-02-11
|
* Added ndpi_find_protocol_qoe() API callLuca Deri2025-02-10
| | | | Updated (C)
* Added ndpi_network_ptree6_match() API callLuca Deri2025-01-31
|
* Added ndpi_data_jitter() API callLuca Deri2025-01-29
|
* Add (kind of) support for loading a list of JA4C malicious fingerprints (#2678)Ivan Nardi2025-01-14
| | | | | | | | | It might be usefull to be able to match traffic against a list of suspicious JA4C fingerprints Use the same code/logic/infrastructure used for JA3C (note that we are going to remove JA3C...) See: #2551
* Update `flow->flow_multimedia_types` to a bitmask (#2625)Ivan Nardi2024-11-25
| | | In the same flow, we can have multiple multimedia types
* SIP: extract some basic metadataIvan Nardi2024-11-12
|
* Added HTTP credentials extractionLuca Deri2024-10-31
|
* Added ndpi_str_endswith()Luca Deri2024-10-28
|
* Improved TCP fingepring calculationLuca Deri2024-10-18
| | | | Adde basidc OS detection based on TCP fingerprint
* Added u_int8_t ndpi_is_public_ipv4(u_int32_t a /* host byte order */);Luca Deri2024-10-13
|
* Added -N option for dumping/restoring the DNS cache (when enabled)Luca Deri2024-10-10
| | | | Example ndpiReader -i en0 --cfg=dpi.address_cache_size,32768 -N /tmp/a
* Added new API calls for serializing/restoring the DNS cacheLuca Deri2024-10-10
| | | | | - bool ndpi_address_cache_dump(struct ndpi_address_cache *cache, char *path, u_int32_t epoch_now); - u_int32_t ndpi_address_cache_restore(struct ndpi_address_cache *cache, char *path, u_int32_t epoch_now);
* Implemented (disabled by default) DNS host cache. You can set the cache size ↵Luca Deri2024-10-07
| | | | | | | | | | as follows: ndpiReader --cfg=dpi.address_cache_size,1000 -i <pcap>.pcap In the above example the cache has up to 1000 entries. In jcase ndpiReader exports data in JSON, the cache hostname (if found) is exported in the field server_hostname
* Let the library returning the packet direction calculated internally (#2572)Ivan Nardi2024-09-27
| | | wireshark, lua: add basic analysis of possible obfuscated flows
* Add some heuristics to detect encrypted/obfuscated/proxied TLS flows (#2553)Ivan Nardi2024-09-24
| | | | | | | | | | | | Based on the paper: "Fingerprinting Obfuscated Proxy Traffic with Encapsulated TLS Handshakes". See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting Basic idea: * the packets/bytes distribution of a TLS handshake is quite unique * this fingerprint is still detectable if the handshake is encrypted/proxied/obfuscated All heuristics are disabled by default.
* buffer lenghtt is now returned by ndpi_quick_encrypt() and ndpi_quick_deecrypt()Luca Deri2024-09-24
|
* Added new API callsLuca Deri2024-09-24
| | | | | u_int ndpi_hex2bin(u_char *out, u_int out_len, u_char* in, u_int in_len); u_int ndpi_bin2hex(u_char *out, u_int out_len, u_char* in, u_int in_len);
* Added ndpi_quick_encrypt() ndpi_quick_decrypt() APi calls (#2568)Luca Deri2024-09-24
| | | | | * Added ndpi_quick_encrypt() ndpi_quick_decrypt(0 APi calls based on AES * Added aes.c
* Implemented ndpi_strrstr()Luca Deri2024-09-19
| | | | Fixed bug in ndpi_get_host_domain
* Updated ndpi_serialize_flow_fingerprint API signatureLuca2024-09-17
|
* Reworked fingerprint export now in JSONLuca2024-09-16
|
* Implemented algorithms for K-Nearest Neighbor Search (KNN) (#2554)Luca Deri2024-09-10
| | | | | | | | | | | | | | | | * Extended API with functions for vector similarity based on KD-trees https://en.wikipedia.org/wiki/K-d_tree ndpi_kd_tree* ndpi_kd_create(u_int num_dimensions); void ndpi_kd_free(ndpi_kd_tree *tree); void ndpi_kd_clear(ndpi_kd_tree *tree); bool ndpi_kd_insert(ndpi_kd_tree *tree, const double *data_vector, void *user_data); ndpi_kd_tree_result *ndpi_kd_nearest(ndpi_kd_tree *tree, const double *data_vector); u_int32_t ndpi_kd_num_results(ndpi_kd_tree_result *res); bool ndpi_kd_result_end(ndpi_kd_tree_result *res); double* ndpi_kd_result_get_item(ndpi_kd_tree_result *res, double **user_data); bool ndpi_kd_result_next(ndpi_kd_tree_result *res); void ndpi_kd_result_free(ndpi_kd_tree_result *res); double ndpi_kd_distance(double *a1, double *b2, u_int num_dimensions);
* Added print_ndpi_address_port in nDPi APILuca Deri2024-08-27
|
Powered by cgit, Themed by Ted Yin.