aboutsummaryrefslogtreecommitdiff
path: root/src/include/ndpi_private.h
Commit message (Collapse)AuthorAge
* Add GearUP Booster protocol dissector (heuristic based).add/gearup_booster-protocol-dissectorToni Uhlig2025-03-07
| | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Add configuration parameter to enable/disable export of flow risk info (#2761)Ivan Nardi2025-03-05
| | | | For the most common protocols, avoid creating the string message if we are not going to use it
* ICMP: move all the logic to the proper dissector fileIvan Nardi2025-02-28
| | | | | | | There are no reasons to keep entropy calculation and sanity checks code on the "guessing" algorithm. BTW, this change also fix the entropy calculation for non TCP/UDP/ICMP flows
* TOR: fix ip lists (#2748)Ivan Nardi2025-02-27
| | | | One list is from ingress nodes (used for protocol classification) and the second one is from exit nodes (used for flow risk check)
* Add LagoFast protocol dissector. (#2743)Toni2025-02-23
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Improved RTP dissection with EVS and other mobile voice codecsLuca Deri2025-02-20
|
* SSDP: add configuration for disabling metadata extraction (#2736)Ivan Nardi2025-02-17
|
* added metadata fields for M-NOTIFY (#2733)Ivan Kapranov2025-02-17
|
* Implement SSDP Metadata export (#2729)Ivan Kapranov2025-02-16
| | | Close #2524
* DNS: rework adding entries to the FPC-DNS cache (#2730)Ivan Nardi2025-02-16
| | | | | Try to populate the FPC-DNS cache using directly the info from the current packet, and not from the metadata saved in `struct ndpi_flow_struct`. This will be important when adding monitoring support
* Added ndpi_find_protocol_qoe() API callLuca Deri2025-02-10
| | | | Updated (C)
* bittorrent: add configuration for "hash" metadata (#2706)Ivan Nardi2025-01-31
| | | Fix confidence value for same TCP flows
* HTTP: add configuration for some metadata (#2704)Ivan Nardi2025-01-31
| | | Extend file configuration for just subclassification.
* Create a specific configuration for classification only (#2689)Ivan Nardi2025-01-31
| | | | | | | | | | | | | | | | | | | | | | | | In some scenarios, you might not be interested in flow metadata or flow-risks at all, but you might want only flow (sub-)classification. Examples: you only want to forward the traffic according to the classification or you are only interested in some protocol statistics. Create a new configuration file (for `ndpiReader`, but you can trivially adapt it for the library itself) allowing exactly that. You can use it via: `ndpiReader --conf=example/only_classification.conf ...` Note that this way, the nDPI overhead is lower because it might need less packets per flow: * TLS: nDPI processes only the CH (in most cases) and not also the SH and certificates * DNS: only the request is processed (instead of both request and response) We might extend the same "shortcut-logic" (stop processing the flow immediately when there is a final sub-classification) for others protocols. Add the configuration options to enable/disable the extraction of some TLS metadata.
* Minor extension for custom nDPIIvan Nardi2025-01-23
|
* Renamed ips_match to ndpi_ips_matchLuca Deri2025-01-17
|
* STUN: improve detection of Telegram calls (#2671)Ivan Nardi2025-01-14
|
* TLS: remove JA3C (#2679)Ivan Nardi2025-01-14
| | | | | | | | Last step of removing JA3C fingerprint Remove some duplicate tests: testing with ja4c/ja3s disabled is already performed by `disable_metadata_and_flowrisks` configuration. Close:#2551
* Add (kind of) support for loading a list of JA4C malicious fingerprints (#2678)Ivan Nardi2025-01-14
| | | | | | | | | It might be usefull to be able to match traffic against a list of suspicious JA4C fingerprints Use the same code/logic/infrastructure used for JA3C (note that we are going to remove JA3C...) See: #2551
* Improved WebSocket-over-HTTP detection (#2664)Toni2025-01-11
| | | | | | * detect `chisel` SSH-over-HTTP-WebSocket * use `strncasecmp()` for `LINE_*` matching macros Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* QUIC: remove extraction of user-agent (#2650)Ivan Nardi2025-01-07
| | | | | In very old (G)QUIC versions by Google, the user agent was available on plain text. That is not true anymore, since about end of 2021. See: https://github.com/google/quiche/commit/f282c934f4731a9f4be93409c9f3e8687f0566a7
* Add the ability to enable/disable every specific flow risks (#2653)Ivan Nardi2025-01-06
|
* QUIC: extract "max idle timeout" parameter (#2649)Ivan Nardi2025-01-06
| | | | | Even if it is only the proposed value by the client (and not the negotiated one), it might be use as hint for timeout by the (external) flows manager
* Removed old USE_LEGACY_AHO_CORASICK codeLuca Deri2024-11-26
|
* Update `flow->flow_multimedia_types` to a bitmask (#2625)Ivan Nardi2024-11-25
| | | In the same flow, we can have multiple multimedia types
* RTP, STUN: improve detection of multimedia flow type (#2620)Ivan Nardi2024-11-19
| | | | Let's see if we are able to tell audio from video calls only looking at RTP Payload Type field...
* Added ndpi_intoav6()Luca Deri2024-11-17
| | | | Implemented Mikrotik JSON serialization
* Added DICOM supportLuca2024-11-15
| | | | Testing pcaps courtesy of https://github.com/virtalabs/tapirx.git
* Implemented Mikrotik discovery protocol dissection and metadata extraction ↵Luca Deri2024-11-14
| | | | (#2618)
* SIP: extract some basic metadataIvan Nardi2024-11-12
|
* Add Paltalk protocol support (#2606)Vladimir Gavrilov2024-10-28
|
* Add configuration of TCP fingerprint computation (#2598)Ivan Nardi2024-10-18
| | | Extend configuration of raw format of JA4C fingerprint
* Add monitoring capability (#2588)Ivan Nardi2024-10-14
| | | | | | | | | | | | | Allow nDPI to process the entire flows and not only the first N packets. Usefull when the application is interested in some metadata spanning the entire life of the session. As initial step, only STUN flows can be put in monitoring. See `doc/monitoring.md` for further details. This feature is disabled by default. Close #2583
* Added sonos dissectorLuca Deri2024-10-13
|
* Implemented (disabled by default) DNS host cache. You can set the cache size ↵Luca Deri2024-10-07
| | | | | | | | | | as follows: ndpiReader --cfg=dpi.address_cache_size,1000 -i <pcap>.pcap In the above example the cache has up to 1000 entries. In jcase ndpiReader exports data in JSON, the cache hostname (if found) is exported in the field server_hostname
* Add DingTalk protocol support (#2581)Vladimir Gavrilov2024-10-07
|
* Let the library returning the packet direction calculated internally (#2572)Ivan Nardi2024-09-27
| | | wireshark, lua: add basic analysis of possible obfuscated flows
* Add enable/disable guessing using client IP/port (#2569)Liam Wilson2024-09-27
| | | | | | | | Add configurable options for whether to include client port or client IP in the flow's protocol guesses. This defaults to include both client port/IP if the protocol is not guessed with the server IP/port. This is intended for when flow direction detection is enabled, so we know that sport = client port, dport = server port.
* Add some heuristics to detect encrypted/obfuscated/proxied TLS flows (#2553)Ivan Nardi2024-09-24
| | | | | | | | | | | | Based on the paper: "Fingerprinting Obfuscated Proxy Traffic with Encapsulated TLS Handshakes". See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting Basic idea: * the packets/bytes distribution of a TLS handshake is quite unique * this fingerprint is still detectable if the handshake is encrypted/proxied/obfuscated All heuristics are disabled by default.
* Allow IP guess before port in ndpi_detection_giveup (#2562)Liam Wilson2024-09-20
| | | | Add dpi.guess_ip_before_port which when enabled uses classification by-ip before classification by-port.
* Add an heuristic to detect encrypted/obfuscated OpenVPN flows (#2547)Ivan Nardi2024-09-16
| | | | | | | | | | | | Based on the paper: "OpenVPN is Open to VPN Fingerprinting" See: https://www.usenix.org/conference/usenixsecurity22/presentation/xue-diwen Basic idea: * the distribution of the first byte of the messages (i.e. the distribution of the op-codes) is quite unique * this fingerprint might be still detectable even if the OpenVPN packets are somehow fully encrypted/obfuscated The heuristic is disabled by default.
* Implemented JA4 raw (ja4_r) fingerprintLuca Deri2024-09-05
| | | | | Example: ./example/ndpiReader -i tests/pcap/safari.pcap --cfg=tls,metadata.ja4r_fingerprint,1
* OpenVPN, Wireguard: improve sub-classificationNardi Ivan2024-09-05
| | | | | | | | Allow sub-classification of OpenVPN/Wireguard flows using their server IP. That is useful to detect the specific VPN application/app used. At the moment, the supported protocols are: Mullvad, NordVPN, ProtonVPN. This feature is configurable.
* Add Lustre protocol detection support (#2544)Vladimir Gavrilov2024-09-04
|
* HTTP, QUIC, TLS: allow to disable sub-classification (#2533)Ivan Nardi2024-09-03
|
* Add TRDP protocol support (#2528)Vladimir Gavrilov2024-08-25
| | | The Train Real Time Data Protocol (TRDP) is a UDP/TCP-based communication protocol designed for IP networks in trains, enabling data exchange between devices such as door controls and air conditioning systems. It is standardized by the IEC under IEC 61375-2-3 and is not related to the Remote Desktop Protocol (RDP).
* Add Automatic Tank Gauge protocol (#2527)wssxsxxsx2024-08-23
| | | | | | | See also #2523 --------- Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
* Add CNP/IP protocol support (#2521)Vladimir Gavrilov2024-08-22
| | | ISO/IEC 14908-4 defines how to tunnel Control Network Protocol (CNP) over IP networks. It encapsulates protocols like EIA-709, EIA-600, and CNP, making it a versatile solution for building automation and control systems.
* Add OpenWire support (#2513)Vladimir Gavrilov2024-07-22
|
* FPC: small improvements (#2512)Ivan Nardi2024-07-22
| | | | Add printing of fpc_dns statistics and add a general cconfiguration option. Rework the code to be more generic and ready to handle other logics.
Powered by cgit, Themed by Ted Yin.