| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
| |
- AdultContent -> Category Adult Content
- LLM -> Category Artificial Intelligence
|
| | |
|
| | |
|
| |
|
| |
GLBP is a Cisco proprietary first-hop redundancy protocol similar to HSRP and VRRP, but with additional load balancing capabilities.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The main difference is that the memory is allocated at runtime
Typical usercase:
```
struct ndpi_bitmask b;
ndpi_bitmask_alloc(&b, ndpi_get_num_internal_protocols());
ndpi_bitmask_set(&b, $BIT);
ndpi_bitmask_is_set(&b, $BIT);
[...]
ndpi_bitmask_dealloc(&b);
```
See #2136
|
| |
|
|
|
|
|
|
| |
Partial revert of 88bfe2cf0: in the trees we save the index and no more
a pointer to `ndpi_struct->proto_defaults[]`.
Remove same functions from public API
See #2136
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We want to get rid of the defines `NDPI_MAX_SUPPORTED_PROTOCOLS` and
`NDPI_MAX_NUM_CUSTOM_PROTOCOLS`.
You can use:
```
ndpi_get_num_protocols()
```
See #2136
Removed some unused functions from public API
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`ndpi_set_protocol_detection_bitmask2()` (#2853)
The main goal is not to have the bitmask depending on the total number
of protocols anymore: `NDPI_INTERNAL_PROTOCOL_BITMASK` depends only on
internal protocols, i.e. on `NDPI_MAX_INTERNAL_PROTOCOLS`, i.e.
custom-defined protocols are not counted.
See #2136
Keep the old data structure `NDPI_PROTOCOL_BITMASK` with the old
semantic.
Since we need to change the API (and all the application code...)
anyway, simplify the API: by default all the protocols are enabled.
If you need otherwise, please use `ndpi_init_detection_module_ext()`
instead of `ndpi_init_detection_module()` (you can find an example in
the `ndpiReader` code).
To update the application code you likely only need to remove these 3
lines from your code:
```
- NDPI_PROTOCOL_BITMASK all;
- NDPI_BITMASK_SET_ALL(all);
- ndpi_set_protocol_detection_bitmask2(ndpi_str, &all);
```
Removed an unused field and struct definition.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We use `registr_dissector()` instead of
`ndpi_set_bitmask_protocol_detection()`.
Every file in `src/lib/protocols/*.c` is a dissector.
Every dissector can handle multiple protocols.
The real goal is this small change:
```
struct call_function_struct {
- NDPI_PROTOCOL_BITMASK detection_bitmask;
```
i.e. getting rid of another protocol bitmask: this is mandatory to try
to fix #2136 (see also e845e8205b68752c997d05224d8b2fd45acde714)
As a nice side effect, we remove a bitmask comparison in the hot function
`check_ndpi_detection_func()`
TODO: change logging configuration from per-protocol to per-dissector
|
| |
|
|
|
|
|
|
|
| |
- default (0) is the native nDPI format
- MuonOF (1) has been added
The format can be changed using metadata.tcp_fingerprint_format
Added ability to identify mass scanners using TCP fingerprint
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Proton doesn't provide anymore the list of egress and ingress addresses.
Remove the (stale) lists and the relative configuration parameters.
See: https://www.reddit.com/r/ProtonVPN/comments/1k3lrl5/great_the_httpsapiprotonvpnchvpnlogicals_api_has/
See also 470a479eb
|
| | |
|
| |
|
|
|
|
| |
In the flow, we should keep track of state of "dissectors", not
"protocols". This way, flow structure doesn't depend anymore on
the max number of protocols.
This is also the first step into fixing #2136
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
* added raw tcp fingerprint to json
* removed unnecessary change
* fixed key for json
* added configuration option for raw tcp fingerprint
* fixed typos
|
| | |
|
| | |
|
| |
|
|
| |
Cloudflare CDN
|
| |
|
|
|
| |
Remove the specific dissector and use the Blizzard's generic one.
For the time being, keep `NDPI_PROTOCOL_WORLDOFWARCRAFT`
|
| |
|
|
| |
Follow-up of f56831336334dddcff00eaf2132e5e0f226f0e32: now the
configuration is for flow-risk, not global
|
| |
|
|
|
|
|
| |
int ndpi_add_tcp_fingerprint(struct ndpi_detection_module_struct *ndpi_str,
char *fingerprint, enum operating_system_hint os);
int load_tcp_fingerprint_file_fd(struct ndpi_detection_module_struct *ndpi_str, FILE *fd);
int ndpi_load_tcp_fingerprint_file(struct ndpi_detection_module_struct *ndpi_str, const char *path);
|
| |
|
|
|
| |
games (#2776)
Remove `NDPI_PROTOCOL_STARCRAFT` and add a generic `NDPI_PROTOCOL_BLIZZARD`.
|
| |
|
|
|
|
| |
(#2773)
Remove `NDPI_PROTOCOL_MAPLESTORY` and add a generic
`NDPI_PROTOCOL_NEXON`
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
| |
For the most common protocols, avoid creating the string message if we
are not going to use it
|
| |
|
|
|
|
|
| |
There are no reasons to keep entropy calculation and sanity checks code
on the "guessing" algorithm.
BTW, this change also fix the entropy calculation for non TCP/UDP/ICMP
flows
|
| |
|
|
| |
One list is from ingress nodes (used for protocol classification) and
the second one is from exit nodes (used for flow risk check)
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
|
| | |
|
| | |
|
| |
|
| |
Close #2524
|
| |
|
|
|
| |
Try to populate the FPC-DNS cache using directly the info from the current
packet, and not from the metadata saved in `struct ndpi_flow_struct`. This
will be important when adding monitoring support
|
| |
|
|
| |
Updated (C)
|
| |
|
| |
Fix confidence value for same TCP flows
|
| |
|
| |
Extend file configuration for just subclassification.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In some scenarios, you might not be interested in flow metadata or
flow-risks at all, but you might want only flow (sub-)classification.
Examples: you only want to forward the traffic according to the
classification or you are only interested in some protocol statistics.
Create a new configuration file (for `ndpiReader`, but you can trivially
adapt it for the library itself) allowing exactly that. You can use it
via: `ndpiReader --conf=example/only_classification.conf ...`
Note that this way, the nDPI overhead is lower because it might need
less packets per flow:
* TLS: nDPI processes only the CH (in most cases) and not also the SH
and certificates
* DNS: only the request is processed (instead of both request and
response)
We might extend the same "shortcut-logic" (stop processing the flow
immediately when there is a final sub-classification) for others
protocols.
Add the configuration options to enable/disable the extraction of some
TLS metadata.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Last step of removing JA3C fingerprint
Remove some duplicate tests: testing with ja4c/ja3s disabled is already
performed by `disable_metadata_and_flowrisks` configuration.
Close:#2551
|