aboutsummaryrefslogtreecommitdiff
path: root/src/include/ndpi_typedefs.h
Commit message (Collapse)AuthorAge
* Extracted http host and referer metadata (http protocol)Luca Deri2025-01-24
|
* Added health categoryLuca Deri2025-01-24
|
* TLS: remove JA3C (#2679)Ivan Nardi2025-01-14
| | | | | | | | Last step of removing JA3C fingerprint Remove some duplicate tests: testing with ja4c/ja3s disabled is already performed by `disable_metadata_and_flowrisks` configuration. Close:#2551
* Classifications "by-port"/"by-ip" should never change (#2656)Ivan Nardi2025-01-06
| | | Add a new variable to keep track of internal partial classification
* Add the ability to enable/disable every specific flow risks (#2653)Ivan Nardi2025-01-06
|
* QUIC: extract "max idle timeout" parameter (#2649)Ivan Nardi2025-01-06
| | | | | Even if it is only the proposed value by the client (and not the negotiated one), it might be use as hint for timeout by the (external) flows manager
* TLS: remove ESNI support (#2648)Ivan Nardi2025-01-06
| | | | | ESNI has been superseded by ECH for years, now. See: https://blog.cloudflare.com/encrypted-client-hello/ Set the existing flow risk if we still found this extension.
* STUN/RTP: improve metadata extraction (#2641)Ivan Nardi2024-12-11
|
* Changed serializer buffer size to 256 bytesLuca Deri2024-12-05
|
* STUN counter changesLuca Deri2024-11-29
|
* STUN: improve Whatsapp monitoring (#2635)Ivan Nardi2024-11-29
|
* Enhanced STUN statsLuca Deri2024-11-28
|
* Removed old USE_LEGACY_AHO_CORASICK codeLuca Deri2024-11-26
|
* Update `flow->flow_multimedia_types` to a bitmask (#2625)Ivan Nardi2024-11-25
| | | In the same flow, we can have multiple multimedia types
* Implemented Mikrotik discovery protocol dissection and metadata extraction ↵Luca Deri2024-11-14
| | | | (#2618)
* Cosmetic changeLuca2024-11-14
|
* SIP: extract some basic metadataIvan Nardi2024-11-12
|
* Unify ndpi debug logging to always use a u16 protocol id (#2613)Toni2024-11-11
| | | | | * fixes SonarCloud complaint Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Increased "struct ndpi_flow_struct" sizeLuca Deri2024-10-31
|
* Added HTTP credentials extractionLuca Deri2024-10-31
|
* Fix blocks with inner-json modeAlfredo Cardigliano2024-10-31
|
* Add new json serialization type ndpi_serialization_format_inner_jsonAlfredo Cardigliano2024-10-31
|
* TLS: export heuristic fingerprint as metadata (#2609)Ivan Nardi2024-10-28
|
* Renamed os hints to avoid name clashesLuca Deri2024-10-19
|
* Increased struct size (#2599)Luca Deri2024-10-19
|
* Improved TCP fingepring calculationLuca Deri2024-10-18
| | | | Adde basidc OS detection based on TCP fingerprint
* Increased struct ndpi_flow_struct size (#2596)Luca Deri2024-10-18
| | | Build fix
* Implemented nDPI TCP fingerprintLuca Deri2024-10-15
|
* Add monitoring capability (#2588)Ivan Nardi2024-10-14
| | | | | | | | | | | | | Allow nDPI to process the entire flows and not only the first N packets. Usefull when the application is interested in some metadata spanning the entire life of the session. As initial step, only STUN flows can be put in monitoring. See `doc/monitoring.md` for further details. This feature is disabled by default. Close #2583
* Implemented (disabled by default) DNS host cache. You can set the cache size ↵Luca Deri2024-10-07
| | | | | | | | | | as follows: ndpiReader --cfg=dpi.address_cache_size,1000 -i <pcap>.pcap In the above example the cache has up to 1000 entries. In jcase ndpiReader exports data in JSON, the cache hostname (if found) is exported in the field server_hostname
* Exports DNS A/AAAA responses (up to 4 addresses)Luca2024-10-02
| | | | Changed the default to IPv4 (used to be IPv6) in case of DNS error response
* Let the library returning the packet direction calculated internally (#2572)Ivan Nardi2024-09-27
| | | wireshark, lua: add basic analysis of possible obfuscated flows
* Add some heuristics to detect encrypted/obfuscated/proxied TLS flows (#2553)Ivan Nardi2024-09-24
| | | | | | | | | | | | Based on the paper: "Fingerprinting Obfuscated Proxy Traffic with Encapsulated TLS Handshakes". See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting Basic idea: * the packets/bytes distribution of a TLS handshake is quite unique * this fingerprint is still detectable if the handshake is encrypted/proxied/obfuscated All heuristics are disabled by default.
* Fixed handling of spurious TCP retransmissionsLuca2024-09-17
|
* Add an heuristic to detect encrypted/obfuscated OpenVPN flows (#2547)Ivan Nardi2024-09-16
| | | | | | | | | | | | Based on the paper: "OpenVPN is Open to VPN Fingerprinting" See: https://www.usenix.org/conference/usenixsecurity22/presentation/xue-diwen Basic idea: * the distribution of the first byte of the messages (i.e. the distribution of the op-codes) is quite unique * this fingerprint might be still detectable even if the OpenVPN packets are somehow fully encrypted/obfuscated The heuristic is disabled by default.
* Enhanced DHCP fingerprintLuca Deri2024-09-15
| | | | Exported it with -E
* QUIC: add a basic heuristic to detect mid-flowsNardi Ivan2024-09-10
|
* RTMP: improve detection (#2549)Ivan Nardi2024-09-10
|
* Implemented algorithms for K-Nearest Neighbor Search (KNN) (#2554)Luca Deri2024-09-10
| | | | | | | | | | | | | | | | * Extended API with functions for vector similarity based on KD-trees https://en.wikipedia.org/wiki/K-d_tree ndpi_kd_tree* ndpi_kd_create(u_int num_dimensions); void ndpi_kd_free(ndpi_kd_tree *tree); void ndpi_kd_clear(ndpi_kd_tree *tree); bool ndpi_kd_insert(ndpi_kd_tree *tree, const double *data_vector, void *user_data); ndpi_kd_tree_result *ndpi_kd_nearest(ndpi_kd_tree *tree, const double *data_vector); u_int32_t ndpi_kd_num_results(ndpi_kd_tree_result *res); bool ndpi_kd_result_end(ndpi_kd_tree_result *res); double* ndpi_kd_result_get_item(ndpi_kd_tree_result *res, double **user_data); bool ndpi_kd_result_next(ndpi_kd_tree_result *res); void ndpi_kd_result_free(ndpi_kd_tree_result *res); double ndpi_kd_distance(double *a1, double *b2, u_int num_dimensions);
* Fix compilation (#2546)Ivan Nardi2024-09-05
|
* Implemented JA4 raw (ja4_r) fingerprintLuca Deri2024-09-05
| | | | | Example: ./example/ndpiReader -i tests/pcap/safari.pcap --cfg=tls,metadata.ja4r_fingerprint,1
* TLS: better state about handshake (#2534)Ivan Nardi2024-09-03
| | | | Keep track if we received CH or/and SH messsages: usefull with unidirectional flows
* Added ndpi_risk2code and ndpi_code2riskLuca Deri2024-08-27
|
* TypoLuca Deri2024-08-26
|
* Added commentLuca Deri2024-08-25
|
* Changed NDPI_MALICIOUS_JA3 to NDPI_MALICIOUS_FINGERPRINTLuca Deri2024-08-25
|
* Introduced ndpi_master_app_protocol typedefLuca Deri2024-08-24
|
* FPC: add DPI information (#2514)Ivan Nardi2024-07-23
| | | | If the flow is classified (via DPI) after the first packet, we should use this information as FPC
* FPC: add DNS correlation (#2497)mmanoj2024-07-22
| | | | | | | | | Use DNS information to get a better First Packet Classification. See: #2322 --------- Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
* Add infrastructure for explicit support of Fist Packet Classification (#2488)Ivan Nardi2024-07-03
| | | | | Let's start with some basic helpers and with FPC based on flow addresses. See: #2322
Powered by cgit, Themed by Ted Yin.