aboutsummaryrefslogtreecommitdiff
path: root/src/lib/ndpi_main.c
Commit message (Collapse)AuthorAge
* Fixes TCP fingerprint calculation when multiple EOL are specified in TCP optionsLuca Deri2024-10-27
|
* Improved fingerprintsLuca Deri2024-10-21
|
* Improved TCP fingerprintLuca Deri2024-10-20
|
* Improved TCP fingerprintLuca Deri2024-10-20
|
* Reworked TCP fingeprint implementationLuca Deri2024-10-20
|
* Renamed os hints to avoid name clashesLuca Deri2024-10-19
|
* Improved TCP fingepring calculationLuca Deri2024-10-18
| | | | Adde basidc OS detection based on TCP fingerprint
* Add configuration of TCP fingerprint computation (#2598)Ivan Nardi2024-10-18
| | | Extend configuration of raw format of JA4C fingerprint
* Added further boundary checks in TCP options parsing (#2597)Luca Deri2024-10-18
| | | * Added further memory checks
* Added TCP header checkLuca Deri2024-10-18
|
* Fixes buffer overflow when parsing invalid TCP optionsLuca Deri2024-10-17
|
* Implemented nDPI TCP fingerprintLuca Deri2024-10-15
|
* Add monitoring capability (#2588)Ivan Nardi2024-10-14
| | | | | | | | | | | | | Allow nDPI to process the entire flows and not only the first N packets. Usefull when the application is interested in some metadata spanning the entire life of the session. As initial step, only STUN flows can be put in monitoring. See `doc/monitoring.md` for further details. This feature is disabled by default. Close #2583
* Added sonos dissectorLuca Deri2024-10-13
|
* Implemented (disabled by default) DNS host cache. You can set the cache size ↵Luca Deri2024-10-07
| | | | | | | | | | as follows: ndpiReader --cfg=dpi.address_cache_size,1000 -i <pcap>.pcap In the above example the cache has up to 1000 entries. In jcase ndpiReader exports data in JSON, the cache hostname (if found) is exported in the field server_hostname
* Add DingTalk protocol support (#2581)Vladimir Gavrilov2024-10-07
|
* Moved ndpi_lru in a separate fileLuca Deri2024-10-04
|
* Exports DNS A/AAAA responses (up to 4 addresses)Luca2024-10-02
| | | | Changed the default to IPv4 (used to be IPv6) in case of DNS error response
* Let the library returning the packet direction calculated internally (#2572)Ivan Nardi2024-09-27
| | | wireshark, lua: add basic analysis of possible obfuscated flows
* Add enable/disable guessing using client IP/port (#2569)Liam Wilson2024-09-27
| | | | | | | | Add configurable options for whether to include client port or client IP in the flow's protocol guesses. This defaults to include both client port/IP if the protocol is not guessed with the server IP/port. This is intended for when flow direction detection is enabled, so we know that sport = client port, dport = server port.
* Add some heuristics to detect encrypted/obfuscated/proxied TLS flows (#2553)Ivan Nardi2024-09-24
| | | | | | | | | | | | Based on the paper: "Fingerprinting Obfuscated Proxy Traffic with Encapsulated TLS Handshakes". See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting Basic idea: * the packets/bytes distribution of a TLS handshake is quite unique * this fingerprint is still detectable if the handshake is encrypted/proxied/obfuscated All heuristics are disabled by default.
* Allow IP guess before port in ndpi_detection_giveup (#2562)Liam Wilson2024-09-20
| | | | Add dpi.guess_ip_before_port which when enabled uses classification by-ip before classification by-port.
* Fixed handling of spurious TCP retransmissionsLuca2024-09-17
|
* Add an heuristic to detect encrypted/obfuscated OpenVPN flows (#2547)Ivan Nardi2024-09-16
| | | | | | | | | | | | Based on the paper: "OpenVPN is Open to VPN Fingerprinting" See: https://www.usenix.org/conference/usenixsecurity22/presentation/xue-diwen Basic idea: * the distribution of the first byte of the messages (i.e. the distribution of the op-codes) is quite unique * this fingerprint might be still detectable even if the OpenVPN packets are somehow fully encrypted/obfuscated The heuristic is disabled by default.
* Implemented JA4 raw (ja4_r) fingerprintLuca Deri2024-09-05
| | | | | Example: ./example/ndpiReader -i tests/pcap/safari.pcap --cfg=tls,metadata.ja4r_fingerprint,1
* Add detection of SurfShark VPNNardi Ivan2024-09-05
|
* OpenVPN, Wireguard: improve sub-classificationNardi Ivan2024-09-05
| | | | | | | | Allow sub-classification of OpenVPN/Wireguard flows using their server IP. That is useful to detect the specific VPN application/app used. At the moment, the supported protocols are: Mullvad, NordVPN, ProtonVPN. This feature is configurable.
* Add detection of NordVPNNardi Ivan2024-09-05
|
* Add Lustre protocol detection support (#2544)Vladimir Gavrilov2024-09-04
|
* HTTP, QUIC, TLS: allow to disable sub-classification (#2533)Ivan Nardi2024-09-03
|
* Print risk code in ndpi_dump_risks_scoreAlfredo Cardigliano2024-08-28
|
* ndpi_get_protocol_by_name now return UNKNoWN when one protocol (either ↵Luca Deri2024-08-26
| | | | master or app) is not recognized
* Added in APILuca Deri2024-08-26
| | | | | | | | | | | | bool ndpi_is_proto(ndpi_master_app_protocol proto, u_int16_t p); bool ndpi_is_proto_unknown(ndpi_master_app_protocol proto); bool ndpi_is_proto_equals(ndpi_master_app_protocol to_check, ndpi_master_app_protocol to_match, bool exact_match_only); u_int16_t ndpi_get_proto_by_name(struct ndpi_detection_module_struct *ndpi_mod, const char *name); char* ndpi_get_proto_by_id(struct ndpi_detection_module_struct *ndpi_mod, u_int id); extern ndpi_master_app_protocol ndpi_get_protocol_by_name(struct ndpi_detection_module_struct *ndpi_str, const char *name); Removed (duplicate of ndpi_get_proto_by_name) int ndpi_get_protocol_id(struct ndpi_detection_module_struct *ndpi_mod, char *proto);
* Add TRDP protocol support (#2528)Vladimir Gavrilov2024-08-25
| | | The Train Real Time Data Protocol (TRDP) is a UDP/TCP-based communication protocol designed for IP networks in trains, enabling data exchange between devices such as door controls and air conditioning systems. It is standardized by the IEC under IEC 61375-2-3 and is not related to the Remote Desktop Protocol (RDP).
* Changed NDPI_MALICIOUS_JA3 to NDPI_MALICIOUS_FINGERPRINTLuca Deri2024-08-25
|
* Added ndpi_get_protocol_by_name*( API callLuca Deri2024-08-24
|
* Introduced ndpi_master_app_protocol typedefLuca Deri2024-08-24
|
* Add Automatic Tank Gauge protocol (#2527)wssxsxxsx2024-08-23
| | | | | | | See also #2523 --------- Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
* Add CNP/IP protocol support (#2521)Vladimir Gavrilov2024-08-22
| | | ISO/IEC 14908-4 defines how to tunnel Control Network Protocol (CNP) over IP networks. It encapsulates protocols like EIA-709, EIA-600, and CNP, making it a versatile solution for building automation and control systems.
* Removed unnecessary includes (#2525)Luca Deri2024-08-21
|
* Fixed probing attempt risk that was creating false positivesLuca Deri2024-08-07
|
* Improved ICMP malformed packet risk descriptionLuca Deri2024-07-25
|
* FPC: add DPI information (#2514)Ivan Nardi2024-07-23
| | | | If the flow is classified (via DPI) after the first packet, we should use this information as FPC
* Add OpenWire support (#2513)Vladimir Gavrilov2024-07-22
|
* FPC: small improvements (#2512)Ivan Nardi2024-07-22
| | | | Add printing of fpc_dns statistics and add a general cconfiguration option. Rework the code to be more generic and ready to handle other logics.
* FPC: add DNS correlation (#2497)mmanoj2024-07-22
| | | | | | | | | Use DNS information to get a better First Packet Classification. See: #2322 --------- Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
* ndpi_strncasestr: optimization, fixes, tests (#2507)Petr2024-07-18
|
* Add Nano (XNO) protocol support (#2508)Vladimir Gavrilov2024-07-18
|
* Added ClickHouse protocolLuca2024-07-17
|
* Add HLS support (#2502)Vladimir Gavrilov2024-07-16
|
Powered by cgit, Themed by Ted Yin.