| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The host automa is used for two tasks:
* protocol sub-classification (obviously);
* DGA evaluation: the idea is that if a domain is present in this
automa, it can't be a DGA, regardless of its format/name.
In most dissectors both checks are executed, i.e. the code is something
like:
```
ndpi_match_host_subprotocol(..., flow->host_server_name, ...);
ndpi_check_dga_name(..., flow->host_server_name,...);
```
In that common case, we can perform only one automa lookup: if we check the
sub-classification before the DGA, we can avoid the second lookup in
the DGA function itself.
|
| |
|
|
|
|
|
|
|
|
| |
Add (basic) internal stats to the main data structures used by the
library; they might be usefull to check how effective these structures
are.
Add an option to `ndpiReader` to dump them; enabled by default in the
unit tests.
This new option enables/disables dumping of "num dissectors calls"
values, too (see b4cb14ec).
|
| |
|
|
|
|
|
|
|
|
|
| |
Since e6b332aa, we have proper support for detecting client/server
direction. So Tinc dissector is now able to properly initialize the
cache entry only when needed and not anymore at the SYN time; initializing
that entry for **every** SYN packets was a complete waste of resources.
Since 4896dabb, the various `struct ndpi_call_function_struct`
structures are not more separate objects and therefore comparing them
using only their pointers is bogus: this bug was triggered by this
change because `ndpi_str->callback_buffer_size_tcp_no_payload` is now 0.
|
| |
|
|
|
|
|
| |
Tcp retransmissions should be ignored.
Remove some unused protocol bitmasks.
Update script to download Whatsapp IP list.
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
As a general rule, the higher the confidence value, the higher the
"reliability/precision" of the classification.
In other words, this new field provides an hint about "how" the flow
classification has been obtained.
For example, the application may want to ignore classification "by-port"
(they are not real DPI classifications, after all) or give a second
glance at flows classified via LRU caches (because of false positives).
Setting only one value for the confidence field is a bit tricky: more
work is probably needed in the next future to tweak/fix/improve the logic.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
The goal is to have a (roughly) idea about how many packets nDPI needs
to properly classify a flow.
Log this information (and guessed flows number too) during unit tests,
to keep track of improvements/regressions across commits.
|
| | |
|
| |
|
|
| |
Added packet lenght distribution bins
|
| |
|
|
| |
Modified HTTP report information to make it closer to the HTTP field names
|
| |
|
|
| |
Added check to spot executables exchanged via HTTP
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Improved data report
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Improved IAT and byte distribution
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Updated tests with new protocols
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Merged MS Lync with Skype (Microsoft renamed MS Lync in Skype for Business)
Renumbered Nintendo protocols in former MS Lync that was no longer used
Fix for #425
|
| | |
|
| |
|
|
|
| |
Updated test results
Renamed SOMEIP -> someip
|
| | |
|
| | |
|
| |
|
|
| |
solved and now protocols are in sync with its previous values in the stable version
|
| | |
|
| |
|
|
| |
service
|
| |
|
|
| |
https://github.com/ntop/nDPI/commit/0f94a46f868e6818790b0c278121c081a63c9eeb
|
| | |
|
| | |
|
| | |
|
| | |
|