libndpi.git - Open Source Deep Packet Inspection Software Toolkit

	Commit message (Collapse)	Author	Age
*	Test multiple `ndpiReader` configurations (#1931)	Ivan Nardi	2023-04-06
\| \| \| \| \| \| \| \| \|	Extend internal unit tests to handle multiple configurations. As some examples, add tests about: * disabling some protocols * disabling Ookla aggressiveness Every configurations data is stored in a dedicated directory under `tests\cfgs`
*	ndpiReader: print how many packets (per flow) were needed to perform full ↵	Ivan Nardi	2023-03-01
\| \| \| \| \| \|	DPI (#1891) Average values are already printed, but this change should ease to identify regressions/improvements.
*	STUN: add detection of ZOOM peer-to-peer flows (#1825)	Ivan Nardi	2022-12-11
\| \| \| \|	See: "Enabling Passive Measurement of Zoom Performance in Production Networks" https://dl.acm.org/doi/pdf/10.1145/3517745.3561414
*	Remove classification "by-ip" from protocol stack (#1743)	Ivan Nardi	2022-09-20
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Basically: * "classification by-ip" (i.e. `flow->guessed_protocol_id_by_ip` is NEVER returned in the protocol stack (i.e. `flow->detected_protocol_stack[]`); * if the application is interested into such information, it can access `ndpi_protocol->protocol_by_ip` itself. There are mainly 4 points in the code that set the "classification by-ip" in the protocol stack: the generic `ndpi_set_detected_protocol()`/ `ndpi_detection_giveup()` functions and the HTTP/STUN dissectors. In the unit tests output, a print about `ndpi_protocol->protocol_by_ip` has been added for each flow: the huge diff of this commit is mainly due to that. Strictly speaking, this change is NOT an API/ABI breakage, but there are important differences in the classification results. For examples: * TLS flows without the initial handshake (or without a matching SNI/certificate) are simply classified as `TLS`; * similar for HTTP or QUIC flows; * DNS flows without a matching request domain are simply classified as `DNS`; we don't have `DNS/Google` anymore just because the server is 8.8.8.8 (that was an outrageous behaviour...); * flows previusoly classified only "by-ip" are now classified as `NDPI_PROTOCOL_UNKNOWN`. See #1425 for other examples of why adding the "classification by-ip" in the protocol stack is a bad idea. Please, note that IPV6 is not supported :( (long standing issue in nDPI) i.e. `ndpi_protocol->protocol_by_ip` wil be always `NDPI_PROTOCOL_UNKNOWN` for IPv6 flows. Define `NDPI_CONFIDENCE_MATCH_BY_IP` has been removed. Close #1687
*	Fix `ndpi_do_guess()` (#1731)	Ivan Nardi	2022-09-12
\| \| \| \| \|	Avoid a double call of `ndpi_guess_host_protocol_id()`. Some code paths work for ipv4/6 both Remove some never used code.
*	Patricia tree, Ahocarasick automa, LRU cache: add statistics (#1683)	Ivan Nardi	2022-07-29
\| \| \| \| \| \| \| \| \| \|	Add (basic) internal stats to the main data structures used by the library; they might be usefull to check how effective these structures are. Add an option to `ndpiReader` to dump them; enabled by default in the unit tests. This new option enables/disables dumping of "num dissectors calls" values, too (see b4cb14ec).
*	Keep track of how many dissectors calls we made for each flow (#1657)	Ivan Nardi	2022-07-11
\|
*	Add a "confidence" field about the reliability of the classification. (#1395)	Ivan Nardi	2022-01-11
\| \| \| \| \| \| \| \| \| \| \| \| \|	As a general rule, the higher the confidence value, the higher the "reliability/precision" of the classification. In other words, this new field provides an hint about "how" the flow classification has been obtained. For example, the application may want to ignore classification "by-port" (they are not real DPI classifications, after all) or give a second glance at flows classified via LRU caches (because of false positives). Setting only one value for the confidence field is a bit tricky: more work is probably needed in the next future to tweak/fix/improve the logic.
*	ndpiReader: slight simplificaton of the output (#1378)	Ivan Nardi	2021-11-27
\|
*	Reworked HTTP protocol dissection including HTTP proxy and HTTP connect	Luca Deri	2021-11-25
\|
*	Fixed cleartext protocol assignment (#1357)	Ivan Nardi	2021-10-25
\|
*	Refreshed results list	Luca Deri	2021-10-16
\|
*	Updated output	Luca Deri	2021-08-07
\|
*	ndpiReader: add statistics about nDPI performance (#1240)	Ivan Nardi	2021-07-13
\| \| \| \| \| \| \|	The goal is to have a (roughly) idea about how many packets nDPI needs to properly classify a flow. Log this information (and guessed flows number too) during unit tests, to keep track of improvements/regressions across commits.
*	QUIC: improve handling of SNI (#1105)	Ivan Nardi	2021-01-07
\| \| \| \| \| \| \| \| \| \| \| \| \|	* QUIC: SNI should be always saved in flow->protos.stun_ssl.ssl.client_requested_server_name Close #1077 * QUIC: fix matching of custom categories * QUIC: add NDPI_TLS_MISSING_SNI support for older GQUIC versions * QUIC: fix serialization * QUIC: add DGA check for older GQUIC versions
*	QUIC: extract User Agent information	Nardi Ivan	2020-09-08
\|
*	Add sub-classification for GQUIC >= Q050 and (IETF-)QUIC	Nardi Ivan	2020-08-21
\| \| \| \| \| \| \| \| \| \| \|	Add QUIC payload and header decryption: most of the crypto code has been "copied-and-incolled" from Wireshark. That code has been clearly marked as such. All credits for that code should go to the original authors. I tried to keep the Wireshark code as similar as possible to the original, comments included, to ease future backporting of fixes. Inevitably, glibc data types and data structures, tvbuff abstraction and allocation functions have been converted.
*	Major rework of QUIC dissector	Nardi Ivan	2020-08-21
	Improve support for GQUIC (up to Q046) and add support for Q050 and (IETF-)QUIC Still no sub-classification for Q050 and QUIC