From e6b332aa4a1399e33df68998cf8351bccaee3fc4 Mon Sep 17 00:00:00 2001 From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> Date: Sun, 24 Jul 2022 17:46:24 +0200 Subject: Add support for flow client/server information (#1671) In a lot of places in ndPI we use *packet* source/dest info (address/port/direction) when we are interested in *flow* client/server info, instead. Add basic logic to autodetect this kind of information. nDPI doesn't perform any "flow management" itself but this task is delegated to the external application. It is then likely that the application might provide more reliable hints about flow client/server direction and about the TCP handshake presence: in that case, these information might be (optionally) passed to the library, disabling the internal "autodetect" logic. These new fields have been used in some LRU caches and in the "guessing" algorithm. It is quite likely that some other code needs to be updated. --- example/reader_util.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'example/reader_util.c') diff --git a/example/reader_util.c b/example/reader_util.c index 94564bfed..2344937ad 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -1543,6 +1543,8 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, } if(!flow->detection_completed) { + struct ndpi_flow_input_info input_info; + u_int enough_packets = (((proto == IPPROTO_UDP) && ((flow->src2dst_packets + flow->dst2src_packets) > max_num_udp_dissected_pkts)) || ((proto == IPPROTO_TCP) && ((flow->src2dst_packets + flow->dst2src_packets) > max_num_tcp_dissected_pkts))) ? 1 : 0; @@ -1558,9 +1560,13 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, else workflow->stats.dpi_packet_count[2]++; + memset(&input_info, '\0', sizeof(input_info)); /* To be sure to set to "unknown" any fields */ + /* Set here any information (easily) available; in this trivial example we don't have any */ + input_info.in_pkt_dir = NDPI_IN_PKT_DIR_UNKNOWN; + input_info.seen_flow_beginning = NDPI_FLOW_BEGINNING_UNKNOWN; flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow, iph ? (uint8_t *)iph : (uint8_t *)iph6, - ipsize, time_ms); + ipsize, time_ms, &input_info); enough_packets |= ndpi_flow->fail_with_unknown; if(enough_packets || (flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN)) { -- cgit v1.2.3