From 9f83bf4624d982c5ec654f36dc7563de393c29df Mon Sep 17 00:00:00 2001 From: Ravi Kerur Date: Sat, 14 Sep 2019 10:06:37 -0700 Subject: Add icmp and icmp6 to calculate splt and bd values. Signed-off-by: Ravi Kerur --- example/reader_util.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'example') diff --git a/example/reader_util.c b/example/reader_util.c index 9ec50486c..b981d2f7a 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -688,7 +688,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow *proto = iph->protocol; l4 = ((const u_int8_t *) l3 + l4_offset); - if(iph->protocol == IPPROTO_TCP && l4_packet_len >= 20) { + if(iph->protocol == IPPROTO_TCP && l4_packet_len >= sizeof(struct ndpi_tcphdr)) { u_int tcp_len; // tcp @@ -699,7 +699,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow *payload = (u_int8_t*)&l4[tcp_len]; *payload_len = ndpi_max(0, l4_packet_len-4*(*tcph)->doff); l4_data_len = l4_packet_len - sizeof(struct ndpi_tcphdr); - } else if(iph->protocol == IPPROTO_UDP && l4_packet_len >= 8) { + } else if(iph->protocol == IPPROTO_UDP && l4_packet_len >= sizeof(struct ndpi_udphdr)) { // udp workflow->stats.udp_count++; 
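Review bot: The rewritten guards `l4_packet_len >= sizeof(struct ndpi_tcphdr)` in this hunk and `l4_packet_len >= sizeof(struct ndpi_udphdr)` in the `@@ -699,7 +699,7 @@` hunk now compare against a `size_t`, whereas `>= 20` and `>= 8` were plain integer comparisons. The declaration of `l4_packet_len` is outside both hunks; if it is a signed type, a negative length converts to a large unsigned value and passes the guard, which the old literals rejected. If it is already unsigned nothing changes, and a short comment above the first guard such as `/* l4_packet_len is unsigned, so comparing with sizeof is safe */` would record that. The body of get_ndpi_flow_info starts and ends outside these hunks.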
@@ -708,6 +708,16 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow *payload = (u_int8_t*)&l4[sizeof(struct ndpi_udphdr)]; *payload_len = (l4_packet_len > sizeof(struct ndpi_udphdr)) ? l4_packet_len-sizeof(struct ndpi_udphdr) : 0; l4_data_len = l4_packet_len - sizeof(struct ndpi_udphdr); + } else if(iph->protocol == IPPROTO_ICMP || iph->protocol == IPPROTO_ICMPV6) { + if (iph->protocol == IPPROTO_ICMP) { + *payload = (u_int8_t*)&l4[sizeof(struct ndpi_icmphdr )]; + *payload_len = (l4_packet_len > sizeof(struct ndpi_icmphdr)) ? l4_packet_len-sizeof(struct ndpi_icmphdr) : 0; + l4_data_len = l4_packet_len - sizeof(struct ndpi_icmphdr); + } else { + *payload = (u_int8_t*)&l4[sizeof(struct ndpi_icmp6hdr)]; + *payload_len = (l4_packet_len > sizeof(struct ndpi_icmp6hdr)) ? l4_packet_len-sizeof(struct ndpi_icmp6hdr) : 0; + l4_data_len = l4_packet_len - sizeof(struct ndpi_icmp6hdr); + } } else { // non tcp/udp protocols *sport = *dport = 0; -- cgit v1.2.3 From 23780a655d8e16842f3a16946e2a12defde83f2c Mon Sep 17 00:00:00 2001 From: Ravi Kerur Date: Sat, 14 Sep 2019 18:38:18 -0700 Subject: Fix protocol for v4 and v6. Signed-off-by: Ravi Kerur --- example/reader_util.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) (limited to 'example') diff --git a/example/reader_util.c b/example/reader_util.c index b981d2f7a..b4f5d984a 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -664,9 +664,11 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow l4_offset = iph->ihl * 4; l3 = (const u_int8_t*)iph; + *proto = iph->protocol; } else { l4_offset = sizeof(struct ndpi_ipv6hdr); l3 = (const u_int8_t*)iph6; + *proto = iph6->ip6_hdr.ip6_un1_nxt; } if(l4_packet_len < 64) 
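Review bot: The new ICMP/ICMPv6 branch has no minimum-length test, unlike the TCP and UDP branches, which require `l4_packet_len >= sizeof(...)` before using the header size. For a truncated packet `*payload_len` is clamped to 0 by the ternary, but `l4_data_len = l4_packet_len - sizeof(struct ndpi_icmphdr)` (and its `ndpi_icmp6hdr` twin) is computed unclamped and `*payload` is still set past the header; how `l4_data_len` is declared and used is outside the hunk, so later code receives either a negative or a wrapped length. I would guard each case the way the other branches do, e.g. `&& l4_packet_len >= sizeof(struct ndpi_icmphdr)`, so that short packets fall through to the generic `else`. The reworked branches in the `@@ -708,16 +709,14 @@` hunk of the following commit have the same gap.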
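Review bot: In the IPv6 branch, `*proto = iph6->ip6_hdr.ip6_un1_nxt;` treats the first Next Header value as the transport protocol while `l4_offset` stays fixed at `sizeof(struct ndpi_ipv6hdr)`. When a packet carries extension headers, that field names the extension header rather than TCP/UDP/ICMPv6, and the L4 header does not start at that offset, so such packets would end up in the generic non-TCP/UDP path. Whether the caller filters or pre-processes such packets is not visible from this hunk; at minimum the assumption should be written down next to the assignment, e.g. `/* assumes no IPv6 extension headers: nxt is the L4 protocol and L4 starts right after the fixed header */`. The enclosing `if` condition and the rest of get_ndpi_flow_info are outside the hunk.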
@@ -685,10 +687,9 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow if(l4_packet_len > workflow->stats.max_packet_len) workflow->stats.max_packet_len = l4_packet_len; - *proto = iph->protocol; l4 = ((const u_int8_t *) l3 + l4_offset); - if(iph->protocol == IPPROTO_TCP && l4_packet_len >= sizeof(struct ndpi_tcphdr)) { + if(*proto == IPPROTO_TCP && l4_packet_len >= sizeof(struct ndpi_tcphdr)) { u_int tcp_len; // tcp @@ -699,7 +700,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow *payload = (u_int8_t*)&l4[tcp_len]; *payload_len = ndpi_max(0, l4_packet_len-4*(*tcph)->doff); l4_data_len = l4_packet_len - sizeof(struct ndpi_tcphdr); - } else if(iph->protocol == IPPROTO_UDP && l4_packet_len >= sizeof(struct ndpi_udphdr)) { + } else if(*proto == IPPROTO_UDP && l4_packet_len >= sizeof(struct ndpi_udphdr)) { // udp workflow->stats.udp_count++; 
@@ -708,16 +709,14 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow *payload = (u_int8_t*)&l4[sizeof(struct ndpi_udphdr)]; *payload_len = (l4_packet_len > sizeof(struct ndpi_udphdr)) ? l4_packet_len-sizeof(struct ndpi_udphdr) : 0; l4_data_len = l4_packet_len - sizeof(struct ndpi_udphdr); - } else if(iph->protocol == IPPROTO_ICMP || iph->protocol == IPPROTO_ICMPV6) { - if (iph->protocol == IPPROTO_ICMP) { - *payload = (u_int8_t*)&l4[sizeof(struct ndpi_icmphdr )]; - *payload_len = (l4_packet_len > sizeof(struct ndpi_icmphdr)) ? l4_packet_len-sizeof(struct ndpi_icmphdr) : 0; - l4_data_len = l4_packet_len - sizeof(struct ndpi_icmphdr); - } else { - *payload = (u_int8_t*)&l4[sizeof(struct ndpi_icmp6hdr)]; - *payload_len = (l4_packet_len > sizeof(struct ndpi_icmp6hdr)) ? l4_packet_len-sizeof(struct ndpi_icmp6hdr) : 0; - l4_data_len = l4_packet_len - sizeof(struct ndpi_icmp6hdr); - } + } else if(*proto == IPPROTO_ICMP) { + *payload = (u_int8_t*)&l4[sizeof(struct ndpi_icmphdr )]; + *payload_len = (l4_packet_len > sizeof(struct ndpi_icmphdr)) ? l4_packet_len-sizeof(struct ndpi_icmphdr) : 0; + l4_data_len = l4_packet_len - sizeof(struct ndpi_icmphdr); + } else if (*proto == IPPROTO_ICMPV6) { + *payload = (u_int8_t*)&l4[sizeof(struct ndpi_icmp6hdr)]; + *payload_len = (l4_packet_len > sizeof(struct ndpi_icmp6hdr)) ? l4_packet_len-sizeof(struct ndpi_icmp6hdr) : 0; + l4_data_len = l4_packet_len - sizeof(struct ndpi_icmp6hdr); } else { // non tcp/udp protocols *sport = *dport = 0; -- cgit v1.2.3 From e8d501158e07af7dbe67cc795d64532031a4f1d4 Mon Sep 17 00:00:00 2001 From: Ravi Kerur Date: Sat, 21 Sep 2019 10:38:04 -0700 Subject: Restore protocol extraction to original method. Add microseconds to time series if milliseconds returns 0. 
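Review bot: Neither of the two ICMP branches assigns `*sport` or `*dport`, while the generic `else` directly below them sets `*sport = *dport = 0;`. Judging by the visible chain, ICMP packets reached that `else` before they had their own branch, so the ports now hold whatever earlier code or the caller left in them; if they take part in the flow key, ICMP flows could be matched on stale values. Unless the ports are zeroed earlier in get_ndpi_flow_info, which is outside the hunk, add `*sport = *dport = 0;` to both branches. The branch as first introduced in 9f83bf46 has the same omission.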
Signed-off-by: Ravi Kerur --- example/reader_util.c | 4 ++-- src/include/ndpi_classify.h | 1 + src/lib/ndpi_classify.c | 38 ++++++++++++++++++++++++++++++-------- 3 files changed, 33 insertions(+), 10 deletions(-) (limited to 'example') diff --git a/example/reader_util.c b/example/reader_util.c index 0b4e6c2c8..a5c99a88b 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -664,13 +664,13 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow l4_offset = iph->ihl * 4; l3 = (const u_int8_t*)iph; - *proto = iph->protocol; } else { l4_offset = sizeof(struct ndpi_ipv6hdr); l3 = (const u_int8_t*)iph6; - *proto = iph6->ip6_hdr.ip6_un1_nxt; } + *proto = iph->protocol; + if(l4_packet_len < 64) workflow->stats.packet_len[0]++; else if(l4_packet_len >= 64 && l4_packet_len < 128) diff --git a/src/include/ndpi_classify.h b/src/include/ndpi_classify.h index 9b5f2841f..cd03027d8 100644 --- a/src/include/ndpi_classify.h +++ b/src/include/ndpi_classify.h @@ -87,6 +87,7 @@ unsigned int ndpi_timer_lt(const struct timeval *a, const struct timeval *b); void ndpi_timer_sub(const struct timeval *a, const struct timeval *b, struct timeval *result); void ndpi_timer_clear(struct timeval *a); unsigned int ndpi_timeval_to_milliseconds(struct timeval ts); +unsigned int ndpi_timeval_to_microseconds(struct timeval ts); void ndpi_log_timestamp(char *log_ts, u_int log_ts_len); #endif /* NDPI_CLASSIFY_H */ diff --git a/src/lib/ndpi_classify.c b/src/lib/ndpi_classify.c index 96b2ecbb0..7a814f7ce 100644 --- a/src/lib/ndpi_classify.c +++ b/src/lib/ndpi_classify.c @@ -299,6 +299,8 @@ ndpi_merge_splt_arrays (const uint16_t *pkt_len, const struct timeval *pkt_time, tmp = pkt_time_twin[r]; ndpi_timer_sub(&tmp, &ts_start, &tmp_r); merged_times[s+r] = ndpi_timeval_to_milliseconds(tmp_r); + if (merged_times[s+r] == 0) + merged_times[s+r] = ndpi_timeval_to_microseconds(tmp_r); ts_start = tmp; r++; } else if (r >= r_idx) { 
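Review bot: With `*proto = iph->protocol;` moved below the `if`/`else`, the dereference of `iph` also runs on the path that takes `l3` from `iph6`, so the IPv6 case depends on `iph` being a valid header whose protocol field already holds the L4 protocol. Whether every caller guarantees that cannot be confirmed from this hunk. If that is the contract, state it at the assignment, e.g. `/* iph is valid for IPv6 packets too; its protocol field carries the L4 protocol */`; if it is not, the dereference needs a check on `iph` first.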
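Review bot: The fallback `if (merged_times[s+r] == 0) merged_times[s+r] = ndpi_timeval_to_microseconds(tmp_r);` puts two units into one array: an entry of 500 may mean 500 ms or 500 µs, and a 999 µs gap is stored as a larger number than a 1 ms gap. Nothing visible marks which unit an entry uses, so a consumer of `merged_times` (not shown here) would read sub-millisecond gaps as long delays, which skews any timing feature derived from the series. I would keep one unit for the whole series, either microseconds throughout or milliseconds with sub-millisecond gaps left at 0; if the mixed form is intended, document it where the array is declared. The same two lines are repeated in the three branches of the `@@ -306,27 +308,35 @@` hunk and again for `merged_times[0]`, so a small static helper would keep the five copies in step.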
@@ -306,27 +308,35 @@ ndpi_merge_splt_arrays (const uint16_t *pkt_len, const struct timeval *pkt_time, tmp = pkt_time[s]; ndpi_timer_sub(&tmp, &ts_start, &tmp_r); merged_times[s+r] = ndpi_timeval_to_milliseconds(tmp_r); + if (merged_times[s+r] == 0) + merged_times[s+r] = ndpi_timeval_to_microseconds(tmp_r); ts_start = tmp; s++; } else { if (ndpi_timer_lt(&pkt_time[s], &pkt_time_twin[r])) { merged_lens[s+r] = pkt_len[s]; - tmp = pkt_time[s]; - ndpi_timer_sub(&tmp, &ts_start, &tmp_r); - merged_times[s+r] = ndpi_timeval_to_milliseconds(tmp_r); - ts_start = tmp; + tmp = pkt_time[s]; + ndpi_timer_sub(&tmp, &ts_start, &tmp_r); + merged_times[s+r] = ndpi_timeval_to_milliseconds(tmp_r); + if (merged_times[s+r] == 0) + merged_times[s+r] = ndpi_timeval_to_microseconds(tmp_r); + ts_start = tmp; s++; } else { merged_lens[s+r] = pkt_len_twin[r]; - tmp = pkt_time_twin[r]; - ndpi_timer_sub(&tmp, &ts_start, &tmp_r); - merged_times[s+r] = ndpi_timeval_to_milliseconds(tmp_r); - ts_start = tmp; + tmp = pkt_time_twin[r]; + ndpi_timer_sub(&tmp, &ts_start, &tmp_r); + merged_times[s+r] = ndpi_timeval_to_milliseconds(tmp_r); + if (merged_times[s+r] == 0) + merged_times[s+r] = ndpi_timeval_to_microseconds(tmp_r); + ts_start = tmp; r++; } } } merged_times[0] = ndpi_timeval_to_milliseconds(start_m); + if (merged_times[0] == 0) + merged_times[0] = ndpi_timeval_to_microseconds(start_m); } /* transform lens array to Markov chain */ @@ -656,6 +666,18 @@ ndpi_timeval_to_milliseconds(struct timeval ts) return result; } +/** + * \brief Calculate the microseconds representation of a timeval. + * \param ts Timeval + * \return unsigned int - Milliseconds + */ +unsigned int +ndpi_timeval_to_microseconds(struct timeval ts) +{ + unsigned int result = ts.tv_usec + ts.tv_sec * 1000 * 1000; + return result; +} + void ndpi_log_timestamp(char *log_ts, u_int log_ts_len) { -- cgit v1.2.3
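Review bot: The doc comment on the new `ndpi_timeval_to_microseconds` says `\return unsigned int - Milliseconds`; it should read `\return unsigned int - Microseconds`. Separately, `ts.tv_usec + ts.tv_sec * 1000 * 1000` is evaluated in the type of `tv_sec` and then narrowed to `unsigned int`, so the result wraps once the interval exceeds about 4294 seconds, and where `tv_sec` is a 32-bit signed type the multiplication overflows (undefined behaviour) beyond roughly 2147 seconds. The callers in this commit only reach it when the millisecond value is 0, but the function is exported through ndpi_classify.h, so I would either document the supported range or compute in unsigned arithmetic: `unsigned int result = (unsigned int)ts.tv_sec * 1000000u + (unsigned int)ts.tv_usec;`.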