From 6e85b9344298dbba49d06951360c5e3c464d92ba Mon Sep 17 00:00:00 2001 From: Micah Lyle Date: Mon, 17 Jul 2017 18:06:07 -0700 Subject: Implementation for extra packet processing if desired --- example/ndpi_util.c | 40 ++++++++++++++++++++++++++++++++-------- example/ndpi_util.h | 5 +++-- 2 files changed, 35 insertions(+), 10 deletions(-) (limited to 'example') diff --git a/example/ndpi_util.c b/example/ndpi_util.c index 75bab6319..b0955d8d4 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c @@ -158,10 +158,10 @@ int ndpi_workflow_node_cmp(const void *a, const void *b) { if(fa->hashval < fb->hashval) return(-1); else if(fa->hashval > fb->hashval) return(1); /* Flows have the same hash */ - + if(fa->vlan_id < fb->vlan_id ) return(-1); else { if(fa->vlan_id > fb->vlan_id ) return(1); } if(fa->protocol < fb->protocol ) return(-1); else { if(fa->protocol > fb->protocol ) return(1); } - + if( ( (fa->src_ip == fb->src_ip ) @@ -178,12 +178,12 @@ int ndpi_workflow_node_cmp(const void *a, const void *b) { ) ) return(0); - + if(fa->src_ip < fb->src_ip ) return(-1); else { if(fa->src_ip > fb->src_ip ) return(1); } if(fa->src_port < fb->src_port) return(-1); else { if(fa->src_port > fb->src_port) return(1); } if(fa->dst_ip < fb->dst_ip ) return(-1); else { if(fa->dst_ip > fb->dst_ip ) return(1); } if(fa->dst_port < fb->dst_port) return(-1); else { if(fa->dst_port > fb->dst_port) return(1); } - + return(0); /* notreached */ } @@ -453,7 +453,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl } } - if(flow->detection_completed) { + if(flow->detection_completed && !flow->check_extra_packets) { if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) { if (workflow->__flow_giveup_callback != NULL) workflow->__flow_giveup_callback(workflow, flow, workflow->__flow_giveup_udata); @@ -516,7 +516,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, flow->src2dst_packets++, flow->src2dst_bytes += rawsize; else flow->dst2src_packets++, flow->dst2src_bytes += rawsize; - + flow->last_seen = time; } else { // flow is NULL workflow->stats.total_discarded_bytes++; @@ -524,7 +524,28 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, } /* Protocol already detected */ - if(flow->detection_completed) return(flow->detected_protocol); + if(flow->detection_completed) { + if(flow->check_extra_packets && ndpi_flow != NULL && ndpi_flow->check_extra_packets) { + if(ndpi_flow->num_extra_packets_checked == 0 && ndpi_flow->max_extra_packets_to_check == 0) { + /* Protocols can set this, but we set it here in case they didn't */ + ndpi_flow->max_extra_packets_to_check = MAX_EXTRA_PACKETS_TO_CHECK; + } + if(ndpi_flow->num_extra_packets_checked < ndpi_flow->max_extra_packets_to_check) { + ndpi_process_extra_packet(workflow->ndpi_struct, ndpi_flow, + iph ? (uint8_t *)iph : (uint8_t *)iph6, + ipsize, time, src, dst); + if (ndpi_flow->check_extra_packets == 0) { + flow->check_extra_packets = 0; + ndpi_free_flow_info_half(flow); + } + } + } else if (ndpi_flow != NULL) { + /* If this wasn't NULL we should do the half free */ + /* TODO: When half_free is deprecated, get rid of this */ + ndpi_free_flow_info_half(flow); + } + return(flow->detected_protocol); + } flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow, iph ? (uint8_t *)iph : (uint8_t *)iph6, @@ -535,12 +556,15 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, || ((proto == IPPROTO_TCP) && ((flow->src2dst_packets + flow->dst2src_packets) > 10))) { /* New protocol detected or give up */ flow->detection_completed = 1; + /* Check if we should keep checking extra packets */ + if (ndpi_flow->check_extra_packets) + flow->check_extra_packets = 1; if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) flow->detected_protocol = ndpi_detection_giveup(workflow->ndpi_struct, flow->ndpi_flow); process_ndpi_collected_info(workflow, flow); - } + } return(flow->detected_protocol); } diff --git a/example/ndpi_util.h b/example/ndpi_util.h index f6d315748..45101cf10 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -36,6 +36,7 @@ #define MAX_IDLE_TIME 30000 #define IDLE_SCAN_BUDGET 1024 #define NUM_ROOTS 512 +#define MAX_EXTRA_PACKETS_TO_CHECK 7 #define MAX_NDPI_FLOWS 200000000 #define TICK_RESOLUTION 1000 #define MAX_NUM_IP_ADDRESS 5 /* len of ip address array */ @@ -56,7 +57,7 @@ typedef struct ndpi_flow_info { u_int32_t dst_ip; u_int16_t src_port; u_int16_t dst_port; - u_int8_t detection_completed, protocol, bidirectional; + u_int8_t detection_completed, protocol, bidirectional, check_extra_packets; u_int16_t vlan_id; struct ndpi_flow_struct *ndpi_flow; char src_name[48], dst_name[48]; @@ -64,7 +65,7 @@ typedef struct ndpi_flow_info { u_int64_t last_seen; u_int64_t src2dst_bytes, dst2src_bytes; u_int32_t src2dst_packets, dst2src_packets; - + // result only, not used for flow identification ndpi_protocol detected_protocol; -- cgit v1.2.3 From 55d13629249fed5b3750a393b053e8a72a9caaa3 Mon Sep 17 00:00:00 2001 From: Micah Lyle Date: Tue, 18 Jul 2017 12:53:02 -0700 Subject: Updated tests to match new SSL server certificate fix/addition --- example/ndpi_util.c | 2 +- tests/result/dropbox.pcap.out | 6 +++--- tests/result/http_ipv6.pcap.out | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) (limited to 'example') diff --git a/example/ndpi_util.c b/example/ndpi_util.c index b0955d8d4..96a88a8e5 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c @@ -536,7 +536,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, ipsize, time, src, dst); if (ndpi_flow->check_extra_packets == 0) { flow->check_extra_packets = 0; - ndpi_free_flow_info_half(flow); + process_ndpi_collected_info(workflow, flow); } } } else if (ndpi_flow != NULL) { diff --git a/tests/result/dropbox.pcap.out b/tests/result/dropbox.pcap.out index 81353f45f..57b68986f 100644 --- a/tests/result/dropbox.pcap.out +++ b/tests/result/dropbox.pcap.out @@ -4,9 +4,9 @@ Dropbox 1104 246122 16 1 UDP 192.168.1.105:33189 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][2 pkts/156 bytes <-> 2 pkts/588 bytes][Host: notify.dropbox.com] 2 UDP 192.168.1.105:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][6 pkts/1422 bytes -> 0 pkts/0 bytes] - 3 TCP 192.168.1.105:59975 <-> 108.160.172.204:443 [proto: 91.121/SSL.Dropbox][18 pkts/3562 bytes <-> 16 pkts/14464 bytes][client: client.dropbox.com] + 3 TCP 192.168.1.105:59975 <-> 108.160.172.204:443 [proto: 91.121/SSL.Dropbox][18 pkts/3562 bytes <-> 16 pkts/14464 bytes][client: client.dropbox.com][server: *.dropbox.com] 4 UDP 192.168.1.105:36173 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][4 pkts/312 bytes <-> 4 pkts/1078 bytes][Host: log.getdropbox.com] - 5 TCP 192.168.1.105:46394 <-> 162.125.17.131:443 [proto: 91.121/SSL.Dropbox][12 pkts/2338 bytes <-> 10 pkts/9054 bytes][client: notify.dropbox.com] + 5 TCP 192.168.1.105:46394 <-> 162.125.17.131:443 [proto: 91.121/SSL.Dropbox][12 pkts/2338 bytes <-> 10 pkts/9054 bytes][client: notify.dropbox.com][server: *.dropbox.com] 6 UDP 192.168.1.105:50789 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][2 pkts/146 bytes <-> 2 pkts/646 bytes][Host: d.dropbox.com] 7 UDP 192.168.1.105:55407 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][2 pkts/156 bytes <-> 2 pkts/666 bytes][Host: client.dropbox.com] 8 UDP 192.168.56.1:50318 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13960 bytes <-> 100 pkts/6260 bytes] @@ -25,7 +25,7 @@ Dropbox 1104 246122 16 21 UDP 192.168.56.1:50311 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13910 bytes <-> 100 pkts/6210 bytes] 22 UDP 192.168.56.1:50319 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13921 bytes <-> 100 pkts/6221 bytes] 23 UDP 192.168.1.106:57268 -> 239.255.255.250:1900 [proto: 12/SSDP][16 pkts/2632 bytes -> 0 pkts/0 bytes] - 24 TCP 192.168.1.105:44949 <-> 54.240.174.31:443 [proto: 91.121/SSL.Dropbox][64 pkts/12228 bytes <-> 74 pkts/85074 bytes][client: client-cf.dropbox.com] + 24 TCP 192.168.1.105:44949 <-> 54.240.174.31:443 [proto: 91.121/SSL.Dropbox][64 pkts/12228 bytes <-> 74 pkts/85074 bytes][client: client-cf.dropbox.com][server: client-cf.dropbox.com] 25 TCP 192.168.1.105:36226 <-> 108.160.172.195:80 [proto: 7.121/HTTP.Dropbox][10 pkts/2170 bytes <-> 10 pkts/1758 bytes][Host: log.getdropbox.com] 26 UDP 192.168.1.101:2169 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] 27 UDP 192.168.1.101:2141 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/http_ipv6.pcap.out b/tests/result/http_ipv6.pcap.out index 8d2a0b46c..16c73c8b0 100644 --- a/tests/result/http_ipv6.pcap.out +++ b/tests/result/http_ipv6.pcap.out @@ -11,8 +11,8 @@ ntop 80 36401 4 5 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37506 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.232/SSL.ntop][14 pkts/3969 bytes <-> 12 pkts/11648 bytes][client: www.ntop.org] 6 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:40526 <-> [2a00:1450:4006:804::200e]:443 [proto: 91/SSL][1 pkts/86 bytes <-> 1 pkts/86 bytes] 7 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:41776 <-> [2a00:1450:4001:803::1017]:443 [proto: 91/SSL][7 pkts/860 bytes <-> 7 pkts/1353 bytes] - 8 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53132 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/SSL.Facebook][7 pkts/960 bytes <-> 5 pkts/4227 bytes][client: s-static.ak.facebook.com] - 9 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53134 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/SSL.Facebook][6 pkts/874 bytes <-> 4 pkts/4141 bytes][client: s-static.ak.facebook.com] + 8 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53132 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/SSL.Facebook][7 pkts/960 bytes <-> 5 pkts/4227 bytes][client: s-static.ak.facebook.com][server: *.ak.fbcdn.net] + 9 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53134 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/SSL.Facebook][6 pkts/874 bytes <-> 4 pkts/4141 bytes][client: s-static.ak.facebook.com][server: *.ak.fbcdn.net] 10 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:58660 <-> [2a00:1450:4006:803::2008]:443 [proto: 91/SSL][1 pkts/86 bytes <-> 1 pkts/86 bytes] 11 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:59690 <-> [2a00:1450:4001:803::1012]:443 [proto: 91/SSL][1 pkts/86 bytes <-> 1 pkts/86 bytes] 12 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:60124 <-> [2a02:26f0:ad:1a1::eed]:443 [proto: 91/SSL][1 pkts/86 bytes <-> 1 pkts/86 bytes] -- cgit v1.2.3