From b0f3852fed9273f530753573ca1bde9d714ae988 Mon Sep 17 00:00:00 2001
From: berat
Date: Mon, 25 Sep 2017 11:06:47 +0200
Subject: improved (-x flag) bpf filter condition

---
 example/ndpiReader.c | 88 +++++++++++++++++++++++++++++++++++++++++++---------
 example/ndpi_util.h | 1 +
 2 files changed, 74 insertions(+), 15 deletions(-)
(limited to 'example')

diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 4b2caba0a..f1cb40c75 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -2375,12 +2375,6 @@ void bpf_filter_pkt_peak_filter(json_object **jObj_bpfFilter, int port_array[],
 json_object_object_add(*jObj_bpfFilter, "pkt.peak.filter", json_object_new_string(filter));
 else
 json_object_object_add(*jObj_bpfFilter, "pkt.peak.filter", json_object_new_string(""));
-
- /*if(produced)
- fprintf(fp,"%s\n",filter);
- else
- fprintf(fp,"");*/
-
 }
 #endif
@@ -2490,6 +2484,62 @@ void bpf_filter_port_array_add(int filter_array[], int size, int port) {
 }
+/* *********************************************** */
+float getAverage(struct json_object *jObj_stat, char *field){
+ json_object *field_stat;
+ json_bool res;
+ float average;
+ float sum = 0;
+ int r;
+ int j;
+
+ if((r = strcmp(field, "top.scanner.stats")) == 0){
+ for(j=0; j 1000) {
+ if(((tot_flows_number/duration) > FLOWS_THRESHOLD) && tot_flows_number > threshold) {
 if((res = json_object_object_get_ex(scanner_stat, "ip.address", &jObj_host_address)) == 0) {
 fprintf(stderr, "ERROR: can't get \"ip.address\", use -x flag only with .json files generated by ndpiReader -b flag.\n");
 exit(-1);
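Review bot: `getAverage` is introduced with external linkage and a non-const `char *field` that the visible body only hands to `strcmp`, while the neighbouring helper `produceBpfFilter` in this file is `static`; declaring it `static float getAverage(struct json_object *jObj_stat, const char *field)` keeps the symbol file-local and lets callers pass string literals without discarding const. `float average;` is declared without an initializer and, from what survives of the hunk, appears to be assigned only inside the `strcmp(field, "top.scanner.stats") == 0` branch, so a field name that matches no branch may return an indeterminate value — the middle of this hunk is garbled on the page, so confirm against the file. Further down, the rewritten condition `(tot_flows_number/duration) > FLOWS_THRESHOLD` still divides by `duration` with no zero check; if a caller can pass a zero duration that is undefined behaviour, and if both operands are integers the comparison is made against a truncated quotient. The function containing that condition starts outside the visible part of the hunk.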
@@ -2647,16 +2699,18 @@ void getHostBasedSourcePortsToFilter(struct json_object *jObj_stat, int duration
 #ifdef HAVE_JSON_C
 static void produceBpfFilter(char *filePath) {
- int fsock;
- struct stat statbuf;
- void *fmap;
- int filterSrcPorts[PORT_ARRAY_SIZE]; /* ports to filter */
- const char *filterSrcHosts[48]; /* hosts to filter */
- const char *filterDstHosts[48]; /* hosts to filter */
 json_object *jObj; /* entire json object from file */
 json_object *jObj_duration;
 json_object *jObj_statistics; /* json array */
 json_bool res;
+ int filterSrcPorts[PORT_ARRAY_SIZE];
+ const char *filterSrcHosts[48];
+ const char *filterDstHosts[48];
+ struct stat statbuf;
+ void *fmap;
+ int fsock;
+ float average;
+ float deviation;
 int duration;
 int typeCheck;
 int array_len;
@@ -2716,7 +2770,11 @@ static void produceBpfFilter(char *filePath) {
 fprintf(stderr,"ERROR: can't get \"top.scanner.stats\", use -x flag only with .json files generated by ndpiReader -b flag.\n");
 exit(-1);
 }
- getScannerHostsToFilter(val, duration, filterSrcHosts, HOST_ARRAY_SIZE);
+
+ if((average = getAverage(val, "top.scanner.stats")) != 0){
+ deviation = getStdDeviation(val, average, "top.scanner.stats");
+ getScannerHostsToFilter(val, duration, filterSrcHosts, HOST_ARRAY_SIZE, average+deviation);
+ }
 if((res = json_object_object_get_ex(stats, "top.src.pkts.stats", &val)) == 0) {
diff --git a/example/ndpi_util.h b/example/ndpi_util.h
index fd4c4b84d..eb54ac9fb 100644
--- a/example/ndpi_util.h
+++ b/example/ndpi_util.h
@@ -48,6 +48,7 @@
 #define HOST_ARRAY_SIZE 20
 #define FLOWS_PACKETS_THRESHOLD 0.9
 #define FLOWS_PERCENT_THRESHOLD 1.0
+#define FLOWS_THRESHOLD 1000
 #define INIT_VAL -1
 // flow tracking
-- cgit v1.2.3
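Review bot: `getScannerHostsToFilter` is now skipped whenever `getAverage(val, "top.scanner.stats")` returns exactly `0`, but `filterSrcHosts` is declared in the hunk above without an initializer and nothing visible populates it on that path, so any later reader of the array (outside this hunk) would see indeterminate pointers unless it is initialized elsewhere in `produceBpfFilter`; initializing it at its declaration, `const char *filterSrcHosts[48] = {0};`, or documenting that the consumer tolerates an unpopulated array, would close that. Comparing a `float` against `0` with `!=` also makes an average that is genuinely zero indistinguishable from "no scanner statistics", so a separate success indication from `getAverage` would be clearer than the in-band sentinel. `average+deviation` is passed as a new trailing argument to `getScannerHostsToFilter`; its parameter type is not visible here, and if it is an integer the sum is silently truncated. The rest of `produceBpfFilter`, including where `filterSrcHosts` is consumed, lies outside the hunk.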
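Review bot: `FLOWS_THRESHOLD 1000` is added beside `FLOWS_PACKETS_THRESHOLD` and `FLOWS_PERCENT_THRESHOLD` without saying what quantity it bounds, and its name does not distinguish it from those two. In ndpiReader.c it is compared against `tot_flows_number/duration`, so a comment naming that unit would help readers of the header, e.g. `#define FLOWS_THRESHOLD 1000 /* minimum tot_flows_number/duration for a host to be treated as a scanner */` — the scanner interpretation is inferred from the caller's name (`getScannerHostsToFilter`), so adjust the wording if that is not its only consumer.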