From c0732eda45884de91e0c221e9dd23eeec364bf68 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Fri, 5 Aug 2022 14:14:38 +0200
Subject: HTTP: improve sub-classification (#1696)

Content-matched sub-protocols (DASH, IPP, MPEGDASH...) shouldn't ovewrite the previous master protocol (if any; usually HTTP). Furthermore. the HTTP dissector shouldn't update the classification (in the extra-dissection code path) if a content-matched sub-protocols has already been found. This commit should address the first part of the changes described in #1687.
---
 src/lib/ndpi_main.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
(limited to 'src/lib/ndpi_main.c')
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 7929b3b88..f8d88374f 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -7063,6 +7063,22 @@ u_int8_t ndpi_detection_get_l4(const u_int8_t *l3, u_int16_t l3_len, const u_int
 /* ********************************************************************************* */
+void ndpi_set_detected_protocol_keeping_master(struct ndpi_detection_module_struct *ndpi_str,
+ struct ndpi_flow_struct *flow,
+ u_int16_t detected_protocol,
+ ndpi_confidence_t confidence) {
+ u_int16_t master;
+
+ master = flow->detected_protocol_stack[1] ? flow->detected_protocol_stack[1] : flow->detected_protocol_stack[0];
+
+ if (master != NDPI_PROTOCOL_UNKNOWN)
+ ndpi_set_detected_protocol(ndpi_str, flow, detected_protocol, master, confidence);
+ else
+ ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_UNKNOWN, detected_protocol, confidence);
+}
+
+/* ********************************************************************************* */
+
 void ndpi_set_detected_protocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, u_int16_t upper_detected_protocol, u_int16_t lower_detected_protocol, ndpi_confidence_t confidence) {
--
cgit v1.2.3
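Review bot: The fallback in `master = flow->detected_protocol_stack[1] ? flow->detected_protocol_stack[1] : flow->detected_protocol_stack[0];` treats whatever sits in slot 0 as the master, so if slot 0 already holds `detected_protocol` the helper passes the same ID as both upper and lower, and if it holds an earlier content-matched sub-protocol, that one is recorded as the master. The first case can be excluded with `if (master != NDPI_PROTOCOL_UNKNOWN && master != detected_protocol)`, unless `ndpi_set_detected_protocol` already collapses equal IDs; its body is outside this hunk, so that needs confirming, and the second case looks like something the callers have to guarantee. Because the resulting master/app pair is derived from traffic content and presumably feeds policy and detection decisions downstream, the assumption is worth stating in a comment such as `/* stack[1] is the master when set; otherwise stack[0] is the only protocol known so far */`. The ternary also relies on `NDPI_PROTOCOL_UNKNOWN` being 0 while the next line compares against it by name; `flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN ? ...` would be consistent.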