From 9ce4d40d1490fb0f89d9d5eb6d249529cbd60513 Mon Sep 17 00:00:00 2001
From: Nardi Ivan
Date: Wed, 14 Sep 2022 10:44:16 +0200
Subject: Remove a case of guessed sub-classification

This code is triggered only for "unknown" flows with a valid sni/hostname. Why in that case the guessed classification should be something like `DNS/Subprotocol_depending_on_hostname`? Why DNS as master and not HTTP or TLS or QUIC? Furthermore, I have not been able to trigger a positive match from that lookup. I strongly think that if we had a valid subprotocol, we would have a valid master in the first place. In doubt, remove it completely. As a follow up, we should investigate why some dissectors (the HTTP one, at least) set the sni/hostname field without setting a valid protocol, in the first place. This behaviour seems quite suspicious, if not plainly buggy.
---
 src/lib/ndpi_main.c | 11 -----------
 1 file changed, 11 deletions(-)
(limited to 'src')
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index c44391c85..7a01827ab 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -5788,17 +5788,6 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
 confidence = NDPI_CONFIDENCE_DPI_PARTIAL;
 }
- if(flow->host_server_name[0] != '\0') {
- ndpi_protocol_match_result ret_match;
-
- ndpi_match_host_subprotocol(ndpi_str, flow, (char *) flow->host_server_name,
- strlen((const char *) flow->host_server_name), &ret_match,
- NDPI_PROTOCOL_DNS);
-
- if(ret_match.protocol_id != NDPI_PROTOCOL_UNKNOWN)
- guessed_host_protocol_id = ret_match.protocol_id;
- }
-
 *protocol_was_guessed = 1;
 ndpi_set_detected_protocol(ndpi_str, flow, guessed_host_protocol_id, guessed_protocol_id, confidence);
 }
-- 
cgit v1.2.3