/*
 * ndpi_util.h
 *
 * Copyright (C) 2011-15 - ntop.org
 * Copyright (C) 2009-11 - ipoque GmbH
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

/**
 * This module contains routines to help setup a simple nDPI program.
 * 
 * If you are concerned about performance or have to integrate nDPI into your
 * application, you may need to reimplement them yourself.
 * 
 * WARNING: this API is unstable! Use it at your own risk!
 */
 
#ifndef __NDPI_UTIL_H__
#define __NDPI_UTIL_H__

#include <pcap.h>

/**
 * Flow tracking: one record per tracked flow.
 *
 * The fixed-size character arrays below have no accompanying length fields,
 * so any code that fills them must bound the copy to sizeof(field) and
 * NUL-terminate explicitly.
 * NOTE(review): several of these strings are presumably derived from packet
 * contents (host name, certificate names, BitTorrent hash); if so, treat them
 * as untrusted when printing or logging them - confirm against the writers.
 */
typedef struct ndpi_flow_info {
  /* NOTE(review): "lower"/"upper" presumably name the two endpoints in a
     canonical order so both directions map to one record - confirm. */
  u_int32_t lower_ip;
  u_int32_t upper_ip;
  u_int16_t lower_port;
  u_int16_t upper_port;
  u_int8_t detection_completed, protocol;
  u_int16_t vlan_id;
  /* Per-flow nDPI state; ownership and lifetime are not visible in this header. */
  struct ndpi_flow_struct *ndpi_flow;
  /* 48-byte buffers for the two endpoint names. */
  char lower_name[48], upper_name[48];
  /* NOTE(review): the IP fields above are 32 bits wide, so how a non-IPv4
     flow is keyed cannot be told from this header - confirm. */
  u_int8_t ip_version;
  u_int64_t last_seen;   /* units are not defined in this header */
  u_int64_t bytes;
  u_int32_t packets;     /* 32-bit counter: wraps modulo 2^32 */

  // result only, not used for flow identification
  ndpi_protocol detected_protocol;

  /* At most 191 characters plus the terminating NUL. */
  char host_server_name[192];
  /* 41 bytes: room for 40 characters plus NUL.
     NOTE(review): presumably a hex-encoded 20-byte hash - confirm. */
  char bittorent_hash[41];

  struct {
    /* 48 bytes each; longer names cannot be stored in full. */
    char client_certificate[48], server_certificate[48];
  } ssl;

  /* Opaque pointers; what they reference and who frees them is not visible here. */
  void *src_id, *dst_id;
} ndpi_flow_info_t;

/**
 * Aggregate counters kept by a workflow.
 *
 * The three per-protocol arrays each hold
 * NDPI_MAX_SUPPORTED_PROTOCOLS + NDPI_MAX_NUM_CUSTOM_PROTOCOLS + 1 entries.
 * Any index used on them must be checked against that bound first.
 * NOTE(review): the index is presumably a detected protocol id - confirm that
 * every updater range-checks it.
 */
typedef struct ndpi_stats {
  u_int32_t guessed_flow_protocols;
  u_int64_t raw_packet_count;
  u_int64_t ip_packet_count;
  u_int64_t total_wire_bytes, total_ip_bytes, total_discarded_bytes;
  u_int64_t protocol_counter[NDPI_MAX_SUPPORTED_PROTOCOLS + NDPI_MAX_NUM_CUSTOM_PROTOCOLS + 1];
  u_int64_t protocol_counter_bytes[NDPI_MAX_SUPPORTED_PROTOCOLS + NDPI_MAX_NUM_CUSTOM_PROTOCOLS + 1];
  /* 32-bit per-protocol flow counter, unlike the 64-bit packet/byte counters above. */
  u_int32_t protocol_flows[NDPI_MAX_SUPPORTED_PROTOCOLS + NDPI_MAX_NUM_CUSTOM_PROTOCOLS + 1];
  u_int32_t ndpi_flow_count;
  u_int64_t tcp_count, udp_count;
  u_int64_t mpls_count, pppoe_count, vlan_count, fragmented_count;
  /* Six buckets; the bucket boundaries are not defined in this header, so the
     code that picks the bucket must keep the index within 0..5. */
  u_int64_t packet_len[6];
  /* 16-bit field: values above 65535 cannot be represented. */
  u_int16_t max_packet_len;
} ndpi_stats_t;

/**
 * Settings handed to ndpi_workflow_init().
 *
 * NOTE(review): num_roots and max_ndpi_flows presumably size the tables that
 * struct ndpi_workflow marks as "allocated by prefs", and max_ndpi_flows
 * presumably caps how many flows are tracked, which bounds memory use on
 * hostile or very busy traffic - confirm in the implementation.
 */
typedef struct ndpi_workflow_prefs {
  u_int8_t decode_tunnels;   /* presumably a boolean flag - confirm */
  u_int8_t quiet_mode;       /* presumably a boolean flag - confirm */
  u_int32_t num_roots;
  u_int32_t max_ndpi_flows;
  u_int32_t detection_tick_resolution;   /* units are not defined in this header */
} ndpi_workflow_prefs_t;

/**
 * State of one nDPI processing workflow: timing, a copy of the preferences,
 * the statistics, the capture handle and the flow tables.
 */
typedef struct ndpi_workflow {
  u_int64_t last_time;
  u_int64_t last_idle_scan_time;
  u_int32_t idle_scan_idx;
  u_int32_t num_idle_flows;   /* TODO_EMA decide if idle flows will be handled */
  
  /* Embedded by value, not by pointer. */
  struct ndpi_workflow_prefs prefs;
  struct ndpi_stats stats;
  
  /* outside references */
  /* NOTE(review): presumably borrowed from the caller rather than owned by the
     workflow - confirm whether ndpi_workflow_free() closes it. */
  pcap_t *pcap_handle;

  /* allocated by prefs */
  /* NOTE(review): the element counts of the two tables below are not stored
     next to them; presumably they come from prefs - confirm before indexing. */
  struct ndpi_flow_info **idle_flows;
  void **ndpi_flows_root;
  struct ndpi_detection_module_struct *ndpi_struct;
} ndpi_workflow_t;

/* TODO: remove wrappers parameters and use ndpi global, when their initialization will be fixed... */
/**
 * Create a workflow from the given preferences.
 *
 * @param prefs          Preferences to use; read-only for this call.
 * @param pcap_handle    Capture handle associated with the workflow.
 * @param malloc_wrapper Allocation function supplied by the caller.
 * @param free_wrapper   Matching deallocation function supplied by the caller.
 * @return Pointer to the new workflow.
 *
 * NOTE(review): the failure behaviour is not visible in this header; callers
 * should check the result for NULL before use - confirm in the implementation.
 */
struct ndpi_workflow * ndpi_workflow_init(const struct ndpi_workflow_prefs * prefs,
        pcap_t * pcap_handle,
        void * (*malloc_wrapper)(size_t),
        void (*free_wrapper)(void*));
        
/**
 * Release a workflow obtained from ndpi_workflow_init().
 *
 * NOTE(review): whether a NULL @workflow is accepted, and whether the pcap
 * handle is closed, is not visible in this header - confirm. The pointer must
 * not be used after this call.
 */
void ndpi_workflow_free(struct ndpi_workflow * workflow);

/**
 * Process a @packet and update the @workflow.
 *
 * @param workflow Workflow to update.
 * @param header   libpcap per-packet header for @packet.
 * @param packet   Captured bytes; contents come from the network and are untrusted.
 *
 * In libpcap, header->caplen is the number of bytes actually present in
 * @packet and may be smaller than header->len (the length on the wire).
 * NOTE(review): the implementation is not visible here - confirm that every
 * header and payload parse is bounded by caplen, not by len or by length
 * fields read from the packet itself.
 */
void ndpi_workflow_process_packet (struct ndpi_workflow * workflow,
				 const struct pcap_pkthdr *header,
				 const u_char *packet);

#endif