author | Toni Uhlig <matzeton@googlemail.com> | 2022-02-04 00:32:04 +0100 |
committer | Toni Uhlig <matzeton@googlemail.com> | 2022-02-04 01:12:18 +0100 |
commit | 6fd6dff14d964aa8e5cf7ff3ec5a70c220ea61b4 (patch) | |
tree | 48a59cdf9cd204577fa7706d455de9c239e13dc6 /examples/py-flow-dashboard | |
parent | f9e4c5885423c6f5b3d8b46c1c872b9e9330b054 (diff) |
Added additional (minimalistic) detection information to flow updates.
This will only affect flows with the state `FT_FINISHED' (detection done).
* nDPIsrvd.py: force use of JSON schema Draft 7 validator
* flow-dash.py: gather/use total processed layer4 payload size
* flow-info.py: added additional event filter
* flow-info.py: prettified the printing of flow events whose detection is in progress
* py-semantic-validation.py: added validation checks for FT_FINISHED
* updated flow event JSON schema
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'examples/py-flow-dashboard')
-rwxr-xr-x | examples/py-flow-dashboard/flow-dash.py | 40 | ||||
-rw-r--r-- | examples/py-flow-dashboard/plotly_dash.py | 22 |
2 files changed, 46 insertions, 16 deletions
diff --git a/examples/py-flow-dashboard/flow-dash.py b/examples/py-flow-dashboard/flow-dash.py
index e3ac0776d..2e3ea3dcf 100755
--- a/examples/py-flow-dashboard/flow-dash.py
+++ b/examples/py-flow-dashboard/flow-dash.py
@@ -24,6 +24,11 @@ def nDPIsrvd_worker_onFlowCleanup(instance, current_flow, global_user_data):
 shared_flow_dict['current-flows'] -= 1
+ if flow_id not in shared_flow_dict:
+ return True
+
+ shared_flow_dict['total-l4-bytes'] += shared_flow_dict[flow_id]['total-l4-bytes']
+
 if shared_flow_dict[flow_id]['is_detected'] is True:
 shared_flow_dict['current-detected-flows'] -= 1
@@ -47,7 +52,7 @@ def nDPIsrvd_worker_onJsonLineRecvd(json_dict, instance, current_flow, global_us
 nsock, shared_flow_dict = global_user_data
 shared_flow_dict['total-events'] += 1
- shared_flow_dict['total-bytes'] = nsock.received_bytes
+ shared_flow_dict['total-json-bytes'] = nsock.received_bytes
 if 'basic_event_name' in json_dict:
 shared_flow_dict['total-base-events'] += 1
@@ -74,10 +79,14 @@ def nDPIsrvd_worker_onJsonLineRecvd(json_dict, instance, current_flow, global_us
 shared_flow_dict[flow_id]['is_not_detected'] = False
 shared_flow_dict[flow_id]['is_midstream'] = False
 shared_flow_dict[flow_id]['is_risky'] = False
+ shared_flow_dict[flow_id]['total-l4-bytes'] = 0
 shared_flow_dict['total-flows'] += 1
 shared_flow_dict['current-flows'] += 1
+ if 'flow_tot_l4_payload_len' in json_dict:
+ shared_flow_dict[flow_id]['total-l4-bytes'] = json_dict['flow_tot_l4_payload_len']
+
 if 'midstream' in json_dict and json_dict['midstream'] != 0:
 if shared_flow_dict[flow_id]['is_midstream'] is False:
 shared_flow_dict['total-midstream-flows'] += 1
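Review bot: The added `if flow_id not in shared_flow_dict: return True` is placed after `shared_flow_dict['current-flows'] -= 1`, so a cleanup for a flow this worker never registered still decrements the live-flow counter and `current-flows` drifts low over time. Moving the guard above the decrement makes an unknown flow a true no-op, which is what the early return suggests was intended. The function body, including where `flow_id` is bound, starts outside the hunk.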
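Review bot: `shared_flow_dict[flow_id]['total-l4-bytes'] = json_dict['flow_tot_l4_payload_len']` takes the value straight from the received JSON with no type check, and the cleanup callback later does `+=` with it, so a string or null in that field would surface as a TypeError inside the worker rather than as a rejected event. If the JSON-schema validation this commit tightens is what guarantees an integer here, a one-line comment naming that dependency would be enough; otherwise test the type locally, e.g. `if isinstance(json_dict.get('flow_tot_l4_payload_len'), int):` in place of the `in` check.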
@@ -93,6 +102,13 @@ def nDPIsrvd_worker_onJsonLineRecvd(json_dict, instance, current_flow, global_us
 if 'flow_event_name' not in json_dict:
 return True
+ if json_dict['flow_state'] == 'finished' and \
+ json_dict['ndpi']['proto'] != 'Unknown' and \
+ shared_flow_dict[flow_id]['is_detected'] is False:
+ shared_flow_dict['total-detected-flows'] += 1
+ shared_flow_dict['current-detected-flows'] += 1
+ shared_flow_dict[flow_id]['is_detected'] = True
+
 if json_dict['flow_event_name'] == 'new':
 shared_flow_dict['total-flow-new-events'] += 1
@@ -155,11 +171,20 @@ def nDPIsrvd_worker(address, shared_flow_dict):
 .format(address[0]+':'+str(address[1]) if type(address) is tuple else address))
- nsock = nDPIsrvdSocket()
- nsock.connect(address)
- nsock.loop(nDPIsrvd_worker_onJsonLineRecvd,
- nDPIsrvd_worker_onFlowCleanup,
- (nsock, shared_flow_dict))
+ try:
+ while True:
+ try:
+ nsock = nDPIsrvdSocket()
+ nsock.connect(address)
+ nsock.loop(nDPIsrvd_worker_onJsonLineRecvd,
+ nDPIsrvd_worker_onFlowCleanup,
+ (nsock, shared_flow_dict))
+ except nDPIsrvd.SocketConnectionBroken:
+ sys.stderr.write('Lost connection to {} .. reconnecting\n'
+ .format(address[0]+':'+str(address[1])
+ if type(address) is tuple else address))
+ except KeyboardInterrupt:
+ pass
 if __name__ == '__main__':
@@ -185,7 +210,8 @@ if __name__ == '__main__':
 shared_flow_dict['total-base-events'] = 0
 shared_flow_dict['total-daemon-events'] = 0
- shared_flow_dict['total-bytes'] = 0
+ shared_flow_dict['total-json-bytes'] = 0
+ shared_flow_dict['total-l4-bytes'] = 0
 shared_flow_dict['total-flows'] = 0
 shared_flow_dict['total-detected-flows'] = 0
 shared_flow_dict['total-risky-flows'] = 0
diff --git a/examples/py-flow-dashboard/plotly_dash.py b/examples/py-flow-dashboard/plotly_dash.py
index 4822307c0..c3ce95e12 100644
--- a/examples/py-flow-dashboard/plotly_dash.py
+++ b/examples/py-flow-dashboard/plotly_dash.py
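Review bot: The new condition reads `json_dict['flow_state']` unguarded, while the surrounding code only touches optional keys after an `in` test (`'flow_tot_l4_payload_len' in json_dict`, `'midstream' in json_dict`), so a flow event without `flow_state` raises KeyError and takes the worker down. `json_dict['ndpi']['proto']` is only evaluated when the state is 'finished', which the commit message says is when detection data is present, but that is a contract of the producer rather than of this code. I'd write the test as `json_dict.get('flow_state') == 'finished' and json_dict.get('ndpi', {}).get('proto', 'Unknown') != 'Unknown'` and wrap the three-line condition in parentheses rather than backslash continuations.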
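Review bot: The reconnect loop retries immediately after `except nDPIsrvd.SocketConnectionBroken:` with no delay, so a daemon that accepts and then drops connections turns the worker into a busy loop that floods stderr with 'Lost connection' lines. Only that exception is handled: if `nsock.connect(address)` fails because the daemon is down and the error escapes as an OSError, it propagates out of `while True` and ends the worker despite the 'reconnecting' message. A short pause before retrying (e.g. `time.sleep(1)`, importing `time` if this file does not already) and catching the connect failure in the same handler would make the loop behave as advertised. Also worth a comment: flows left in `shared_flow_dict` by the dropped connection are presumably never passed to the cleanup callback, so the `current-*` counters carry stale entries across a reconnect — I cannot confirm that from the hunk.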
@@ -95,7 +95,7 @@ def generate_tab_flow():
 dt.DataTable(
 id='table-info',
 columns=[{'id': c.lower(), 'name': c, 'editable': False}
- for c in ['Key', 'Value']],
+ for c in ['Name', 'Total']],
 )
 ],
 style={'display': 'flex', 'flex-direction': 'row'}),
@@ -212,13 +212,14 @@ def prettifyBytes(bytes_received):
 inputs=[Input('tab-flow-default-interval', 'n_intervals')])
 def tab_flow_update_components(n):
- return [[{'key': 'Total JSON Events', 'value': shared_flow_dict['total-events']},
- {'key': 'Total JSON Bytes', 'value': prettifyBytes(shared_flow_dict['total-bytes'])},
- {'key': 'Total Flows', 'value': shared_flow_dict['total-flows']},
- {'key': 'Total Risky Flows', 'value': shared_flow_dict['total-risky-flows']},
- {'key': 'Total Midstream Flows', 'value': shared_flow_dict['total-midstream-flows']},
- {'key': 'Total Guessed Flows', 'value': shared_flow_dict['total-guessed-flows']},
- {'key': 'Total Not Detected Flows', 'value': shared_flow_dict['total-not-detected-flows']}],
+ return [[{'name': 'JSON Events', 'total': shared_flow_dict['total-events']},
+ {'name': 'JSON Bytes', 'total': prettifyBytes(shared_flow_dict['total-json-bytes'])},
+ {'name': 'Layer4 Bytes', 'total': prettifyBytes(shared_flow_dict['total-l4-bytes'])},
+ {'name': 'Flows', 'total': shared_flow_dict['total-flows']},
+ {'name': 'Risky Flows', 'total': shared_flow_dict['total-risky-flows']},
+ {'name': 'Midstream Flows', 'total': shared_flow_dict['total-midstream-flows']},
+ {'name': 'Guessed Flows', 'total': shared_flow_dict['total-guessed-flows']},
+ {'name': 'Not Detected Flows', 'total': shared_flow_dict['total-not-detected-flows']}],
 build_piechart(['Detected', 'Guessed', 'Not-Detected', 'Unclassified'],
 [shared_flow_dict['current-detected-flows'],
 shared_flow_dict['current-guessed-flows'],
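Review bot: The new 'Layer4 Bytes' row shows `shared_flow_dict['total-l4-bytes']`, which in flow-dash.py is only increased in the flow-cleanup callback, so this total covers finished flows only and lags the 'JSON Bytes' row, which is refreshed on every event. If that is intended, a short comment on this line (or a label such as 'Layer4 Bytes (ended flows)') would keep readers from comparing the two figures as like for like.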
@@ -355,4 +356,7 @@ def web_worker(mp_shared_flow_dict, listen_host, listen_port):
 shared_flow_dict = mp_shared_flow_dict
- app.run_server(debug=False, host=listen_host, port=listen_port)
+ try:
+ app.run_server(debug=False, host=listen_host, port=listen_port)
+ except KeyboardInterrupt:
+ pass |