HTTP: improve extraction of metadata and of flow risks (#1959)

example/ndpiReader.c

@@ -1638,15 +1638,20 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
       if(risk != NDPI_NO_RISK)
 	NDPI_SET_BIT(flow->risk, risk);
 
-      fprintf(out, "[URL: %s][StatusCode: %u]",
-	      flow->http.url, flow->http.response_status_code);
+      fprintf(out, "[URL: %s]", flow->http.url);
+    }
 
-      if(flow->http.request_content_type[0] != '\0')
-	fprintf(out, "[Req Content-Type: %s]", flow->http.request_content_type);
+    if(flow->http.response_status_code)
+      fprintf(out, "[StatusCode: %u]", flow->http.response_status_code);
 
-      if(flow->http.content_type[0] != '\0')
-	fprintf(out, "[Content-Type: %s]", flow->http.content_type);
-    }
+    if(flow->http.request_content_type[0] != '\0')
+      fprintf(out, "[Req Content-Type: %s]", flow->http.request_content_type);
+
+    if(flow->http.content_type[0] != '\0')
+      fprintf(out, "[Content-Type: %s]", flow->http.content_type);
+
+    if(flow->http.nat_ip[0] != '\0')
+      fprintf(out, "[Nat-IP: %s]", flow->http.nat_ip);
 
     if(flow->http.server[0] != '\0')
       fprintf(out, "[Server: %s]", flow->http.server);

example/reader_util.c

@@ -1243,11 +1243,12 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
 	  || is_ndpi_proto(flow, NDPI_PROTOCOL_HTTP_CONNECT)) {
     if(flow->ndpi_flow->http.url != NULL) {
       ndpi_snprintf(flow->http.url, sizeof(flow->http.url), "%s", flow->ndpi_flow->http.url);
-      flow->http.response_status_code = flow->ndpi_flow->http.response_status_code;
-      ndpi_snprintf(flow->http.content_type, sizeof(flow->http.content_type), "%s", flow->ndpi_flow->http.content_type ? flow->ndpi_flow->http.content_type : "");
-      ndpi_snprintf(flow->http.server, sizeof(flow->http.server), "%s", flow->ndpi_flow->http.server ? flow->ndpi_flow->http.server : "");
-      ndpi_snprintf(flow->http.request_content_type, sizeof(flow->http.request_content_type), "%s", flow->ndpi_flow->http.request_content_type ? flow->ndpi_flow->http.request_content_type : "");
     }
+    flow->http.response_status_code = flow->ndpi_flow->http.response_status_code;
+    ndpi_snprintf(flow->http.content_type, sizeof(flow->http.content_type), "%s", flow->ndpi_flow->http.content_type ? flow->ndpi_flow->http.content_type : "");
+    ndpi_snprintf(flow->http.server, sizeof(flow->http.server), "%s", flow->ndpi_flow->http.server ? flow->ndpi_flow->http.server : "");
+    ndpi_snprintf(flow->http.request_content_type, sizeof(flow->http.request_content_type), "%s", flow->ndpi_flow->http.request_content_type ? flow->ndpi_flow->http.request_content_type : "");
+    ndpi_snprintf(flow->http.nat_ip, sizeof(flow->http.nat_ip), "%s", flow->ndpi_flow->http.nat_ip ? flow->ndpi_flow->http.nat_ip : "");
   }
   /* RTP */
   else if(is_ndpi_proto(flow, NDPI_PROTOCOL_RTP)) {

example/reader_util.h

@@ -281,7 +281,7 @@ typedef struct ndpi_flow_info {
   } rtp;
 
   struct {
-    char url[256], request_content_type[64], content_type[64], user_agent[256], server[128];
+    char url[256], request_content_type[64], content_type[64], user_agent[256], server[128], nat_ip[32];
     u_int response_status_code;
   } http;
 

src/include/ndpi_typedefs.h

@@ -742,7 +742,6 @@ struct ndpi_flow_tcp_struct {
 
   /* NDPI_PROTOCOL_HTTP */
   u_int32_t http_stage:2;
-  u_int32_t http_empty_line_seen:1;
 
   /* NDPI_PROTOCOL_GNUTELLA */
   u_int32_t gnutella_stage:2;		       // 0 - 2