From e6b332aa4a1399e33df68998cf8351bccaee3fc4 Mon Sep 17 00:00:00 2001 From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> Date: Sun, 24 Jul 2022 17:46:24 +0200 Subject: [PATCH] Add support for flow client/server information (#1671) In a lot of places in ndPI we use *packet* source/dest info (address/port/direction) when we are interested in *flow* client/server info, instead. Add basic logic to autodetect this kind of information. nDPI doesn't perform any "flow management" itself but this task is delegated to the external application. It is then likely that the application might provide more reliable hints about flow client/server direction and about the TCP handshake presence: in that case, these information might be (optionally) passed to the library, disabling the internal "autodetect" logic. These new fields have been used in some LRU caches and in the "guessing" algorithm. It is quite likely that some other code needs to be updated. --- example/ndpiSimpleIntegration.c | 2 +- example/reader_util.c | 8 +- fuzz/fuzz_process_packet.c | 2 +- python/ndpi/ndpi.py | 5 +- python/ndpi/ndpi_build.py | 3 +- python/ndpi_example.py | 6 +- python/tests.py | 4 +- src/include/ndpi_api.h.in | 8 +- src/include/ndpi_main.h | 4 + src/include/ndpi_typedefs.h | 43 +++- src/lib/ndpi_main.c | 252 ++++++++++++------- src/lib/ndpi_utils.c | 4 +- src/lib/protocols/bittorrent.c | 26 +- src/lib/protocols/ftp_data.c | 2 +- src/lib/protocols/icecast.c | 6 +- src/lib/protocols/lotus_notes.c | 7 +- tests/result/1kxun.pcap.out | 2 +- tests/result/KakaoTalk_chat.pcap.out | 2 +- tests/result/KakaoTalk_talk.pcap.out | 2 +- tests/result/Oscar.pcap.out | 2 +- tests/result/amqp.pcap.out | 2 +- tests/result/anyconnect-vpn.pcap.out | 2 +- tests/result/cloudflare-warp.pcap.out | 2 +- tests/result/dnp3.pcap.out | 2 +- tests/result/emotet.pcap.out | 2 +- tests/result/ftp_failed.pcap.out | 2 +- tests/result/fuzz-2006-06-26-2594.pcap.out | 2 +- tests/result/fuzz-2006-09-29-28586.pcap.out | 2 +- tests/result/google_ssl.pcap.out | 2 +- tests/result/imap-starttls.pcap.out | 2 +- tests/result/instagram.pcap.out | 2 +- tests/result/irc.pcap.out | 2 +- tests/result/mongo_false_positive.pcapng.out | 2 +- tests/result/oracle12.pcapng.out | 2 +- tests/result/skype.pcap.out | 2 +- tests/result/skype_no_unknown.pcap.out | 2 +- tests/result/socks-http-example.pcap.out | 2 +- tests/result/tinc.pcap.out | 2 +- tests/result/tls_false_positives.pcapng.out | 2 +- tests/result/waze.pcap.out | 2 +- tests/result/z3950.pcapng.out | 2 +- 41 files changed, 267 insertions(+), 165 deletions(-) diff --git a/example/ndpiSimpleIntegration.c b/example/ndpiSimpleIntegration.c index c02277538fa..67bc558070f 100644 --- a/example/ndpiSimpleIntegration.c +++ b/example/ndpiSimpleIntegration.c @@ -884,7 +884,7 @@ static void ndpi_process_packet(uint8_t * const args, flow_to_process->detected_l7_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, flow_to_process->ndpi_flow, ip != NULL ? (uint8_t *)ip : (uint8_t *)ip6, - ip_size, time_ms); + ip_size, time_ms, NULL); if (ndpi_is_protocol_detected(workflow->ndpi_struct, flow_to_process->detected_l7_protocol) != 0 && diff --git a/example/reader_util.c b/example/reader_util.c index 94564bfedaa..2344937ad09 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -1543,6 +1543,8 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, } if(!flow->detection_completed) { + struct ndpi_flow_input_info input_info; + u_int enough_packets = (((proto == IPPROTO_UDP) && ((flow->src2dst_packets + flow->dst2src_packets) > max_num_udp_dissected_pkts)) || ((proto == IPPROTO_TCP) && ((flow->src2dst_packets + flow->dst2src_packets) > max_num_tcp_dissected_pkts))) ? 1 : 0; @@ -1558,9 +1560,13 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, else workflow->stats.dpi_packet_count[2]++; + memset(&input_info, '\0', sizeof(input_info)); /* To be sure to set to "unknown" any fields */ + /* Set here any information (easily) available; in this trivial example we don't have any */ + input_info.in_pkt_dir = NDPI_IN_PKT_DIR_UNKNOWN; + input_info.seen_flow_beginning = NDPI_FLOW_BEGINNING_UNKNOWN; flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow, iph ? (uint8_t *)iph : (uint8_t *)iph6, - ipsize, time_ms); + ipsize, time_ms, &input_info); enough_packets |= ndpi_flow->fail_with_unknown; if(enough_packets || (flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN)) { diff --git a/fuzz/fuzz_process_packet.c b/fuzz/fuzz_process_packet.c index e4f4bcf785f..eb5a0a2810f 100644 --- a/fuzz/fuzz_process_packet.c +++ b/fuzz/fuzz_process_packet.c @@ -26,7 +26,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { struct ndpi_flow_struct *ndpi_flow = ndpi_flow_malloc(SIZEOF_FLOW_STRUCT); memset(ndpi_flow, 0, SIZEOF_FLOW_STRUCT); ndpi_protocol detected_protocol = - ndpi_detection_process_packet(ndpi_info_mod, ndpi_flow, Data, Size, 0); + ndpi_detection_process_packet(ndpi_info_mod, ndpi_flow, Data, Size, 0, NULL); ndpi_protocol guessed_protocol = ndpi_detection_giveup(ndpi_info_mod, ndpi_flow, 1, &protocol_was_guessed); diff --git a/python/ndpi/ndpi.py b/python/ndpi/ndpi.py index 4a7cf5f5683..2d73470adaa 100644 --- a/python/ndpi/ndpi.py +++ b/python/ndpi/ndpi.py @@ -45,12 +45,13 @@ def api_version(self): def revision(self): return ffi.string(lib.ndpi_revision()).decode('utf-8', errors='ignore') - def process_packet(self, flow, packet, packet_time_ms): + def process_packet(self, flow, packet, packet_time_ms, input_info): p = lib.ndpi_detection_process_packet(self._detection_module, flow.C, packet, len(packet), - int(packet_time_ms)) + int(packet_time_ms), + input_info) return ndpi_protocol(C=p, master_protocol=p.master_protocol, app_protocol=p.app_protocol, diff --git a/python/ndpi/ndpi_build.py b/python/ndpi/ndpi_build.py index 8bc41212656..ba1d68a63c8 100644 --- a/python/ndpi/ndpi_build.py +++ b/python/ndpi/ndpi_build.py @@ -56,7 +56,8 @@ struct ndpi_flow_struct *flow, const unsigned char *packet, const unsigned short packetlen, - const u_int64_t packet_time_ms); + const u_int64_t packet_time_ms, + const struct ndpi_flow_input_info *input_info); ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int8_t enable_guess, diff --git a/python/ndpi_example.py b/python/ndpi_example.py index 8606ae84b30..f3f07a879fa 100644 --- a/python/ndpi_example.py +++ b/python/ndpi_example.py @@ -14,7 +14,7 @@ """ from collections import namedtuple -from ndpi import NDPI, NDPIFlow +from ndpi import NDPI, NDPIFlow, ffi import argparse import socket import dpkt @@ -131,7 +131,7 @@ def parse_arguments(): key = ppkt_to_flow_key(ppkt) try: # Try a Flow update flow = flow_cache[key] - flow.detected_protocol = nDPI.process_packet(flow.ndpi_flow, ppkt.ip_bytes, time_ms) + flow.detected_protocol = nDPI.process_packet(flow.ndpi_flow, ppkt.ip_bytes, time_ms, ffi.NULL) flow.pkts += 1 flow.bytes += len(packet) except KeyError: # New Flow @@ -139,7 +139,7 @@ def parse_arguments(): flow.index = flow_count flow_count += 1 flow.ndpi_flow = NDPIFlow() # We create an nDPIFlow object per Flow - flow.detected_protocol = nDPI.process_packet(flow.ndpi_flow, ppkt.ip_bytes, time_ms) + flow.detected_protocol = nDPI.process_packet(flow.ndpi_flow, ppkt.ip_bytes, time_ms, ffi.NULL) flow.pkts += 1 flow.bytes += len(packet) flow_cache[key] = flow diff --git a/python/tests.py b/python/tests.py index ebb4abbb9e9..34e1675ade0 100644 --- a/python/tests.py +++ b/python/tests.py @@ -13,7 +13,7 @@ ------------------------------------------------------------------------------------------------------------------------ """ -from ndpi import NDPI, NDPIFlow +from ndpi import NDPI, NDPIFlow, ffi import time @@ -21,7 +21,7 @@ try: nDPI = NDPI() ndpi_flow = NDPIFlow() - nDPI.process_packet(ndpi_flow, b'', time.time()) + nDPI.process_packet(ndpi_flow, b'', time.time(), ffi.NULL) nDPI.giveup(ndpi_flow) print("nDPI Python bindings: OK") except Exception: diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in index 2db7a4c0e3d..a069d0571a1 100644 --- a/src/include/ndpi_api.h.in +++ b/src/include/ndpi_api.h.in @@ -302,6 +302,7 @@ extern "C" { * @par packet = unsigned char pointer to the Layer 3 (IP header) * @par packetlen = the length of the packet * @par packet_time_ms = the current timestamp for the packet (expressed in msec) + * @par input_info = (optional) flow information provided by the (external) flow manager * @return void * */ @@ -309,7 +310,8 @@ extern "C" { struct ndpi_flow_struct *flow, const unsigned char *packet, const unsigned short packetlen, - const u_int64_t packet_time_ms); + const u_int64_t packet_time_ms, + const struct ndpi_flow_input_info *input_info); /** * Processes one packet and returns the ID of the detected protocol. @@ -320,6 +322,7 @@ extern "C" { * @par packet = unsigned char pointer to the Layer 3 (IP header) * @par packetlen = the length of the packet * @par packet_time_ms = the current timestamp for the packet (expressed in msec) + * @par input_info = (optional) flow information provided by the (external) flow manager * @return the detected ID of the protocol * */ @@ -327,7 +330,8 @@ extern "C" { struct ndpi_flow_struct *flow, const unsigned char *packet, const unsigned short packetlen, - const u_int64_t packet_time_ms); + const u_int64_t packet_time_ms, + const struct ndpi_flow_input_info *input_info); /** * Get the main protocol of the passed flows for the detected module * diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h index 071097d992d..355b9a0867e 100644 --- a/src/include/ndpi_main.h +++ b/src/include/ndpi_main.h @@ -167,6 +167,10 @@ extern "C" { int64_t ndpi_asn1_ber_decode_length(const unsigned char *payload, int payload_len, u_int16_t *value_len); + int ndpi_current_pkt_from_client_to_server(const struct ndpi_packet_struct *packet, const struct ndpi_flow_struct *flow); + int ndpi_current_pkt_from_server_to_client(const struct ndpi_packet_struct *packet, const struct ndpi_flow_struct *flow); + int ndpi_seen_flow_beginning(const struct ndpi_flow_struct *flow); + #ifdef __cplusplus } #endif diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index bcbdab296c3..9928ce321e6 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -528,6 +528,31 @@ struct ndpi_vxlanhdr { } PACK_OFF; /* ************************************************************ */ + +/** + * The application might inform the library about client/server direction + */ +#define NDPI_IN_PKT_DIR_UNKNOWN 0 /**< The application doesn't provide this kind of information */ +#define NDPI_IN_PKT_DIR_C_TO_S 1 /**< Current packet is from client to server */ +#define NDPI_IN_PKT_DIR_S_TO_C 2 /**< Current packet is from server to client */ + +/** + * The application might choose to not pass TCP handshake packets to the library + * (for performance reasons), but it might want to inform the library itlsef that these + * packets have been captured/seen anyway (to avoid losing classifiation capabilities). + */ +#define NDPI_FLOW_BEGINNING_UNKNOWN 0 /**< The application doesn't provide this kind of information */ +#define NDPI_FLOW_BEGINNING_SEEN 1 /**< The application informs the library that the TCP handshake has been seen (even if its packets might not have been passed to the library) */ +#define NDPI_FLOW_BEGINNING_NOT_SEEN 2 /**< The application informs the library that the TCP handshake has not been seen */ + +/** + * Optional information about flow management (per packet) + */ +struct ndpi_flow_input_info { + unsigned char in_pkt_dir; + unsigned char seen_flow_beginning; +}; + /* ******************* ********************* ****************** */ /* ************************************************************ */ @@ -1150,6 +1175,7 @@ struct ndpi_detection_module_struct { /* Current packet */ struct ndpi_packet_struct packet; + const struct ndpi_flow_input_info *input_info; }; #endif /* NDPI_LIB_COMPILATION */ @@ -1182,7 +1208,7 @@ struct ndpi_flow_struct { /* init parameter, internal used to set up timestamp,... */ u_int16_t guessed_protocol_id, guessed_host_protocol_id, guessed_category, guessed_header_category; u_int8_t l4_proto, protocol_id_already_guessed:1, host_already_guessed:1, fail_with_unknown:1, - init_finished:1, setup_packet_direction:1, packet_direction:1, check_extra_packets:1, is_ipv6:1; + init_finished:1, client_packet_direction:1, packet_direction:1, check_extra_packets:1, is_ipv6:1; u_int16_t num_dissector_calls; ndpi_confidence_t confidence; /* ndpi_confidence_t */ @@ -1192,14 +1218,15 @@ struct ndpi_flow_struct { */ u_int32_t next_tcp_seq_nr[2]; - /* Flow addresses (used mainly for LRU lookups in ndpi_detection_giveup()) - and ports. All in *network* byte order - - TODO - - IPv6. Note that LRU is ipv4 only, for the time being + /* Flow addresses (useful for LRU lookups in ndpi_detection_giveup()) + and ports. All in *network* byte order. + Client and server. */ - u_int32_t saddr, daddr; - u_int16_t sport, dport; + union { + u_int32_t v4; + u_int8_t v6[16]; + } c_address, s_address; /* For some unknown reasons, x86_64-w64-mingw32-gcc doesn't like the name "s_addr" */ + u_int16_t c_port, s_port; // ----------------------------------------- diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index afa01d8fd2e..0ef07454efb 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -2156,6 +2156,19 @@ u_int16_t ndpi_network_port_ptree_match(struct ndpi_detection_module_struct *ndp ndpi_prefix_t prefix; ndpi_patricia_node_t *node; + if(ndpi_str->ndpi_num_custom_protocols == 0) { + /* + In case we don't have defined any custom protocol we check the ptree + only in case of public IP addresses as in ndpi_content_match.c.inc + we only have public IP addresses. Instead with custom protocols, users + might have defined private protocols hence we should not skip + the checks below + */ + + if(ndpi_is_public_ipv4(ntohl(pin->s_addr)) == 0) + return(NDPI_PROTOCOL_UNKNOWN); /* Non public IP */ + } + /* Make sure all in network byte order otherwise compares wont work */ ndpi_fill_prefix_v4(&prefix, pin, 32, ((ndpi_patricia_tree_t *) ndpi_str->protocols_ptree)->maxbits); node = ndpi_patricia_search_best(ndpi_str->protocols_ptree, &prefix); @@ -3084,16 +3097,14 @@ static ndpi_default_ports_tree_node_t *ndpi_get_guessed_protocol_id(struct ndpi_ ndpi_default_ports_tree_node_t node; if(sport && dport) { - int low = ndpi_min(sport, dport); - int high = ndpi_max(sport, dport); const void *ret; - node.default_port = low; /* Check server port first */ + node.default_port = dport; /* Check server port first */ ret = ndpi_tfind(&node, (proto == IPPROTO_TCP) ? (void *) &ndpi_str->tcpRoot : (void *) &ndpi_str->udpRoot, ndpi_default_ports_tree_node_t_cmp); if(ret == NULL) { - node.default_port = high; + node.default_port = sport; ret = ndpi_tfind(&node, (proto == IPPROTO_TCP) ? (void *) &ndpi_str->tcpRoot : (void *) &ndpi_str->udpRoot, ndpi_default_ports_tree_node_t_cmp); } @@ -4850,7 +4861,8 @@ static int ndpi_init_packet(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, const u_int64_t current_time_ms, const unsigned char *packet_data, - unsigned short packetlen) { + unsigned short packetlen, + const struct ndpi_flow_input_info *input_info) { struct ndpi_packet_struct *packet = &ndpi_str->packet; const struct ndpi_iphdr *decaps_iph = NULL; u_int16_t l3len; @@ -4868,6 +4880,8 @@ static int ndpi_init_packet(struct ndpi_detection_module_struct *ndpi_str, packet->current_time_ms = current_time_ms; + ndpi_str->input_info = input_info; + packet->iph = (const struct ndpi_iphdr *)packet_data; /* reset payload_packet_len, will be set if ipv4 tcp or udp */ @@ -5040,36 +5054,32 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str, } flow->is_ipv6 = (packet->iphv6 != NULL); - if(flow->is_ipv6 == 0) - flow->saddr = packet->iph->saddr, flow->daddr = packet->iph->daddr; /* See (*#*) */ flow->last_packet_time_ms = packet->current_time_ms; packet->packet_lines_parsed_complete = 0; - if(flow->init_finished == 0) { - flow->init_finished = 1; - flow->setup_packet_direction = packet->packet_direction; - } - if(tcph != NULL) { - flow->sport = tcph->source, flow->dport = tcph->dest; /* (*#*) */ - if(!ndpi_str->direction_detect_disable) packet->packet_direction = (ntohs(tcph->source) < ntohs(tcph->dest)) ? 1 : 0; - if(tcph->syn != 0 && tcph->ack == 0 && flow->l4.tcp.seen_syn == 0 && flow->l4.tcp.seen_syn_ack == 0 && - flow->l4.tcp.seen_ack == 0) { - flow->l4.tcp.seen_syn = 1; - } else - if(tcph->syn != 0 && tcph->ack != 0 && flow->l4.tcp.seen_syn == 1 && flow->l4.tcp.seen_syn_ack == 0 && - flow->l4.tcp.seen_ack == 0) { - flow->l4.tcp.seen_syn_ack = 1; - } else - if(tcph->syn == 0 && tcph->ack == 1 && flow->l4.tcp.seen_syn == 1 && flow->l4.tcp.seen_syn_ack == 1 && - flow->l4.tcp.seen_ack == 0) { - flow->l4.tcp.seen_ack = 1; - } + if(ndpi_str->input_info == NULL || + ndpi_str->input_info->seen_flow_beginning == NDPI_FLOW_BEGINNING_UNKNOWN) { + if(tcph->syn != 0 && tcph->ack == 0 && flow->l4.tcp.seen_syn == 0 && flow->l4.tcp.seen_syn_ack == 0 && + flow->l4.tcp.seen_ack == 0) { + flow->l4.tcp.seen_syn = 1; + } else { + if(tcph->syn != 0 && tcph->ack != 0 && flow->l4.tcp.seen_syn == 1 && flow->l4.tcp.seen_syn_ack == 0 && + flow->l4.tcp.seen_ack == 0) { + flow->l4.tcp.seen_syn_ack = 1; + } else { + if(tcph->syn == 0 && tcph->ack == 1 && flow->l4.tcp.seen_syn == 1 && flow->l4.tcp.seen_syn_ack == 1 && + flow->l4.tcp.seen_ack == 0) { + flow->l4.tcp.seen_ack = 1; + } + } + } + } if((flow->next_tcp_seq_nr[0] == 0 && flow->next_tcp_seq_nr[1] == 0) || (flow->next_tcp_seq_nr[0] == 0 || flow->next_tcp_seq_nr[1] == 0)) { @@ -5115,12 +5125,79 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str, flow->next_tcp_seq_nr[1] = 0; } } else if(udph != NULL) { - flow->sport = udph->source, flow->dport = udph->dest; /* (*#*) */ - if(!ndpi_str->direction_detect_disable) packet->packet_direction = (htons(udph->source) < htons(udph->dest)) ? 1 : 0; } + if(flow->init_finished == 0) { + u_int16_t s_port, d_port; /* Source/Dest ports */ + + flow->init_finished = 1; + + if(ndpi_str->input_info && + ndpi_str->input_info->seen_flow_beginning == NDPI_FLOW_BEGINNING_SEEN) { + flow->l4.tcp.seen_syn = 1; + flow->l4.tcp.seen_syn_ack = 1; + flow->l4.tcp.seen_ack = 1; + } + + /* Client/Server direction */ + + s_port = 0; + d_port = 0; + if(tcph != NULL) { + s_port = tcph->source; + d_port = tcph->dest; + } else if(udph != NULL) { + s_port = udph->source; + d_port = udph->dest; + } + + if(ndpi_str->input_info && + ndpi_str->input_info->in_pkt_dir != NDPI_IN_PKT_DIR_UNKNOWN) { + if(ndpi_str->input_info->in_pkt_dir == NDPI_IN_PKT_DIR_C_TO_S) + flow->client_packet_direction = packet->packet_direction; + else + flow->client_packet_direction = !packet->packet_direction; + } else { + if(tcph && tcph->syn) { + if(tcph->ack == 0) { + flow->client_packet_direction = packet->packet_direction; + } else { + flow->client_packet_direction = !packet->packet_direction; + } + } else if(ntohs(s_port) > 1024 && ntohs(d_port) < 1024) { + flow->client_packet_direction = packet->packet_direction; + } else if(ntohs(s_port) < 1024 && ntohs(d_port) > 1024) { + flow->client_packet_direction = !packet->packet_direction; + } else { + flow->client_packet_direction = packet->packet_direction; + } + } + + if(ndpi_current_pkt_from_client_to_server(packet, flow)) { + if(flow->is_ipv6 == 0) { + flow->c_address.v4 = packet->iph->saddr; + flow->s_address.v4 = packet->iph->daddr; + } else { + memcpy(flow->c_address.v6, &packet->iphv6->ip6_src, 16); + memcpy(flow->s_address.v6, &packet->iphv6->ip6_dst, 16); + } + flow->c_port = s_port; + flow->s_port = d_port; + } else { + if(flow->is_ipv6 == 0) { + flow->c_address.v4 = packet->iph->daddr; + flow->s_address.v4 = packet->iph->saddr; + } else { + memcpy(flow->c_address.v6, &packet->iphv6->ip6_dst, 16); + memcpy(flow->s_address.v6, &packet->iphv6->ip6_src, 16); + } + flow->c_port = d_port; + flow->s_port = s_port; + } + } + if(flow->packet_counter < MAX_PACKET_COUNTER && packet->payload_packet_len) { flow->packet_counter++; } @@ -5319,23 +5396,14 @@ u_int16_t ndpi_guess_host_protocol_id(struct ndpi_detection_module_struct *ndpi_ if(packet->iph) { struct in_addr addr; - u_int16_t sport, dport; - addr.s_addr = packet->iph->saddr; - - if((flow->l4_proto == IPPROTO_TCP) && packet->tcp) - sport = packet->tcp->source, dport = packet->tcp->dest; - else if((flow->l4_proto == IPPROTO_UDP) && packet->udp) - sport = packet->udp->source, dport = packet->udp->dest; - else - sport = dport = 0; - - /* guess host protocol */ - ret = ndpi_network_port_ptree_match(ndpi_str, &addr, sport); + /* guess host protocol; server first */ + addr.s_addr = flow->s_address.v4; + ret = ndpi_network_port_ptree_match(ndpi_str, &addr, ntohs(flow->s_port)); if(ret == NDPI_PROTOCOL_UNKNOWN) { - addr.s_addr = packet->iph->daddr; - ret = ndpi_network_port_ptree_match(ndpi_str, &addr, dport); + addr.s_addr = flow->c_address.v4; + ret = ndpi_network_port_ptree_match(ndpi_str, &addr, ntohs(flow->c_port)); } } @@ -5374,7 +5442,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s if(ndpi_str->msteams_cache) ndpi_lru_add_to_cache(ndpi_str->msteams_cache, - ntohl(flow->saddr), + ntohl(flow->c_address.v4), (flow->last_packet_time_ms / 1000) & 0xFFFF /* 16 bit */); } break; @@ -5386,7 +5454,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s && ndpi_str->msteams_cache) { u_int16_t when; - if(ndpi_lru_find_cache(ndpi_str->msteams_cache, ntohl(flow->saddr), + if(ndpi_lru_find_cache(ndpi_str->msteams_cache, ntohl(flow->c_address.v4), &when, 0 /* Don't remove it as it can be used for other connections */)) { u_int16_t tdiff = ((flow->last_packet_time_ms /1000) & 0xFFFF) - when; @@ -5396,7 +5464,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s /* Refresh cache */ ndpi_lru_add_to_cache(ndpi_str->msteams_cache, - ntohl(flow->saddr), + ntohl(flow->c_address.v4), (flow->last_packet_time_ms / 1000) & 0xFFFF /* 16 bit */); } } @@ -5547,7 +5615,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st if(ndpi_str->mining_cache && flow->is_ipv6 == 0) { u_int16_t cached_proto; - if(ndpi_lru_find_cache(ndpi_str->mining_cache, flow->saddr + flow->daddr, + if(ndpi_lru_find_cache(ndpi_str->mining_cache, flow->c_address.v4 + flow->s_address.v4, &cached_proto, 0 /* Don't remove it as it can be used for other connections */)) { ndpi_set_detected_protocol(ndpi_str, flow, cached_proto, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE); ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; @@ -5660,14 +5728,14 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st && (ret.app_protocol == NDPI_PROTOCOL_UNKNOWN)) { /* Last resort */ if(ndpi_search_into_bittorrent_cache(ndpi_str, flow, - flow->saddr, flow->sport, - flow->daddr, flow->dport)) { + flow->c_address.v4, flow->c_port, + flow->s_address.v4, flow->s_port)) { /* This looks like BitTorrent */ ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE); ret.app_protocol = NDPI_PROTOCOL_BITTORRENT; } else if((flow->l4_proto == IPPROTO_UDP) /* Zoom/UDP used for video */ - && (((ntohs(flow->sport) == 8801 /* Zoom port */) && ndpi_search_into_zoom_cache(ndpi_str, flow->saddr)) - || ((ntohs(flow->dport) == 8801 /* Zoom port */) && ndpi_search_into_zoom_cache(ndpi_str, flow->daddr)) + && (((ntohs(flow->c_port) == 8801 /* Zoom port */) && ndpi_search_into_zoom_cache(ndpi_str, flow->c_address.v4)) + || ((ntohs(flow->s_port) == 8801 /* Zoom port */) && ndpi_search_into_zoom_cache(ndpi_str, flow->s_address.v4)) )) { /* This looks like Zoom */ ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_ZOOM, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE); @@ -5688,12 +5756,13 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st void ndpi_process_extra_packet(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, const unsigned char *packet_data, const unsigned short packetlen, - const u_int64_t current_time_ms) { + const u_int64_t current_time_ms, + const struct ndpi_flow_input_info *input_info) { if(flow == NULL) return; /* set up the packet headers for the extra packet function to use if it wants */ - if(ndpi_init_packet(ndpi_str, flow, current_time_ms, packet_data, packetlen) != 0) + if(ndpi_init_packet(ndpi_str, flow, current_time_ms, packet_data, packetlen, input_info) != 0) return; ndpi_connection_tracking(ndpi_str, flow); @@ -5977,29 +6046,15 @@ static int ndpi_do_guess(struct ndpi_detection_module_struct *ndpi_str, struct n ret->master_protocol = ret->app_protocol = NDPI_PROTOCOL_UNKNOWN, ret->category = 0; if(packet->iphv6 || packet->iph) { - u_int16_t sport, dport; - u_int8_t protocol; u_int8_t user_defined_proto; - if(packet->iphv6 != NULL) { - protocol = packet->iphv6->ip6_hdr.ip6_un1_nxt; - } else - protocol = packet->iph->protocol; - - if(packet->udp) - sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest); - else if(packet->tcp) - sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest); - else - sport = dport = 0; - /* guess protocol */ - flow->guessed_protocol_id = (int16_t) ndpi_guess_protocol_id(ndpi_str, flow, protocol, sport, dport, &user_defined_proto); + flow->guessed_protocol_id = (int16_t) ndpi_guess_protocol_id(ndpi_str, flow, flow->l4_proto, ntohs(flow->c_port), ntohs(flow->s_port), &user_defined_proto); flow->guessed_host_protocol_id = ndpi_guess_host_protocol_id(ndpi_str, flow); if(ndpi_str->custom_categories.categories_loaded && packet->iph) { if(ndpi_str->ndpi_num_custom_protocols != 0) - ndpi_fill_ip_protocol_category(ndpi_str, packet->iph->saddr, packet->iph->daddr, ret); + ndpi_fill_ip_protocol_category(ndpi_str, flow->c_address.v4, flow->s_address.v4, ret); flow->guessed_header_category = ret->category; } else flow->guessed_header_category = NDPI_PROTOCOL_CATEGORY_UNSPECIFIED; @@ -6007,9 +6062,7 @@ static int ndpi_do_guess(struct ndpi_detection_module_struct *ndpi_str, struct n if(flow->guessed_protocol_id >= NDPI_MAX_SUPPORTED_PROTOCOLS) { /* This is a custom protocol and it has priority over everything else */ ret->master_protocol = NDPI_PROTOCOL_UNKNOWN, - ret->app_protocol = flow->guessed_protocol_id ? flow->guessed_protocol_id : flow->guessed_host_protocol_id; - - // if(ndpi_str->ndpi_num_custom_protocols != 0) + ret->app_protocol = flow->guessed_protocol_id ? flow->guessed_protocol_id : flow->guessed_host_protocol_id; flow->confidence = NDPI_CONFIDENCE_MATCH_BY_PORT; /* TODO */ ndpi_fill_protocol_category(ndpi_str, flow, ret); return(-1); @@ -6063,7 +6116,6 @@ static int ndpi_do_guess(struct ndpi_detection_module_struct *ndpi_str, struct n flow->num_dissector_calls += ndpi_check_flow_func(ndpi_str, flow, &ndpi_selection_packet); - //if(ndpi_str->ndpi_num_custom_protocols != 0) ndpi_fill_protocol_category(ndpi_str, flow, ret); return(-1); } @@ -6075,7 +6127,8 @@ static int ndpi_do_guess(struct ndpi_detection_module_struct *ndpi_str, struct n ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, const unsigned char *packet_data, - const unsigned short packetlen, const u_int64_t current_time_ms) { + const unsigned short packetlen, const u_int64_t current_time_ms, + const struct ndpi_flow_input_info *input_info) { struct ndpi_packet_struct *packet = &ndpi_str->packet; NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_packet; u_int32_t num_calls = 0; @@ -6108,19 +6161,19 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct ret.app_protocol = flow->detected_protocol_stack[0]; if(flow->check_extra_packets) { - ndpi_process_extra_packet(ndpi_str, flow, packet_data, packetlen, current_time_ms); + ndpi_process_extra_packet(ndpi_str, flow, packet_data, packetlen, current_time_ms, input_info); /* Update in case of new match */ ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0], ret.category = flow->category; return ret; } else if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { - if(ndpi_init_packet(ndpi_str, flow, current_time_ms, packet_data, packetlen) != 0) + if(ndpi_init_packet(ndpi_str, flow, current_time_ms, packet_data, packetlen, input_info) != 0) return ret; goto ret_protocols; } - if(ndpi_init_packet(ndpi_str, flow, current_time_ms, packet_data, packetlen) != 0) + if(ndpi_init_packet(ndpi_str, flow, current_time_ms, packet_data, packetlen, input_info) != 0) return ret; ndpi_connection_tracking(ndpi_str, flow); @@ -6200,20 +6253,20 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct && ((ret.master_protocol != NDPI_PROTOCOL_UNKNOWN) || (ret.app_protocol != NDPI_PROTOCOL_UNKNOWN)) ) { ndpi_default_ports_tree_node_t *found; - u_int16_t *default_ports, sport, dport; + u_int16_t *default_ports; if(packet->udp) found = ndpi_get_guessed_protocol_id(ndpi_str, IPPROTO_UDP, - sport = ntohs(packet->udp->source), - dport = ntohs(packet->udp->dest)), + ntohs(flow->c_port), + ntohs(flow->s_port)), default_ports = ndpi_str->proto_defaults[ret.master_protocol ? ret.master_protocol : ret.app_protocol].udp_default_ports; else if(packet->tcp) found = ndpi_get_guessed_protocol_id(ndpi_str, IPPROTO_TCP, - sport = ntohs(packet->tcp->source), - dport = ntohs(packet->tcp->dest)), + ntohs(flow->c_port), + ntohs(flow->s_port)), default_ports = ndpi_str->proto_defaults[ret.master_protocol ? ret.master_protocol : ret.app_protocol].tcp_default_ports; else - found = NULL, default_ports = NULL, sport = dport = 0; + found = NULL, default_ports = NULL; if(found && (found->proto->protoId != NDPI_PROTOCOL_UNKNOWN) @@ -6231,7 +6284,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct u_int8_t found = 0, i; for(i=0; (is_port)) { found = 1; break; } @@ -6239,7 +6292,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct if(!found) { ndpi_default_ports_tree_node_t *r = ndpi_get_guessed_protocol_id(ndpi_str, packet->udp ? IPPROTO_UDP : IPPROTO_TCP, - sport, dport); + ntohs(flow->c_port), ntohs(flow->s_port)); if((r == NULL) || ((r->proto->protoId != ret.app_protocol) && (r->proto->protoId != ret.master_protocol))) { @@ -6270,7 +6323,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct check_default_ports: for(i=0; (ic_port)) || (default_ports[i] == ntohs(flow->s_port))) { found = 1; break; } @@ -6288,7 +6341,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct if(!found) { ndpi_default_ports_tree_node_t *r = ndpi_get_guessed_protocol_id(ndpi_str, packet->udp ? IPPROTO_UDP : IPPROTO_TCP, - sport, dport); + ntohs(flow->c_port), ntohs(flow->s_port)); if((r == NULL) || ((r->proto->protoId != ret.app_protocol) && (r->proto->protoId != ret.master_protocol))) @@ -8696,3 +8749,30 @@ char *ndpi_user_agent_set(struct ndpi_flow_struct *flow, const u_int8_t *value, return flow->http.user_agent; } + +/* ******************************************************************** */ + +int ndpi_current_pkt_from_client_to_server(const struct ndpi_packet_struct *packet, + const struct ndpi_flow_struct *flow) +{ + return packet->packet_direction == flow->client_packet_direction; +} + +/* ******************************************************************** */ + +int ndpi_current_pkt_from_server_to_client(const struct ndpi_packet_struct *packet, + const struct ndpi_flow_struct *flow) +{ + return packet->packet_direction != flow->client_packet_direction; +} + +/* ******************************************************************** */ + +int ndpi_seen_flow_beginning(const struct ndpi_flow_struct *flow) +{ + if(flow->l4_proto == IPPROTO_TCP && + (flow->l4.tcp.seen_syn == 0 || flow->l4.tcp.seen_syn_ack == 0 || + flow->l4.tcp.seen_ack == 0)) + return 0; + return 1; +} diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 6f8b4603c7c..6a58b598260 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -2271,8 +2271,8 @@ static void ndpi_handle_risk_exceptions(struct ndpi_detection_module_struct *ndp /* TODO: add IPv6 support */ if(!flow->ip_risk_mask_evaluated) { if(flow->is_ipv6 == 0) { - ndpi_check_ipv4_exception(ndpi_str, flow, flow->saddr /* Source */); - ndpi_check_ipv4_exception(ndpi_str, flow, flow->daddr /* Destination */); + ndpi_check_ipv4_exception(ndpi_str, flow, flow->c_address.v4 /* Client */); + ndpi_check_ipv4_exception(ndpi_str, flow, flow->s_address.v4 /* Server */); } flow->ip_risk_mask_evaluated = 1; diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c index d2cfa93f5ac..435dc10890b 100644 --- a/src/lib/protocols/bittorrent.c +++ b/src/lib/protocols/bittorrent.c @@ -126,34 +126,25 @@ static void ndpi_add_connection_as_bittorrent(struct ndpi_detection_module_struc if(ndpi_struct->bittorrent_cache && packet->iph) { u_int32_t key1, key2, i; - if(packet->udp) - key1 = ndpi_ip_port_hash_funct(packet->iph->saddr, packet->udp->source), key2 = ndpi_ip_port_hash_funct(packet->iph->daddr, packet->udp->dest); - else - key1 = ndpi_ip_port_hash_funct(packet->iph->saddr, packet->tcp->source), key2 = ndpi_ip_port_hash_funct(packet->iph->daddr, packet->tcp->dest); + key1 = ndpi_ip_port_hash_funct(flow->c_address.v4, flow->c_port), key2 = ndpi_ip_port_hash_funct(flow->s_address.v4, flow->s_port); ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache, key1, NDPI_PROTOCOL_BITTORRENT); ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache, key2, NDPI_PROTOCOL_BITTORRENT); /* Now add hosts as twins */ ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache, - packet->iph->saddr + packet->iph->daddr, + flow->c_address.v4 + flow->s_address.v4, NDPI_PROTOCOL_BITTORRENT); /* Also add +2 ports of the sender in order to catch additional sockets open by the same client */ for(i=0; i<2; i++) { - if(packet->udp) - key1 = ndpi_ip_port_hash_funct(packet->iph->saddr, htons(ntohs(packet->udp->source)+1+i)); - else - key1 = ndpi_ip_port_hash_funct(packet->iph->saddr, htons(ntohs(packet->tcp->source)+1+i)); + key1 = ndpi_ip_port_hash_funct(flow->c_address.v4, htons(ntohs(flow->c_port)+1+i)); ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache, key1, NDPI_PROTOCOL_BITTORRENT); } #ifdef BITTORRENT_CACHE_DEBUG - if(packet->udp) - printf("[BitTorrent] [UDP] *** ADDED ports %u / %u [%u][%u]\n", ntohs(packet->udp->source), ntohs(packet->udp->dest), key1, key2); - else - printf("[BitTorrent] [TCP] *** ADDED ports %u / %u [%u][%u]\n", ntohs(packet->tcp->source), ntohs(packet->tcp->dest), key1, key2); + printf("[BitTorrent] [%s] *** ADDED ports %u / %u [%u][%u]\n", flow->l4_proto == IPPROTO_TCP ? "TCP" : "UDP", ntohs(flow->c_port), ntohs(flow->s_port), key1, key2); #endif } } @@ -455,14 +446,7 @@ static u_int8_t is_port(u_int16_t a, u_int16_t b, u_int16_t what) { static void ndpi_skip_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, struct ndpi_packet_struct *packet) { - u_int16_t sport, dport; - - if(packet->udp) - sport = packet->udp->source, dport = packet->udp->dest; - else - sport = packet->tcp->source, dport = packet->tcp->dest; - - if(packet->iph && ndpi_search_into_bittorrent_cache(ndpi_struct, flow, packet->iph->saddr, sport, packet->iph->daddr, dport)) + if(packet->iph && ndpi_search_into_bittorrent_cache(ndpi_struct, flow, flow->c_address.v4, flow->c_port, flow->s_address.v4, flow->s_port)) ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 0, NDPI_CONFIDENCE_DPI_CACHE); else NDPI_EXCLUDE_PROTO(ndpi_struct, flow); diff --git a/src/lib/protocols/ftp_data.c b/src/lib/protocols/ftp_data.c index 4a3ad973da0..2c3f06d975b 100644 --- a/src/lib/protocols/ftp_data.c +++ b/src/lib/protocols/ftp_data.c @@ -232,7 +232,7 @@ static void ndpi_check_ftp_data(struct ndpi_detection_module_struct *ndpi_struct Make sure we see the beginning of the connection as otherwise we might have false positive results */ - if(flow->l4.tcp.seen_syn) { + if(ndpi_seen_flow_beginning(flow)) { if((packet->payload_packet_len > 0) && (ndpi_match_file_header(ndpi_struct, flow) || ndpi_match_ftp_data_directory(ndpi_struct, flow) diff --git a/src/lib/protocols/icecast.c b/src/lib/protocols/icecast.c index ce8b20c12a3..c8dac6b4889 100644 --- a/src/lib/protocols/icecast.c +++ b/src/lib/protocols/icecast.c @@ -60,14 +60,12 @@ void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, s } } - if(flow == NULL) return; - - if((packet->packet_direction == flow->setup_packet_direction) + if(ndpi_current_pkt_from_client_to_server(packet, flow) && (flow->packet_counter < 10)) { return; } - if(packet->packet_direction != flow->setup_packet_direction) { + if(ndpi_current_pkt_from_server_to_client(packet, flow)) { /* server answer, now test Server for Icecast */ ndpi_parse_packet_line_info(ndpi_struct, flow); diff --git a/src/lib/protocols/lotus_notes.c b/src/lib/protocols/lotus_notes.c index ff5c9cf7148..376507f23dd 100644 --- a/src/lib/protocols/lotus_notes.c +++ b/src/lib/protocols/lotus_notes.c @@ -37,11 +37,8 @@ static void ndpi_check_lotus_notes(struct ndpi_detection_module_struct *ndpi_str flow->l4.tcp.lotus_notes_packet_id++; - if((flow->l4.tcp.lotus_notes_packet_id == 1) - /* We have seen the 3-way handshake */ - && flow->l4.tcp.seen_syn - && flow->l4.tcp.seen_syn_ack - && flow->l4.tcp.seen_ack) { + if((flow->l4.tcp.lotus_notes_packet_id == 1) && + ndpi_seen_flow_beginning(flow)) { if(payload_len > 16) { char lotus_notes_header[] = { 0x00, 0x00, 0x02, 0x00, 0x00, 0x40, 0x02, 0x0F }; diff --git a/tests/result/1kxun.pcap.out b/tests/result/1kxun.pcap.out index e5e3c3b70a7..bd2117a80eb 100644 --- a/tests/result/1kxun.pcap.out +++ b/tests/result/1kxun.pcap.out @@ -6,7 +6,7 @@ Confidence Unknown : 14 (flows) Confidence Match by port : 5 (flows) Confidence Match by IP : 1 (flows) Confidence DPI : 177 (flows) -Num dissector calls: 5061 (25.69 diss/flow) +Num dissector calls: 5058 (25.68 diss/flow) Unknown 24 6428 14 DNS 2 378 1 diff --git a/tests/result/KakaoTalk_chat.pcap.out b/tests/result/KakaoTalk_chat.pcap.out index 82202b385b9..dce0a11c318 100644 --- a/tests/result/KakaoTalk_chat.pcap.out +++ b/tests/result/KakaoTalk_chat.pcap.out @@ -6,7 +6,7 @@ DPI Packets (other): 1 (1.00 pkts/flow) Confidence Match by port : 4 (flows) Confidence Match by IP : 1 (flows) Confidence DPI : 33 (flows) -Num dissector calls: 878 (23.11 diss/flow) +Num dissector calls: 879 (23.13 diss/flow) DNS 2 217 1 HTTP 1 56 1 diff --git a/tests/result/KakaoTalk_talk.pcap.out b/tests/result/KakaoTalk_talk.pcap.out index 924b9ab62c2..00c6824c108 100644 --- a/tests/result/KakaoTalk_talk.pcap.out +++ b/tests/result/KakaoTalk_talk.pcap.out @@ -5,7 +5,7 @@ DPI Packets (UDP): 6 (1.20 pkts/flow) Confidence Match by port : 4 (flows) Confidence Match by IP : 5 (flows) Confidence DPI : 11 (flows) -Num dissector calls: 993 (49.65 diss/flow) +Num dissector calls: 999 (49.95 diss/flow) HTTP 5 280 1 QQ 15 1727 1 diff --git a/tests/result/Oscar.pcap.out b/tests/result/Oscar.pcap.out index a82f3829000..c24351f0b4f 100644 --- a/tests/result/Oscar.pcap.out +++ b/tests/result/Oscar.pcap.out @@ -2,7 +2,7 @@ Guessed flow protos: 1 DPI Packets (TCP): 33 (33.00 pkts/flow) Confidence Match by port : 1 (flows) -Num dissector calls: 351 (351.00 diss/flow) +Num dissector calls: 352 (352.00 diss/flow) TLS 71 9386 1 diff --git a/tests/result/amqp.pcap.out b/tests/result/amqp.pcap.out index 725522d60cc..a0013433ff1 100644 --- a/tests/result/amqp.pcap.out +++ b/tests/result/amqp.pcap.out @@ -2,7 +2,7 @@ Guessed flow protos: 0 DPI Packets (TCP): 9 (3.00 pkts/flow) Confidence DPI : 3 (flows) -Num dissector calls: 398 (132.67 diss/flow) +Num dissector calls: 401 (133.67 diss/flow) AMQP 160 23514 3 diff --git a/tests/result/anyconnect-vpn.pcap.out b/tests/result/anyconnect-vpn.pcap.out index e08b1c6df95..6d04f9f3d02 100644 --- a/tests/result/anyconnect-vpn.pcap.out +++ b/tests/result/anyconnect-vpn.pcap.out @@ -7,7 +7,7 @@ Confidence Unknown : 2 (flows) Confidence Match by port : 5 (flows) Confidence Match by IP : 1 (flows) Confidence DPI : 61 (flows) -Num dissector calls: 1165 (16.88 diss/flow) +Num dissector calls: 1170 (16.96 diss/flow) Unknown 19 1054 2 DNS 32 3655 16 diff --git a/tests/result/cloudflare-warp.pcap.out b/tests/result/cloudflare-warp.pcap.out index fffdf6aeb17..eff72b17d02 100644 --- a/tests/result/cloudflare-warp.pcap.out +++ b/tests/result/cloudflare-warp.pcap.out @@ -3,7 +3,7 @@ Guessed flow protos: 4 DPI Packets (TCP): 41 (5.12 pkts/flow) Confidence Match by IP : 3 (flows) Confidence DPI : 5 (flows) -Num dissector calls: 285 (35.62 diss/flow) +Num dissector calls: 286 (35.75 diss/flow) Jabber 11 890 1 Google 8 476 3 diff --git a/tests/result/dnp3.pcap.out b/tests/result/dnp3.pcap.out index d5da026aafe..ece43267bca 100644 --- a/tests/result/dnp3.pcap.out +++ b/tests/result/dnp3.pcap.out @@ -2,7 +2,7 @@ Guessed flow protos: 0 DPI Packets (TCP): 80 (10.00 pkts/flow) Confidence DPI : 8 (flows) -Num dissector calls: 351 (43.88 diss/flow) +Num dissector calls: 248 (31.00 diss/flow) DNP3 543 38754 8 diff --git a/tests/result/emotet.pcap.out b/tests/result/emotet.pcap.out index 06a71411f8c..8db6960f840 100644 --- a/tests/result/emotet.pcap.out +++ b/tests/result/emotet.pcap.out @@ -2,7 +2,7 @@ Guessed flow protos: 0 DPI Packets (TCP): 48 (8.00 pkts/flow) Confidence DPI : 6 (flows) -Num dissector calls: 281 (46.83 diss/flow) +Num dissector calls: 280 (46.67 diss/flow) SMTP 626 438465 1 HTTP 1601 1581542 3 diff --git a/tests/result/ftp_failed.pcap.out b/tests/result/ftp_failed.pcap.out index 3944a87a0e8..a0c7461168d 100644 --- a/tests/result/ftp_failed.pcap.out +++ b/tests/result/ftp_failed.pcap.out @@ -2,7 +2,7 @@ Guessed flow protos: 0 DPI Packets (TCP): 8 (8.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 161 (161.00 diss/flow) +Num dissector calls: 160 (160.00 diss/flow) FTP_CONTROL 18 1700 1 diff --git a/tests/result/fuzz-2006-06-26-2594.pcap.out b/tests/result/fuzz-2006-06-26-2594.pcap.out index 574fb4a87c3..fbe9512e35c 100644 --- a/tests/result/fuzz-2006-06-26-2594.pcap.out +++ b/tests/result/fuzz-2006-06-26-2594.pcap.out @@ -6,7 +6,7 @@ DPI Packets (other): 5 (1.00 pkts/flow) Confidence Unknown : 30 (flows) Confidence Match by port : 28 (flows) Confidence DPI : 193 (flows) -Num dissector calls: 5303 (21.13 diss/flow) +Num dissector calls: 5266 (20.98 diss/flow) Unknown 30 3356 30 FTP_CONTROL 36 2569 12 diff --git a/tests/result/fuzz-2006-09-29-28586.pcap.out b/tests/result/fuzz-2006-09-29-28586.pcap.out index 686de394a2a..d85f4a68d58 100644 --- a/tests/result/fuzz-2006-09-29-28586.pcap.out +++ b/tests/result/fuzz-2006-09-29-28586.pcap.out @@ -6,7 +6,7 @@ Confidence Unknown : 3 (flows) Confidence Match by port : 23 (flows) Confidence Match by IP : 2 (flows) Confidence DPI : 12 (flows) -Num dissector calls: 1227 (30.67 diss/flow) +Num dissector calls: 1232 (30.80 diss/flow) Unknown 3 655 3 HTTP 116 27378 35 diff --git a/tests/result/google_ssl.pcap.out b/tests/result/google_ssl.pcap.out index 478bd476365..7494ce9e60d 100644 --- a/tests/result/google_ssl.pcap.out +++ b/tests/result/google_ssl.pcap.out @@ -2,7 +2,7 @@ Guessed flow protos: 1 DPI Packets (TCP): 28 (28.00 pkts/flow) Confidence Match by IP : 1 (flows) -Num dissector calls: 252 (252.00 diss/flow) +Num dissector calls: 253 (253.00 diss/flow) Google 28 9108 1 diff --git a/tests/result/imap-starttls.pcap.out b/tests/result/imap-starttls.pcap.out index 65dd102361b..8158a847fe2 100644 --- a/tests/result/imap-starttls.pcap.out +++ b/tests/result/imap-starttls.pcap.out @@ -2,7 +2,7 @@ Guessed flow protos: 0 DPI Packets (TCP): 10 (10.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 193 (193.00 diss/flow) +Num dissector calls: 192 (192.00 diss/flow) IMAPS 32 7975 1 diff --git a/tests/result/instagram.pcap.out b/tests/result/instagram.pcap.out index c5ea01f7f58..74fa6bad69c 100644 --- a/tests/result/instagram.pcap.out +++ b/tests/result/instagram.pcap.out @@ -7,7 +7,7 @@ Confidence Unknown : 1 (flows) Confidence Match by port : 6 (flows) Confidence Match by IP : 1 (flows) Confidence DPI : 30 (flows) -Num dissector calls: 2069 (54.45 diss/flow) +Num dissector calls: 2042 (53.74 diss/flow) Unknown 1 66 1 HTTP 116 91784 6 diff --git a/tests/result/irc.pcap.out b/tests/result/irc.pcap.out index bb49ebbfef8..f8a32d8088c 100644 --- a/tests/result/irc.pcap.out +++ b/tests/result/irc.pcap.out @@ -2,7 +2,7 @@ Guessed flow protos: 0 DPI Packets (TCP): 7 (7.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 168 (168.00 diss/flow) +Num dissector calls: 169 (169.00 diss/flow) IRC 29 8945 1 diff --git a/tests/result/mongo_false_positive.pcapng.out b/tests/result/mongo_false_positive.pcapng.out index 7b369de910e..decbd936143 100644 --- a/tests/result/mongo_false_positive.pcapng.out +++ b/tests/result/mongo_false_positive.pcapng.out @@ -2,7 +2,7 @@ Guessed flow protos: 1 DPI Packets (TCP): 26 (26.00 pkts/flow) Confidence Match by port : 1 (flows) -Num dissector calls: 413 (413.00 diss/flow) +Num dissector calls: 414 (414.00 diss/flow) TLS 26 12163 1 diff --git a/tests/result/oracle12.pcapng.out b/tests/result/oracle12.pcapng.out index 50adb743b6c..250c7ca2e6f 100644 --- a/tests/result/oracle12.pcapng.out +++ b/tests/result/oracle12.pcapng.out @@ -2,7 +2,7 @@ Guessed flow protos: 1 DPI Packets (TCP): 20 (20.00 pkts/flow) Confidence Match by port : 1 (flows) -Num dissector calls: 304 (304.00 diss/flow) +Num dissector calls: 305 (305.00 diss/flow) Oracle 20 2518 1 diff --git a/tests/result/skype.pcap.out b/tests/result/skype.pcap.out index b933d21c289..a5debdcb562 100644 --- a/tests/result/skype.pcap.out +++ b/tests/result/skype.pcap.out @@ -7,7 +7,7 @@ Confidence Unknown : 61 (flows) Confidence Match by port : 27 (flows) Confidence Match by IP : 1 (flows) Confidence DPI : 204 (flows) -Num dissector calls: 31948 (109.04 diss/flow) +Num dissector calls: 31972 (109.12 diss/flow) Unknown 1575 272476 61 DNS 2 267 1 diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out index 705fd30fde4..4ec4425f60f 100644 --- a/tests/result/skype_no_unknown.pcap.out +++ b/tests/result/skype_no_unknown.pcap.out @@ -6,7 +6,7 @@ DPI Packets (other): 5 (1.00 pkts/flow) Confidence Unknown : 45 (flows) Confidence Match by port : 22 (flows) Confidence DPI : 200 (flows) -Num dissector calls: 26144 (97.92 diss/flow) +Num dissector calls: 26166 (98.00 diss/flow) Unknown 850 152468 45 DNS 2 267 1 diff --git a/tests/result/socks-http-example.pcap.out b/tests/result/socks-http-example.pcap.out index 62bfccf7a64..0cc599ddd63 100644 --- a/tests/result/socks-http-example.pcap.out +++ b/tests/result/socks-http-example.pcap.out @@ -3,7 +3,7 @@ Guessed flow protos: 1 DPI Packets (TCP): 29 (9.67 pkts/flow) Confidence Match by port : 1 (flows) Confidence DPI : 2 (flows) -Num dissector calls: 514 (171.33 diss/flow) +Num dissector calls: 515 (171.67 diss/flow) SOCKS 46 8383 3 diff --git a/tests/result/tinc.pcap.out b/tests/result/tinc.pcap.out index 698ef284822..7715e523c81 100644 --- a/tests/result/tinc.pcap.out +++ b/tests/result/tinc.pcap.out @@ -4,7 +4,7 @@ DPI Packets (TCP): 19 (9.50 pkts/flow) DPI Packets (UDP): 2 (1.00 pkts/flow) Confidence DPI (cache) : 2 (flows) Confidence DPI : 2 (flows) -Num dissector calls: 555 (138.75 diss/flow) +Num dissector calls: 556 (139.00 diss/flow) TINC 317 352291 4 diff --git a/tests/result/tls_false_positives.pcapng.out b/tests/result/tls_false_positives.pcapng.out index ff2734ca383..952f5ee501a 100644 --- a/tests/result/tls_false_positives.pcapng.out +++ b/tests/result/tls_false_positives.pcapng.out @@ -2,7 +2,7 @@ Guessed flow protos: 1 DPI Packets (TCP): 30 (30.00 pkts/flow) Confidence Unknown : 1 (flows) -Num dissector calls: 409 (409.00 diss/flow) +Num dissector calls: 410 (410.00 diss/flow) Unknown 30 37313 1 diff --git a/tests/result/waze.pcap.out b/tests/result/waze.pcap.out index f47f1a8c4eb..78e6cced997 100644 --- a/tests/result/waze.pcap.out +++ b/tests/result/waze.pcap.out @@ -5,7 +5,7 @@ DPI Packets (UDP): 1 (1.00 pkts/flow) Confidence Unknown : 1 (flows) Confidence Match by port : 9 (flows) Confidence DPI : 23 (flows) -Num dissector calls: 885 (26.82 diss/flow) +Num dissector calls: 890 (26.97 diss/flow) Unknown 10 786 1 HTTP 65 64777 8 diff --git a/tests/result/z3950.pcapng.out b/tests/result/z3950.pcapng.out index 40b158e4ba3..afd8f62d69e 100644 --- a/tests/result/z3950.pcapng.out +++ b/tests/result/z3950.pcapng.out @@ -3,7 +3,7 @@ Guessed flow protos: 1 DPI Packets (TCP): 26 (13.00 pkts/flow) Confidence Match by port : 1 (flows) Confidence DPI : 1 (flows) -Num dissector calls: 493 (246.50 diss/flow) +Num dissector calls: 494 (247.00 diss/flow) Z3950 31 6308 2