Add Apache Thrift detection #1914
Conversation
|
@0xA50C1A1 , I didn't look at your code yet, but could you attached a trace with also an example of detection over HTTP, please? |
I don't have a PCAP sample with Thrift-over-HTTP traffic yet, but I'm looking for. |
|
Kudos, SonarCloud Quality Gate passed!
|
| static void ndpi_search_thrift_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) | ||
| { | ||
| struct ndpi_packet_struct *packet = &ndpi_struct->packet; | ||
|
|
There was a problem hiding this comment.
Could you try, at least, something like that:
/* As a HTTP sub-protocol */
if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP ||
flow->detected_protocol_stack[1] == NDPI_PROTOCOL_HTTP) {
/* Content line stuff */
} else { /* Standard dissector */
if (packet->payload_packet_len > 5) {
}
}
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
|
Sorry, I was too hasty with a pull request, so I'll change it to a draft until I fix this dissector. |
|
@0xA50C1A1 please rebase to the current dev branch |
|
Superseeded by #2007. |
Apache Thrift is a commonly used RPC framework.
This detector is quite simple and only checks the HTTP content-type field or looks for the Thrift strict or compact header in TCP or UDP packets. This can give false-positive results in theory, but I guess such accuracy is enough in practice.