From 5d8b1a9b1a915a01ba60ad989221870e25e2929e Mon Sep 17 00:00:00 2001 From: Nardi Ivan Date: Thu, 18 May 2023 10:50:36 +0200 Subject: [PATCH] ndpiReader: fix export of HTTP attributes --- example/reader_util.c | 28 ++++++++++--------- tests/cfgs/default/pcap/bt-http.pcapng | Bin 0 -> 2360 bytes tests/cfgs/default/result/bt-http.pcapng.out | 25 +++++++++++++++++ 3 files changed, 40 insertions(+), 13 deletions(-) create mode 100644 tests/cfgs/default/pcap/bt-http.pcapng create mode 100644 tests/cfgs/default/result/bt-http.pcapng.out diff --git a/example/reader_util.c b/example/reader_util.c index 97b5cce7ebc..9f8fb5322e8 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -1237,19 +1237,6 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl sizeof(flow->kerberos.username), "%s", flow->ndpi_flow->protos.kerberos.username); } - /* HTTP */ - else if(is_ndpi_proto(flow, NDPI_PROTOCOL_HTTP) - || is_ndpi_proto(flow, NDPI_PROTOCOL_HTTP_PROXY) - || is_ndpi_proto(flow, NDPI_PROTOCOL_HTTP_CONNECT)) { - if(flow->ndpi_flow->http.url != NULL) { - ndpi_snprintf(flow->http.url, sizeof(flow->http.url), "%s", flow->ndpi_flow->http.url); - } - flow->http.response_status_code = flow->ndpi_flow->http.response_status_code; - ndpi_snprintf(flow->http.content_type, sizeof(flow->http.content_type), "%s", flow->ndpi_flow->http.content_type ? flow->ndpi_flow->http.content_type : ""); - ndpi_snprintf(flow->http.server, sizeof(flow->http.server), "%s", flow->ndpi_flow->http.server ? flow->ndpi_flow->http.server : ""); - ndpi_snprintf(flow->http.request_content_type, sizeof(flow->http.request_content_type), "%s", flow->ndpi_flow->http.request_content_type ? flow->ndpi_flow->http.request_content_type : ""); - ndpi_snprintf(flow->http.nat_ip, sizeof(flow->http.nat_ip), "%s", flow->ndpi_flow->http.nat_ip ? flow->ndpi_flow->http.nat_ip : ""); - } /* RTP */ else if(is_ndpi_proto(flow, NDPI_PROTOCOL_RTP)) { flow->info_type = INFO_RTP; 
@@ -1348,6 +1335,21 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl } } + /* HTTP metadata are "global" not in `flow->ndpi_flow->protos` union; for example, we can have + HTTP/BitTorrent and in that case we want to export also HTTP attributes */ + if(is_ndpi_proto(flow, NDPI_PROTOCOL_HTTP) + || is_ndpi_proto(flow, NDPI_PROTOCOL_HTTP_PROXY) + || is_ndpi_proto(flow, NDPI_PROTOCOL_HTTP_CONNECT)) { + if(flow->ndpi_flow->http.url != NULL) { + ndpi_snprintf(flow->http.url, sizeof(flow->http.url), "%s", flow->ndpi_flow->http.url); + } + flow->http.response_status_code = flow->ndpi_flow->http.response_status_code; + ndpi_snprintf(flow->http.content_type, sizeof(flow->http.content_type), "%s", flow->ndpi_flow->http.content_type ? flow->ndpi_flow->http.content_type : ""); + ndpi_snprintf(flow->http.server, sizeof(flow->http.server), "%s", flow->ndpi_flow->http.server ? flow->ndpi_flow->http.server : ""); + ndpi_snprintf(flow->http.request_content_type, sizeof(flow->http.request_content_type), "%s", flow->ndpi_flow->http.request_content_type ? flow->ndpi_flow->http.request_content_type : ""); + ndpi_snprintf(flow->http.nat_ip, sizeof(flow->http.nat_ip), "%s", flow->ndpi_flow->http.nat_ip ? flow->ndpi_flow->http.nat_ip : ""); + } + ndpi_snprintf(flow->http.user_agent, sizeof(flow->http.user_agent), "%s", (flow->ndpi_flow->http.user_agent ? flow->ndpi_flow->http.user_agent : "")); 
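Review bot: In the relocated HTTP block, `flow->http.url` is the only field whose copy is skipped when the source pointer is NULL, so it keeps whatever it held before, while `content_type`, `server`, `request_content_type` and `nat_ip` are reset to an empty string. Writing it the same way, `ndpi_snprintf(flow->http.url, sizeof(flow->http.url), "%s", flow->ndpi_flow->http.url ? flow->ndpi_flow->http.url : "");`, removes the difference. Whether a stale value can actually occur depends on how `flow->http` is initialised and how often this function runs per flow, and neither is visible here because `process_ndpi_collected_info` starts and ends outside the hunk. Since the block now also runs for mixed classifications such as HTTP/BitTorrent, it is worth a one-line comment that these strings come from captured traffic, are copied as-is and are silently truncated to the destination size, so whatever prints or serialises them has to escape them.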
diff --git a/tests/cfgs/default/pcap/bt-http.pcapng b/tests/cfgs/default/pcap/bt-http.pcapng new file mode 100644 index 0000000000000000000000000000000000000000..cf0476462d4d328761557828317608ab3b7efd82 GIT binary patch literal 2360 zcmd^>U1%It6oBt;en>Z2sI}NAt-Z9&x=AyWnc3N7vu1JIBqU0LYqG&U6xzw1o6L~i znd$uOX4ACRz9_zEwT-1O^+6$GiY*9%ir|9}DmEwz`l6uFhf0zMDdK}v&z((bjIy%N zUO02lnKSo0d+t4FW+TyPpnYi6F#S246eLLy`GmsHP?I_aL5=7H z8uW`cQEeQ5-f*a^tIli(P6&#S!tr6l!=`LZa8iXa{- zZ!Ono$@SE!0+l)-1;p}Uxr}Vi2%?5jGb$JCgexMn3%t9)*H+_qf;(8>40C}QF!tYh z=aFac%WKbo&gAWjH!moC{qNpeI=I$?h7jssE@e@+IsMYdOQG{O4*pnLIfQa+gNJXk z)o+Dc_0R-D;l`#98pAD-(cNGF#_oq28sN%euvjNR*kG}|Zh5^Q^gx0r)rdi?E`+iu z(R?q;;;?uqw{qz2-dkrN-s-76gZ7moixqCKG8y|g1H)kKZ$6RNdq8LMk38bb=tFO!rMDG~GSf~9Iy%ZM?}Dw_|C0-g3U za!MAHVzNh!nSQaXnqDR)#%5_HlbA{-MVXKov5HWxUPg+!zRj@2so0(cwnI<*P^J%T zTB5KXs@3tJv`6y!T(=}h(a4D9dTH!AQ1sLhHs@($P5^W?GU-x>KMFkr&*UA|bc=@T z8kX5D3w=s7a+DBigR8TLG@@CHZ*`4UL_id zM%ekWb6nnbj+1+?Z@dCFlWK+kRePa@YVG~<(T>_%SR3TBxkm?WR>oVo;e^}B-w`x`ZSxf1m9mB05Km%Y39!>@7=wdy~uvfkb5karjK7=slh!Pa4*%zeH`}T%eIY6 zHMr*j?i=-SF>nvG^Vu5Q7Xt3<^>Gga_ri_k#Twl60rz5k+)m)$JoWQ<4epBp_qG4# zHbEV4eXEas(S*+4mcI|7{b&F_B_4HLY&%v7UVIv!s$i}9CnSto5PSC8vEsK4n|d3p TYXtq_80!p#nn2$^Sd2db3Xie~ literal 0 HcmV?d00001 diff --git a/tests/cfgs/default/result/bt-http.pcapng.out b/tests/cfgs/default/result/bt-http.pcapng.out new file mode 100644 index 00000000000..76e43e62c42 --- /dev/null +++ b/tests/cfgs/default/result/bt-http.pcapng.out 
@@ -0,0 +1,25 @@ +Guessed flow protos: 0 + +DPI Packets (TCP): 7 (7.00 pkts/flow) +Confidence DPI : 1 (flows) +Num dissector calls: 15 (15.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 5/0/0 (insert/search/found) +LRU cache zoom: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache stun_zoom: 0/0/0 (insert/search/found) +Automa host: 1/0 (search/found) +Automa domain: 1/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 2/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia protocols: 2/0 (search/found) + +BitTorrent 14 1492 1 + + 1 TCP 192.168.1.128:46882 <-> 176.31.225.118:80 [proto: 7.37/HTTP.BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 7][cat: Download/7][12 pkts/1038 bytes <-> 2 pkts/454 bytes][Goodput ratio: 36/75][57.56 sec][Hostname/SNI: tracker.trackerfix.com][bytes ratio: 0.391 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 5384/0 28927/0 8989/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 86/227 424/394 102/167][URL: tracker.trackerfix.com/announce?info_hash=%aa7i%c4S%0d%de%06%24%18s%da%d4%3a%b5%cc%ec%2c%e6%22&peer_id=-TR2940-chho92c56pul&port=51413&uploaded=0&downloaded=0&left=282050560&numwant=80&key=3b5502cc&compact=1&supportcrypto=1&requirecrypto=1&event=started][User-Agent: Transmission/2.94][PLAIN TEXT (GET /announce)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]