vrr/nDPI
2
0
Fork 0
mirror of https://github.com/vel21ripn/nDPI.git synced 2026-04-30 16:09:43 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Rework flow breed (#2926)

Browse source 
Right now, there is, in essence, a static mapping between flow protocols
and flow breeds.
Make it dynamic: allow to have different flows, with the same
classification but differents breeds. This is the same logic that we
already have for categories....

Preliminary work to support breed in category lists.

API change from the app POV: to get the flow breed don't use anymore
`ndpi_get_proto_breed()`, but access directly `struct ndpi_proto->breed`

The functions `ndpi_domain_classify_*()` and
`ndpi_get_host_domain_suffix()` now have a `u_int32_t` parameter as
`class_id` (instead of `u_int_16_t`), with the following logic:
```
class_id = (breed << 16) | category
```
instead of the old:
```
class_id = category
```
Please note that this change is back-compatible: if you are not
interested into breeds, you don't need to update the application code.
This commit is contained in:
Ivan Nardi 2025-09-02 16:54:34 +02:00 committed by GitHub
parent 8640bd6d76
commit efccc7d5e4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
98 changed files with 849 additions and 718 deletions
Download patch file Download diff file Expand all files Collapse all files

5
tests/cfgs/default/result/smtp-starttls.pcap.out
View file

@ -23,8 +23,7 @@ Patricia protocols IPv6: 2/0 (search/found)
SMTPS 33 6429 1
Google 36 8403 1
Safe 33 6429 1
Acceptable 36 8403 1
Acceptable 69 14832 2
Email 69 14832 2
@ -35,4 +34,4 @@ JA Host Stats:
1 TCP 10.0.0.1:57406 <-> 173.194.68.26:25 [proto: 29.126/SMTPS.Google][Stack: SMTP.SMTPS.Google][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: IP address][DPI packets: 15][cat: Email/3][Breed: Acceptable][17 pkts/2514 bytes <-> 19 pkts/5889 bytes][Goodput ratio: 55/79][0.48 sec][Hostname/SNI: mx.google.com][bytes ratio: -0.402 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 30/24 156/103 42/26][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 148/310 752/1484 168/444][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: Cipher TLS_RSA_WITH_RC4_128_SHA / TLSv1][nDPI Fingerprint: de9abf9d14e2e6e6efd5396d0bde2d80][TCP Fingerprint: 2_64_14600_2e3cee914fc1/Unknown][TLSv1][JA4: t10d290100_cdba58456bdf_e78b541c01a9][ServerNames: aspmx.l.google.com,alt1.aspmx.l.google.com,alt2.aspmx.l.google.com,alt3.aspmx.l.google.com,alt4.aspmx.l.google.com,gmail-smtp-in.l.google.com,alt1.gmail-smtp-in.l.google.com,alt2.gmail-smtp-in.l.google.com,alt3.gmail-smtp-in.l.google.com,alt4.gmail-smtp-in.l.google.com,gmr-smtp-in.l.google.com,alt1.gmr-smtp-in.l.google.com,alt2.gmr-smtp-in.l.google.com,alt3.gmr-smtp-in.l.google.com,alt4.gmr-smtp-in.l.google.com,mx.google.com,aspmx2.googlemail.com,aspmx3.googlemail.com,aspmx4.googlemail.com,aspmx5.googlemail.com][JA3S: 6b96cf9c27b0223177b0e9f135fe4899][Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2][Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=mx.google.com][Certificate SHA-1: 45:15:6A:E7:49:63:40:94:F9:AB:09:1E:F5:A7:33:6D:F3:7B:28:FC][Validity: 2013-09-09 11:32:35 - 2014-09-09 11:32:35][Cipher: TLS_RSA_WITH_RC4_128_SHA][PLAIN TEXT (x.google.com ESMTP s4)][Plen Bins: 23,18,13,9,4,4,4,0,0,4,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0]
2 TCP [2003:de:2016:125:fc36:8317:4e86:cb72]:7562 <-> [2003:de:2016:120::a08:53]:25 [VLAN: 125][proto: 29/SMTPS][Stack: SMTP.SMTPS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 11][cat: Email/3][Breed: Safe][16 pkts/2994 bytes <-> 17 pkts/3435 bytes][Goodput ratio: 58/61][0.30 sec][Hostname/SNI: dovecot.weberlab.de][bytes ratio: -0.069 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 22/23 202/202 55/54][Pkt Len c2s/s2c min/avg/max/stddev: 78/78 187/202 1112/1218 244/263][Risk: ** Self-signed Cert **** TLS (probably) Not Carrying HTTPS **** TLS Susp Extn **][Risk Score: 210][Risk Info: Extn id 65283 / No ALPN / CN=jw-vm08-int-dns][nDPI Fingerprint: 8dccdb5a59f74a0533dcc1ae401d0da5][TCP Fingerprint: 2_64_8192_b5576ecca2fb/Unknown][TLSv1.2][JA4: t12d150900_073e58a039a6_b44afb9f0e6a][JA3S: ccc514751b175866924439bdbb5bba34][Issuer: CN=jw-vm08-int-dns][Subject: CN=jw-vm08-int-dns][Certificate SHA-1: AD:1B:57:6C:AC:BE:46:54:65:F6:1D:6D:85:2A:38:16:07:7D:31:17][Firefox][Validity: 2016-08-16 09:33:19 - 2026-08-14 09:33:19][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (dns.webernetz.net ESMTP Postfix)][Plen Bins: 17,35,17,4,4,8,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0]
2 TCP [2003:de:2016:125:fc36:8317:4e86:cb72]:7562 <-> [2003:de:2016:120::a08:53]:25 [VLAN: 125][proto: 29/SMTPS][Stack: SMTP.SMTPS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 11][cat: Email/3][Breed: Acceptable][16 pkts/2994 bytes <-> 17 pkts/3435 bytes][Goodput ratio: 58/61][0.30 sec][Hostname/SNI: dovecot.weberlab.de][bytes ratio: -0.069 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 22/23 202/202 55/54][Pkt Len c2s/s2c min/avg/max/stddev: 78/78 187/202 1112/1218 244/263][Risk: ** Self-signed Cert **** TLS (probably) Not Carrying HTTPS **** TLS Susp Extn **][Risk Score: 210][Risk Info: Extn id 65283 / No ALPN / CN=jw-vm08-int-dns][nDPI Fingerprint: 8dccdb5a59f74a0533dcc1ae401d0da5][TCP Fingerprint: 2_64_8192_b5576ecca2fb/Unknown][TLSv1.2][JA4: t12d150900_073e58a039a6_b44afb9f0e6a][JA3S: ccc514751b175866924439bdbb5bba34][Issuer: CN=jw-vm08-int-dns][Subject: CN=jw-vm08-int-dns][Certificate SHA-1: AD:1B:57:6C:AC:BE:46:54:65:F6:1D:6D:85:2A:38:16:07:7D:31:17][Firefox][Validity: 2016-08-16 09:33:19 - 2026-08-14 09:33:19][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (dns.webernetz.net ESMTP Postfix)][Plen Bins: 17,35,17,4,4,8,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0]