diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h index ed3223760..84354f725 100644 --- a/src/include/ndpi_private.h +++ b/src/include/ndpi_private.h @@ -710,6 +710,8 @@ bool ndpi_cache_address(struct ndpi_detection_module_struct *ndpi_struct, int is_monitoring_enabled(struct ndpi_detection_module_struct *ndpi_str, int protoId); int is_flowrisk_info_enabled(struct ndpi_detection_module_struct *ndpi_str, ndpi_risk_enum flowrisk_id); +void proto_stack_reset(struct ndpi_proto_stack *s); + u_int8_t ndpi_is_valid_protoId(const struct ndpi_detection_module_struct *ndpi_str, u_int16_t protoId); /* TLS */ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index d439f83c3..58aeacad0 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -10637,6 +10637,20 @@ static void proto_stack_push(struct ndpi_proto_stack *s, u_int16_t proto) /* ********************************************************************************* */ +void proto_stack_reset(struct ndpi_proto_stack *s) +{ + unsigned int i; + +#ifdef DEBUG_STACK + printf("%s\n", __func__); +#endif + for(i = 0; i < s->protos_num; i++) + s->protos[i] = NDPI_PROTOCOL_UNKNOWN; + s->protos_num = 0; +} + +/* ********************************************************************************* */ + static void proto_stack_update(struct ndpi_proto_stack *s, u_int16_t lower_proto, u_int16_t upper_proto) { #ifdef DEBUG_STACK diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 535a0c5bd..c0ed2443c 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c 
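Review bot: The new prototype `proto_stack_reset()` in ndpi_private.h has no comment stating its contract, although the declaration makes it callable from every dissector that includes this header. From the definition added in ndpi_main.c, it sets the used entries to NDPI_PROTOCOL_UNKNOWN, zeroes `protos_num`, and dereferences `s` without a check. I would add above the declaration: `/* Forget every protocol recorded in s: used slots become NDPI_PROTOCOL_UNKNOWN and protos_num becomes 0. s must not be NULL. */`.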
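Review bot: The clearing loop in `proto_stack_reset()` (ndpi_main.c) is bounded only by `s->protos_num`, so a count that ever exceeds the capacity of `protos[]` would turn the reset into an out-of-bounds write. Slots above the count are also left as they were. The declaration of `struct ndpi_proto_stack` is not part of this diff; if `protos` is a fixed-size array member, bounding the loop by the array itself is safer and clears every slot: `for(i = 0; i < sizeof(s->protos) / sizeof(s->protos[0]); i++)`.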
@@ -446,6 +446,10 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd MPEGDASH, SOAP, ....) */ if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) { NDPI_LOG_DBG2(ndpi_struct, "Master: %d\n", master_protocol); + if(flow->detected_protocol_stack[0] != master_protocol) { + NDPI_LOG_DBG2(ndpi_struct, "Previous master was different\n"); + proto_stack_reset(&flow->protocol_stack); + } ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN, master_protocol, NDPI_CONFIDENCE_DPI); } diff --git a/tests/cfgs/default/pcap/http_connect.pcap b/tests/cfgs/default/pcap/http_connect.pcap index 987f5758e..00a522a3e 100644 Binary files a/tests/cfgs/default/pcap/http_connect.pcap and b/tests/cfgs/default/pcap/http_connect.pcap differ diff --git a/tests/cfgs/default/result/http_connect.pcap.out b/tests/cfgs/default/result/http_connect.pcap.out index 03766c238..95627354d 100644 --- a/tests/cfgs/default/result/http_connect.pcap.out +++ b/tests/cfgs/default/result/http_connect.pcap.out 
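Review bot: The added guard `flow->detected_protocol_stack[0] != master_protocol` is also true when nothing has been detected yet (`detected_protocol_stack[0]` still NDPI_PROTOCOL_UNKNOWN), so the first classification logs "Previous master was different" and calls the reset on a stack that is presumably empty. Testing for a real previous value keeps the debug trail accurate: `if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN && flow->detected_protocol_stack[0] != master_protocol) {`. The condition reads `detected_protocol_stack[]` while the reset acts on `flow->protocol_stack`; a one-line comment saying how the two are kept in step (presumably by the `ndpi_set_detected_protocol()` call that follows) would help the next reader. Only the stack is cleared here; whether risks or metadata recorded under the earlier master should survive the change is not visible in this hunk, whose enclosing function starts and ends outside it.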
@@ -1,35 +1,37 @@ -DPI Packets (TCP): 12 (6.00 pkts/flow) +DPI Packets (TCP): 20 (6.67 pkts/flow) DPI Packets (UDP): 2 (2.00 pkts/flow) -Confidence DPI : 3 (flows) -Num dissector calls: 3 (1.00 diss/flow) +Confidence DPI : 4 (flows) +Num dissector calls: 16 (4.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) LRU cache tls_cert: 0/2/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) -LRU cache fpc_dns: 0/2/0 (insert/search/found) -Automa host: 4/0 (search/found) -Automa domain: 4/0 (search/found) +LRU cache fpc_dns: 0/3/0 (insert/search/found) +Automa host: 5/1 (search/found) +Automa domain: 5/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 0/0 (search/found) Automa common alpns: 2/2 (search/found) -Patricia risk mask: 0/0 (search/found) +Patricia risk mask: 2/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 6/0 (search/found) +Patricia protocols: 8/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) DNS 2 178 1 TLS 58 36496 1 HTTP_Connect 40 26841 1 +WindowsUpdate 8 4524 1 -Safe 58 36496 1 +Safe 66 41020 2 Acceptable 42 27019 2 Web 98 63337 2 Network 2 178 1 +SoftwareUpdate 8 4524 1 JA Host Stats: IP Address # JA4C 
@@ -38,4 +40,5 @@ JA Host Stats: 1 TCP 192.168.1.146:35968 <-> 151.101.2.132:443 [proto: 91/TLS][Stack: TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Safe][28 pkts/3557 bytes <-> 30 pkts/32939 bytes][Goodput ratio: 48/94][0.11 sec][Hostname/SNI: apache.org][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.805 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5/4 53/54 11/11][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 127/1098 583/1450 129/576][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA4: t13d1813h2_e8a523a41297_f81080dfc557][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 2,2,8,8,2,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0] 2 TCP 192.168.1.103:1714 <-> 192.168.1.146:8080 [proto: 130/HTTP_Connect][Stack: HTTP_Connect][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][18 pkts/2918 bytes <-> 22 pkts/23923 bytes][Goodput ratio: 65/95][0.11 sec][Hostname/SNI: apache.org][bytes ratio: -0.783 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 6/5 50/53 13/12][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 162/1087 571/5590 128/1857][URL: apache.org:443][StatusCode: 200][User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0][Risk: ** Susp Entropy **][Risk Score: 10][Risk Info: Entropy: 5.267 (Executable?)][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][PLAIN TEXT (CONNECT apache.org)][Plen Bins: 4,4,20,15,4,4,4,0,0,4,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,20] - 3 UDP 192.168.1.146:47767 <-> 192.168.1.2:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 48/56][< 1 
sec][Hostname/SNI: apache.org][151.101.2.132][DNS Id: 0xf5b7][PLAIN TEXT (apache)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 TCP 10.10.109.10:3128 <-> 10.100.3.133:50474 [VLAN: 1606][proto: 130.147/HTTP_Connect.WindowsUpdate][Stack: HTTP_Connect.WindowsUpdate][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: SoftwareUpdate/19][Breed: Safe][6 pkts/4297 bytes <-> 2 pkts/227 bytes][Goodput ratio: 91/43][502.21 sec][Hostname/SNI: fe3cr.delivery.mp.microsoft.com][bytes ratio: 0.900 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/4 100441/4 502189/4 200874/0][Pkt Len c2s/s2c min/avg/max/stddev: 64/70 716/114 1518/157 666/44][URL: fe3cr.delivery.mp.microsoft.com:443][Risk: ** Known Proto on Non Std Port **** HTTP Susp User-Agent **** Susp Entropy **][Risk Score: 160][Risk Info: Entropy: 5.246 (Executable?) / Empty or missing User-Agent / Expected on port 80][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][PLAIN TEXT (HTTP/1.1 407 Proxy Authenticati)][Plen Bins: 0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] + 4 UDP 192.168.1.146:47767 <-> 192.168.1.2:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 48/56][< 1 sec][Hostname/SNI: apache.org][151.101.2.132][DNS Id: 0xf5b7][PLAIN TEXT (apache)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]