`flow_classified` gains a 5th argument (`arg4 = ndpi_flow_struct *`) so
scripts can access any flow field (risk, num_processed_pkts, etc.)
while still using the fast scalar args (arg0-arg3) in predicates.
`hostname_set` is redesigned from three scalars to two args: arg0 keeps
the hostname string for zero-friction str() access, arg1 is the flow
pointer replacing the two separate protocol IDs.
Documentation is updated.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add opt-in USDT (User-level Statically Defined Tracing) support via
--enable-usdt-probes. When enabled, probes compile to single NOP
instructions with zero runtime cost; external tools like bpftrace and
perf can attach dynamically without restarting the application.
Two probes are added:
- flow_classified: fires once per flow at classification finalization,
exposing master/app protocol, confidence, and category
- hostname_set: fires when a hostname/SNI is extracted, exposing the
hostname string and master/app protocol
Includes CI job that builds with USDT, verifies probes via readelf, and
runs live bpftrace tracing against ndpiReader on test pcaps.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
The origin of this list is not clear: remove this check about
suspicious HTTP headers.
If someone is really interested in that or provides a better/updated
list, we can always revert this change.
Add specific protocol ids for Copilot, GitHub Actions and GitHub Packages.
There is some overlapping between the addresses in the GitHub list and in the Azure one.
Not sure about the best action here: add a (temporary?) workaround to avoid collisions.
Close #2976
---------
Co-authored-by: Ivan Nardi <nardi.ivan@gmail.com>
Fix the case where there are multiple Handshake messages, in the same
record, after CH/SH/Certificate.
Completely disable it for DTLS (even for DTLS over TCP) because it never
worked: with DTLS we process only Handshake records.
Current ApplePush dissector only looks for an IP match and doesn't allow
full metadata extraction (see #3074).
Since all ApplePush flows are TLS ones, let the TLS dissector do its job and
handle the IP match as usual; with this change, the dissector itself is
useless: remove it.
Close #3074
Signed-off-by: Chad Monroe <chad@monroe.io>
Co-authored-by: Ivan Nardi <nardi.ivan@gmail.com>
Try to avoid collisions with a similar Wireshark function: see #3063.
Note that this function is now used by plugins, so it is somehow part
of the public API anyway.
Close #3063