We need to take into account retransmissions: they increase
`flow->all_packets_counter` counter but not `flows->packet_counter`
one.
Therefore, the right way to check for 3WH + RST pattern involves checking
for `flows->packet_counter == 0`
* Add Omron FINS protocol dissector
* Add a kludge to avoid invalid FINS over UDP detection as SkypeTeams and RTP
* Update unit test results
* Update protocols.rst
* Remove dummy flows from fins.pcap
* Add HART-IP protocol dissector
* Update docs
* Update protocols.rst
* Reuse free proto id and re-run tests
* docs: move HART-IP to top of list
---------
Co-authored-by: 0xA50C1A1 <mage.wizard88@gmail.com>
* Add IEEE 1588-2008 (PTPv2) dissector
PTPv2 is a time synchronization protocol in computer networks, similar to NTP.
* Add default protocol ports
* Update default test result for PTPv2
* Update copyright
---------
Co-authored-by: 0xA50C1A1 <mage.wizard88@gmail.com>
as explained here for bitcoin https://www.ntop.org/guides/nDPI/protocols.html#ndpi-protocol-bitcoin
the same is applicable for ethereum.
ethereum detection was removed from mining protocol and is now handled separately.
Signed-off-by: Mahmoud Maatuq <mahmoudmatook.mm@gmail.com>
Use two separate lists:
* one for the ingress nodes, which triggers a ProtonVPN classification
* one for the egress nodes, which triggers the
`NDPI_ANONYMOUS_SUBSCRIBER` risk
Add a command line option (to `ndpiReader`) to easily test IP/port
matching.
Add another example of custom rule.
* added feature to extract filename from http attachment
* fixed some issues
* added check for filename format
* added check for filename format
* remove an unnecessary print
* changed the size from 952 to 960
* modified some test result files
* small changes string size
* comment removed and mallocs checked
Regardless of the name, the removed trace doesn't contain meaningful
Hangout traffic.
Remove last piece of sub-classifiction based only on ip addresses.
Try avoiding false positives: look for 3 RTP packets before classifing
the flow as such.
Add a generic function `is_rtp_or_rtcp()` to identify RTP/RTCP packets also
in other dissectors (see 3608ab01b commit message for an example)
For a lot of protocols, reduce the number of packets after which the
protocols dissector gives up.
The values are quite arbitary, tring to not impact on classification
Extend internal unit tests to handle multiple configurations.
As some examples, add tests about:
* disabling some protocols
* disabling Ookla aggressiveness
Every configurations data is stored in a dedicated directory under
`tests\cfgs`
