mirror of
https://github.com/vel21ripn/nDPI.git
synced 2026-05-02 00:40:17 +00:00
8dd2220116
The idea is to remove the limitation of only two protocols ("master" and
"app") in the flow classifcation.
This is quite handy expecially for STUN flows and, in general, for any
flows where there is some kind of transitionf from a cleartext protocol
to TLS: HTTP_PROXY -> TLS/Youtube; SMTP -> SMTPS (via STARTTLS msg).
In the vast majority of the cases, the protocol stack is simply
Master/Application.
Examples of real stacks (from the unit tests) different from the standard
"master/app":
* "STUN.WhatsAppCall.SRTP": a WA call
* "STUN.DTLS.GoogleCall": a Meet call
* "Telegram.STUN.DTLS.TelegramVoip": a Telegram call
* "SMTP.SMTPS.Google": a SMTP connection to Google server started in
cleartext and updated to TLS
* "HTTP.Google.ntop": a HTTP connection to a Google domain (match via
"Host" header) and to a ntop server (match via "Server" header)
The logic to create the stack is still a bit coarse: we have a decade of
code try to push everything in only ywo protocols... Therefore, the
content of the stack is still **highly experimental** and might change
in the next future; do you have any suggestions?
It is quite likely that the legacy fields "master_protocol" and
"app_protocol" will be there for a long time.
Add some helper to use the stack:
```
ndpi_stack_get_upper_proto();
ndpi_stack_get_lower_proto();
bool ndpi_stack_contains(struct ndpi_proto_stack *s, u_int16_t proto_id);
bool ndpi_stack_is_tls_like(struct ndpi_proto_stack *s);
bool ndpi_stack_is_http_like(struct ndpi_proto_stack *s);
```
Be sure new stack logic is compatible with legacy code:
```
assert(ndpi_stack_get_upper_proto(&flow->detected_protocol.protocol_stack) ==
ndpi_get_upper_proto(flow->detected_protocol));
assert(ndpi_stack_get_lower_proto(&flow->detected_protocol.protocol_stack) ==
ndpi_get_lower_proto(flow->detected_protocol));
```
29 lines
1.5 KiB
Text
29 lines
1.5 KiB
Text
DPI Packets (UDP): 1 (1.00 pkts/flow)
|
|
Confidence DPI : 1 (flows)
|
|
Num dissector calls: 1 (1.00 diss/flow)
|
|
LRU cache ookla: 0/0/0 (insert/search/found)
|
|
LRU cache bittorrent: 0/0/0 (insert/search/found)
|
|
LRU cache stun: 0/0/0 (insert/search/found)
|
|
LRU cache tls_cert: 0/0/0 (insert/search/found)
|
|
LRU cache mining: 0/0/0 (insert/search/found)
|
|
LRU cache msteams: 0/0/0 (insert/search/found)
|
|
LRU cache fpc_dns: 0/0/0 (insert/search/found)
|
|
Automa host: 0/0 (search/found)
|
|
Automa domain: 0/0 (search/found)
|
|
Automa tls cert: 0/0 (search/found)
|
|
Automa risk mask: 0/0 (search/found)
|
|
Automa common alpns: 0/0 (search/found)
|
|
Patricia risk mask: 0/0 (search/found)
|
|
Patricia risk mask IPv6: 0/0 (search/found)
|
|
Patricia risk: 1/0 (search/found)
|
|
Patricia risk IPv6: 0/0 (search/found)
|
|
Patricia protocols: 2/0 (search/found)
|
|
Patricia protocols IPv6: 0/0 (search/found)
|
|
|
|
NTP 1 410 1
|
|
|
|
Acceptable 1 410 1
|
|
|
|
System 1 410 1
|
|
|
|
1 UDP 208.104.95.10:123 -> 78.46.76.2:80 [proto: 9/NTP][Stack: NTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 9/NTP, Confidence: DPI][DPI packets: 1][cat: System/18][Breed: Acceptable][1 pkts/410 bytes -> 0 pkts/0 bytes][Goodput ratio: 90/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
|