nDPI/python
Ivan Nardi a8ffcd8bb0
Rework how hostname/SNI info is saved (#1330)
Looking at `struct ndpi_flow_struct` the two bigger fields are
`host_server_name[240]` (mainly for HTTP hostnames and DNS domains) and
`protos.tls_quic.client_requested_server_name[256]`
(for TLS/QUIC SNIs).

This commit aims to reduce `struct ndpi_flow_struct` size, according to
two simple observations:
 1) at most one of these two fields is used for each flow. So it seems safe
to merge them;
 2) even if hostnames/SNIs might be very long, in practice they are rarely
longer than a few tens of bytes. So, using a (single) large buffer is a
waste of memory for all kinds of flows. If we need to truncate the name,
we keep the *last* characters, easing domain matching.

Analyzing some real traffic, it seems safe to assume that the vast
majority of hostnames/SNIs is shorter than 80 bytes.

Hostnames/SNIs are always converted to lowercase.

Attention was given so as to be sure that unit-tests outputs are not
affected by this change.

Because of a bug, TLS/QUIC SNIs were always truncated to 64 bytes (the
*first* 64 ones): as a consequence, there were some "Suspicious DGA
domain name" and "TLS Certificate Mismatch" false positives.
2021-11-24 10:46:48 +01:00
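
The commit message above says truncated names keep their *last* characters to ease domain matching. The following is an added example, not code from nDPI or from the commit: it stores a constructed over-long SNI both ways and checks a suffix-based domain match. The names ``save_name``, ``matches_domain`` and ``NAME_BUF_LEN`` are hypothetical, and the 80-byte buffer size is an assumption based on the message's remark about typical lengths.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_LEN 80 /* assumed size, taken from the "shorter than 80 bytes" remark */

/* Store a hostname/SNI lowercased in a fixed buffer. When it does not fit,
 * keep_tail=1 keeps the LAST bytes, keep_tail=0 keeps the FIRST bytes. */
static void save_name(char *dst, size_t dst_len, const char *src,
                      size_t src_len, int keep_tail) {
  size_t i, n;
  if (dst_len == 0) return;
  n = src_len < dst_len - 1 ? src_len : dst_len - 1;
  if (keep_tail) src += src_len - n;
  for (i = 0; i < n; i++) dst[i] = (char)tolower((unsigned char)src[i]);
  dst[n] = '\0';
}

/* Domain match: name equals domain or ends with "." followed by domain. */
static int matches_domain(const char *name, const char *domain) {
  size_t nl = strlen(name), dl = strlen(domain);
  if (nl < dl || strcmp(name + nl - dl, domain) != 0) return 0;
  return nl == dl || name[nl - dl - 1] == '.';
}

/* Constructed sample: two 60-byte labels followed by ".Login.Example.COM"
 * (139 bytes in total, so it cannot fit in NAME_BUF_LEN). */
static void build_long_sni(char out[160]) {
  memset(out, 'A', 60);
  out[60] = '.';
  memset(out + 61, 'b', 60);
  strcpy(out + 121, ".Login.Example.COM");
}

/* Returns 1 if the stored (possibly truncated) name still matches example.com. */
static int demo_match(int keep_tail) {
  char sni[160], buf[NAME_BUF_LEN];
  build_long_sni(sni);
  save_name(buf, sizeof(buf), sni, strlen(sni), keep_tail);
  return matches_domain(buf, "example.com");
}

int main(void) {
  printf("keep last bytes:  match=%d\n", demo_match(1));
  printf("keep first bytes: match=%d\n", demo_match(0));
  return 0;
}
```

With head truncation the stored name consists only of the leading labels, so any check keyed on the domain suffix sees a string with no recognisable domain in it.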
flow_printer.py Update example. 2020-09-14 16:42:33 +02:00
Makefile.in Added missing library 2021-01-22 09:31:37 +01:00
ndpi.py Rework how hostname/SNI info is saved (#1330) 2021-11-24 10:46:48 +01:00
ndpi_example.py Polish. 2019-11-15 19:30:50 +01:00
ndpi_typestruct.py Rework how hostname/SNI info is saved (#1330) 2021-11-24 10:46:48 +01:00
ndpi_wrap.c Fixes #777 2019-09-23 18:04:55 +02:00
python_extensions_guide.pdf Reworked categories handling 2019-09-29 21:46:41 +02:00
README.rst Update Python cffi bindings. 2020-02-21 17:28:44 +01:00

nDPI Python bindings
--------------------

This directory contains the Python3 bindings for nDPI. We provide both cffi and ctypes based bindings.

**cffi bindings**

Files:

* ndpi.py

Example (using the `nfstream <https://github.com/aouinizied/nfstream>`_ package):

.. code-block:: bash

    pip3 install nfstream
    python3 flow_printer.py <interface>
    python3 flow_printer.py <pcap_file>

Code courtesy:

* Zied Aouini

**ctypes bindings**

Files:

* ndpi_typestruct.py
* ndpi_wrap.c
* Makefile.in

Example:

.. code-block:: bash

    pip3 install scapy
    python3 ndpi_example.py <interface>
    python3 ndpi_example.py <pcap_file>

Code courtesy:

* Massimo Puddu
* Zied Aouini