vrr/nDPI
2
0
Fork 0
mirror of https://github.com/vel21ripn/nDPI.git synced 2026-05-10 17:58:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
nDPI/python/ndpi_typestruct.py
Ivan Nardi 91bb77a880
A final(?) effort to reduce memory usage per flow (#1389) 
Remove some unused fields and re-organize other ones.
In particular:
* Update the parameters of `ndpi_ssl_version2str()` function
* Zattoo, Thunder: these timestamps aren't really used.
* Ftp/mail: these protocols are dissected only over TCP.
* Attention must be paid to TLS.Bittorrent flows to avoid invalid
read/write to `flow->protos.bittorrent.hash` field.

This is the last(?) commit of a long series (see 22241a1d, 227e586e,
730c2360, a8ffcd8b) aiming to reduce library memory consumption.

Before, at nDPI 4.0 (more precisly, at a6b10cf7, because memory stats
were wrong until that commit):
```
nDPI Memory statistics:
	nDPI Memory (once):      221.15 KB
	Flow Memory (per flow):  2.94 KB
```
Now:
```
nDPI Memory statistics:
	nDPI Memory (once):      231.71 KB
	Flow Memory (per flow):  1008 B       <---------
```
i.e. memory usage per flow has been reduced by 66%, dropping below the
psychological threshold of 1 KB.

To further reduce this value, we probably need to look into #1279:
let's fight this battle another day.
2021-12-22 19:54:06 +01:00

797 lines
25 KiB
Python
Raw Blame History

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
file: ndpi_typestruct.py
This file is part of nDPI.
Copyright (C) 2011-19 - ntop.org
Copyright (C) 2019 - Zied Aouini <aouinizied@gmail.com> (Incremental improvements)
nDPI is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License
as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
nDPI is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with nDPI.
If not, see <http://www.gnu.org/licenses/>.
"""
from ctypes import CDLL, Structure, c_uint16, c_int, c_ulong, c_uint32, CFUNCTYPE, c_void_p, POINTER, c_char_p, c_uint8
from ctypes import c_char, c_uint, c_int16, c_longlong, c_size_t, Union, c_ubyte, c_uint64, c_int32, c_ushort, cast
from os.path import abspath, dirname
ndpi = CDLL(dirname(abspath(__file__)) + '/ndpi_wrap.so')
# ----------------------------------------------- Structures -----------------------------------------------------------
class NDPIDetectionModuleStruct(Structure):
pass
class NDPIFlowStruct(Structure):
pass
class NDPIProtocol(Structure):
_fields_ = [
("master_protocol", c_uint16),
("app_protocol", c_uint16),
("category", c_int)
]
class TimeVal(Structure):
_fields_ = [("tv_sec", c_ulong), ("tv_usec", c_ulong)]
class PcapPktHdr(Structure):
_fields_ = [("ts", TimeVal), ("caplen", c_uint32), ("len", c_uint32)]
class NDPIMask(Structure):
_fields_ = [("fds_bits", c_uint32)]
class NDPIProtocolBitMask(Structure):
_fields_ = [("fds_bits", NDPIMask * ndpi.ndpi_wrap_ndpi_num_fds_bits())]
class NDPISubprotocolConfStruct(Structure):
_fields_ = [("func", CFUNCTYPE(c_void_p, POINTER(NDPIDetectionModuleStruct), c_char_p, c_char_p, c_int))]
class NDPIAutoma(Structure):
_fields_ = [
("ac_automa", c_void_p),
("ac_automa_finalized", c_uint8)
]
class NDPINode(Structure):
pass
NDPINode._fields_ = [
('key', POINTER(c_char)),
('left', POINTER(NDPINode)),
('right', POINTER(NDPINode)),
]
class NDPICallFunctionStruct(Structure):
_fields_ = [
("detection_bitmask", NDPIProtocolBitMask),
("excluded_protocol_bitmask", NDPIProtocolBitMask),
("ndpi_selection_bitmask", c_uint32),
("func", CFUNCTYPE(None, POINTER(NDPIDetectionModuleStruct), POINTER(NDPIFlowStruct))),
("detection_feature", c_uint8)
]
class NDPIProtoDefaultsT(Structure):
_fields_ = [
("protoName", c_char_p),
("protoCategory", c_uint),
("subprotocols", c_uint16_p),
("subprotocol_count", c_uint32),
("protoId", c_uint16),
("protoIdx", c_uint16),
("protoBreed", c_uint),
("func", CFUNCTYPE(None, POINTER(NDPIDetectionModuleStruct), POINTER(NDPIFlowStruct))),
]
class NDPIDefaultsPortsTreeNodeT(Structure):
_fields_ = [
("proto", NDPIProtoDefaultsT),
("customUserProto", c_uint8),
("default_port", c_int16)
]
class SpinlockT(Structure):
_fields_ = [("val", c_int)]
class AtomicT(Structure):
_fields_ = [("counter", c_int)]
class TimeT(Structure):
_fields_ = [("counter", c_longlong)]
class HashIp4pNode(Structure):
pass
HashIp4pNode._fields_ = [
("next", POINTER(HashIp4pNode)),
("prev", POINTER(HashIp4pNode)),
("lchg", TimeT),
("port", c_uint16),
("count", c_uint16, 12),
("flag", c_uint16, 4),
("ip", c_uint32)
]
class HashIp4p(Structure):
_fields_ = [
("top", POINTER(HashIp4pNode)),
("lock",SpinlockT),
("len", c_size_t)
]
class HashIp4pTable(Structure):
_fields_ = [
("size", c_size_t),
("ipv6", c_int),
("lock", SpinlockT),
("count", AtomicT),
("tbl", HashIp4p)
]
class BtAnnounce(Structure):
_fields_ = [
("hash", c_uint32 * 5),
("ip", c_uint32 * 4),
("time", c_uint32),
("port", c_uint16),
("name_len", c_uint8),
("name", c_uint8 * 149)
]
class NDPILruCacheEntry(Structure):
_fields_ = [
("key", c_uint32),
("is_full", c_uint32, 1),
("value", c_uint32, 16),
("pad", c_uint32, 15)
]
class NDPILruCache(Structure):
_fields_ = [
("num_entries", c_uint32),
("entries", POINTER(NDPILruCacheEntry)),
]
class CacheEntry(Structure):
pass
CacheEntry._fields_ = [
("item", c_void_p),
("item_size", c_uint32),
("prev", POINTER(CacheEntry)),
("next", POINTER(CacheEntry))
]
class CacheEntryMap(Structure):
pass
CacheEntryMap._fields_ = [
("entry", POINTER(CacheEntry)),
("next", POINTER(CacheEntryMap)),
]
class Cache(Structure):
_fields_ = [
("size", c_uint32),
("max_size", c_uint32),
("head", POINTER(CacheEntry)),
("tail", POINTER(CacheEntry)),
("map", POINTER(POINTER(CacheEntryMap)))
]
class CustomCategories(Structure):
_fields_ = [
("hostnames", NDPIAutoma),
("hostnames_shadow", NDPIAutoma),
("ipAddresses", c_void_p),
("ipAddresses_shadow", c_void_p),
("categories_loaded", c_uint8),
]
NDPIDetectionModuleStruct._fields_ = [
("detection_bitmask", NDPIProtocolBitMask),
("generic_http_packet_bitmask", NDPIProtocolBitMask),
("current_ts", c_uint32),
("ticks_per_second", c_uint32),
("custom_category_labels",
(c_char * ndpi.ndpi_wrap_num_custom_categories()) * ndpi.ndpi_wrap_custom_category_label_len()),
("callback_buffer", NDPICallFunctionStruct * (ndpi.ndpi_wrap_ndpi_max_supported_protocols() + 1)),
("callback_buffer_size", c_uint32),
("callback_buffer_tcp_no_payload", NDPICallFunctionStruct * (ndpi.ndpi_wrap_ndpi_max_supported_protocols() + 1)),
("callback_buffer_size_tcp_no_payload", c_uint32),
("callback_buffer_tcp_payload", NDPICallFunctionStruct * (ndpi.ndpi_wrap_ndpi_max_supported_protocols() + 1)),
("callback_buffer_size_tcp_payload", c_uint32),
("callback_buffer_udp", NDPICallFunctionStruct * (ndpi.ndpi_wrap_ndpi_max_supported_protocols() + 1)),
("callback_buffer_size_udp", c_uint32),
("callback_buffer_non_tcp_udp", NDPICallFunctionStruct * (ndpi.ndpi_wrap_ndpi_max_supported_protocols() + 1)),
("callback_buffer_size_non_tcp_udp", c_uint32),
("tcpRoot", POINTER(NDPIDefaultsPortsTreeNodeT)),
("udpRoot", POINTER(NDPIDefaultsPortsTreeNodeT)),
("ndpi_log_level", c_uint),
("tcp_max_retransmission_window_size", c_uint32),
("directconnect_connection_ip_tick_timeout", c_uint32),
("subprotocol_conf", NDPISubprotocolConfStruct * (ndpi.ndpi_wrap_ndpi_max_supported_protocols() + 1)),
("ndpi_num_supported_protocols", c_uint),
("ndpi_num_custom_protocols", c_uint),
("host_automa", NDPIAutoma),
("bigrams_automa", NDPIAutoma),
("impossible_bigrams_automa", NDPIAutoma),
("custom_categories", CustomCategories),
("protocols_ptree", c_void_p),
("irc_timeout", c_uint32),
("gnutella_timeout", c_uint32),
("zattoo_connection_timeout", c_uint32),
("jabber_stun_timeout", c_uint32),
("jabber_file_transfer_timeout", c_uint32),
("ip_version_limit", c_uint8),
("bt_ht", POINTER(HashIp4pTable)),
("bt6_ht", POINTER(HashIp4pTable)),
("bt_ann", POINTER(BtAnnounce)),
("bt_ann_len", c_int),
("ookla_cache", POINTER(NDPILruCache)),
("tinc_cache", POINTER(Cache)),
("proto_defaults", NDPIProtoDefaultsT * (ndpi.ndpi_wrap_ndpi_max_supported_protocols() +
ndpi.ndpi_wrap_ndpi_max_num_custom_protocols())),
("direction_detect_disable", c_uint8, 1),
('_pad', c_uint8, 7),
('packet', NDPIPacketStruct),
]
class U6Addr(Union):
_fields_ = [
("u6_addr8", c_uint8 * 16),
("u6_addr16", c_uint16 * 8),
("u6_addr32", c_uint32 * 4),
("u6_addr64", c_uint64 * 2)
]
class NDPIIn6Addr(Structure):
_pack_ = 1
_fields_ = [("u6_addr", U6Addr)]
class NDPIIpAddrT(Union):
_fields_ = [
('ipv4', c_uint32),
('ipv4_u_int8_t', c_uint8 * 4),
('ipv6', NDPIIn6Addr),
]
class NDPIIdStruct(Structure):
_fields_ = [
('detected_protocol_bitmask', NDPIProtocolBitMask),
('irc_port', c_uint16 * 8),
('last_time_port_used', c_uint32 * 8),
('irc_ts', c_uint32),
('gnutella_ts', c_uint32),
('battlefield_ts', c_uint32),
('rtsp_timer', c_uint32),
('jabber_stun_or_ft_ts', c_uint32),
('directconnect_last_safe_access_time', c_uint32),
('detected_directconnect_port', c_uint16),
('detected_directconnect_udp_port', c_uint16),
('detected_directconnect_ssl_port', c_uint16),
('jabber_voice_stun_port', c_uint16 * 6),
('jabber_file_transfer_port', c_uint16 * 2),
('detected_gnutella_udp_port1', c_uint16),
('detected_gnutella_udp_port2', c_uint16),
('irc_number_of_port', c_uint8),
('oscar_ssl_session_id', c_uint8 * 33),
('jabber_voice_stun_used_ports', c_uint8),
]
class NDPIFlowTcpStruct(Structure):
_pack_ = 1
_fields_ = [
('smtp_command_bitmask', c_uint16),
('pop_command_bitmask', c_uint16),
('wa_matched_so_far', c_uint8),
('irc_stage', c_uint8),
('h323_valid_packets', c_uint8),
('gnutella_msg_id', c_uint8 * 3),
('irc_3a_counter', c_uint32, 3),
('irc_stage2', c_uint32, 5),
('irc_direction', c_uint32, 2),
('irc_0x1000_full', c_uint32, 1),
('usenet_stage', c_uint32, 2),
('http_stage', c_uint32, 2),
('http_empty_line_seen', c_uint32, 1),
('gnutella_stage', c_uint32, 2),
('ssh_stage', c_uint32, 3),
('vnc_stage', c_uint32, 2),
('telnet_stage', c_uint32, 2),
('tls_seen_client_cert', c_uint8, 1),
('tls_seen_server_cert', c_uint8, 1),
('tls_seen_certificate', c_uint8, 1),
('tls_srv_cert_fingerprint_found', c_uint8, 1),
('tls_srv_cert_fingerprint_processed', c_uint8, 1),
('tls_stage', c_uint8, 2),
('tls_record_offset', c_int16),
('tls_fingerprint_len', c_int16),
('tls_sha1_certificate_fingerprint', c_uint8 * 20),
('postgres_stage', c_uint32, 3),
('seen_syn', c_uint32, 1),
('seen_syn_ack', c_uint32, 1),
('seen_ack', c_uint32, 1),
('icecast_stage', c_uint32, 1),
('dofus_stage', c_uint32, 1),
('fiesta_stage', c_uint32, 2),
('wow_stage', c_uint32, 2),
('shoutcast_stage', c_uint32, 2),
('rtp_special_packets_seen', c_uint32, 1),
('mail_pop_stage', c_uint32, 2),
('mail_imap_stage', c_uint32, 3),
('mail_imap_starttls', c_uint32, 2),
('skype_packet_id', c_uint8),
('citrix_packet_id', c_uint8),
('lotus_notes_packet_id', c_uint8),
('teamviewer_stage', c_uint8),
('prev_zmq_pkt_len', c_uint8),
('prev_zmq_pkt', c_char * 10),
('ppstream_stage', c_uint32, 3),
('memcached_matches', c_uint8),
('nest_log_sink_matches', c_uint8),
]
class NDPIFlowUdpStruct(Structure):
_pack_ = 1
_fields_ = [
('ppstream_stage', c_uint32, 3),
('halflife2_stage', c_uint32, 2),
('tftp_stage', c_uint32, 2),
('aimini_stage', c_uint32, 5),
('xbox_stage', c_uint32, 1),
('skype_packet_id', c_uint8),
('teamviewer_stage', c_uint8),
('eaq_pkt_id', c_uint8),
('eaq_sequence', c_uint32),
('rx_conn_epoch', c_uint32),
('rx_conn_id', c_uint32),
('memcached_matches', c_uint8),
('wireguard_stage', c_uint8),
('wireguard_peer_index', c_uint32 * 2),
('quic_reasm_buf', POINTER(c_uint8)),
('quic_reasm_buf_len', c_uint32),
('csgo_strid', c_uint8 * 18),
('csgo_state', c_uint8),
('csgo_s2', c_uint8),
('csgo_id2', c_uint32),
('rdp_to_srv', c_uint8 * 3),
('rdp_from_srv', c_uint8 * 3),
('rdp_to_srv_pkts,', c_uint8),
('rdp_from_srv_pkts', c_uint8),
('imo_last_one_byte_pkt,', c_uint8),
('imo_last_byte', c_uint8),
]
class L4(Union):
_fields_ = [("tcp", NDPIFlowTcpStruct), ("udp", NDPIFlowUdpStruct)]
class Http(Structure):
_fields_ = [
("method", c_int),
("request_version", c_uint8),
("response_status_code", c_uint16),
("url", c_char_p),
("content_type", c_char_p),
("user_agent", c_char_p),
("detected_os", c_char_p),
("nat_ip", c_char_p),
]
class Dns(Structure):
_fields_ = [
("num_queries", c_uint8),
("num_answers", c_uint8),
("reply_code", c_uint8),
("is_query", c_uint8),
("query_type", c_uint16),
("query_class", c_uint16),
("rsp_type", c_uint16),
("rsp_addr", NDPIIpAddrT)
]
class Ntp(Structure):
_fields_ = [("request_code", c_uint8),
("version", c_uint8)]
class Kerberos(Structure):
_fields_ = [("cname", c_char * 24),
("realm", c_char * 24)]
class QuicSsl(Structure):
_fields_ = [
("ssl_version", c_uint16),
("client_certificate", c_char * 64),
("server_certificate", c_char * 64),
("server_organization", c_char * 64),
('notBefore', c_uint32),
('notAfter', c_uint32),
("ja3_client", c_char * 33),
("ja3_server", c_char * 33),
("server_cipher", c_uint16),
("server_unsafe_cipher", c_int)
]
class Stun(Structure):
_fields_ = [
("num_udp_pkts", c_uint8),
("num_processed_pkts", c_uint8),
("num_binding_requests", c_uint8),
]
class Ssh(Structure):
_fields_ = [
("client_signature", c_char * 48),
("server_signature", c_char * 48),
("hassh_client", c_char * 33),
("hassh_server", c_char * 33)
]
class Mdns(Structure):
_fields_ = [("answer", c_char * 96)]
class Ubntac2(Structure):
_fields_ = [("version", c_char * 32)]
class FtpImapPopSmtp(Structure):
_fields_ = [
("auth_found", c_uint8, 1),
("auth_failed", c_uint8, 1),
("auth_tls", c_uint8, 1),
("auth_done", c_uint8, 1),
("_pad", c_uint8, 4),
("username", c_char * 32),
("password", c_char * 16)
]
class Bittorrent(Structure):
_fields_ = [("hash", c_char * 20)]
class Dhcp(Structure):
_fields_ = [
("fingerprint", c_char * 48),
("class_ident", c_char * 48)
]
class Protos(Union):
_fields_ = [
("dns", Dns),
("kerberos", Kerberos),
("quic_ssl", QuicSsl),
("ssh", Ssh),
("mdns", Mdns),
("ubntac2", Ubntac2),
("bittorrent", Bittorrent),
("dhcp", Dhcp)
]
class TincCacheEntry(Structure):
_pack_ = 1
_fields_ = [
('src_address', c_uint32),
('dst_address', c_uint32),
('dst_port', c_uint16),
]
class NDPIIntOneLineStruct(Structure):
_fields_ = [
('ptr', POINTER(c_uint8)),
('len', c_uint16),
]
class NDPIIphdr(Structure):
_pack_ = 1
_fields_ = [
('ihl', c_uint8, 4),
('version', c_uint8, 4),
('tos', c_uint8),
('tot_len', c_uint16),
('id', c_uint16),
('frag_off', c_uint16),
('ttl', c_uint8),
('protocol', c_uint8),
('check', c_uint16),
('saddr', c_uint32),
('daddr', c_uint32)]
class NDPIIp6Hdrctl(Structure):
_pack_ = 1
_fields_ = [
('ip6_un1_flow', c_uint32),
('ip6_un1_plen', c_uint16),
('ip6_un1_nxt', c_uint8),
('ip6_un1_hlim', c_uint8),
]
class NDPIIpv6hdr(Structure):
_pack_ = 1
_fields_ = [
('ip6_hdr', NDPIIp6Hdrctl),
('ip6_src', NDPIIn6Addr),
('ip6_dst', NDPIIn6Addr),
]
class NDPITcpHdr(Structure):
_pack_ = 1
_fields_ = [
('source', c_uint16),
('dest', c_uint16),
('seq', c_uint32),
('ack_seq', c_uint32),
('res1', c_uint16, 4),
('doff', c_uint16, 4),
('fin', c_uint16, 1),
('syn', c_uint16, 1),
('rst', c_uint16, 1),
('psh', c_uint16, 1),
('ack', c_uint16, 1),
('urg', c_uint16, 1),
('ece', c_uint16, 1),
('cwr', c_uint16, 1),
('window', c_uint16),
('check', c_uint16),
('urg_ptr', c_uint16),
]
class NDPIUdpHdr(Structure):
_pack_ = 1
_fields_ = [
('source', c_uint16),
('dest', c_uint16),
('len', c_uint16),
('check', c_uint16),
]
class NDPIPacketStruct(Structure):
_fields_ = [
('iph', POINTER(NDPIIphdr)),
('iphv6', POINTER(NDPIIpv6hdr)),
('tcp', POINTER(NDPITcpHdr)),
('udp', POINTER(NDPIUdpHdr)),
('generic_l4_ptr', POINTER(c_uint8)),
('payload', POINTER(c_uint8)),
('current_timestamp_ms', c_uint64),
('detected_protocol_stack', c_uint16 * ndpi.ndpi_wrap_ndpi_procol_size()),
('line', NDPIIntOneLineStruct * 64),
('host_line', NDPIIntOneLineStruct),
('forwarded_line', NDPIIntOneLineStruct),
('referer_line', NDPIIntOneLineStruct),
('content_line', NDPIIntOneLineStruct),
('accept_line', NDPIIntOneLineStruct),
('user_agent_line', NDPIIntOneLineStruct),
('http_url_name', NDPIIntOneLineStruct),
('http_encoding', NDPIIntOneLineStruct),
('http_transfer_encoding', NDPIIntOneLineStruct),
('http_contentlen', NDPIIntOneLineStruct),
('http_cookie', NDPIIntOneLineStruct),
('http_origin', NDPIIntOneLineStruct),
('http_x_session_type', NDPIIntOneLineStruct),
('server_line', NDPIIntOneLineStruct),
('http_method', NDPIIntOneLineStruct),
('http_response', NDPIIntOneLineStruct),
('http_num_headers', c_uint8),
('l3_packet_len', c_uint16),
('l4_packet_len', c_uint16),
('payload_packet_len', c_uint16),
('actual_payload_len', c_uint16),
('num_retried_bytes', c_uint16),
('parsed_lines', c_uint16),
('empty_line_position', c_uint16),
('tcp_retransmission', c_uint8),
('l4_protocol', c_uint8),
('packet_lines_parsed_complete', c_uint8, 1),
('packet_direction', c_uint8, 1),
('empty_line_position_set', c_uint8, 1),
('http_check_content', c_uint8, 1),
('pad', c_uint8, 4),
]
class NDPIFlowStructStack(Structure):
_pack_ = 1
_fields_ = [
("detected_protocol_stack", c_uint16 * ndpi.ndpi_wrap_ndpi_procol_size()),
]
NDPIFlowStruct._fields_ = [
("ndpi_flow_stack", NDPIFlowStructStack),
("guessed_protocol_id", c_uint16),
("guessed_host_protocol_id", c_uint16),
("guessed_category", c_uint16),
("guessed_header_category", c_uint16),
("l4_proto", c_uint8),
("protocol_id_already_guessed", c_uint8, 1),
("host_already_guessed", c_uint8, 1),
("init_finished", c_uint8, 1),
("setup_packet_direction", c_uint8, 1),
("packet_direction", c_uint8, 1),
("check_extra_packets", c_uint8, 1),
("next_tcp_seq_nr", c_uint32 * 2),
("max_extra_packets_to_check", c_uint8),
("num_extra_packets_checked", c_uint8),
("num_processed_pkts", c_uint8),
("extra_packets_func", CFUNCTYPE(c_int, POINTER(NDPIDetectionModuleStruct), POINTER(NDPIFlowStruct))),
("l4", L4),
("host_server_name", c_char * 80),
("http", Http),
("stun", Stun),
("ftp_imap_pop_smtp", FtpImapPopSmtp),
("protos", Protos),
("excluded_protocol_bitmask", NDPIProtocolBitMask),
("category", c_int),
('redis_s2d_first_char', c_uint8),
('redis_d2s_first_char', c_uint8),
('packet_counter', c_uint16),
('packet_direction_counter', c_uint16 * 2),
('byte_counter', c_uint16 * 2),
('bittorrent_stage', c_uint8),
('directconnect_stage', c_uint8, 2),
('http_detected', c_uint8, 1),
('http_upper_protocol', c_uint16),
('http_lower_protocol', c_uint16),
('rtsprdt_stage', c_uint8, 2),
('zattoo_stage', c_uint8, 3),
('thunder_stage', c_uint8, 2),
('oscar_ssl_voice_stage', c_uint8, 3),
('oscar_video_voice', c_uint8, 1),
('florensia_stage', c_uint8, 1),
('socks5_stage', c_uint8, 2),
('socks4_stage', c_uint8, 2),
('edonkey_stage', c_uint8, 2),
('ftp_control_stage', c_uint8, 2),
('rtmp_stage', c_uint8, 2),
('pando_stage', c_uint8, 3),
('steam_stage1', c_uint16, 3),
('steam_stage2', c_uint16, 2),
('steam_stage3', c_uint16, 2),
('pplive_stage1', c_uint8, 3),
('pplive_stage2', c_uint8, 2),
('pplive_stage3', c_uint8, 2),
('starcraft_udp_stage', c_uint8, 3),
('ovpn_session_id', c_uint8 * 8),
('ovpn_counter', c_uint8),
('key_mining_cache', c_uint32),
('tinc_state', c_uint8),
('TincCacheEntry', TincCacheEntry),
('src', POINTER(NDPIIdStruct)),
('dst', POINTER(NDPIIdStruct))
]
# ----------------------------------------------- nDPI APIs ------------------------------------------------------------
""" ndpi_detection_giveup: Function to be called before we give up with detection for a given flow.
This function reduces the NDPI_UNKNOWN_PROTOCOL detection. """
ndpi.ndpi_detection_giveup.restype = NDPIProtocol
ndpi.ndpi_detection_giveup.argtypes = [POINTER(NDPIDetectionModuleStruct),
POINTER(NDPIFlowStruct), c_uint8,
POINTER(c_uint8)]
""" ndpi_detection_process_packet: Processes one packet and returns the ID of the detected protocol.
This is the MAIN PACKET PROCESSING FUNCTION. """
ndpi.ndpi_detection_process_packet.restype = NDPIProtocol
ndpi.ndpi_detection_process_packet.argtypes = [POINTER(NDPIDetectionModuleStruct),
POINTER(NDPIFlowStruct),
POINTER(c_ubyte),
c_ushort,
c_uint64,
POINTER(NDPIIdStruct),
POINTER(NDPIIdStruct)]
""" ndpi_ssl_version2str : Converts ssl version to readable string """
ndpi.ndpi_ssl_version2str.restype = c_char_p
ndpi.ndpi_ssl_version2str.argtypes = [c_int16, POINTER(c_uint8)]
""" ndpi_init_detection_module: Returns a new initialized detection module.
Note that before you can use it you can still load hosts and do other things. As soon as you are ready to use
it do not forget to call first ndpi_finalize_initalization() """
ndpi.ndpi_init_detection_module.restype = POINTER(NDPIDetectionModuleStruct)
def ndpi_ndpi_finalize_initalization(detection_module):
""" ndpi_finalize_initalization: Completes the initialization (ndpi_revision >= 3.1)"""
if cast(ndpi.ndpi_revision(), c_char_p).value.decode("utf-8")[:3] >= '3.1':
ndpi.ndpi_finalize_initalization.restype = c_void_p
ndpi.ndpi_finalize_initalization.argtypes = [POINTER(NDPIDetectionModuleStruct)]
return ndpi.ndpi_finalize_initalization(detection_module)
else:
# ignore it
return None
""" ndpi_tfind: find a node, or return 0. """
ndpi.ndpi_tfind.restype = c_void_p
""" ndpi_tsearch: ftp://ftp.cc.uoc.gr/mirrors/OpenBSD/src/lib/libc/stdlib/tsearch.c
find or insert datum into search tree. """
ndpi.ndpi_tsearch.restype = c_void_p
ndpi.ndpi_tsearch.argtypes = [c_void_p, POINTER(c_void_p), CFUNCTYPE(c_int, c_void_p, c_void_p)]
""" ndpi_revision: Get the nDPI version release. """
ndpi.ndpi_revision.restype = c_void_p
""" ndpi_get_proto_name: Get the protocol name associated to the ID."""
ndpi.ndpi_get_proto_name.restype = c_void_p
""" ndpi_category_get_name: Get protocol category as string."""
ndpi.ndpi_category_get_name.restype = c_void_p
""" ndpi_get_num_supported_protocols: Get the total number of the supported protocols."""
ndpi.ndpi_get_num_supported_protocols.restype = c_uint
""" ndpi_wrap_NDPI_BITMASK_SET_ALL: memset((char *)(p), 0xFF, sizeof(*(p)))"""
ndpi.ndpi_wrap_NDPI_BITMASK_SET_ALL.argtypes = [POINTER(NDPIProtocolBitMask)]
""" ndpi_set_protocol_detection_bitmask2: Sets the protocol bitmask2."""
ndpi.ndpi_set_protocol_detection_bitmask2.argtypes = [POINTER(NDPIDetectionModuleStruct),
POINTER(NDPIProtocolBitMask)]
""" ndpi_twalk: Walk the nodes of a tree. """
ndpi.ndpi_twalk.argtypes = [c_void_p, CFUNCTYPE(None, c_void_p, c_int32, c_int, c_void_p), c_void_p]
""" ndpi_tdestroy: node destroy. """
ndpi.ndpi_tdestroy.argtypes = [c_void_p, CFUNCTYPE(None, c_void_p)]
Reference in a new issue View git blame Copy permalink