mirror of
https://github.com/vel21ripn/nDPI.git
synced 2026-05-01 00:19:42 +00:00
The main goal of a DPI engine is usually to determine "what", i.e. which types of traffic flow on the network. However the applications using DPI are often interested also in "who", i.e. which "user/subscriber" generated that traffic.

The association between a flow and a subscriber is usually done via some kind of DHCP/GTP/RADIUS/NAT mappings. In all these cases the key element of the flow used to identify the user is the source ip address. That usually happens for the vast majority of the traffic.

However, depending on the protocols involved and on the position on the net where the traffic is captured, the source ip address might have been changed/anonymized. In that case, that address is useless for any flow-username association.

Example: iCloud Private Relay traffic captured between the exit relay and the server. See the picture at page 5 on: https://www.apple.com/privacy/docs/iCloud_Private_Relay_Overview_Dec2021.PDF

This commit adds new generic flow risk `NDPI_ANONYMOUS_SUBSCRIBER` hinting that the ip addresses shouldn't be used to identify the user associated with the flow.

As a first example of this new feature, the entire list of the relay ip addresses used by Private Relay is added.

A key point to note is that list is NOT used for flow classification (unlike all the other ip lists present in nDPI) but only for setting this new flow risk.

TODO: IPv6
62 lines
1.7 KiB
Python
Executable file
#!/usr/bin/env python3

import sys
import socket, struct

# This script is mainly used to create "ip -> protocols" lists.
# However it is also used to create "ip -> risk" lists
proto = "NDPI_PROTOCOL_XYX"
if len (sys.argv) < 2 :
    print("Usage: ipaddr2list.py <file> <protocol>")
    sys.exit (1)

if len (sys.argv) == 3:
    proto = sys.argv[2]



print("""/*
 *
 * This file is generated automatically and part of nDPI
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
 *
 */

/* ****************************************************** */

""")

print("static ndpi_network "+proto.lower()+"_protocol_list[] = {")

with open(sys.argv[1]) as fp:
    for cnt, line in enumerate(fp):
        line = line.rstrip()

        if(line != ""):
            x = line.split("/")

            if(len(x) == 2):
                ipaddr = x[0]
                cidr = x[1]
            else:
                ipaddr = line
                cidr = "32"

            if(ipaddr != ""):
                print(" { 0x"+socket.inet_aton(ipaddr).hex().upper()+" /* "+ipaddr+"/"+cidr+" */, "+cidr+", "+proto+" },")

print(" /* End */")
print(" { 0x0, 0, 0 }")
print("};")
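The script above passes each line straight to `socket.inet_aton()` and copies the prefix length through unchecked, so a malformed or IPv6 line in the input list either aborts the run or lands in the generated table as-is. The following is an added example, not part of nDPI: a stricter parse of the same input format using the standard `ipaddress` module, plus a lookup showing how an "ip -> risk" list is consulted. The function names and the sample ranges (documentation prefixes) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample input (documentation ranges), not real relay addresses.
SAMPLE = """\
192.0.2.0/24
198.51.100.7

203.0.113.130/25
2001:db8::/32
10.1
not-an-ip/24
"""

def parse_networks(text):
    """Return (networks, rejected) from one-address-or-CIDR-per-line text."""
    networks, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            # strict=False masks host bits: 203.0.113.130/25 -> 203.0.113.128/25
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            # Includes shorthand such as "10.1", which inet_aton() would accept
            rejected.append((lineno, line))
            continue
        if net.version != 4:
            # Table entries hold a 32-bit address; IPv6 is a TODO on the page
            rejected.append((lineno, line))
            continue
        networks.append(net)
    return networks, rejected

def emit_entry(net, value):
    """Format one row in the same shape as the generator's output."""
    return " { 0x%08X /* %s */, %d, %s }," % (
        int(net.network_address), net, net.prefixlen, value)

def is_anonymized(src_ip, networks):
    """True when src_ip is inside any listed range (linear scan, illustration only)."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)
```

A consumer of such a list would set the risk flag when `is_anonymized()` is true and leave the flow's protocol classification untouched, which is the separation the commit message describes.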