Updated nDPI API ndpi_ssl_version2str ndpi_get_l4_proto_name

ntop · Oct 11, 2019 · 6a38ede · 6a38ede
1 parent 206ce0a
commit 6a38ede
Show file tree

Hide file tree

Showing 6 changed files with 244 additions and 122 deletions.
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
@@ -412,9 +412,15 @@ static void help(u_int long_help) {
 #endif
 
   if(long_help) {
+    NDPI_PROTOCOL_BITMASK all;
+
     printf("\n\nnDPI supported protocols:\n");
-    printf("%3s %-22s %-12s %s\n", "Id", "Protocol", "Breed", "Category");
+    printf("%3s %-22s %-8s %-12s %s\n", "Id", "Protocol", "Layer_4", "Breed", "Category");
     num_threads = 1;
+
+    NDPI_BITMASK_SET_ALL(all);
+    ndpi_set_protocol_detection_bitmask2(ndpi_info_mod, &all);
+
     ndpi_dump_protocols(ndpi_info_mod);
   }
   exit(!long_help);
@@ -1000,12 +1006,13 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa
   json_object *jObj;
 #endif
   FILE *out = results_file ? results_file : stdout;
-
+  u_int8_t known_tls;
+
   if(csv_fp != NULL) {
     char buf[32];
     float data_ratio = ndpi_data_ratio(flow->src2dst_bytes, flow->dst2src_bytes);
     float f = (float)flow->first_seen, l = (float)flow->last_seen;
-
+    
     /* PLEASE KEEP IN SYNC WITH printCSVHeader() */
 
     fprintf(csv_fp, "%u,%u,%.3f,%.3f,%s,%u,%s,%u,",
@@ -1043,7 +1050,7 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa
 	    (flow->ssh_tls.server_info[0] != '\0')  ? flow->ssh_tls.server_info : "");
 
     fprintf(csv_fp, "%s,%s,%s,",
-	    (flow->ssh_tls.ssl_version != 0)        ? ndpi_ssl_version2str(flow->ssh_tls.ssl_version) : "",
+	    (flow->ssh_tls.ssl_version != 0)        ? ndpi_ssl_version2str(flow->ssh_tls.ssl_version, &known_tls) : "",
 	    (flow->ssh_tls.ja3_client[0] != '\0')   ? flow->ssh_tls.ja3_client : "",
 	    (flow->ssh_tls.ja3_client[0] != '\0')   ? is_unsafe_cipher(flow->ssh_tls.client_unsafe_cipher) : "");
 
@@ -1140,7 +1147,7 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa
       fprintf(out, "[URL: %s][StatusCode: %u]",
 	      flow->http.url, flow->http.response_status_code);
 
-    if(flow->ssh_tls.ssl_version != 0) fprintf(out, "[%s]", ndpi_ssl_version2str(flow->ssh_tls.ssl_version));
+    if(flow->ssh_tls.ssl_version != 0) fprintf(out, "[%s]", ndpi_ssl_version2str(flow->ssh_tls.ssl_version, &known_tls));
     if(flow->ssh_tls.client_info[0] != '\0') fprintf(out, "[Client: %s]", flow->ssh_tls.client_info);
     if(flow->ssh_tls.client_hassh[0] != '\0') fprintf(out, "[HASSH-C: %s]", flow->ssh_tls.client_hassh);
 
@@ -1304,9 +1311,13 @@ static void node_proto_guess_walker(const void *node, ndpi_VISIT which, int dept
   u_int16_t thread_id = *((u_int16_t *) user_data);
 
   if((which == ndpi_preorder) || (which == ndpi_leaf)) { /* Avoid walking the same node multiple times */
-    if((!flow->detection_completed) && flow->ndpi_flow)
-      flow->detected_protocol = ndpi_detection_giveup(ndpi_thread_info[0].workflow->ndpi_struct, flow->ndpi_flow, enable_protocol_guess);
-
+    if((!flow->detection_completed) && flow->ndpi_flow) {
+      u_int8_t proto_guessed;
+
+      flow->detected_protocol = ndpi_detection_giveup(ndpi_thread_info[0].workflow->ndpi_struct,
+						      flow->ndpi_flow, enable_protocol_guess, &proto_guessed);
+    }
+
     process_ndpi_collected_info(ndpi_thread_info[thread_id].workflow, flow);
 
     ndpi_thread_info[thread_id].workflow->stats.protocol_counter[flow->detected_protocol.app_protocol]       += flow->src2dst_packets + flow->dst2src_packets;
@@ -1873,50 +1884,8 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) {
   if(_protoFilePath != NULL)
     ndpi_load_protocols_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _protoFilePath);
 
-  if(_customCategoryFilePath) {
-    FILE *fd = fopen(_customCategoryFilePath, "r");
-
-    if(fd) {
-      while(fd) {
-	char buffer[512], *line, *name, *category;
-	int i;
-
-	if(!(line = fgets(buffer, sizeof(buffer), fd)))
-	  break;
-
-	if(((i = strlen(line)) <= 1) || (line[0] == '#'))
-	  continue;
-	else
-	  line[i-1] = '\0';
-
-	name = strtok(line, "\t");
-	if(name) {
-	  category = strtok(NULL, "\t");
-
-	  if(category) {
-	    int fields[4];
-
-
-	    if(verbose && !quiet_mode) printf("[Category] Loading %s\t%s\n", name, category);
-
-	    if(sscanf(name, "%d.%d.%d.%d", &fields[0], &fields[1], &fields[2], &fields[3]) == 4)
-	      ndpi_load_ip_category(ndpi_thread_info[thread_id].workflow->ndpi_struct,
-				    name, (ndpi_protocol_category_t)atoi(category));
-	    else {
-	      /* TODO free the strdup */
-	      ndpi_load_hostname_category(ndpi_thread_info[thread_id].workflow->ndpi_struct,
-					  strdup(name), (ndpi_protocol_category_t)atoi(category));
-	    }
-	  }
-	}
-      }
-
-      ndpi_enable_loaded_categories(ndpi_thread_info[thread_id].workflow->ndpi_struct);
-    } else
-      printf("ERROR: Unable to read file %s\n", _customCategoryFilePath);
-
-    fclose(fd);
-  }
+  if(_customCategoryFilePath)
+    ndpi_load_categories_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _customCategoryFilePath);
 }
 
 /* *********************************************** */

diff --git a/example/reader_util.c b/example/reader_util.c
@@ -966,6 +966,14 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
   else if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UBNTAC2) {
     snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->protos.ubntac2.version);
   }
+  /* KERBEROS */
+  else if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_KERBEROS) {
+    if(flow->ndpi_flow->protos.kerberos.cname[0] != '\0') {
+      snprintf(flow->info, sizeof(flow->info), "%s (%s)",
+	       flow->ndpi_flow->protos.kerberos.cname,
+	       flow->ndpi_flow->protos.kerberos.realm);
+    }
+  }
   /* HTTP */
   else if(flow->detected_protocol.master_protocol == NDPI_PROTOCOL_HTTP) {
     if(flow->ndpi_flow->http.url != NULL) {
@@ -1230,10 +1238,13 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
 	if(ndpi_flow && ndpi_flow->check_extra_packets)
 	  flow->check_extra_packets = 1;
 
-	if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN)
+	if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) {
+	  u_int8_t proto_guessed;
+
 	  flow->detected_protocol = ndpi_detection_giveup(workflow->ndpi_struct, flow->ndpi_flow,
-							  enable_protocol_guess);
-
+							  enable_protocol_guess, &proto_guessed);
+	}
+
 	process_ndpi_collected_info(workflow, flow);
       }
     }

diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
@@ -225,12 +225,14 @@ extern "C" {
    * @par    ndpi_struct  = the detection module
    * @par    flow         = the flow given for the detection module
    * @par    enable_guess = guess protocol if unknown
+   * @par    protocol_was_guessed = 1 if the protocol was guesses (requires enable_guess = 1), 0 otherwise
    * @return the detected protocol even if the flow is not completed;
    *
    */
   ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_struct,
 				      struct ndpi_flow_struct *flow,
-				      u_int8_t enable_guess);
+				      u_int8_t enable_guess,
+				      u_int8_t *protocol_was_guessed);
 
   /**
    * Processes an extra packet in order to get more information for a given protocol
@@ -613,6 +615,16 @@ extern "C" {
   int ndpi_load_protocols_file(struct ndpi_detection_module_struct *ndpi_mod,
 			       const char* path);
 
+ /**
+   * Read a file and load the categories
+   *
+   * @par     ndpi_mod = the detection module
+   * @par     path     = the path of the file
+   * @return  0 if the file is loaded correctly;
+   *          -1 else
+   */
+  int ndpi_load_categories_file(struct ndpi_detection_module_struct *ndpi_str, const char* path);
+
   /**
    * Get the total number of the supported protocols
    *
@@ -744,10 +756,12 @@ extern "C" {
    */
   int ndpi_match_string(void *_automa, char *string_to_match);
 
-  void ndpi_load_ip_category(struct ndpi_detection_module_struct *ndpi_struct,
-			     char *ip_address_and_mask, ndpi_protocol_category_t category);
+  int ndpi_load_ip_category(struct ndpi_detection_module_struct *ndpi_struct,
+				 const char *ip_address_and_mask, ndpi_protocol_category_t category);
   int ndpi_load_hostname_category(struct ndpi_detection_module_struct *ndpi_struct,
-				  char *name, ndpi_protocol_category_t category);
+				 const char *name_to_add, ndpi_protocol_category_t category);
+  int ndpi_load_category(struct ndpi_detection_module_struct *ndpi_struct,
+				 const char *ip_or_name, ndpi_protocol_category_t category);
   int ndpi_enable_loaded_categories(struct ndpi_detection_module_struct *ndpi_struct);
   int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_struct,
 				 u_int32_t saddr,
@@ -759,11 +773,15 @@ extern "C" {
 				   struct ndpi_flow_struct *flow,
 				   ndpi_protocol *ret);
   int ndpi_get_custom_category_match(struct ndpi_detection_module_struct *ndpi_struct,
-				      char *name_or_ip, u_int name_len, unsigned long *id);
+				     char *name_or_ip, u_int name_len, unsigned long *id);
   int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_mod,
 				     ndpi_detection_preference pref,
 				     int value);
 
+  /* Tells to called on what l4 protocol given application protocol can be found */
+  ndpi_l4_proto_info ndpi_get_l4_proto_info(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t ndpi_proto_id);
+  const char* ndpi_get_l4_proto_name(ndpi_l4_proto_info proto);
+
   ndpi_proto_defaults_t* ndpi_get_proto_defaults(struct ndpi_detection_module_struct *ndpi_mod);
   u_int ndpi_get_ndpi_num_supported_protocols(struct ndpi_detection_module_struct *ndpi_mod);
   u_int ndpi_get_ndpi_num_custom_protocols(struct ndpi_detection_module_struct *ndpi_mod);
@@ -817,7 +835,7 @@ extern "C" {
 				      char *buffer, u_int buffer_size,
 				      u_int8_t min_string_match_len, /* Will return 0 if no string > min_string_match_len have been found */
 				      char *outbuf, u_int outbuf_len);
-  char* ndpi_ssl_version2str(u_int16_t version);
+  char* ndpi_ssl_version2str(u_int16_t version, u_int8_t *unknown_tls_version);
 
   /* Serializer */
   int ndpi_init_serializer_ll(ndpi_serializer *serializer, ndpi_serialization_format fmt,

diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
@@ -35,6 +35,13 @@ typedef enum {
 	      NDPI_LOG_DEBUG_EXTRA
 } ndpi_log_level_t;
 
+typedef enum {
+	      ndpi_l4_proto_unknown = 0,
+	      ndpi_l4_proto_tcp_only,
+	      ndpi_l4_proto_udp_only,
+	      ndpi_l4_proto_tcp_and_udp,
+} ndpi_l4_proto_info;
+
 /* NDPI_VISIT */
 typedef enum {
 	      ndpi_preorder,
@@ -1182,6 +1189,10 @@ struct ndpi_flow_struct {
       u_int8_t version;
     } ntp;
 
+    struct {
+      char cname[24], realm[24];
+    } kerberos;
+
     struct {
       struct {
 	u_int16_t ssl_version;