~ndpi_tracking_flow_t() {
// We need use custom function because standard free could not free all memory here
ndpi_free_flow(flow);
free(dst);
free(src);
flow = NULL;
dst = NULL;
src = NULL;
}
void pcap_parse_packet(char* buffer, uint32_t len) {
struct pfring_pkthdr packet_header;
memset(&packet_header, 0, sizeof(packet_header));
packet_header.len = len;
packet_header.caplen = len;
// We do not calculate timestamps because timestamping is very CPU intensive operation:
// https://github.com/ntop/PF_RING/issues/9
u_int8_t timestamp = 0;
u_int8_t add_hash = 0;
fastnetmon_parse_pkt((u_char*)buffer, &packet_header, 4, timestamp, add_hash);
struct ndpi_id_struct *src = NULL;
struct ndpi_id_struct *dst = NULL;
struct ndpi_flow_struct *flow = NULL;
// So, we will init nDPI flow here
if (flow == NULL) {
src = (struct ndpi_id_struct*)malloc(size_id_struct);
memset(src, 0, size_id_struct);
dst = (struct ndpi_id_struct*)malloc(size_id_struct);
memset(dst, 0, size_id_struct);
flow = (struct ndpi_flow_struct *)malloc(size_flow_struct);
memset(flow, 0, size_flow_struct);
/*
struct ndpi_flow *newflow = (struct ndpi_flow*)malloc(sizeof(struct ndpi_flow));
memset(newflow, 0, sizeof(struct ndpi_flow));
newflow->protocol = packet_header.extended_hdr.parsed_pkt.l3_proto;
newflow->vlan_id = packet_header.extended_hdr.parsed_pkt.vlan_id;
uint32_t ip_src = packet_header.extended_hdr.parsed_pkt.ip_src.v4;
uint32_t ip_dst = packet_header.extended_hdr.parsed_pkt.ip_dst.v4;
uint16_t src_port = packet_header.extended_hdr.parsed_pkt.l4_src_port;
uint16_t dst_port = packet_header.extended_hdr.parsed_pkt.l4_dst_port;
if (ip_src < ip_dst) {
newflow->lower_ip = ip_src
newflow->upper_ip = ip_dst;
newflow->lower_port = src_port;
newflow->upper_port = dst_port;
} else {
newflow->lower_ip = ip_dst;
newflow->upper_ip = ip_src;
newflow->lower_port = dst_port;
newflow->upper_port = src_port;
}
newflow->src_id = malloc(size_id_struct);
memset(newflow->src_id, 0, size_id_struct);
newflow->dst_id = malloc(size_id_struct);
memset(newflow->dst_id, 0, size_id_struct);
*src = newflow->src_id, *dst = newflow->dst_id;
flow = newflow;
*/
} else {
//printf("We process only single packet\n");
//exit(0);
return;
}
uint32_t current_tickt = 0 ;
uint8_t* iph = (uint8_t*)(&buffer[packet_header.extended_hdr.parsed_pkt.offset.l3_offset]);
struct ndpi_iphdr* ndpi_ip_header = (struct ndpi_iphdr*)iph;
unsigned int ipsize = packet_header.len;
ndpi_protocol detected_protocol = ndpi_detection_process_packet(my_ndpi_struct, flow, iph, ipsize, current_tickt, src, dst);
if (detected_protocol.protocol == NDPI_PROTOCOL_UNKNOWN &&
detected_protocol.master_protocol == NDPI_PROTOCOL_UNKNOWN) {
printf("Can't detect protocol\n");
} else {
//printf("Master protocol: %d protocol: %d\n", detected_protocol.master_protocol, detected_protocol.protocol);
char* protocol_name = ndpi_get_proto_name(my_ndpi_struct, detected_protocol.protocol);
char* master_protocol_name = ndpi_get_proto_name(my_ndpi_struct, detected_protocol.master_protocol);
printf("Protocol: %s master protocol: %s\n", protocol_name, master_protocol_name);
// It's DNS request or answer
if (detected_protocol.protocol == NDPI_PROTOCOL_DNS) {
}
if (strstr(master_protocol_name, "Tor") == master_protocol_name or strstr(protocol_name, "IRC") != NULL) {
printf("Bad protocol %s master protocol %s found\n", protocol_name, master_protocol_name);
char print_buffer[512];
fastnetmon_print_parsed_pkt(print_buffer, 512, (u_char*)buffer, &packet_header);
printf("packet: %s\n", print_buffer);
}
}
// We need use custom function because standard free could not free all memory here
ndpi_free_flow(flow);
free(dst);
free(src);
flow = NULL;
dst = NULL;
src = NULL;
}
