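/**
 * Runs the protocol-specific bookkeeping for this flow after a protocol has
 * been detected: aggregates names, labels hosts and updates the Redis caches.
 *
 * Returns immediately when the flow was already processed or has no nDPI
 * state. Once processing is complete the flow memory is freed, except for
 * DNS, where the free is delayed so nDPI can analyze every packet.
 *
 * Trust boundary: host_server_name, nat_ip and detected_os are filled in by
 * nDPI while it analyzes the flow's packets, so their content is presumably
 * chosen by whoever generated the traffic. This function stores them as host
 * names, OS labels and Redis entries without validating them here.
 * NOTE(review): confirm that every consumer (web UI, exports, Redis readers)
 * escapes or validates these strings, and that a name taken from one flow is
 * acceptable as the label for the peer's IP address.
 *
 * host_server_name is modified in place (truncated at '@' or ':').
 */
void Flow::processDetectedProtocol() {
  if(protocol_processed || (ndpi_flow == NULL)) return;

  /* Alias for the many uses below; the buffer itself is edited in place. */
  char *server_name = (char*)ndpi_flow->host_server_name;

  switch(ndpi_detected_protocol) {
  case NDPI_PROTOCOL_DNS:
    if(ntop->getPrefs()->decode_dns_responses() && (server_name[0] != '\0')) {
      char *name = NULL;
      char *at = strchr(server_name, '@');
      bool to_track = false;

      /* Consider only positive DNS replies */
      if(at != NULL) {
        /*
          Split at '@': the text after it is handed to setResolvedAddress()
          as its first argument, the text before it stays in server_name.
          NOTE(review): looks like a <name>@<address> encoding - confirm.
        */
        name = &at[1];
        at[0] = '\0';
        to_track = true;
      } else if((!strstr(server_name, ".in-addr.arpa"))
                && (!strstr(server_name, ".ip6.arpa"))) {
        /* No '@': keep the name unless it contains a reverse-lookup suffix */
        name = server_name;
      }

      if(name) {
        // ntop->getTrace()->traceEvent(TRACE_NORMAL, "[DNS] %s", (char*)ndpi_flow->host_server_name);

        if(ndpi_flow->protos.dns.ret_code != 0)
          to_track = false; /* Error response */
        else if(ndpi_flow->protos.dns.num_answers > 0) {
          to_track = true;
          protocol_processed = true;

          /* Only replies that carried an '@' part populate the cache */
          if(at != NULL)
            ntop->getRedis()->setResolvedAddress(name, server_name);
        }

        aggregateInfo(server_name, ndpi_detected_protocol, aggregation_domain_name, to_track);
      }
    }
    break;

  case NDPI_PROTOCOL_NETBIOS:
    if(server_name[0] != '\0')
      get_cli_host()->set_alternate_name(server_name);
    break;

  case NDPI_PROTOCOL_WHOIS_DAS:
    if(server_name[0] != '\0') {
      protocol_processed = true;
      aggregateInfo(server_name, ndpi_detected_protocol, aggregation_domain_name, true);
    }
    break;

  case NDPI_PROTOCOL_SSL:
  case NDPI_PROTOCOL_HTTP:
  case NDPI_PROTOCOL_HTTP_PROXY:
  case NDPI_SERVICE_GOOGLE:
    if(ndpi_flow->nat_ip[0] != '\0') {
      // ntop->getTrace()->traceEvent(TRACE_NORMAL, "-> %s", (char*)ndpi_flow->nat_ip);
      aggregateInfo((char*)ndpi_flow->nat_ip, ndpi_detected_protocol, aggregation_client_name, true);
    }

    if(server_name[0] != '\0') {
      char buf[64], *doublecol;
      /* NOTE(review): presumably the ports are kept in network byte order
         and are swapped here so that they compare numerically - confirm */
      u_int16_t sport = htons(cli_port), dport = htons(srv_port);
      /* The endpoint with the lower port number is taken as the server */
      Host *svr = (sport < dport) ? cli_host : srv_host;

      protocol_processed = true;

      /*
        if <host>:<port>
        We need to remove ':'
        NOTE(review): the cut is made at the first ':', so a bracketed IPv6
        literal would be reduced to "[" - confirm whether that can occur.
      */
      if((doublecol = strchr(server_name, ':')) != NULL)
        doublecol[0] = '\0';

      if(svr) {
        aggregateInfo(server_name, ndpi_detected_protocol, aggregation_domain_name, true);

        if(ntop->getRedis()->getFlowCategory(server_name, buf, sizeof(buf), true) != NULL) {
          /*
            Mark the flow as categorized only when the copy succeeded, so
            flow_categorized is never true with a NULL category.
            NOTE(review): a previous categorization.category value, if any,
            is overwritten without being freed - confirm it is NULL here.
          */
          char *category = strdup(buf);

          if(category != NULL) {
            categorization.category = category;
            categorization.flow_categorized = true;
          }
        }

        if(ndpi_detected_protocol != NDPI_PROTOCOL_HTTP_PROXY) {
          /* The name seen in the flow becomes the server's label and is
             cached against the server's printed IP (buf is reused here) */
          svr->setName(server_name, true);
          ntop->getRedis()->setResolvedAddress(svr->get_ip()->print(buf, sizeof(buf)), server_name);
        }

        if(ndpi_flow->detected_os[0] != '\0') {
          aggregateInfo((char*)ndpi_flow->detected_os, NTOPNG_NDPI_OS_PROTO_ID, aggregation_os_name, true);

          if(cli_host)
            cli_host->setOS((char*)ndpi_flow->detected_os);
        }
      }
    }
    break;
  } /* switch */

  if(protocol_processed
     /* For DNS we delay the memory free so that we can let nDPI analyze all the packets of the flow */
     && (ndpi_detected_protocol != NDPI_PROTOCOL_DNS))
    deleteFlowMemory();
}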