~ndpi_tracking_flow_t() { // We need use custom function because standard free could not free all memory here ndpi_free_flow(flow); free(dst); free(src); flow = NULL; dst = NULL; src = NULL; }
void pcap_parse_packet(char* buffer, uint32_t len) { struct pfring_pkthdr packet_header; memset(&packet_header, 0, sizeof(packet_header)); packet_header.len = len; packet_header.caplen = len; // We do not calculate timestamps because timestamping is very CPU intensive operation: // https://github.com/ntop/PF_RING/issues/9 u_int8_t timestamp = 0; u_int8_t add_hash = 0; fastnetmon_parse_pkt((u_char*)buffer, &packet_header, 4, timestamp, add_hash); struct ndpi_id_struct *src = NULL; struct ndpi_id_struct *dst = NULL; struct ndpi_flow_struct *flow = NULL; // So, we will init nDPI flow here if (flow == NULL) { src = (struct ndpi_id_struct*)malloc(size_id_struct); memset(src, 0, size_id_struct); dst = (struct ndpi_id_struct*)malloc(size_id_struct); memset(dst, 0, size_id_struct); flow = (struct ndpi_flow_struct *)malloc(size_flow_struct); memset(flow, 0, size_flow_struct); /* struct ndpi_flow *newflow = (struct ndpi_flow*)malloc(sizeof(struct ndpi_flow)); memset(newflow, 0, sizeof(struct ndpi_flow)); newflow->protocol = packet_header.extended_hdr.parsed_pkt.l3_proto; newflow->vlan_id = packet_header.extended_hdr.parsed_pkt.vlan_id; uint32_t ip_src = packet_header.extended_hdr.parsed_pkt.ip_src.v4; uint32_t ip_dst = packet_header.extended_hdr.parsed_pkt.ip_dst.v4; uint16_t src_port = packet_header.extended_hdr.parsed_pkt.l4_src_port; uint16_t dst_port = packet_header.extended_hdr.parsed_pkt.l4_dst_port; if (ip_src < ip_dst) { newflow->lower_ip = ip_src newflow->upper_ip = ip_dst; newflow->lower_port = src_port; newflow->upper_port = dst_port; } else { newflow->lower_ip = ip_dst; newflow->upper_ip = ip_src; newflow->lower_port = dst_port; newflow->upper_port = src_port; } newflow->src_id = malloc(size_id_struct); memset(newflow->src_id, 0, size_id_struct); newflow->dst_id = malloc(size_id_struct); memset(newflow->dst_id, 0, size_id_struct); *src = newflow->src_id, *dst = newflow->dst_id; flow = newflow; */ } else { //printf("We process only single packet\n"); //exit(0); return; } uint32_t current_tickt = 0 ; uint8_t* iph = (uint8_t*)(&buffer[packet_header.extended_hdr.parsed_pkt.offset.l3_offset]); struct ndpi_iphdr* ndpi_ip_header = (struct ndpi_iphdr*)iph; unsigned int ipsize = packet_header.len; ndpi_protocol detected_protocol = ndpi_detection_process_packet(my_ndpi_struct, flow, iph, ipsize, current_tickt, src, dst); if (detected_protocol.protocol == NDPI_PROTOCOL_UNKNOWN && detected_protocol.master_protocol == NDPI_PROTOCOL_UNKNOWN) { printf("Can't detect protocol\n"); } else { //printf("Master protocol: %d protocol: %d\n", detected_protocol.master_protocol, detected_protocol.protocol); char* protocol_name = ndpi_get_proto_name(my_ndpi_struct, detected_protocol.protocol); char* master_protocol_name = ndpi_get_proto_name(my_ndpi_struct, detected_protocol.master_protocol); printf("Protocol: %s master protocol: %s\n", protocol_name, master_protocol_name); // It's DNS request or answer if (detected_protocol.protocol == NDPI_PROTOCOL_DNS) { } if (strstr(master_protocol_name, "Tor") == master_protocol_name or strstr(protocol_name, "IRC") != NULL) { printf("Bad protocol %s master protocol %s found\n", protocol_name, master_protocol_name); char print_buffer[512]; fastnetmon_print_parsed_pkt(print_buffer, 512, (u_char*)buffer, &packet_header); printf("packet: %s\n", print_buffer); } } // We need use custom function because standard free could not free all memory here ndpi_free_flow(flow); free(dst); free(src); flow = NULL; dst = NULL; src = NULL; }