/*
 * Write a one-line, tab-indented summary of a flow to stdout: the L4 protocol
 * name, both endpoints as address:port, the detected protocol id and name,
 * and the packet and byte counters.
 *
 * NOTE(review): both endpoints are rendered through intoaV4(), presumably as
 * dotted-quad IPv4; how flows built from IPv6 packets should be shown is not
 * visible here -- confirm.
 */
static void printFlow(struct ndpi_flow *flow) {
  /* Caller-owned scratch space handed to intoaV4() for each endpoint. */
  char lower_addr[32];
  char upper_addr[32];

  printf("\t%s %s:%u > %s:%u [proto: %u/%s][%u pkts/%u bytes]\n",
         ipProto2Name(flow->protocol),
         intoaV4(ntohl(flow->lower_ip), lower_addr, sizeof(lower_addr)),
         ntohs(flow->lower_port),
         intoaV4(ntohl(flow->upper_ip), upper_addr, sizeof(upper_addr)),
         ntohs(flow->upper_port),
         flow->detected_protocol,
         ndpi_get_proto_name(ndpi_struct, flow->detected_protocol),
         flow->packets,
         flow->bytes);
}
/*
 * Write one space-separated record for a flow to `stream`, in this order:
 * lower address, lower port, upper address, upper port, first-packet
 * timestamp in seconds (six decimals), L4 protocol name, detected protocol
 * as "id/name", packet count, byte count.
 *
 * The return value of fprintf() is not checked, so a failed or short write
 * to `stream` goes unnoticed here.
 */
static void fPrintFlow(FILE *stream, struct ndpi_flow *flow) {
  /* Caller-owned scratch space handed to intoaV4() for each endpoint. */
  char lower_addr[32];
  char upper_addr[32];

  fprintf(stream, "%s %u %s %u %.6f %s %u/%s %u %u\n",
          intoaV4(ntohl(flow->lower_ip), lower_addr, sizeof(lower_addr)),
          ntohs(flow->lower_port),
          intoaV4(ntohl(flow->upper_ip), upper_addr, sizeof(upper_addr)),
          ntohs(flow->upper_port),
          /* seconds plus the microsecond part scaled to a fraction */
          flow->first_packet_time_sec + flow->first_packet_time_usec/1000000.0,
          ipProto2Name(flow->protocol),
          flow->detected_protocol,
          ndpi_get_proto_name(ndpi_struct, flow->detected_protocol),
          flow->packets,
          flow->bytes);
}
/*
 * Account one IP packet to its flow and, while detection is still open for
 * that flow, pass the packet to ndpi_detection_process_packet().
 *
 *   time       timestamp forwarded to the detection call
 *   iph        IPv4 header, or NULL to select the IPv6 path
 *   iph6       IPv6 header, used only when iph is NULL
 *   ip_offset  forwarded to the flow lookup
 *   ipsize     forwarded to the IPv4 flow lookup and to the detection call
 *   rawsize    byte count added to the per-flow and global counters
 *
 * Detection is marked complete once a protocol other than
 * NDPI_PROTOCOL_UNKNOWN is reported, on any UDP packet, or for TCP once the
 * flow has counted more than 10 packets. Always returns 0.
 */
static unsigned int packet_processing(const u_int64_t time, const struct ndpi_iphdr *iph, struct ndpi_ip6_hdr *iph6, u_int16_t ip_offset, u_int16_t ipsize, u_int16_t rawsize) {
  struct ndpi_id_struct *src, *dst;
  struct ndpi_flow *flow;
  struct ndpi_flow_struct *ndpi_flow = NULL;
  u_int32_t protocol = 0;
  u_int8_t proto;
  int detection_done;

  if(iph != NULL) {
    /*
     * NOTE(review): tot_len and ihl are read straight from the packet. If
     * tot_len is smaller than ihl * 4 the difference drops below zero;
     * whether get_ndpi_flow() rejects such headers is not visible here --
     * confirm before trusting the payload length it receives.
     */
    flow = get_ndpi_flow(4, iph, ip_offset, ipsize,
                         ntohs(iph->tot_len) - (iph->ihl * 4),
                         &src, &dst, &proto);
  } else {
    flow = get_ndpi_flow6(iph6, ip_offset, &src, &dst, &proto);
  }

  /* No flow for this packet: nothing is counted. */
  if(flow == NULL)
    return(0);

  ndpi_flow = flow->ndpi_flow;
  flow->packets++;
  flow->bytes += rawsize;

  ip_packet_count++;
  total_bytes += rawsize + 24 /* CRC etc */;

  /* Counters are still updated above for flows that are already classified. */
  if(flow->detection_completed)
    return(0);

  protocol = (const u_int32_t)ndpi_detection_process_packet(ndpi_struct, ndpi_flow,
                                                            iph ? (uint8_t *)iph : (uint8_t *)iph6,
                                                            ipsize, time, src, dst);
  flow->detected_protocol = protocol;

  detection_done = (flow->detected_protocol != NDPI_PROTOCOL_UNKNOWN)
    || (proto == IPPROTO_UDP)
    || ((proto == IPPROTO_TCP) && (flow->packets > 10));

  if(detection_done) {
    flow->detection_completed = 1;

#if 0
    if(flow->ndpi_flow->l4.tcp.host_server_name[0] != '\0')
      printf("%s\n", flow->ndpi_flow->l4.tcp.host_server_name);
#endif

    if(verbose > 1) {
      char lower_addr[32], upper_addr[32];

      /*
       * NOTE(review): host_server_name is presumably filled from packet
       * contents and is printed as-is; consider escaping non-printable
       * bytes before it reaches a terminal or log -- confirm.
       */
      printf("%s %s:%u > %s:%u [proto: %u/%s][%s]\n",
             ipProto2Name(flow->protocol),
             intoaV4(ntohl(flow->lower_ip), lower_addr, sizeof(lower_addr)),
             ntohs(flow->lower_port),
             intoaV4(ntohl(flow->upper_ip), upper_addr, sizeof(upper_addr)),
             ntohs(flow->upper_port),
             protocol,
             ndpi_get_proto_name(ndpi_struct, protocol),
             flow->ndpi_flow->host_server_name);
    }

    /* Copy the name into the flow record before free_ndpi_flow() runs. */
    snprintf(flow->host_server_name, sizeof(flow->host_server_name), "%s", flow->ndpi_flow->host_server_name);
    free_ndpi_flow(flow);
  }

  /*
   * NOTE(review): if this disabled block is ever re-enabled it would read
   * through ndpi_flow after free_ndpi_flow(flow) may have run above;
   * presumably that releases flow->ndpi_flow -- confirm.
   */
#if 0
  if(ndpi_flow->l4.tcp.host_server_name[0] != '\0')
    printf("%s\n", ndpi_flow->l4.tcp.host_server_name);
#endif

  return 0;
}
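/*
 * Account one IPv4 packet to its flow and, while detection is still open for
 * that flow, pass unfragmented packets to ndpi_detection_process_packet().
 *
 *   time     timestamp forwarded to the detection call
 *   header   pcap packet header, forwarded to the flow lookup
 *   iph      IPv4 header; dereferenced unconditionally
 *   ipsize   forwarded to the flow lookup and to the detection call
 *   rawsize  byte count added to the per-flow and global counters
 *
 * Detection is marked complete once a protocol other than
 * NDPI_PROTOCOL_UNKNOWN is reported, on any UDP packet, or for TCP once the
 * flow has counted more than 10 packets. Always returns 0.
 *
 * Every exit path returns a value: the function is declared to return
 * unsigned int, so a bare `return;` would leave the result undefined for any
 * caller that reads it.
 *
 * NOTE(review): iph->frag_off is read before any length check in this
 * function; assumes the caller has verified that a complete IPv4 header is
 * present in the captured data -- confirm.
 */
static unsigned int packet_processing(const u_int64_t time, const struct pcap_pkthdr *header, const struct ndpi_iphdr *iph, u_int16_t ipsize, u_int16_t rawsize) {
  struct ndpi_id_struct *src, *dst;
  struct ndpi_flow *flow;
  struct ndpi_flow_struct *ndpi_flow = NULL;
  u_int16_t protocol = 0;
  u_int16_t frag_off = ntohs(iph->frag_off);

  flow = get_ndpi_flow(header, iph, ipsize);
  if(flow == NULL)
    return 0;

  ndpi_flow = flow->ndpi_flow;
  flow->packets++;
  flow->bytes += rawsize;
  src = flow->src_id;
  dst = flow->dst_id;

  ip_packet_count++;
  total_bytes += rawsize;

  /* Counters are still updated above for flows that are already classified. */
  if(flow->detection_completed)
    return 0;

  /*
   * Only unfragmented packets are inspected: 0x3FFF covers the
   * more-fragments flag and the 13-bit fragment offset.
   */
  if((frag_off & 0x3FFF) != 0) {
    static u_int8_t frag_warning_used = 0;

    /* Warn once per run; fragments are counted above but never inspected. */
    if(frag_warning_used == 0) {
      printf("\n\nWARNING: fragmented ip packets are not supported and will be skipped \n\n");
      frag_warning_used = 1;
    }
    return 0;
  }

  /* here the actual detection is performed */
  ndpi_protocol detected = ndpi_detection_process_packet(ndpi_struct, ndpi_flow, (uint8_t *) iph, ipsize, time, src, dst);
  protocol = detected.master_protocol;

#if 0
  if(verbose && (protocol == 0)) {
    char buf1[32], buf2[32];

    printf("%s %s:%u > %s:%u [proto: %u/%s]\n",
           ipProto2Name(flow->protocol),
           intoaV4(ntohl(flow->lower_ip), buf1, sizeof(buf1)), ntohs(flow->lower_port),
           intoaV4(ntohl(flow->upper_ip), buf2, sizeof(buf2)), ntohs(flow->upper_port),
           protocol, ndpi_get_proto_name(ndpi_struct, protocol));
  }
#endif

  flow->detected_protocol = protocol;

  if((flow->detected_protocol != NDPI_PROTOCOL_UNKNOWN)
     || (iph->protocol == IPPROTO_UDP)
     || ((iph->protocol == IPPROTO_TCP) && (flow->packets > 10))) {
    flow->detection_completed = 1;

#if 0
    if(flow->ndpi_flow->l4.tcp.host_server_name[0] != '\0')
      printf("%s\n", flow->ndpi_flow->l4.tcp.host_server_name);
#endif

    free_ndpi_flow(flow);
  }

  /*
   * NOTE(review): if this disabled block is ever re-enabled it would read
   * through ndpi_flow after free_ndpi_flow(flow) may have run above;
   * presumably that releases flow->ndpi_flow -- confirm.
   */
#if 0
  if(ndpi_flow->l4.tcp.host_server_name[0] != '\0')
    printf("%s\n", ndpi_flow->l4.tcp.host_server_name);
#endif

  return 0;
}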