From 6eff7db9c2fc5bbd13403960fadf5d399cc0c310 Mon Sep 17 00:00:00 2001 From: Ivan Nardi Date: Wed, 22 Jan 2025 16:51:42 +0100 Subject: [PATCH] Preliminary work to rework `struct ndpi_flow_struct` No significant changes: * Move around some fields to avoid holes in the structures. * Some fields are about protocols based only on TCP. * Remove some unused (or set but never read) fields. See #2631 --- src/include/ndpi_typedefs.h | 174 ++++++++++++++++---------------- src/lib/ndpi_main.c | 29 +++--- src/lib/protocols/ftp_control.c | 12 +-- src/lib/protocols/http.c | 14 +-- src/lib/protocols/socks45.c | 20 ++-- src/lib/protocols/z3950.c | 4 +- 6 files changed, 124 insertions(+), 129 deletions(-) diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 398cdb8c3c6..51a16294420 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h 
@@ -805,6 +805,51 @@ struct ndpi_lru_cache { /* ************************************************** */ struct ndpi_flow_tcp_struct { + /* TCP sequence number */ + u_int32_t next_tcp_seq_nr[2]; + u_int16_t last_tcp_pkt_payload_len; + + /* Part of the TCP header */ + u_int8_t cli2srv_tcp_flags, srv2cli_tcp_flags; + u_int32_t seen_syn:1, seen_syn_ack:1, seen_ack:1; + + /* NDPI_PROTOCOL_IRC */ + u_int32_t irc_3a_counter:3; + + /* NDPI_PROTOCOL_USENET */ + u_int32_t usenet_stage:2; + + /* NDPI_PROTOCOL_HTTP */ + u_int32_t http_stage:3; + u_int32_t http_asymmetric_stage:2; + + /* NDPI_PROTOCOL_GNUTELLA */ + u_int32_t gnutella_stage:2; // 0 - 2 + + /* NDPI_PROTOCOL_SSH */ + u_int32_t ssh_stage:3; + + /* NDPI_PROTOCOL_VNC */ + u_int32_t vnc_stage:2; // 0 - 3 + + /* NDPI_PROTOCOL_TELNET */ + u_int32_t telnet_stage:2; // 0 - 2 + + /* NDPI_PROTOCOL_RADMIN */ + u_int32_t radmin_stage:1; + + /* NDPI_PROTOCOL_FTP_CONTROL */ + u_int32_t ftp_control_stage:2; + + /* NDPI_PROTOCOL_SOAP */ + u_int32_t soap_stage:1; + + /* NDPI_PROTOCOL_SOCKS */ + u_int32_t socks5_stage:2, socks4_stage:2; + + /* NDPI_PROTOCOL_Z3950 */ + u_int32_t z3950_stage:2; + /* NDPI_PROTOCOL_MAIL_SMTP */ /* NDPI_PROTOCOL_MAIL_POP */ /* NDPI_PROTOCOL_MAIL_IMAP */ @@ -815,6 +860,9 @@ struct ndpi_flow_tcp_struct { char username[32], password[16]; } ftp_imap_pop_smtp; + /* NDPI_PROTOCOL_LOTUS_NOTES */ + u_int8_t lotus_notes_packet_id; + /* NDPI_PROTOCOL_MAIL_SMTP */ u_int16_t smtp_command_bitmask; 
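Review bot: The fields added at the top of `ndpi_flow_tcp_struct` (`next_tcp_seq_nr`, `last_tcp_pkt_payload_len`, `ftp_control_stage`, `socks4_stage`, `socks5_stage`, `z3950_stage`) now live inside the `l4` union, so they share storage with `ndpi_flow_udp_struct` and are meaningful only on TCP flows, yet nothing in the struct says so. The readers changed later in this patch (ftp_control.c, socks45.c, z3950.c) dereference `flow->l4.tcp.*` in hunks that show no protocol check; presumably those dissectors are registered for TCP only, which is worth confirming because a read on a UDP flow would pick up unrelated UDP state. I would add a header comment such as `/* Valid only when flow->l4_proto == IPPROTO_TCP; aliases ndpi_flow_udp_struct through the l4 union */`. The bit-fields from `seen_syn` through `z3950_stage` also add up to exactly 32 bits now that `__notused:29` is gone, so a short `/* 32 bits used: a new stage bit starts another word */` would help whoever adds the next one.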
@@ -830,31 +878,11 @@ struct ndpi_flow_tcp_struct { /* NDPI_PROTOCOL_GNUTELLA */ u_int8_t gnutella_msg_id[3]; - /* NDPI_PROTOCOL_IRC */ - u_int32_t irc_3a_counter:3; - - /* NDPI_PROTOCOL_USENET */ - u_int32_t usenet_stage:2; - - /* NDPI_PROTOCOL_HTTP */ - u_int32_t http_stage:3; - u_int32_t http_asymmetric_stage:2; - - /* NDPI_PROTOCOL_GNUTELLA */ - u_int32_t gnutella_stage:2; // 0 - 2 - - /* NDPI_PROTOCOL_SSH */ - u_int32_t ssh_stage:3; - - /* NDPI_PROTOCOL_VNC */ - u_int32_t vnc_stage:2; // 0 - 3 - - /* NDPI_PROTOCOL_TELNET */ - u_int32_t telnet_stage:2; // 0 - 2 + /* NDPI_PROTOCOL_NEST_LOG_SINK */ + u_int8_t nest_log_sink_matches; - /* NDPI_PROTOCOL_RTMP */ - u_int32_t rtmp_stage:2; - u_int16_t rtmp_client_buffer_len; + /* NDPI_PROTOCOL_MEMCACHED */ + u_int8_t memcached_matches; struct { /* NDPI_PROTOCOL_TLS */ @@ -863,12 +891,16 @@ struct ndpi_flow_tcp_struct { int16_t tls_application_blocks_len[NDPI_MAX_NUM_TLS_APPL_BLOCKS]; /* + = src->dst, - = dst->src */ } tls; + /* NDPI_PROTOCOL_ZMQ */ + u_char prev_zmq_pkt[10]; + u_int8_t prev_zmq_pkt_len; + + /* NDPI_PROTOCOL_RTMP */ + u_int16_t rtmp_client_buffer_len; + u_int32_t rtmp_stage:2; + /* NDPI_PROTOCOL_POSTGRES */ u_int32_t postgres_stage:3; - - /* Part of the TCP header. */ - u_int32_t seen_syn:1, seen_syn_ack:1, seen_ack:1, __notused:29; - u_int8_t cli2srv_tcp_flags, srv2cli_tcp_flags; /* NDPI_PROTOCOL_ICECAST */ u_int32_t icecast_stage:1; 
@@ -884,25 +916,6 @@ struct ndpi_flow_tcp_struct { /* NDPI_PROTOCOL_MAIL_IMAP */ u_int32_t mail_imap_stage:3, mail_imap_starttls:2; - - /* NDPI_PROTOCOL_SOAP */ - u_int32_t soap_stage:1; - - /* NDPI_PROTOCOL_LOTUS_NOTES */ - u_int8_t lotus_notes_packet_id; - - /* NDPI_PROTOCOL_ZMQ */ - u_int8_t prev_zmq_pkt_len; - u_char prev_zmq_pkt[10]; - - /* NDPI_PROTOCOL_MEMCACHED */ - u_int8_t memcached_matches; - - /* NDPI_PROTOCOL_NEST_LOG_SINK */ - u_int8_t nest_log_sink_matches; - - /* NDPI_PROTOCOL_RADMIN */ - u_int32_t radmin_stage:1; }; /* ************************************************** */ @@ -928,27 +941,33 @@ struct ndpi_flow_udp_struct { /* NDPI_PROTOCOL_ZOOM */ u_int32_t zoom_p2p:1; - /* NDPI_PROTOCOL_EPICGAMES */ - u_int32_t epicgames_stage:1; - u_int32_t epicgames_word; - /* NDPI_PROTOCOL_RAKNET */ u_int32_t raknet_custom:1; - /* NDPI_PROTOCOL_EAQ */ - u_int8_t eaq_pkt_id; - u_int32_t eaq_sequence; + /* NDPI_PROTOCOL_MUMBLE */ + u_int32_t mumble_stage:1; + + /* NDPI_PROTOCOL_EPICGAMES */ + u_int32_t epicgames_stage:1; + u_int32_t epicgames_word; /* NDPI_PROTOCOL_RX */ u_int32_t rx_conn_epoch; u_int32_t rx_conn_id; + /* NDPI_PROTOCOL_WIREGUARD */ + u_int32_t wireguard_peer_index[2]; + u_int8_t wireguard_stage; + /* NDPI_PROTOCOL_MEMCACHED */ u_int8_t memcached_matches; - /* NDPI_PROTOCOL_WIREGUARD */ - u_int8_t wireguard_stage; - u_int32_t wireguard_peer_index[2]; + /* NDPI_PROTOCOL_EAQ */ + u_int8_t eaq_pkt_id; + u_int32_t eaq_sequence; + + /* NDPI_PROTOCOL_MUMBLE */ + u_int64_t mumble_ident; /* NDPI_PROTOCOL_QUIC */ u_int8_t *quic_reasm_buf; @@ -975,9 +994,6 @@ struct ndpi_flow_udp_struct { u_int16_t tftp_data_num; u_int16_t tftp_ack_num; - /* NDPI_PROTOCOL_MUMBLE */ - u_int8_t mumble_stage:1; - u_int64_t mumble_ident; }; /* ************************************************** */ 
@@ -1272,7 +1288,7 @@ struct ndpi_flow_struct { u_int16_t guessed_protocol_id; /* Classification by-port. Set with the first pkt and never updated */ u_int16_t guessed_protocol_id_by_ip; /* Classification by-ip. Set with the first pkt and never updated */ u_int16_t fast_callback_protocol_id; /* Partial/incomplete classification. Used internally as first callback when iterating all the protocols */ - u_int16_t guessed_category, guessed_header_category; + u_int16_t guessed_header_category; u_int8_t l4_proto, protocol_id_already_guessed:1, fail_with_unknown:1, init_finished:1, client_packet_direction:1, packet_direction:1, is_ipv6:1, first_pkt_fully_encrypted:1, skip_entropy_check: 1; u_int8_t monitoring:1, _pad:7; @@ -1282,13 +1298,6 @@ struct ndpi_flow_struct { /* First Packet Classification info */ struct ndpi_fpc_info fpc; - - /* - if ndpi_struct->direction_detect_disable == 1 - tcp sequence number connection tracking - */ - u_int32_t next_tcp_seq_nr[2]; - u_int16_t last_tcp_pkt_payload_len; /* Flow addresses (useful for LRU lookups in ndpi_detection_giveup()) and ports. All in *network* byte order. @@ -1310,6 +1319,15 @@ struct ndpi_flow_struct { u_int64_t last_packet_time_ms; + ndpi_protocol_category_t category; + + /* Counters with only packets with L5 data (ie no TCP SYN, pure ACKs, ...) */ + u_int16_t packet_counter; + u_int16_t packet_direction_counter[2]; + /* Counters with all packets even those without payload */ + u_int16_t all_packets_counter; + u_int16_t packet_direction_complete_counter[2]; + /* the tcp / udp / other l4 value union used to reduce the number of bytes for tcp or udp protocol states 
@@ -1548,17 +1566,6 @@ struct ndpi_flow_struct { /* protocols which have marked a connection as this connection cannot be protocol XXX, multiple u_int64_t */ NDPI_PROTOCOL_BITMASK excluded_protocol_bitmask; - ndpi_protocol_category_t category; - - /* Only packets with L5 data (ie no TCP SYN, pure ACKs, ...) */ - u_int16_t packet_counter; // can be 0 - 65000 - u_int16_t packet_direction_counter[2]; - u_int8_t packet_direction_with_payload_observed[2]; /* 0 = no packet with payload observed, 1 = at least one packet with payload observed */ - - /* All packets even those without payload */ - u_int16_t all_packets_counter; - u_int16_t packet_direction_complete_counter[2]; // can be 0 - 65000 - /* NDPI_PROTOCOL_BITTORRENT */ u_int8_t bittorrent_stage; // can be 0 - 255 u_int8_t bt_check_performed : 1; @@ -1569,18 +1576,9 @@ struct ndpi_flow_struct { /* NDPI_PROTOCOL_ZATTOO */ u_int8_t zattoo_stage:3; - /* NDPI_PROTOCOL_SOCKS */ - u_int8_t socks5_stage:2, socks4_stage:2; // 0 - 3 - - /* NDPI_PROTOCOL_FTP_CONTROL */ - u_int8_t ftp_control_stage:2; - /* NDPI_PROTOCOL_STARCRAFT */ u_int8_t starcraft_udp_stage : 3; // 0-7 - /* NDPI_PROTOCOL_Z3950 */ - u_int8_t z3950_stage : 2; // 0-3 - /* NDPI_PROTOCOL_OOKLA */ u_int8_t ookla_stage : 1; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index b6724469504..a5dc02be274 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -7281,7 +7281,7 @@ static void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_s if(ndpi_str->cfg.tcp_ack_paylod_heuristic && tcp_ack_padding(packet)) { NDPI_LOG_DBG2(ndpi_str, "TCP ACK with zero padding. Ignoring\n"); packet->tcp_retransmission = 1; - } else if(flow->next_tcp_seq_nr[0] == 0 || flow->next_tcp_seq_nr[1] == 0 || + } else if(flow->l4.tcp.next_tcp_seq_nr[0] == 0 || flow->l4.tcp.next_tcp_seq_nr[1] == 0 || (tcph->syn && flow->packet_counter == 0)) { /* initialize tcp sequence counters */ /* the ack flag needs to be set to get valid sequence numbers from the other 
@@ -7294,7 +7294,7 @@ static void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_s * If we receive multiple syn-ack (before any real data), keep the last one */ if(tcph->ack != 0) { - flow->next_tcp_seq_nr[packet->packet_direction] = + flow->l4.tcp.next_tcp_seq_nr[packet->packet_direction] = ntohl(tcph->seq) + (tcph->syn ? 1 : packet->payload_packet_len); /* 
@@ -7302,33 +7302,33 @@ static void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_s but that is already started when nDPI being to process it. See also (***) below */ if(flow->num_processed_pkts > 1) - flow->next_tcp_seq_nr[1 - packet->packet_direction] = ntohl(tcph->ack_seq); + flow->l4.tcp.next_tcp_seq_nr[1 - packet->packet_direction] = ntohl(tcph->ack_seq); } } else if(packet->payload_packet_len > 0) { /* check tcp sequence counters */ - if(((u_int32_t)(ntohl(tcph->seq) - flow->next_tcp_seq_nr[packet->packet_direction])) > + if(((u_int32_t)(ntohl(tcph->seq) - flow->l4.tcp.next_tcp_seq_nr[packet->packet_direction])) > ndpi_str->tcp_max_retransmission_window_size) { - if(flow->last_tcp_pkt_payload_len > 0) + if(flow->l4.tcp.last_tcp_pkt_payload_len > 0) packet->tcp_retransmission = 1; /* CHECK IF PARTIAL RETRY IS HAPPENING */ - if((flow->next_tcp_seq_nr[packet->packet_direction] - ntohl(tcph->seq) < + if((flow->l4.tcp.next_tcp_seq_nr[packet->packet_direction] - ntohl(tcph->seq) < packet->payload_packet_len)) { if(flow->num_processed_pkts > 1) /* See also (***) above */ - flow->next_tcp_seq_nr[packet->packet_direction] = ntohl(tcph->seq) + packet->payload_packet_len; + flow->l4.tcp.next_tcp_seq_nr[packet->packet_direction] = ntohl(tcph->seq) + packet->payload_packet_len; } } else { - flow->next_tcp_seq_nr[packet->packet_direction] = ntohl(tcph->seq) + packet->payload_packet_len; + flow->l4.tcp.next_tcp_seq_nr[packet->packet_direction] = ntohl(tcph->seq) + packet->payload_packet_len; } } if(tcph->rst) { - flow->next_tcp_seq_nr[0] = 0; - flow->next_tcp_seq_nr[1] = 0; + flow->l4.tcp.next_tcp_seq_nr[0] = 0; + flow->l4.tcp.next_tcp_seq_nr[1] = 0; } - flow->last_tcp_pkt_payload_len = packet->payload_packet_len; + flow->l4.tcp.last_tcp_pkt_payload_len = packet->payload_packet_len; } else if(udph != NULL) { if(ndpi_str->cfg.direction_detect_enabled && (udph->source != udph->dest)) 
@@ -7419,9 +7419,6 @@ static void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_s flow->packet_direction_complete_counter[packet->packet_direction]++; } - if(packet->payload_packet_len > 0) - flow->packet_direction_with_payload_observed[packet->packet_direction] = 1; - if(!ndpi_is_multi_or_broadcast(packet)) { /* ! (multicast or broadcast) */ @@ -8002,8 +7999,8 @@ static void ndpi_check_probing_attempt(struct ndpi_detection_module_struct *ndpi if((flow->l4_proto == IPPROTO_TCP) && (flow->l4.tcp.cli2srv_tcp_flags & TH_PUSH) && (flow->l4.tcp.srv2cli_tcp_flags & TH_PUSH)) { - if(flow->packet_direction_with_payload_observed[0] - && flow->packet_direction_with_payload_observed[1]) { + if(flow->packet_direction_counter[0] + && flow->packet_direction_counter[1]) { /* Both directions observed */ /* Nothing to do */ } else { diff --git a/src/lib/protocols/ftp_control.c b/src/lib/protocols/ftp_control.c index 266fc414a31..5a4d1e0a2e5 100644 --- a/src/lib/protocols/ftp_control.c +++ b/src/lib/protocols/ftp_control.c @@ -600,7 +600,7 @@ static void ndpi_check_ftp_control(struct ndpi_detection_module_struct *ndpi_str } /* Check if we so far detected the protocol in the request or not. */ - if(flow->ftp_control_stage == 0) { + if(flow->l4.tcp.ftp_control_stage == 0) { NDPI_LOG_DBG2(ndpi_struct, "FTP_CONTROL stage 0: \n"); if((payload_len > 0) && ndpi_ftp_control_check_request(ndpi_struct, flow, 
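Review bot: In `ndpi_check_probing_attempt` the "both directions observed" test now reads `packet_direction_counter[0] && packet_direction_counter[1]` in place of the removed sticky flags, which is equivalent only if those 16-bit counters are incremented for every packet carrying payload and can never return to 0. The increment sits outside these hunks. If it saturates rather than wraps (the struct comment dropped by this patch said `can be 0 - 65000`), the check is fine; otherwise a long bidirectional flow could be treated as unidirectional by this check. Worth confirming, and recording on the field in ndpi_typedefs.h, e.g. `u_int16_t packet_direction_counter[2]; /* saturating, never wraps; non-zero also means "payload seen in this direction" */`. The function body continues beyond the hunk.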
@@ -612,16 +612,16 @@ static void ndpi_check_ftp_control(struct ndpi_detection_module_struct *ndpi_str Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ - flow->ftp_control_stage = packet->packet_direction + 1; + flow->l4.tcp.ftp_control_stage = packet->packet_direction + 1; } } else { - NDPI_LOG_DBG2(ndpi_struct, "FTP_CONTROL stage %u: \n", flow->ftp_control_stage); + NDPI_LOG_DBG2(ndpi_struct, "FTP_CONTROL stage %u: \n", flow->l4.tcp.ftp_control_stage); /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ - if((flow->ftp_control_stage - packet->packet_direction) == 1) { + if((flow->l4.tcp.ftp_control_stage - packet->packet_direction) == 1) { return; } @@ -637,7 +637,7 @@ static void ndpi_check_ftp_control(struct ndpi_detection_module_struct *ndpi_str if(flow->l4.tcp.ftp_imap_pop_smtp.password[0] == '\0' && flow->l4.tcp.ftp_imap_pop_smtp.auth_done == 0 && flow->l4.tcp.ftp_imap_pop_smtp.auth_tls == 0) { - flow->ftp_control_stage = 0; + flow->l4.tcp.ftp_control_stage = 0; } else if (flow->l4.tcp.ftp_imap_pop_smtp.auth_tls == 1 && ndpi_struct->cfg.ftp_opportunistic_tls_enabled) { flow->host_server_name[0] = '\0'; /* Remove any data set by other dissectors (eg. SMTP) */ @@ -654,7 +654,7 @@ static void ndpi_check_ftp_control(struct ndpi_detection_module_struct *ndpi_str } else { NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to FTP_CONTROL, " "resetting the stage to 0\n"); - flow->ftp_control_stage = 0; + flow->l4.tcp.ftp_control_stage = 0; } } } diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index ffc0b9213a3..319677fe361 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c 
@@ -281,7 +281,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo u_int app_len_avail = packet->content_line.len-app_len; if(strncasecmp(app, "mpeg", app_len_avail) == 0) { - flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_STREAMING; + flow->category = NDPI_PROTOCOL_CATEGORY_STREAMING; return(flow->category); } else { if(app_len_avail > 3) { @@ -301,7 +301,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo if(strncasecmp(app, cmp_mimes[i], app_len_avail) == 0) { char str[64]; - flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT; + flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT; NDPI_LOG_INFO(ndpi_struct, "found HTTP file transfer"); snprintf(str, sizeof(str), "Found binary mime %s", cmp_mimes[i]); @@ -330,7 +330,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo char str[64]; snprintf(str, sizeof(str), "Found mime exe %s", cmp_mimes[i]); - flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT; + flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT; ndpi_set_binary_application_transfer(ndpi_struct, flow, str); NDPI_LOG_INFO(ndpi_struct, "Found executable HTTP transfer"); } @@ -393,7 +393,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo binary_exec_file_ext[i], ATTACHMENT_LEN) == 0) { snprintf(str, sizeof(str), "Found file extn %s", binary_exec_file_ext[i]); - flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT; + flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT; ndpi_set_binary_application_transfer(ndpi_struct, flow, str); NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer"); return(flow->category); 
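Review bot: The `mpeg` test at the top of the first hunk passes `app_len_avail` as the compare length, so a remainder shorter than four bytes, including an empty one, compares equal and the edited `flow->category = NDPI_PROTOCOL_CATEGORY_STREAMING` assignment is reached from a truncated Content-Type. Whether `packet->content_line.len` is guaranteed to exceed `app_len` is decided outside the hunk; if it is not, the subtraction stored in `u_int app_len_avail` would wrap as well. If an exact `mpeg` subtype is what is intended, requiring the full token closes both: `if(app_len_avail == 4 && strncasecmp(app, "mpeg", 4) == 0) {`. The `audio`/`video` cases in the later hunk at line 413 use `ndpi_min(packet->content_line.len, 5)` and accept short prefixes in the same way.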
@@ -413,13 +413,13 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo case 'a': if(strncasecmp((const char *)packet->content_line.ptr, "audio", ndpi_min(packet->content_line.len, 5)) == 0) - flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_MEDIA; + flow->category = NDPI_PROTOCOL_CATEGORY_MEDIA; break; case 'v': if(strncasecmp((const char *)packet->content_line.ptr, "video", ndpi_min(packet->content_line.len, 5)) == 0) - flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_MEDIA; + flow->category = NDPI_PROTOCOL_CATEGORY_MEDIA; break; } } @@ -1106,7 +1106,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ packet->content_line.len); flow->http.content_type[packet->content_line.len] = '\0'; - flow->guessed_category = flow->category = ndpi_http_check_content(ndpi_struct, flow); + flow->category = ndpi_http_check_content(ndpi_struct, flow); } } } diff --git a/src/lib/protocols/socks45.c b/src/lib/protocols/socks45.c index 78a744087af..d2da12b1310 100644 --- a/src/lib/protocols/socks45.c +++ b/src/lib/protocols/socks45.c @@ -41,7 +41,7 @@ static void ndpi_check_socks4(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t payload_len = packet->payload_packet_len; /* Check if we so far detected the protocol in the request or not. */ - if(flow->socks4_stage == 0) { + if(flow->l4.tcp.socks4_stage == 0) { NDPI_LOG_DBG2(ndpi_struct, "SOCKS4 stage 0: \n"); if(payload_len >= 9 && packet->payload[0] == 0x04 && 
@@ -50,13 +50,13 @@ static void ndpi_check_socks4(struct ndpi_detection_module_struct *ndpi_struct, NDPI_LOG_DBG2(ndpi_struct, "Possible SOCKS4 request detected, we will look further for the response\n"); /* TODO: check port and ip address is valid */ /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ - flow->socks4_stage = packet->packet_direction + 1; + flow->l4.tcp.socks4_stage = packet->packet_direction + 1; } } else { - NDPI_LOG_DBG2(ndpi_struct, "SOCKS4 stage %u: \n", flow->socks4_stage); + NDPI_LOG_DBG2(ndpi_struct, "SOCKS4 stage %u: \n", flow->l4.tcp.socks4_stage); /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ - if((flow->socks4_stage - packet->packet_direction) == 1) { + if((flow->l4.tcp.socks4_stage - packet->packet_direction) == 1) { return; } /* This is a packet in another direction. Check if we find the proper response. */ @@ -65,7 +65,7 @@ static void ndpi_check_socks4(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_socks_add_connection(ndpi_struct, flow); } else { NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to SOCKS4, resetting the stage to 0\n"); - flow->socks4_stage = 0; + flow->l4.tcp.socks4_stage = 0; } } } @@ -76,7 +76,7 @@ static void ndpi_check_socks5(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t payload_len = packet->payload_packet_len; /* Check if we so far detected the protocol in the request or not. */ - if(flow->socks5_stage == 0) { + if(flow->l4.tcp.socks5_stage == 0) { NDPI_LOG_DBG2(ndpi_struct, "SOCKS5 stage 0: \n"); if(((payload_len == 3) && (packet->payload[0] == 0x05) && (packet->payload[1] == 0x01) && (packet->payload[2] == 0x00)) || 
@@ -84,14 +84,14 @@ static void ndpi_check_socks5(struct ndpi_detection_module_struct *ndpi_struct, NDPI_LOG_DBG2(ndpi_struct, "Possible SOCKS5 request detected, we will look further for the response\n"); /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ - flow->socks5_stage = packet->packet_direction + 1; + flow->l4.tcp.socks5_stage = packet->packet_direction + 1; } } else { - NDPI_LOG_DBG2(ndpi_struct, "SOCKS5 stage %u: \n", flow->socks5_stage); + NDPI_LOG_DBG2(ndpi_struct, "SOCKS5 stage %u: \n", flow->l4.tcp.socks5_stage); /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ - if((flow->socks5_stage - packet->packet_direction) == 1) { + if((flow->l4.tcp.socks5_stage - packet->packet_direction) == 1) { return; } @@ -101,7 +101,7 @@ static void ndpi_check_socks5(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_socks_add_connection(ndpi_struct, flow); } else { NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to SOCKS5, resetting the stage to 0\n"); - flow->socks5_stage = 0; + flow->l4.tcp.socks5_stage = 0; } } diff --git a/src/lib/protocols/z3950.c b/src/lib/protocols/z3950.c index 92eed01b0a9..bddc7ba1078 100644 --- a/src/lib/protocols/z3950.c +++ b/src/lib/protocols/z3950.c @@ -103,13 +103,13 @@ static void ndpi_search_z3950(struct ndpi_detection_module_struct *ndpi_struct, return; } - if(flow->z3950_stage == 3) { + if(flow->l4.tcp.z3950_stage == 3) { if(flow->packet_direction_counter[0] && flow->packet_direction_counter[1]) ndpi_int_z3950_add_connection(ndpi_struct, flow); else NDPI_EXCLUDE_PROTO(ndpi_struct, flow); /* Skip if unidirectional traffic */ } else - flow->z3950_stage++; + flow->l4.tcp.z3950_stage++; return; }