Skype_Teams, Mining, SnapchatCall: fix flow category (ntop#1624)

yalonso7 · Jul 3, 2022 · eed47ac · eed47ac
1 parent 77ac58e
commit eed47ac
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 2 deletions.
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -5542,6 +5542,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
 			   &cached_proto, 0 /* Don't remove it as it can be used for other connections */)) {
       ndpi_set_detected_protocol(ndpi_str, flow, cached_proto, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_CACHE);
       ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0];
+      ndpi_fill_protocol_category(ndpi_str, flow, &ret);
       return(ret);
     }
   }

diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
@@ -1598,8 +1598,15 @@ static int ndpi_search_quic_extra(struct ndpi_detection_module_struct *ndpi_stru
      (packet->payload[1] == 201 || /* RTCP, Receiver Report */
       packet->payload[1] == 200 || /* RTCP, Sender Report */
       is_valid_rtp_payload_type(packet->payload[1] & 0x7F)) /* RTP */) {
+    ndpi_protocol proto;
+
     NDPI_LOG_DBG(ndpi_struct, "Found RTP/RTCP over QUIC\n");
     ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SNAPCHAT_CALL, NDPI_PROTOCOL_QUIC, NDPI_CONFIDENCE_DPI);
+    /* In "extra_eval" data path, if we change the classification, we need to update the category, too */
+    proto.master_protocol = NDPI_PROTOCOL_QUIC;
+    proto.app_protocol = NDPI_PROTOCOL_SNAPCHAT_CALL;
+    proto.category = NDPI_PROTOCOL_CATEGORY_UNSPECIFIED;
+    ndpi_fill_protocol_category(ndpi_struct, flow, &proto);
   } else {
     /* Unexpected traffic pattern: we should investigate it... */
     NDPI_LOG_INFO(ndpi_struct, "To investigate...\n");

diff --git a/src/lib/protocols/skype.c b/src/lib/protocols/skype.c
@@ -54,7 +54,14 @@ static int ndpi_check_skype_udp_again(struct ndpi_detection_module_struct *ndpi_
     }
 
     if (detected) {
+      ndpi_protocol proto;
+
       ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_TEAMS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+      /* In "extra_eval" data path, if we change the classification, we need to update the category, too */
+      proto.master_protocol = NDPI_PROTOCOL_UNKNOWN;
+      proto.app_protocol = NDPI_PROTOCOL_SKYPE_TEAMS;
+      proto.category = NDPI_PROTOCOL_CATEGORY_UNSPECIFIED;
+      ndpi_fill_protocol_category(ndpi_struct, flow, &proto);
       flow->extra_packets_func = NULL;
 
       /* Stop checking extra packets */

diff --git a/tests/result/skype_udp.pcap.out b/tests/result/skype_udp.pcap.out
@@ -5,4 +5,4 @@ Confidence DPI              : 1 (flows)
 
 Skype_Teams	5	339	1
 
-	1	UDP 192.168.1.2:35990 <-> 24.224.190.149:39262 [proto: 125/Skype_Teams][Encrypted][Confidence: DPI][4 pkts/279 bytes <-> 1 pkts/60 bytes][Goodput ratio: 40/30][72.51 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	UDP 192.168.1.2:35990 <-> 24.224.190.149:39262 [proto: 125/Skype_Teams][Encrypted][Confidence: DPI][cat: VoIP/10][4 pkts/279 bytes <-> 1 pkts/60 bytes][Goodput ratio: 40/30][72.51 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/snapchat_call.pcapng.out b/tests/result/snapchat_call.pcapng.out
@@ -5,4 +5,4 @@ Confidence DPI              : 1 (flows)
 
 SnapchatCall	50	12772	1
 
-	1	UDP 192.168.12.169:42083 <-> 18.184.138.142:443 [proto: 188.255/QUIC.SnapchatCall][Encrypted][Confidence: DPI][cat: Cloud/13][25 pkts/5295 bytes <-> 25 pkts/7477 bytes][Goodput ratio: 80/86][8.29 sec][bytes ratio: -0.171 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 288/246 1313/1315 376/342][Pkt Len c2s/s2c min/avg/max/stddev: 65/62 212/299 1392/1392 365/419][Risk: ** Missing SNI TLS Extn **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (AESGCC20)][Plen Bins: 28,44,0,2,2,0,0,2,4,4,0,0,2,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0]
+	1	UDP 192.168.12.169:42083 <-> 18.184.138.142:443 [proto: 188.255/QUIC.SnapchatCall][Encrypted][Confidence: DPI][cat: VoIP/10][25 pkts/5295 bytes <-> 25 pkts/7477 bytes][Goodput ratio: 80/86][8.29 sec][bytes ratio: -0.171 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 288/246 1313/1315 376/342][Pkt Len c2s/s2c min/avg/max/stddev: 65/62 212/299 1392/1392 365/419][Risk: ** Missing SNI TLS Extn **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (AESGCC20)][Plen Bins: 28,44,0,2,2,0,0,2,4,4,0,0,2,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0]
Original file line number	Diff line number	Diff line change
Expand Up		@@ -5,4 +5,4 @@ Confidence DPI : 1 (flows)

		Skype_Teams 5 339 1

		1 UDP 192.168.1.2:35990 <-> 24.224.190.149:39262 [proto: 125/Skype_Teams][Encrypted][Confidence: DPI][4 pkts/279 bytes <-> 1 pkts/60 bytes][Goodput ratio: 40/30][72.51 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
		1 UDP 192.168.1.2:35990 <-> 24.224.190.149:39262 [proto: 125/Skype_Teams][Encrypted][Confidence: DPI][cat: VoIP/10][4 pkts/279 bytes <-> 1 pkts/60 bytes][Goodput ratio: 40/30][72.51 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
Original file line number	Diff line number	Diff line change
Expand Up		@@ -5,4 +5,4 @@ Confidence DPI : 1 (flows)

		SnapchatCall 50 12772 1

		1 UDP 192.168.12.169:42083 <-> 18.184.138.142:443 [proto: 188.255/QUIC.SnapchatCall][Encrypted][Confidence: DPI][cat: Cloud/13][25 pkts/5295 bytes <-> 25 pkts/7477 bytes][Goodput ratio: 80/86][8.29 sec][bytes ratio: -0.171 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 288/246 1313/1315 376/342][Pkt Len c2s/s2c min/avg/max/stddev: 65/62 212/299 1392/1392 365/419][Risk: Missing SNI TLS Extn ][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (AESGCC20)][Plen Bins: 28,44,0,2,2,0,0,2,4,4,0,0,2,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0]
		1 UDP 192.168.12.169:42083 <-> 18.184.138.142:443 [proto: 188.255/QUIC.SnapchatCall][Encrypted][Confidence: DPI][cat: VoIP/10][25 pkts/5295 bytes <-> 25 pkts/7477 bytes][Goodput ratio: 80/86][8.29 sec][bytes ratio: -0.171 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 288/246 1313/1315 376/342][Pkt Len c2s/s2c min/avg/max/stddev: 65/62 212/299 1392/1392 365/419][Risk: Missing SNI TLS Extn ][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (AESGCC20)][Plen Bins: 28,44,0,2,2,0,0,2,4,4,0,0,2,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0]