Reworked fingerprint export now in JSON

ntop · Sep 16, 2024 · 6de91c7 · 6de91c7
1 parent b77d3e3
commit 6de91c7
Show file tree

Hide file tree

Showing 5 changed files with 80 additions and 39 deletions.
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
@@ -943,14 +943,6 @@ void extcap_capture(int datalink_type) {
 
 /* ********************************** */
 
-void printFingerprintHeader() {
-  if(!fingerprint_fp) return;
-
-  fprintf(fingerprint_fp, "#protocol|src_ip|dst_ip|dst_port|family|fingerprint\n");
-}
-
-/* ********************************** */
-
 void printCSVHeader() {
   if(!csv_fp) return;
 
@@ -1460,7 +1452,6 @@ static void parseOptions(int argc, char **argv) {
     exit(0);
 
   printCSVHeader();
-  printFingerprintHeader();
 
 #ifndef USE_DPDK
   if(do_extcap_capture) {

diff --git a/example/reader_util.c b/example/reader_util.c
@@ -1042,34 +1042,37 @@ u_int8_t plen2slot(u_int16_t plen) {
 
 /* ****************************************************** */
 
-static void dump_raw_fingerprint(struct ndpi_workflow * workflow,
-				 struct ndpi_flow_info *flow,
-				 char *fingerprint_family,
-				 char *fingerprint) {
-  char buf[64];
-
-  fprintf(fingerprint_fp, "%u|%s|%s|%u|%s|%s|%s\n",
-	  flow->protocol,flow->src_name, flow->dst_name, ntohs(flow->dst_port),
-	  ndpi_protocol2name(workflow->ndpi_struct, flow->detected_protocol, buf, sizeof(buf)),
-	  fingerprint_family, fingerprint);
-}
-
-/* ****************************************************** */
-
-static void dump_flow_fingerprint(struct ndpi_workflow * workflow, struct ndpi_flow_info *flow) {
-  if(is_ndpi_proto(flow, NDPI_PROTOCOL_TLS) || is_ndpi_proto(flow, NDPI_PROTOCOL_QUIC)) {
-    if(flow->ndpi_flow->protos.tls_quic.ja4_client_raw != NULL)
-      dump_raw_fingerprint(workflow, flow, "JA4r", flow->ndpi_flow->protos.tls_quic.ja4_client_raw);
-  } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_DHCP)
-	    && (flow->ndpi_flow->protos.dhcp.fingerprint[0] != '\0')) {
-    char buf[256];
+static void dump_flow_fingerprint(struct ndpi_workflow * workflow,
+				  struct ndpi_flow_info *flow) {
+  ndpi_serializer serializer;
+  bool rc;
+
+  if(ndpi_init_serializer(&serializer, ndpi_serialization_format_json) == -1)
+    return;
 
-    snprintf(buf, sizeof(buf), "%s_%s",
-	     flow->ndpi_flow->protos.dhcp.options,
-	     flow->ndpi_flow->protos.dhcp.fingerprint);
-
-    dump_raw_fingerprint(workflow, flow, "DHCP_r", buf);
-  }
+  ndpi_serialize_start_of_block(&serializer, "fingerprint");
+  rc = ndpi_serialize_flow_fingerprint(flow->ndpi_flow, &serializer);
+  ndpi_serialize_end_of_block(&serializer);
+
+  if(rc) {
+    char buf[64], *buffer;
+    u_int32_t buffer_len;
+
+    ndpi_serialize_string_uint32(&serializer, "proto", flow->protocol);
+    ndpi_serialize_string_string(&serializer, "cli_ip", flow->src_name);
+    ndpi_serialize_string_uint32(&serializer, "cli_port", ntohs(flow->src_port));
+    ndpi_serialize_string_string(&serializer, "srv_ip", flow->dst_name);
+    ndpi_serialize_string_uint32(&serializer, "srv_port", ntohs(flow->dst_port));
+    ndpi_serialize_string_string(&serializer, "proto",
+				 ndpi_protocol2name(workflow->ndpi_struct,
+						    flow->detected_protocol,
+						    buf, sizeof(buf)));
+
+    buffer = ndpi_serializer_get_buffer(&serializer, &buffer_len);
+    fprintf(fingerprint_fp, "%s\n", buffer);
+  }
+
+  ndpi_term_serializer(&serializer);  
 }
 
 /* ****************************************************** */

diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
@@ -2307,6 +2307,10 @@ extern "C" {
 
   /* ******************************* */
 
+  bool ndpi_serialize_flow_fingerprint(struct ndpi_flow_struct *flow, ndpi_serializer *serializer);
+
+  /* ******************************* */
+
   const char *ndpi_lru_cache_idx_to_name(lru_cache_type idx);
 
   /**

diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
@@ -3602,3 +3602,46 @@ u_int ndpi_encode_domain(struct ndpi_detection_module_struct *ndpi_str,
 
   return(out_idx);
 }
+
+/* ****************************************************** */
+
+static u_int8_t is_ndpi_proto(struct ndpi_flow_struct *flow, u_int16_t id) {
+  if((flow->detected_protocol_stack[0] == id)
+     || (flow->detected_protocol_stack[1] == id))
+    return(1);
+  else
+    return(0);
+}
+
+/* ****************************************************** */
+
+bool ndpi_serialize_flow_fingerprint(struct ndpi_flow_struct *flow, ndpi_serializer *serializer) {
+  if(is_ndpi_proto(flow, NDPI_PROTOCOL_TLS) || is_ndpi_proto(flow, NDPI_PROTOCOL_QUIC)) {
+    if((flow->protos.tls_quic.ja4_client_raw != NULL)
+       || (flow->protos.tls_quic.ja4_client[0] != '\0')) {
+
+      if(flow->protos.tls_quic.ja4_client_raw != NULL)
+	ndpi_serialize_string_string(serializer, "JA4r", flow->protos.tls_quic.ja4_client_raw);
+
+      ndpi_serialize_string_string(serializer, "JA4", flow->protos.tls_quic.ja4_client);
+      return(true);
+    }
+  } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_DHCP)
+	    && (flow->protos.dhcp.fingerprint[0] != '\0')) {
+    ndpi_serialize_string_string(serializer, "options", flow->protos.dhcp.options);
+    ndpi_serialize_string_string(serializer, "fingerprint", flow->protos.dhcp.fingerprint);
+
+    return(true);
+  } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_SSH)
+	    && (flow->protos.ssh.hassh_client[0] != '\0')) {
+
+    ndpi_serialize_string_string(serializer, "hassh_client", flow->protos.ssh.hassh_client);
+    ndpi_serialize_string_string(serializer, "client_signature", flow->protos.ssh.client_signature);
+    ndpi_serialize_string_string(serializer, "hassh_server", flow->protos.ssh.hassh_server);
+    ndpi_serialize_string_string(serializer, "server_signature", flow->protos.ssh.server_signature);
+
+    return(true);
+  }
+
+  return(false);
+}
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
@@ -1,7 +1,7 @@
 /*
  * tls.c - TLS/TLS/DTLS dissector
  *
- * Copyright (C) 2016-22 - ntop.org
+ * Copyright (C) 2016-24 - ntop.org
  *
  * nDPI is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Lesser General Public License as published by
@@ -29,7 +29,7 @@
 #include "ndpi_encryption.h"
 #include "ndpi_private.h"
 
-/* #define JA4R_DECIMAL 1 */
+#define JA4R_DECIMAL 1 
 
 static void ndpi_search_tls_wrapper(struct ndpi_detection_module_struct *ndpi_struct,
 				    struct ndpi_flow_struct *flow);
@@ -1801,7 +1801,7 @@ static void ndpi_compute_ja4(struct ndpi_detection_module_struct *ndpi_struct,
 #endif
 
 #ifdef JA4R_DECIMAL
-  rc = snprintf(&ja4_r[ja4_r_len], sizeof(ja4_r)-ja4_r_len, " ");
+  rc = snprintf(&ja4_r[ja4_r_len], sizeof(ja4_r)-ja4_r_len, "_");
   if(rc > 0) ja4_r_len += rc;
 #endif