添加協議編號
在文件src/include/ndpi_protocol_ids.h中添加自定義的協議NDPI_PROTOCOL_XXXX,并延續使用新的協議編號
NDPI_PROTOCOL_NANO = 420,
NDPI_PROTOCOL_OPENWIRE = 421,
// Add new protocols here
NDPI_PROTOCOL_UOSDETECT = 422,
創建協議文件
創建協議文件(文件名建議與協議名稱對應)src/lib/protocols/uosdetect.c
添加頭文件及相關定義
#include "ndpi_protocol_ids.h"
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_UOSDETECT
#include "ndpi_api.h"
#include "ndpi_private.h"
為協議編寫 ndpi_search_uosdetect 查找函數
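/* Payload length threshold (bytes) used by this example dissector. Named so
 * the tutorial's magic number 123 has one definition; the value itself is
 * arbitrary and only serves to demonstrate the callback structure. */
enum { UOSDETECT_MIN_PAYLOAD_LEN = 123 };

/*
 * Search callback for the example UOSDetect protocol.
 *
 * Registered by init_uosdetect_dissector. Inspects ndpi_struct->packet and
 * decides on the basis of payload length alone: a payload longer than
 * UOSDETECT_MIN_PAYLOAD_LEN marks the flow as NDPI_PROTOCOL_UOSDETECT with
 * NDPI_CONFIDENCE_DPI; otherwise NDPI_EXCLUDE_PROTO is invoked, which per the
 * surrounding text marks the protocol as "not recognised" for this flow.
 *
 * NOTE(review): a length-only check is not a protocol signature. Every TCP
 * flow that reaches this dissector with more than UOSDETECT_MIN_PAYLOAD_LEN
 * payload bytes is labelled UOSDetect, so any policy or accounting keyed on
 * this protocol id will see false positives. A real dissector should verify
 * payload content (a fixed header, version field, etc.) before calling
 * ndpi_set_detected_protocol.
 *
 * @param ndpi_struct  detection module; ndpi_struct->packet is the packet under inspection
 * @param flow         flow being classified, updated in place
 */
static void ndpi_search_uosdetect(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &ndpi_struct->packet;

  NDPI_LOG_DBG(ndpi_struct, "search UOS Detect\n");

  if (packet->payload_packet_len > UOSDETECT_MIN_PAYLOAD_LEN) {
    ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UOSDETECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
    NDPI_LOG_INFO(ndpi_struct, "UOSDETECT found\n");
    return;
  }

  /* No match on this packet: stop considering this protocol for the flow. */
  NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}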
協議識別完成後,使用函數ndpi_set_detected_protocol標識當前流為自定義協議;否則使用NDPI_EXCLUDE_PROTO 表示未識別
為協議編寫init_uosdetect_dissector解析器初始化函數。由于我們分析的內容在HTTP Payload中,所以使用掩碼NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION
/*
 * Register the example UOSDetect dissector with the detection module.
 *
 * Binds ndpi_search_uosdetect to protocol id NDPI_PROTOCOL_UOSDETECT in the
 * dissector slot *id, using the selection bitmask whose name restricts it to
 * IPv4/IPv6 TCP packets carrying payload that are not retransmissions, and
 * then advances *id so the caller's next registration gets a fresh slot.
 *
 * @param ndpi_struct  detection module being initialised
 * @param id           in/out: next free dissector slot; incremented by one on return
 */
void init_uosdetect_dissector(struct ndpi_detection_module_struct *ndpi_struct,
                              u_int32_t *id)
{
  u_int32_t const slot = *id;

  ndpi_set_bitmask_protocol_detection("UOSDetect",
                                      ndpi_struct,
                                      slot,
                                      NDPI_PROTOCOL_UOSDETECT,
                                      ndpi_search_uosdetect,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id = slot + 1;
}
協議解析器注冊
在文件src/include/ndpi_private.h中添加協議解析器的函數聲明
/* Dissector initialisers. Each presumably follows the same contract as
 * init_uosdetect_dissector: bind the protocol's search callback to slot *id
 * and increment *id. */
void init_nano_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
void init_openwire_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
// Custom protocol dissector; the signature must match the definition in src/lib/protocols/uosdetect.c.
void init_uosdetect_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
在文件src/lib/ndpi_main.c中添加協議默認設置
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */,
NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_UOSDETECT,
"UOSDetect", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */
將默認的TCP端口配置為80會導致協議解析與計數出現故障
由于是基于HTTP協議進行判斷,所以要注冊為HTTP協議的子協議,否則只能識別為HTTP協議
ndpi_set_proto_subprotocols(ndpi_str, NDPI_PROTOCOL_HTTP,
NDPI_PROTOCOL_CROSSFIRE, NDPI_PROTOCOL_SOAP,
NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_GNUTELLA,
NDPI_PROTOCOL_MAPLESTORY, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_WORLDOFWARCRAFT,
NDPI_PROTOCOL_IRC,
NDPI_PROTOCOL_UOSDETECT,
NDPI_PROTOCOL_IPP,
NDPI_PROTOCOL_MPEGDASH,
NDPI_PROTOCOL_RTSP,
NDPI_PROTOCOL_APACHE_THRIFT,
NDPI_PROTOCOL_JSON_RPC,
NDPI_PROTOCOL_HL7,
NDPI_PROTOCOL_MATCHED_BY_CONTENT,
NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS); /* NDPI_PROTOCOL_HTTP can have (content-matched) subprotocols */
并初始化協議解析器
// custom protocols dissectors
init_uosdetect_dissector(ndpi_str, &a);