Improved sflow protocol detection false-positives.

Signed-off-by: lns <[email protected]>
ntop · Apr 19, 2022 · 8214b8b · 8214b8b
1 parent 739dfc5
commit 8214b8b
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 5 deletions.
diff --git a/src/lib/protocols/sflow.c b/src/lib/protocols/sflow.c
@@ -35,10 +35,20 @@ void ndpi_search_sflow(struct ndpi_detection_module_struct *ndpi_struct, struct
   if((packet->udp != NULL)
      && (payload_len >= 24)
      /* Version */
-     && (packet->payload[0] == 0) && (packet->payload[1] == 0) && (packet->payload[2] == 0)
-     && ((packet->payload[3] == 2) || (packet->payload[3] == 5))) {
-    NDPI_LOG_INFO(ndpi_struct, "found sflow\n");
-    ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SFLOW, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+     && (ntohl(get_u_int32_t(packet->payload, 0)) == 0x00000002 ||
+         ntohl(get_u_int32_t(packet->payload, 0)) == 0x00000005)
+     /* Agent Address type: IPv4 / IPv6 */
+     && (ntohl(get_u_int32_t(packet->payload, 4)) == 0x00000001 ||
+         ntohl(get_u_int32_t(packet->payload, 4)) == 0x00000002)) {
+    NDPI_LOG_INFO(ndpi_struct, "found (probably) sflow\n");
+    if (flow->packet_counter >= 2)
+    {
+      NDPI_LOG_INFO(ndpi_struct, "found sflow\n");
+      ndpi_set_detected_protocol(ndpi_struct, flow,
+                                 NDPI_PROTOCOL_SFLOW,
+                                 NDPI_PROTOCOL_UNKNOWN,
+                                 NDPI_CONFIDENCE_DPI);
+    }
     return;
   }
 

diff --git a/tests/result/sflow.pcap.out b/tests/result/sflow.pcap.out
@@ -1,6 +1,6 @@
 Guessed flow protos:	0
 
-DPI Packets (UDP):	1	(1.00 pkts/flow)
+DPI Packets (UDP):	2	(2.00 pkts/flow)
 Confidence DPI              : 1 (flows)
 
 sFlow	9	1702	1