Fix non zero app data len increment. #769

Closed
wants to merge 11 commits into from
rkerur commented Sep 14, 2019

Restrict SPLT score for first 32 packets in either dir
which should suffice for classification.

Signed-off-by: Ravi Kerur <ravi.kerur@viasat.com>

lucaderi (Member) commented

Can you please update this pull request?

rkerur (Author) commented Sep 19, 2019

Hi Luca,

I modified code such that BD, entropy, mean and variance are calculated for every 10 packets. The idea here is to push these metrics to an analytical tool which could then be used for classification. This is RFC only. Kindly let me know your comments.

Thanks.

lucaderi (Member) commented

Can you please update this contribution with the current source tree? So I can merge it and test it.

rkerur (Author) commented Sep 24, 2019

Can you please check now? I see the following commit in my fix_bd repo

    commit 19dbcaa
    Author: Luca Deri <deri@ntop.org>
    Date: Mon Sep 23 18:04:55 2019 +0200

        Fixes #777

Also, git pull says...

    git pull origin dev
    From https://github.com/ntop/nDPI
     * branch dev -> FETCH_HEAD
    Already up-to-date.
    root@localhost:/home/vagrant/nDPI# git pull
    Already up-to-date.

Signed-off-by: Ravi Kerur <ravi.kerur@viasat.com>

lucaderi (Member) commented

You definitively need to update the patch as it does not work even on command line
patch -p1 < 769.diff
patching file example/ndpiReader.c
patching file example/reader_util.c
Hunk #5 succeeded at 821 (offset 14 lines).
Hunk #6 succeeded at 858 (offset 14 lines).
Hunk #7 succeeded at 928 (offset 14 lines).
Hunk #8 succeeded at 1008 (offset 14 lines).
Hunk #9 FAILED at 1070.
Hunk #10 FAILED at 1080.
Hunk #11 FAILED at 1095.
Hunk #12 succeeded at 1113 (offset 18 lines).
Hunk #13 succeeded at 1125 (offset 18 lines).
Hunk #14 succeeded at 1152 (offset 18 lines).
3 out of 14 hunks FAILED -- saving rejects to file example/reader_util.c.rej
patching file example/reader_util.h
patching file src/include/ndpi_classify.h
Hunk #1 FAILED at 87.
1 out of 1 hunk FAILED -- saving rejects to file src/include/ndpi_classify.h.rej
patching file src/lib/ndpi_classify.c
Hunk #2 succeeded at 679 (offset 22 lines).

rkerur (Author) commented Sep 29, 2019

Sorry for the inconvenience. Can you please check now? If it still doesn't work I will create a new local branch and push the new changes.

Signed-off-by: Ravi Kerur <ravi.kerur@viasat.com>
lucaderi added a commit that referenced this pull request Oct 2, 2019

lucaderi (Member) commented Oct 2, 2019

I have merged the code by hand as it was unable to merge automatically. I have looked at the code and it looks good to me even though IAT and packet length stats are different now.

Before

< 1 UDP 192.168.1.7:56074 <-> 216.58.198.33:443 [proto: 188.124/QUIC.YouTube][cat: Media/1][113 pkts/16111 bytes <-> 145 pkts/162384 bytes][Host: yt3.ggpht.com][bytes ratio: -0.819 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27.5/21.0 2122/2177 199.3/180.7][Pkt Len c2s/s2c min/avg/max/stddev: 77/73 142.6/1119.9 1392/1392 176.1/437.4][PLAIN TEXT (yt3.ggpht.com)]
< 2 UDP 192.168.1.7:53859 <-> 216.58.205.66:443 [proto: 188.126/QUIC.Google][cat: Web/5][9 pkts/3929 bytes <-> 9 pkts/4736 bytes][Host: googleads.g.doubleclick.net][bytes ratio: -0.093 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/5 38.4/40.5 114/158 45.2/49.2][Pkt Len c2s/s2c min/avg/max/stddev: 80/69 436.6/526.2 1392/1392 523.6/546.1][PLAIN TEXT (googleads.g.doubleclick.net)]
< 3 UDP 192.168.1.7:54997 <-> 216.58.205.66:443 [proto: 188.126/QUIC.Google][cat: Web/5][7 pkts/2312 bytes <-> 6 pkts/2167 bytes][Host: pagead2.googlesyndication.com][bytes ratio: 0.032 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/8 92.7/93.8 355/400 121.6/153.8][Pkt Len c2s/s2c min/avg/max/stddev: 80/72 330.3/361.2 1392/1392 449.0/478.5][PLAIN TEXT (pagead2.googlesyndication.com)]

Now

1 UDP 192.168.1.7:56074 <-> 216.58.198.33:443 [proto: 188.124/QUIC.YouTube][cat: Media/1][113 pkts/16111 bytes <-> 145 pkts/162384 bytes][Host: yt3.ggpht.com][bytes ratio: -0.819 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8.6/5.2 70/69 14.6/11.6][Pkt Len c2s/s2c min/avg/max/stddev: 77/73 142.6/1119.9 1392/1392 176.1/437.4][PLAIN TEXT (yt3.ggpht.com)]
2 UDP 192.168.1.7:53859 <-> 216.58.205.66:443 [proto: 188.126/QUIC.Google][cat: Web/5][9 pkts/3929 bytes <-> 9 pkts/4736 bytes][Host: googleads.g.doubleclick.net][bytes ratio: -0.093 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/5 36.1/37.3 114/158 47.9/51.9][Pkt Len c2s/s2c min/avg/max/stddev: 80/69 436.6/526.2 1392/1392 523.6/546.1][PLAIN TEXT (googleads.g.doubleclick.net)]
3 UDP 192.168.1.7:54997 <-> 216.58.205.66:443 [proto: 188.126/QUIC.Google][cat: Web/5][7 pkts/2312 bytes <-> 6 pkts/2167 bytes][Host: pagead2.googlesyndication.com][bytes ratio: 0.032 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/8 40.2/17.2 89/44 35.1/16.6][Pkt Len c2s/s2c min/avg/max/stddev: 80/72 330.3/361.2 1392/1392 449.0/478.5][PLAIN TEXT (pagead2.googlesyndication.com)]

Do you know what could be the root cause? If you can find the culprit please make a pull request or fix it. Thanks

lucaderi closed this Oct 2, 2019
lucaderi deleted the fix_bd branch March 20, 2020 17:08
IvanNardi mentioned this pull request Sep 27, 2021