ntop · Gianla · Aug 10, 2025 · Aug 11, 2025 · Aug 11, 2025 · Aug 12, 2025
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
@@ -32,6 +32,7 @@
 #include <stdlib.h>
 #include <getopt.h>
 #include <float.h> /* FLT_EPSILON */
+
 #ifdef WIN32
 #include <winsock2.h> /* winsock.h is included automatically */
 #include <windows.h>
@@ -2000,6 +2001,48 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
 	}
       }
 
+    if(flow->mdns_metadata.num_services > 0) {
+      fprintf(out, "[MDNS advertised services (found %d) - ", flow->mdns_metadata.num_services);
+
+      for(int i = 0; i < flow->mdns_metadata.num_services - 1; i++) {
+        struct ndpi_mdns_rsp_entry *service = &flow->mdns_metadata.services[i];
+
+        fprintf(out, "rsp_class: %d ", service->rsp_class);
+        fprintf(out, "ttl: %ds ", service->ttl);
+        fprintf(out, "rdatalength: %d ", service->data_len);
+
+        fprintf(out, "rsp_type: ");
+        switch (service -> rsp_type) {
+          case 0x0C: /* PTR */
+            fprintf(out, "PTR data: %s advertised %s; ", service->name, service->data); break;
+          case 0x10: /* TXT */
+            fprintf(out, "TXT data: %s additional info %s; ", service->name, service->data); break;
+          case 0x21: /* SRV */
+            fprintf(out, "SRV data: %s is on port %d; ", service->name, service->srv_port); break;
+          case 0x05: /* CNAME */
+            break;
+        }
+      }
+      /* last line without spacing at the end */
+      struct ndpi_mdns_rsp_entry *service = &flow->mdns_metadata.services[flow->mdns_metadata.num_services - 1];
+
+      fprintf(out, "rsp_class: %d ", service->rsp_class);
+      fprintf(out, "ttl: %ds ", service->ttl);
+      fprintf(out, "rdatalength: %d ", service->data_len);
+
+      fprintf(out, "rsp_type: ");
+      switch (service -> rsp_type) {
+        case 0x0C: /* PTR */
+          fprintf(out, "PTR data: %s advertised %s]", service->name, service->data); break;
+        case 0x10: /* TXT */
+          fprintf(out, "TXT data: %s additional info %s]", service->name, service->data); break;
+        case 0x21: /* SRV */
+          fprintf(out, "SRV data: %s is on port %d]", service->name, service->srv_port); break;
+        case 0x05: /* CNAME */
+          break;
+      }
+    }
+
     fprintf(out, "[%s]",
 	    ndpi_is_encrypted_proto(ndpi_thread_info[thread_id].workflow->ndpi_struct,
 				    flow->detected_protocol) ? "Encrypted" : "ClearText");

diff --git a/example/reader_util.c b/example/reader_util.c
@@ -616,6 +616,14 @@ void ndpi_flow_info_free_data(struct ndpi_flow_info *flow) {
   if(flow->tcp_fingerprint) ndpi_free(flow->tcp_fingerprint);
   if(flow->risk_str)        ndpi_free(flow->risk_str);
   if(flow->flow_payload)    ndpi_free(flow->flow_payload);
+
+  if (flow->mdns_metadata.services) {
+    for(int i = 0; i < flow->mdns_metadata.num_services; i++) {
+      if (flow->mdns_metadata.services[i].name) ndpi_free(flow->mdns_metadata.services[i].name);
+      if (flow->mdns_metadata.services[i].data) ndpi_free(flow->mdns_metadata.services[i].data);
+    }
+    ndpi_free(flow->mdns_metadata.services);
+  }
 }
 
 /* ***************************************************** */
@@ -1628,6 +1636,28 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
     ndpi_snprintf(flow->fast_cgi.url, sizeof(flow->fast_cgi.url), "%s", flow->ndpi_flow->protos.fast_cgi.url);
   }
 
+  flow->mdns_metadata.num_services = flow->ndpi_flow->mdns_metadata.num_services;
+
+  if(flow->mdns_metadata.num_services > 0) {
+    flow->mdns_metadata.services = ndpi_malloc(
+      sizeof(struct ndpi_mdns_rsp_entry) * flow->mdns_metadata.num_services);
+
+    if (flow->mdns_metadata.services) {
+      for(int idx = 0; idx < flow->mdns_metadata.num_services; ++idx) {
+        struct ndpi_mdns_rsp_entry *service = &flow->mdns_metadata.services[idx];
+        struct ndpi_mdns_rsp_entry *reference = &flow->ndpi_flow->mdns_metadata.services[idx];
+
+        service->rsp_type = reference->rsp_type;
+        service->rsp_class = reference->rsp_class;
+        service->ttl = reference->ttl;
+        service->data_len = reference->data_len;
+        service->name = ndpi_strdup(reference->name);
+        service->data = ndpi_strdup(reference->data);
+        service->srv_port = reference->srv_port;
+      }
+    }
+  }
+
   if(!monitoring_enabled) {
     add_to_address_port_list(&flow->stun.mapped_address, &flow->ndpi_flow->stun.mapped_address);
     add_to_address_port_list(&flow->stun.peer_address, &flow->ndpi_flow->stun.peer_address);

diff --git a/example/reader_util.h b/example/reader_util.h
@@ -285,6 +285,11 @@ typedef struct ndpi_flow_info {
     } bfcp;
   };
 
+  struct {
+    uint8_t num_services;
+    struct ndpi_mdns_rsp_entry *services;
+  } mdns_metadata;
+
   ndpi_serializer ndpi_flow_serializer;
 
   char host_server_name[80]; /* Hostname/SNI */

diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
@@ -397,12 +397,15 @@ struct ndpi_dhcphdr {
 } PACK_OFF;
 
 /* +++++++++++++++ MDNS rsp header +++++++++++++++ */
-PACK_ON
+
 struct ndpi_mdns_rsp_entry {
   u_int16_t rsp_type, rsp_class;
   u_int32_t ttl;
   u_int16_t data_len;
-} PACK_OFF;
+  char *name; // hostname
+  char *data; // metadata
+  u_int16_t srv_port;
+};
 
 /* +++++++++++++++++++ LLC header (IEEE 802.2) ++++++++++++++++ */
 
@@ -1319,6 +1322,7 @@ typedef enum {
 
 #define MAX_NUM_TLS_SIGNATURE_ALGORITHMS 16
 #define MAX_NUM_DNS_RSP_ADDRESSES         4
+#define MAX_NUM_MDNS_ADVERTISED_SERVICES  8
 
 typedef struct {
   union {
@@ -1700,6 +1704,11 @@ struct ndpi_flow_struct {
 
   } protos;
 
+  struct {
+    uint8_t num_services;
+    struct ndpi_mdns_rsp_entry *services;
+  } mdns_metadata;
+
   /* **Packet** metadata for flows where monitoring is enabled. It is reset after each packet! */
   struct ndpi_metadata_monitoring *monit;
 

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -7830,6 +7830,14 @@ void ndpi_free_flow_data(struct ndpi_flow_struct* flow) {
 
     if(flow->tls_quic.obfuscated_heur_state)
       ndpi_free(flow->tls_quic.obfuscated_heur_state);
+
+  	if (flow->mdns_metadata.services) {
+  	  for(int i = 0; i < flow->mdns_metadata.num_services; i++) {
+        if (flow->mdns_metadata.services[i].name) ndpi_free(flow->mdns_metadata.services[i].name);
+        if (flow->mdns_metadata.services[i].data) ndpi_free(flow->mdns_metadata.services[i].data);
+  	  }
+  	  ndpi_free(flow->mdns_metadata.services);
+  	}
   }
 }