Hi,

As far as I have explored the nDPI code (in particular the dhcp.c file), nDPI performs port-based detection as well as string-matching/signature-based detection. Below is an extract from the file src/lib/protocols/dhcp.c:

Line #1: if (packet->payload_packet_len >= 244
Line #2:     && (packet->udp->source == htons(67) || packet->udp->source == htons(68)) && (packet->udp->dest == htons(67) || packet->udp->dest == htons(68))
Line #3:     && get_u32(packet->payload, 236) == htonl(0x63825363) && get_u16(packet->payload, 240) == htons(0x3501))

In Line #1: the packet size is being checked (a UDP packet size is normally greater than 300 bytes, as far as I know; might be incorrect).
In Line #2: the source and destination ports are being checked, which are UDP/67 or UDP/68.
In Line #3: What I have understood is that the first 236 bytes of the DHCP packet are matched against the signature (0x63825363).

My questions are:
1- How is this signature obtained? Using the Aho-Corasick algorithm?
2- get_u32(packet->payload, 236): Am I right in saying that this function matches the first 236 bytes against the signature? If not, what does the number 236 represent?

Thanks in advance.
_______________________________________________ Ntop-dev mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-dev
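As an added worked example (not code from the original post or from nDPI itself), the C program below reproduces the quoted dhcp.c condition on a constructed DHCPDISCOVER: it reads a 4-byte value at byte offset 236, which is where the BOOTP/DHCP magic cookie 0x63825363 sits immediately after the 236-byte fixed header (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file), and a 2-byte value at offset 240, where 0x35 0x01 is option 53 (DHCP Message Type) with length 1. The helper names (be_u32, be_u16, looks_like_dhcp, dhcp_message_type, build_discover) and the sample packet are this example's own, not nDPI's. It goes one step beyond the quoted check by also walking the whole option list, so the case where option 53 is not the first option can be compared against the fixed-offset shortcut.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHCP_COOKIE_OFFSET 236          /* end of the fixed BOOTP header (op .. file) */
#define DHCP_MAGIC_COOKIE  0x63825363u  /* magic cookie that precedes the option list */
#define DHCP_OPT_MSG_TYPE  53           /* DHCP Message Type option (RFC 2132) */
#define DHCP_OPT_END       255
#define DHCP_MIN_LEN       244          /* cookie 236..239, option 53 code/len/value 240..242, end 243 */

/* Big-endian reads at a byte offset: the same effect as nDPI's get_u32()/get_u16()
 * followed by the htonl()/htons() comparison in the quoted condition. */
static uint32_t be_u32(const uint8_t *p, size_t off) {
    return ((uint32_t)p[off] << 24) | ((uint32_t)p[off + 1] << 16) |
           ((uint32_t)p[off + 2] << 8) | (uint32_t)p[off + 3];
}
static uint16_t be_u16(const uint8_t *p, size_t off) {
    return (uint16_t)(((uint16_t)p[off] << 8) | p[off + 1]);
}

/* The quoted heuristic. Ports are host-order here; dhcp.c compares the
 * network-order UDP header fields against htons(67)/htons(68), which is equivalent. */
int looks_like_dhcp(uint16_t sport, uint16_t dport, const uint8_t *payload, size_t len) {
    if (len < DHCP_MIN_LEN) return 0;                                   /* Line #1 */
    if (!(sport == 67 || sport == 68)) return 0;                        /* Line #2 */
    if (!(dport == 67 || dport == 68)) return 0;
    if (be_u32(payload, DHCP_COOKIE_OFFSET) != DHCP_MAGIC_COOKIE) return 0; /* Line #3: cookie at 236 */
    if (be_u16(payload, DHCP_COOKIE_OFFSET + 4) != 0x3501) return 0;    /* option 53, length 1, at 240 */
    return 1;
}

/* Full option walk: returns the DHCP Message Type value, or -1 if absent or malformed.
 * Handles pad (0), end (255), and options whose declared length runs past the datagram. */
int dhcp_message_type(const uint8_t *payload, size_t len) {
    size_t i = DHCP_COOKIE_OFFSET + 4;
    if (len < i || be_u32(payload, DHCP_COOKIE_OFFSET) != DHCP_MAGIC_COOKIE) return -1;
    while (i < len) {
        uint8_t code = payload[i];
        if (code == 0) { i++; continue; }                /* pad option has no length byte */
        if (code == DHCP_OPT_END) break;
        if (i + 1 >= len) return -1;                     /* no room for the length byte */
        uint8_t olen = payload[i + 1];
        if (i + 2 + olen > len) return -1;               /* option body runs past the payload */
        if (code == DHCP_OPT_MSG_TYPE && olen == 1) return payload[i + 2];
        i += 2 + olen;
    }
    return -1;
}

/* Constructed sample (not a capture): a DHCPDISCOVER from 00:11:22:33:44:55.
 * With type_first == 0 the Client-Identifier option (61) precedes option 53,
 * which is valid DHCP but is exactly what a fixed-offset check at 240 misses. */
size_t build_discover(uint8_t *buf, size_t cap, int type_first) {
    static const uint8_t cookie[]   = { 0x63, 0x82, 0x53, 0x63 };
    static const uint8_t msgtype[]  = { 53, 1, 1 };                         /* 1 = DHCPDISCOVER */
    static const uint8_t clientid[] = { 61, 7, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
    static const uint8_t chaddr[]   = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
    size_t i = DHCP_COOKIE_OFFSET + 4;
    if (cap < i + sizeof msgtype + sizeof clientid + 1) return 0;
    memset(buf, 0, cap);
    buf[0] = 1; buf[1] = 1; buf[2] = 6;                  /* op=BOOTREQUEST, htype=Ethernet, hlen=6 */
    buf[4] = 0x12; buf[5] = 0x34; buf[6] = 0x56; buf[7] = 0x78;  /* xid */
    memcpy(buf + 28, chaddr, sizeof chaddr);             /* chaddr */
    memcpy(buf + DHCP_COOKIE_OFFSET, cookie, sizeof cookie);
    if (type_first) {
        memcpy(buf + i, msgtype, sizeof msgtype);  i += sizeof msgtype;
        memcpy(buf + i, clientid, sizeof clientid); i += sizeof clientid;
    } else {
        memcpy(buf + i, clientid, sizeof clientid); i += sizeof clientid;
        memcpy(buf + i, msgtype, sizeof msgtype);  i += sizeof msgtype;
    }
    buf[i++] = DHCP_OPT_END;
    return i;
}

int main(void) {
    uint8_t pkt[300];
    size_t n = build_discover(pkt, sizeof pkt, 1);
    printf("option 53 first : heuristic=%d message_type=%d\n",
           looks_like_dhcp(68, 67, pkt, n), dhcp_message_type(pkt, n));
    n = build_discover(pkt, sizeof pkt, 0);
    printf("option 61 first : heuristic=%d message_type=%d\n",
           looks_like_dhcp(68, 67, pkt, n), dhcp_message_type(pkt, n));
    return 0;
}
```

Two points worth taking from running it. First, 0x63825363 is a fixed protocol constant compared at a fixed offset, so the check is a single integer comparison, not a search over the first 236 bytes; the 244-byte floor only guarantees that the reads at 236 and 240, plus the option value and an end byte, stay inside the payload. Second, the second packet shows the cost of the fixed-offset shortcut: every DHCP message must carry option 53, but nothing requires it to be the first option, so a classifier that has to be robust against unusual (or deliberately reordered) option lists should walk the options as dhcp_message_type does.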
