Hi Fizza,

get_u32(packet->payload, 236) does not compute a signature of the first 236 bytes; it returns a 32-bit uint starting at packet[236].

Alfredo

On Sep 18, 2013, at 12:09 PM, Fizza Hussain <[email protected]> wrote:

> Hi,
>
> As far as I have explored the nDPI code (in particular dhcp.c file), nDPI
> performs port based detection as well as string-matching/signature-based
> detection. Below is an extract from the file src/lib/protocols/dhcp.c:
>
> Line #1: if (packet->payload_packet_len >= 244
> Line #2: && (packet->udp->source == htons(67) || packet->udp->source == htons(68)) && (packet->udp->dest == htons(67) || packet->udp->dest == htons(68))
> Line #3: && get_u32(packet->payload, 236) == htonl(0x63825363) && get_u16(packet->payload, 240) == htons(0x3501))
>
> In Line #1: packet size is being checked (UDP packet size is normally greater
> than 300 bytes, as far as I know, might be incorrect)
> In Line #2: source and destination port is being checked which is UDP/67 or
> UDP/68.
> In Line #3: What I have understood is that, first 236 bytes of the DHCP packet
> are matched against the signature (0x63825363).
>
> My Questions are:
> 1- How is this signature obtained? using Aho-Corasick Algorithm?
> 2- get_u32(packet->payload, 236): Am I right saying that this function
> matches first 236 bytes against the signature? If not, what does the number
> 236 represent?
>
> Thanks in advance.
>
> _______________________________________________
> Ntop-dev mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-dev
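The check discussed in this thread, as an added example that is not part of the original messages or of nDPI's own code: it reads fixed offsets of the payload, where 236 is the length of the fixed BOOTP header, 0x63825363 is the DHCP magic cookie from RFC 2131, and 0x3501 is option 53 (DHCP Message Type) with length 1. The names `rd_u32`, `rd_u16`, `looks_like_dhcp` and `build_sample` are hypothetical, and the sample packet is constructed.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BOOTP fixed header: 28 bytes of fields + chaddr[16] + sname[64] + file[128] = 236 */
#define COOKIE_OFF 236
#define DHCP_MAGIC 0x63825363u /* RFC 2131 magic cookie */

/* Hypothetical stand-ins for nDPI's get_u32/get_u16: load raw bytes at an offset. */
static uint32_t rd_u32(const uint8_t *p, size_t off) { uint32_t v; memcpy(&v, p + off, sizeof v); return v; }
static uint16_t rd_u16(const uint8_t *p, size_t off) { uint16_t v; memcpy(&v, p + off, sizeof v); return v; }

static int is_dhcp_port(uint16_t port_n) { return port_n == htons(67) || port_n == htons(68); }

/* The three tests from the quoted dhcp.c lines; ports are in network byte order. */
int looks_like_dhcp(const uint8_t *payload, size_t len, uint16_t sport_n, uint16_t dport_n)
{
    if (len < 244) return 0;                                        /* Line #1 */
    if (!is_dhcp_port(sport_n) || !is_dhcp_port(dport_n)) return 0; /* Line #2 */
    return rd_u32(payload, COOKIE_OFF) == htonl(DHCP_MAGIC)         /* Line #3: cookie */
        && rd_u16(payload, 240) == htons(0x3501);                   /* option 53, length 1 */
}

/* Constructed sample: 236 header bytes set to `fill`, then cookie, option 53, end option. */
size_t build_sample(uint8_t *buf, size_t cap, uint8_t fill, int with_cookie)
{
    static const uint8_t tail[] = { 0x63, 0x82, 0x53, 0x63, 0x35, 0x01, 0x01, 0xff };
    if (cap < COOKIE_OFF + sizeof tail) return 0;
    memset(buf, fill, COOKIE_OFF);
    memcpy(buf + COOKIE_OFF, tail, sizeof tail);
    if (!with_cookie) buf[COOKIE_OFF] ^= 0xff; /* corrupt one cookie byte */
    return COOKIE_OFF + sizeof tail;
}

int main(void)
{
    uint8_t pkt[300];
    size_t n = build_sample(pkt, sizeof pkt, 0xAA, 1);
    printf("len=%zu match=%d\n", n, looks_like_dhcp(pkt, n, htons(68), htons(67)));
    n = build_sample(pkt, sizeof pkt, 0x00, 0);
    printf("bad cookie match=%d\n", looks_like_dhcp(pkt, n, htons(68), htons(67)));
    return 0;
}
```

The result does not depend on the contents of the first 236 bytes: only the bytes at offsets 236 to 241, the length and the ports are tested.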
