Hi Alfredo,

Do you mean "Packet no. 236" or "Byte no. 236" of the packet? Then what function does this line of code collectively perform?

get_u32(packet->payload, 236) == htonl(0x63825363)

Is 0x63825363 the protocol signature for DHCP?

Thank you.

On Wed, Sep 18, 2013 at 3:16 PM, <[email protected]> wrote:

> Message: 1
> Date: Wed, 18 Sep 2013 15:09:39 +0500
> From: Fizza Hussain <[email protected]>
> To: [email protected]
> Subject: [Ntop-dev] nDPI uses Aho-Corasick Algorithm for string matching?
>
> Hi,
>
> As far as I have explored the nDPI code (in particular dhcp.c file), nDPI
> performs port based detection as well as string-matching/signature-based
> detection. Below is an extract from the file src/lib/protocols/dhcp.c:
>
> Line#1: if (packet->payload_packet_len >= 244
> Line#2: && (packet->udp->source == htons(67) || packet->udp->source == htons(68)) && (packet->udp->dest == htons(67) || packet->udp->dest == htons(68))
> Line#3: && get_u32(packet->payload, 236) == htonl(0x63825363) && get_u16(packet->payload, 240) == htons(0x3501))
>
> In Line#1: packet size is being checked (UDP packet size is normally
> greater than 300 bytes, as far as I know, might be incorrect)
>
> In Line#2: source and destination port is being checked which is UDP/67 or
> UDP/68.
>
> In Line#3: What I have understood is that, first 236 bytes of the DHCP
> packet are matched against the signature (0x63825363).
>
> My Questions are:
>
> 1- How is this signature obtained? using Aho-Corasick Algorithm?
>
> 2- get_u32(packet->payload, 236): Am I right saying that this function
> matches first 236 bytes against the signature? If not, what does the number
> 236 represent?
>
> Thanks in advance.
>
> ------------------------------
>
> Message: 2
> Date: Wed, 18 Sep 2013 12:15:55 +0200
> From: Alfredo Cardigliano <[email protected]>
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [Ntop-dev] nDPI uses Aho-Corasick Algorithm for string matching?
>
> Hi Fizza
> get_u32(packet->payload, 236) does not compute a signature of the first
> 236 bytes, it returns a 32bit uint starting at packet[236].
>
> Alfredo
>
> ------------------------------
>
> End of Ntop-dev Digest, Vol 112, Issue 20

_______________________________________________
Ntop-dev mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
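
The condition discussed in this thread, worked through as an added C example (not nDPI's code and not part of any message above). It assumes the layout from RFC 2131: a 236-byte fixed BOOTP header, then the 4-byte magic cookie 63 82 53 63 at byte offset 236, then the options, so 236 is a byte offset into the UDP payload. `rd_u32`, `rd_u16`, `dhcp_msg_type` and `build_sample` are hypothetical names, and the sample payload is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

/* Stand-ins for get_u32/get_u16 (assumed behaviour, per the reply above):
 * return the raw 32/16-bit value starting at byte `off`, no byte swap. */
static uint32_t rd_u32(const uint8_t *p, size_t off) { uint32_t v; memcpy(&v, p + off, sizeof v); return v; }
static uint16_t rd_u16(const uint8_t *p, size_t off) { uint16_t v; memcpy(&v, p + off, sizeof v); return v; }

#define BOOTP_FIXED_LEN 236u          /* op..file: fixed BOOTP header (RFC 2131) */
#define DHCP_MAGIC      0x63825363u   /* magic cookie, bytes 63 82 53 63 on the wire */

/* Returns the DHCP message type if the payload passes the same checks as
 * the quoted condition, 0 otherwise. Ports are given in host byte order. */
int dhcp_msg_type(const uint8_t *payload, size_t len, uint16_t sport, uint16_t dport)
{
    /* Length first: bytes 236..243 must exist before any of them is read. */
    if (len < BOOTP_FIXED_LEN + 8) return 0;
    if ((sport != 67 && sport != 68) || (dport != 67 && dport != 68)) return 0;
    /* Constant comparison at a fixed offset; no string search is involved. */
    if (rd_u32(payload, 236) != htonl(DHCP_MAGIC)) return 0;
    /* Bytes 240..241: option code 53 (0x35), option length 1. */
    if (rd_u16(payload, 240) != htons(0x3501)) return 0;
    return payload[242];              /* option value: the message type */
}

/* Constructed sample: zeroed 244-byte payload, cookie, option 53 = 1, end option. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t tail[8] = { 0x63, 0x82, 0x53, 0x63, 0x35, 0x01, 0x01, 0xff };
    if (cap < 244) return 0;
    memset(buf, 0, 244);
    buf[0] = 1;                       /* op = BOOTREQUEST */
    memcpy(buf + 236, tail, sizeof tail);
    return 244;
}

int main(void)
{
    uint8_t pkt[244];
    size_t n = build_sample(pkt, sizeof pkt);
    return dhcp_msg_type(pkt, n, 68, 67) == 1 ? 0 : 1;
}
```

Because the option check reads a fixed offset, the condition as quoted only matches payloads whose first option after the cookie is option 53.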
