John,

Within nDPI we have defined some default protocols (port based) and then in your 
case:

if you use the port 5355, nDPI reports a warning because you are redefining the 
port 5355 for your protocol but this port is already defined for the Link local 
Multicast Name Resolution 
(http://en.wikipedia.org/wiki/Link-local_Multicast_Name_Resolution).

A simple solution to your problem would be to use a different port.

I'm planning to add to the guide a list of ports that are currently defined so 
as to avoid problems like this.

Best Regards,
Filippo

On 09 Dec 2013, at 10:18, John Zhang <[email protected]> wrote:

> Thank you, Filippo.
> 
> I did follow the quick start guide you mentioned to add a new custom protocol, 
> but can't detect new traffic by ntopng and pcapreader.
> 
> Here I paste my config files and log below, FYI. Hope they are useful.
> 1. ntopng.conf
> cat /etc/ntopng/ntopng.conf
> -r=localhost:6379
> -w=3000
> -m="172.0.0.1/8"
> -G=/var/tmp/ntopng.pid
> -i=eth0
> -i=tcp://0.0.0.0:5556
> -p=/etc/ntopng/custome.protos
>  
> 2. protocol file: custome.protos
> cat /etc/ntopng/custome.protos
> # host:"<value>",host:"<value>",.....@<subproto>
> host:"googlesyndacation.com"@Google
> host:"venere.com"@Veneer
> host:"172.20.102.29"@hehe
> # <tcp|udp>:,<tcp|udp>:,.....@
> #tcp:81,tcp:8181@HTTP
> #udp:5061-5062@SIP
> #tcp:860,udp:860,tcp:3260,udp:3260@iSCSI
> tcp:3000@ntop
> udp:5355@T1
> udp:3702@T2
> udp:8612@T3
> tcp:8888@T4
>  
> 3. ntopng start up log
> ntopng /etc/ntopng/ntopng.conf
> 08/Dec/2013 11:02:29 [Ntop.cpp:457] Setting local networks to 172.0.0.1/8
> 08/Dec/2013 11:02:29 [AddressResolution.cpp:131] Rule '172.0.0.1'/'8'
> [NDPI] addDefaultPort(): found duplicate for port 5355     # Maybe here?
> 08/Dec/2013 11:02:29 [PF_RINGInterface.cpp:42] Reading packets from PF_RING 
> v.5.6.1 interface eth0...
> 08/Dec/2013 11:02:29 [Ntop.cpp:564] Registered interface eth0 [id: 0]
> [NDPI] addDefaultPort(): found duplicate for port 5355     # Maybe here?
> 08/Dec/2013 11:02:29 [Ntop.cpp:564] Registered interface 
> [email protected]:5556 [id: 1]
> 08/Dec/2013 11:02:29 [Utils.cpp:238] User changed to nobody
> 08/Dec/2013 11:02:29 [main.cpp:147] PID stored in file /var/tmp/ntopng.pid
> 08/Dec/2013 11:02:29 [HTTPserver.cpp:363] HTTP server listening on port 3000 
> [/usr/local/share/ntopng/httpdocs][/usr/local/share/ntopng/scripts]
> 08/Dec/2013 11:02:29 [main.cpp:179] Using RRD version 1.4.7
> 08/Dec/2013 11:02:29 [main.cpp:188] Working directory: /var/tmp/ntopng
> 08/Dec/2013 11:02:29 [main.cpp:190] Scripts/HTML pages directory: 
> /usr/local/share/ntopng
> 08/Dec/2013 11:02:29 [Ntop.cpp:161] Welcome to ntopng x86_64 v.1.1.1 (r7071) 
> - (C) 1998-13 ntop.org
> 08/Dec/2013 11:02:29 [Redis.cpp:46] Successfully connected to Redis 
> localhost:6379
> 08/Dec/2013 11:02:29 [PeriodicActivities.cpp:53] Started periodic activities 
> loop...
> 08/Dec/2013 11:02:29 [NetworkInterface.cpp:629] Started packet polling on 
> interface eth0...
> 08/Dec/2013 11:02:29 [NetworkInterface.cpp:629] Started packet polling on 
> interface [email protected]:5556...
> 08/Dec/2013 11:02:29 [CollectorInterface.cpp:100] Collecting flows...
> 08/Dec/2013 11:02:29 [PeriodicActivities.cpp:91] Starting script 
> /usr/local/share/ntopng/scripts/callbacks/second.lua
> 
> 
> Thanks!
> 
> Best regards,
> John
> 
> 2013/12/7 Filippo Fontanelli <[email protected]>
> Hi John 
> 
> You can find the nDPI quick start in 
> 
> nDPI/doc/
> 
> That explains how you can add a custom protocol to nDPI. 
> 
> 
>> On 06 Dec 2013, at 16:29, John Zhang <[email protected]> wrote:
>> 
> 
>> Hi everyone,
>> 
>> 
>> I want to add custom protocol detection to nDPI, I found the below great 
>> guide, and followed
>> http://www.ntop.org/ndpi/configuring-ndpi-for-custom-protocol-detection/
>> 
>> To add port-based protocol detection, I added the below line to the protocol 
>> file:
>> tcp:29000,tcp:29001@MYAP
> 
> This is correct
> 
>> 
>> 
>> 
>> But ntopng can't detect any traffic of new protocol, and also testing by 
>> pcapReader could not find.
> 
> Try to use the pcapreader command line with the parameter -p your.protos and 
> the parameter -v 2 to activate the verbose mode and check the flow stack
> 
> 
> Filippo 
> 
> On 06 Dec 2013, at 16:29, John Zhang <[email protected]> wrote:
> 
>> Hi everyone,
>> 
>> 
>> I want to add custom protocol detection to nDPI, I found the below great 
>> guide, and followed
>> http://www.ntop.org/ndpi/configuring-ndpi-for-custom-protocol-detection/
>> 
>> To add port-based protocol detection, I added the below line to the protocol 
>> file:
>> tcp:29000,tcp:29001@MYAPP
>> 
>> But ntopng can't detect any traffic of new protocol, and also testing by 
>> pcapReader could not find.
>> 
>> 
>> 
>> 
>> Anything I missed, or made wrong? Please help me.
>> 
>> 
>> 
>> 
>> Thank you in advance!
>> 
>> 
>> 
>> 
>> Best regards,
>> John
>> 
>> _______________________________________________
>> Ntop-misc mailing list
>> [email protected]
>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
> 
> 

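Added example (not part of the thread and not nDPI code): a pre-flight check that parses a protos file in the format quoted above and reports port rules that collide with already-defined ports or with each other. The function names and the `DEFAULT_PORTS` table are assumptions for illustration; only udp/5355 (LLMNR) is taken from this thread.

```python
import re

# Assumed sample of ports a DPI engine already maps by default. Only
# udp/5355 (LLMNR) is confirmed by this thread; the rest are placeholders.
DEFAULT_PORTS = {("udp", 5355): "LLMNR", ("udp", 53): "DNS", ("tcp", 80): "HTTP"}

PORT_RULE = re.compile(r"^(tcp|udp):(\d+)(?:-(\d+))?$")

def parse_port_rules(text):
    """Yield (line_no, l4, port, proto) for each port rule in a protos file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "@" not in line:
            continue
        rules, proto = line.rsplit("@", 1)
        for rule in rules.split(","):
            m = PORT_RULE.match(rule.strip())
            if not m:  # host:"..." rules and malformed entries are skipped
                continue
            low = int(m.group(2))
            high = int(m.group(3) or low)
            for port in range(low, high + 1):  # expand ranges like 5061-5062
                yield line_no, m.group(1), port, proto.strip()

def find_conflicts(text, defaults=DEFAULT_PORTS):
    """Return messages for ports that collide with defaults or each other."""
    seen, problems = {}, []
    for line_no, l4, port, proto in parse_port_rules(text):
        key = (l4, port)
        if key in defaults:
            problems.append(f"line {line_no}: {l4}:{port}@{proto} redefines default {defaults[key]}")
        elif key in seen and seen[key] != proto:
            problems.append(f"line {line_no}: {l4}:{port}@{proto} already mapped to {seen[key]}")
        seen.setdefault(key, proto)
    return problems

# Constructed sample modelled on the custome.protos file quoted above.
SAMPLE = '''\
host:"venere.com"@Veneer
#udp:5061-5062@SIP
tcp:3000@ntop
udp:5355@T1
udp:3702@T2
tcp:8888@T4
tcp:8880-8890@T5
'''

if __name__ == "__main__":
    for msg in find_conflicts(SAMPLE):
        print(msg)
```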