
fix: nDPI v5.0.0 upgrade, protocol detection fixes (VLAN/PIM/IGMP/H.245), responsive hex viewer & packet table #84

Merged
NotYuSheng merged 3 commits into main from fix/protocol-detection-ndpi-v5-hex-viewer-responsive
Mar 28, 2026

@NotYuSheng
Owner

Summary

  • Upgrades nDPI from Ubuntu 22.04's libndpi-bin 4.2-2 to nDPI 5.0.0 via ntop's apt repository, which includes H.225 session tracking — dynamically negotiated H.245 ports are now correctly classified as H323/VoIP instead of Cassandra
  • Removes the correctMisclassification() port-override workaround in NdpiService (nDPI 5.0.0 handles this natively)
  • Fixes VLAN-tagged traffic (802.1Q / QinQ) not producing conversations — raw-byte unwrapping handles VLAN→IP and VLAN→PPPoE→IP since pcap4j doesn't register Dot1qVlanTagPacket in its EtherType factory
  • Adds link-layer handlers for BSD null/loopback (DLT=0), raw IP (DLT=12), and Linux SLL cooked (DLT=113)
  • Extends FLOW_LINE regex from (TCP|UDP) to (\w+) so IGMP, GRE, OSPF, PIM, and other portless protocols are enriched by nDPI; port 0 is normalised to null for non-TCP/UDP flows
  • Adds IP-pair fallback indexing in NdpiService for portless flow resolution
  • HexViewer is now fully responsive: a ResizeObserver + hidden ruler span dynamically recalculates bytes-per-row as the container resizes, honouring the standard 3:1 hex-to-ascii character ratio
  • Packet stream table in ConversationDetail switches to table-layout: fixed with <colgroup> percentage widths and text-overflow: ellipsis on long cells

Test plan

  • Upload h245-rtp.pcap (VLAN + H.225/H.245/RTP/PIM/IGMP) — H.225 flows on port 1720 show H323/VoIP; dynamically negotiated H.245 port shows H323/VoIP (not Cassandra)
  • Upload voip-final.pcapng (VLAN→PPPoE→IP) — SIP and RTP conversations appear with correct app labels
  • Upload pim-reg.cap (BSD null/loopback) — PIM conversations appear with IP_PIM/Network
  • IGMP flows show app=IGMP, cat=Network (not empty)
  • Resize the conversation detail modal — hex viewer reflows bytes-per-row to fill available width
  • Source/destination columns with long IPv6 addresses truncate with ellipsis; hover shows full address

Closes #83

🤖 Generated with Claude Code
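
An added example, not code from this pull request: the link-layer unwrapping the description lists (802.1Q/QinQ tags, VLAN→PPPoE→IP, and the DLT 0, 12 and 113 handlers), sketched in JavaScript rather than the backend's Java. The function names, the returned object and the sample frames are constructed for illustration; frames that are truncated or carry no IP layer return null instead of throwing.

```javascript
// Added example (not TracePcap code): find where the IP header starts.
const DLT = { NULL: 0, EN10MB: 1, RAW: 12, LINUX_SLL: 113 };
const VLAN_TPIDS = new Set([0x8100, 0x88a8]); // 802.1Q, 802.1ad (QinQ outer tag)
const u16 = (b, i) => (i + 2 <= b.length ? (b[i] << 8) | b[i + 1] : -1);

// Accept the offset only if a plausible IP version nibble is actually there.
function checkIp(frame, offset, vlans) {
  if (offset >= frame.length) return null;
  const version = frame[offset] >> 4;
  return version === 4 || version === 6 ? { offset, version, vlans } : null;
}

// `pos` points at an EtherType field; peel VLAN tags, then optional PPPoE.
function fromEtherType(frame, pos) {
  const vlans = [];
  let type = u16(frame, pos);
  while (VLAN_TPIDS.has(type)) {
    const tci = u16(frame, pos + 2);
    if (tci < 0) return null;          // truncated tag
    vlans.push(tci & 0x0fff);          // VLAN ID = low 12 bits of the TCI
    pos += 4;                          // inner EtherType follows the TCI
    type = u16(frame, pos);
  }
  let ip = pos + 2;
  if (type === 0x8864) {               // PPPoE session: 6-byte header, 2-byte PPP protocol
    const ppp = u16(frame, ip + 6);
    if (ppp !== 0x0021 && ppp !== 0x0057) return null; // not IPv4/IPv6 over PPP
    ip += 8;
  } else if (type !== 0x0800 && type !== 0x86dd) {
    return null;                       // ARP, LLDP, truncated frame, ...
  }
  return checkIp(frame, ip, vlans);
}

function ipOffset(linkType, frame) {
  switch (linkType) {
    case DLT.EN10MB:    return fromEtherType(frame, 12); // after dst + src MAC
    case DLT.LINUX_SLL: return fromEtherType(frame, 14); // protocol field of the 16-byte header
    case DLT.NULL:      return checkIp(frame, 4, []);    // after the 4-byte address-family word
    case DLT.RAW:       return checkIp(frame, 0, []);
    default:            return null;
  }
}

// Constructed sample frames (hex), not taken from the PR's test captures.
const hex = (s) => Uint8Array.from(s.match(/../g), (h) => parseInt(h, 16));
const MACS = "020000000001020000000002";
const QINQ_PPPOE = hex(MACS + "88a80064" + "81000014" + "8864" + "110000010016" + "0021" + "45000014");
const VLAN_ARP = hex(MACS + "81000005" + "0806" + "0001");
const SLL_IPV4 = hex("0000000100060200000000020000" + "0800" + "45000014");
console.log(ipOffset(DLT.EN10MB, QINQ_PPPOE), ipOffset(DLT.EN10MB, VLAN_ARP));
```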

NotYuSheng and others added 2 commits March 28, 2026 18:46
…GMP/H.245

- Upgrade ndpiReader from Ubuntu 22.04's libndpi-bin 4.2-2 to nDPI 5.0.0
  from ntop's apt repository (packages.ntop.org/apt-stable/22.04/).
  nDPI 5.0.0 includes H.225 session tracking, so dynamically negotiated
  H.245 ports are now correctly classified as H323/VoIP instead of Cassandra.

- Remove correctMisclassification() workaround in NdpiService — nDPI 5.0.0
  handles H.225/H.245 natively so the port-based override is no longer needed.

- Extend FLOW_LINE regex from (TCP|UDP) to (\w+) so non-TCP/UDP protocols
  (IGMP, GRE, OSPF, PIM, SCTP) are parsed from ndpiReader output.
  Port 0 emitted by ndpiReader for portless protocols is normalised to null.
  Portless flows are also indexed by IP pair for fallback resolution.

- Add raw-byte VLAN unwrapping (802.1Q and QinQ) in PcapParserService to
  handle pcap4j not registering Dot1qVlanTagPacket in the EtherType factory.
  Supports VLAN→IP and VLAN→PPPoE→IP (resolves SIP/RTP/H.225 on VLAN nets).

- Add BSD null/loopback (DLT=0), raw IP (DLT=12), and Linux SLL (DLT=113)
  link-layer handlers so PIM and other protocols on those capture types are
  correctly decoded.

- Add resolveVlanInnerProtocolName() for human-readable protocol labels on
  non-IP VLAN frames (ARP, LLDP, PPPoE-Discovery, LLC, etc.).

Closes #83

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
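
An added example, not the project's NdpiService code: what widening the protocol group from (TCP|UDP) to (\w+) changes, with port 0 normalised to null and an IP-pair fallback index. The line layout is a simplified, constructed stand-in for ndpiReader output, and including the L4 protocol in the fallback key is this example's own choice so that two portless protocols between the same hosts do not overwrite each other.

```javascript
// Added example (not NdpiService code). The flow-line layout is a simplified,
// constructed stand-in for ndpiReader output.
const TAIL = String.raw`\s+(\S+):(\d+) <-> (\S+):(\d+) \[proto: ([^\]]+)\]\[cat: ([^\]]+)\]`;
const OLD_FLOW_LINE = new RegExp(String.raw`^\s*\d+\s+(TCP|UDP)` + TAIL);
const FLOW_LINE = new RegExp(String.raw`^\s*\d+\s+(\w+)` + TAIL);
const HAS_PORTS = new Set(["TCP", "UDP"]);

function parseFlow(line, re = FLOW_LINE) {
  const m = re.exec(line);
  if (!m) return null;
  const [, l4, src, sp, dst, dp, app, cat] = m;
  // Port 0 on a non-TCP/UDP flow means "no port", not a real port number.
  const port = (p) => (!HAS_PORTS.has(l4) && p === "0" ? null : Number(p));
  return { l4, src, srcPort: port(sp), dst, dstPort: port(dp), app, cat };
}

// Direction-independent keys: endpoints are sorted before joining.
const tupleKey = (l4, a, pa, b, pb) => l4 + "|" + [`${a}:${pa}`, `${b}:${pb}`].sort().join("|");
const pairKey = (l4, a, b) => l4 + "|" + [a, b].sort().join("|");

function buildIndex(lines) {
  const byTuple = new Map();
  const byPair = new Map();
  for (const f of lines.map((l) => parseFlow(l)).filter(Boolean)) {
    if (f.srcPort === null) byPair.set(pairKey(f.l4, f.src, f.dst), f);
    else byTuple.set(tupleKey(f.l4, f.src, f.srcPort, f.dst, f.dstPort), f);
  }
  return { byTuple, byPair };
}

// Exact 5-tuple first; portless conversations fall back to the IP pair.
function lookup(idx, l4, a, pa, b, pb) {
  if (pa != null && pb != null) {
    const hit = idx.byTuple.get(tupleKey(l4, a, pa, b, pb));
    if (hit) return hit;
  }
  return idx.byPair.get(pairKey(l4, a, b)) || null;
}

const SAMPLE = [ // constructed lines
  "1 TCP 10.0.0.5:49152 <-> 10.0.0.9:1720 [proto: H323][cat: VoIP]",
  "2 IGMP 10.0.0.5:0 <-> 224.0.0.22:0 [proto: IGMP][cat: Network]",
  "3 PIM 10.0.0.1:0 <-> 224.0.0.13:0 [proto: IP_PIM][cat: Network]",
];
console.log(parseFlow(SAMPLE[1], OLD_FLOW_LINE), parseFlow(SAMPLE[1]));
```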
HexViewer:
- Replace hardcoded BYTES_PER_ROW with ResizeObserver-driven calculation.
  A hidden ruler span ("XX " — 3 monospace chars) measures the exact character
  width at the rendered font size; bytes-per-row is recalculated whenever the
  container resizes, snapped to multiples of 8 (min 8).
- Formula: line = 8 + N×4 chars (4 offset + 2 gap + N×3 hex + 2 gap + N ascii),
  correctly preserving the standard 3:1 hex-to-ascii width ratio.

ConversationDetail packet stream table:
- Switch to table-layout: fixed with <colgroup> percentage widths so columns
  scale with the modal rather than being fixed pixel sizes.
- Add text-overflow: ellipsis + title attributes on source, destination,
  timestamp, and info cells to truncate long content gracefully.
- Remove table-responsive horizontal-scroll wrapper (no longer needed with
  fixed layout); keep overflow-y scroll + sticky header on the same container.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request enhances protocol detection and packet parsing by updating the backend to a newer nDPI version and adding manual support for VLAN, PPPoE, and various link-layer types like BSD loopback and Linux SLL. It also introduces a responsive hex viewer in the frontend that dynamically adjusts its layout based on the container width. Feedback suggests optimizing the Docker image size by removing temporary build dependencies, improving error handling by logging exceptions during packet parsing, and refactoring protocol resolution logic into a switch statement for better maintainability.

Comment thread backend/Dockerfile Outdated
Comment thread backend/src/main/java/com/tracepcap/analysis/service/PcapParserService.java Outdated
Comment thread backend/src/main/java/com/tracepcap/analysis/service/PcapParserService.java Outdated
- Purge curl and gnupg after ntop repo setup to reduce image size;
  ca-certificates is retained as a runtime dependency.
  Note: rm -rf /var/lib/apt/lists/* is intentionally omitted — BuildKit
  cache mounts on /var/cache/apt and /var/lib/apt already handle cleanup.
- Replace silent catch(Exception ignored) blocks with log.debug() calls
  in BSD loopback, raw IP, Linux SLL, and VLAN unwrap handlers so
  malformed packets surface during troubleshooting.
- Refactor resolveVlanInnerProtocolName() if-chain to a switch statement.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@NotYuSheng NotYuSheng merged commit 9eba1d2 into main Mar 28, 2026
@NotYuSheng NotYuSheng deleted the fix/protocol-detection-ndpi-v5-hex-viewer-responsive branch March 28, 2026 10:57

Development

Successfully merging this pull request may close these issues.

fix: protocol detection failures for VLAN traffic (SIP/RTP/H.225/H.245/PIM) and H.225 misidentified as Cassandra
