
Debug of NDPI #42


Comments

@Sacriyana

Hi,

Do you know how to activate the macro NDPI_LOG in the kernel?
I searched for it, but I didn't find it.

Thanks in advance

@betolj
Owner

betolj commented Oct 21, 2016

The debug_printf function was used in the old ndpi_init_detection_module API.

Unfortunately, I have a little free time. But this weekend I will check the problem related to SSL connections.

@Sacriyana
Author

I was thinking of the NDPI_LOG macro in the nDPI code.

I am trying to get the same level of detection as ndpiReader (the little program which comes with nDPI) in the kernel. For now I have done some research (nothing significant yet) and I will continue this week. If I find a solution, I will tell you.
Do you know a solution to avoid setting the detection of all protocols without rules in iptables? I have tried only iptables -t mangle -A (PREROUTING || POSTROUTING) -ndpi --dpi_check, but all packets are categorized as "unknown". Yet if I add some rules on SSL, HTTP or GOOGLE, I get some detection.
It's very weird. So I will compare the ndpiReader detection process and your code.

@betolj
Owner

betolj commented Oct 22, 2016

There are several differences between ndpiReader and ndpi-netfilter.

In ndpiReader the detection is made in sniffer mode (using libpcap), so by default this application can inspect everything on the network interface.

But in ndpi-netfilter the inspection is made per netfilter flow (inside the proper firewall chain), using the "flow struct". For this reason, we need to identify all packet directions. So the dpi_check is used only to map all possible flows to nDPI detection; no protocol is enabled at this moment.

All protocols are disabled when the xt_ndpi module is loaded. For performance reasons, a protocol is enabled only by a firewall rule (with the ndpi_enable_protocols function).

-- line 821 in main.c:

    for (i = 0; i <= NDPI_LAST_IMPLEMENTED_PROTOCOL; i++) {
        /* no firewall rule references this protocol yet */
        atomic_set(&protocols_cnt[i], 0);

        /* Mark HTTP based protocols (ranges of nDPI protocol ids) */
        if ((i > 118 && i < 127) || (i > 139 && i < 146) ||
            (i > 175 && i <= 218) || i == 70 || i == 133)
            nfndpi_protocols_http[i] = 1;
        else
            nfndpi_protocols_http[i] = 0;
    }

    /* disable all protocols; rules enable them later via ndpi_enable_protocols() */
    NDPI_BITMASK_RESET(protocols_bitmask);
    ndpi_set_protocol_detection_bitmask2(ndpi_struct, &protocols_bitmask);
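The following is an added user-space model of the behaviour betolj describes (protocols disabled at module load, enabled only while a firewall rule references them), not code from ndpi-netfilter or nDPI; the function names, the array sizes and the protocol id 91 are constructed for illustration. It shows why a ruleset consisting only of `--dpi_check` classifies every flow as unknown.

```c
/* Added example, not code from ndpi-netfilter: a user-space model of the
 * design described above. Names and the protocol id are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPROTO 256       /* constructed; stands in for NDPI_LAST_IMPLEMENTED_PROTOCOL+1 */
#define PROTO_UNKNOWN 0
#define PROTO_SSL_EX 91  /* constructed id used only by this example */

static uint64_t bitmask[NPROTO / 64];  /* models protocols_bitmask */
static unsigned rule_cnt[NPROTO];      /* models protocols_cnt[] */

static void bitmask_reset(void) { memset(bitmask, 0, sizeof bitmask); }
static int  bitmask_test(unsigned p) { return (int)((bitmask[p / 64] >> (p % 64)) & 1u); }
static void bitmask_set(unsigned p)  { bitmask[p / 64] |= (uint64_t)1 << (p % 64); }
static void bitmask_clr(unsigned p)  { bitmask[p / 64] &= ~((uint64_t)1 << (p % 64)); }

/* Module load: reset counters and disable every protocol, as main.c does. */
void module_init(void) {
    memset(rule_cnt, 0, sizeof rule_cnt);
    bitmask_reset();
}

/* A firewall rule naming protocol p is added: refcount it, enable on first use. */
void rule_add(unsigned p) {
    if (p < NPROTO && rule_cnt[p]++ == 0) bitmask_set(p);
}

/* A rule is removed: disable detection again once the last reference is gone. */
void rule_del(unsigned p) {
    if (p < NPROTO && rule_cnt[p] > 0 && --rule_cnt[p] == 0) bitmask_clr(p);
}

/* Result reported for a flow the detector would classify as `detected`.
 * With only --dpi_check rules the bitmask is empty, so everything is unknown. */
unsigned classify(unsigned detected) {
    if (detected >= NPROTO || !bitmask_test(detected)) return PROTO_UNKNOWN;
    return detected;
}

int main(void) {
    module_init();
    printf("before rule: %u\n", classify(PROTO_SSL_EX));  /* 0 (unknown) */
    rule_add(PROTO_SSL_EX);
    printf("after rule:  %u\n", classify(PROTO_SSL_EX));  /* 91 */
    return 0;
}
```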
