block ip for service #127

Closed
adrienb4 opened this issue Dec 8, 2015 · 23 comments

Comments

adrienb4 commented Dec 8, 2015

Hi

I would like to create a filter to block 'OCS GO', a French service (similar to Netflix).
Currently I can add the website, but what is the procedure to add an IP range?

I added this in ndpi_content_match.c.inc, but the IPs are not matching:

  /*
    OCS GO (Orange Cinéma Séries)
    178.248.208.0/21
  */
  { 0xB2F8D000 /* 178.248.208.0 */, 21, NDPI_SERVICE_OCS },

https://apps.db.ripe.net/search/query.html?searchtext=178.248.208.210#resultsAnchor

Thanks

Adrien

kYroL01 (Contributor) commented Dec 8, 2015

The procedure to recognize it is to add a subnet for a range of IP addresses.
For example: https://github.com/ntop/nDPI/blob/dev/src/lib/ndpi_content_match.c.inc#L63

but actually, nDPI cannot block a range of IPs.

adrienb4 (Author) commented Dec 8, 2015

For blocking, I converted nDPI into an iptables module. But when I use nDPI with ntop, no traffic matches this IP range.

@adrienb4 adrienb4 closed this as completed Dec 8, 2015
@adrienb4 adrienb4 reopened this Dec 8, 2015
adrienb4 (Author) commented Dec 8, 2015

I checked everything, and the IP range is not categorized. :(

kYroL01 (Contributor) commented Dec 8, 2015

It's because it's not enough to modify only ndpi_content_match.c.inc.
I'll show you how to do it.

adrienb4 (Author) commented Dec 8, 2015

Thank you!! You will allow me to progress :)

kYroL01 (Contributor) commented Dec 8, 2015

If you want to add a service, you have to modify two files: ndpi_content_match.c.inc and ndpi_protocol_ids.h.
In this second file you have to put a line in the service list like this:

#define NDPI_SERVICE_OCS                          (number)

where number is the n+1 number associated with the service you add.

Services begin from here: https://github.com/ntop/nDPI/blob/dev/src/include/ndpi_protocol_ids.h#L220

adrienb4 (Author) commented Dec 8, 2015

I also modified the second file.

ndpi_content_match.c.inc:

  /*
    OCS GO (Orange Cinéma Séries)
    178.248.208.0/21
  */
  { 0xB2F8D000 /* 178.248.208.0 */, 21, NDPI_SERVICE_OCS },
  { "ocs.fr",               "OCS",          NDPI_SERVICE_OCS, NDPI_PROTOCOL_FUN },
  { ".ocs.fr",              "OCS",          NDPI_SERVICE_OCS, NDPI_PROTOCOL_FUN },
  { ".ocsdomain.com",           "OCS",          NDPI_SERVICE_OCS, NDPI_PROTOCOL_FUN },

ndpi_protocol_ids.h:

#define NDPI_SERVICE_HOTSPOT_SHIELD                     215
#define NDPI_SERVICE_DAILYMOTION            219
#define NDPI_SERVICE_OCS                220

/* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */
#define NDPI_LAST_IMPLEMENTED_PROTOCOL          NDPI_SERVICE_OCS

I have tested with the URL only, and the traffic is classified. If I test with the IP RANGE only, the traffic is not classified.

I validated the IP range with tcpdump.

What is going on?
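Added example (not nDPI's own code, and not posted by either participant): the two-file procedure above boils down to a subnet table entry of the form `{ network, cidr, id }`, where the network is the IPv4 prefix as a host-order hex literal. The program below shows how that literal (0xB2F8D000 for 178.248.208.0) is derived from a dotted quad and a prefix length, and how a longest-prefix lookup over such a table decides which id an address gets, so you can check whether an address like 178.248.208.210 really falls in 178.248.208.0/21 before blaming the classifier. The struct and function names are local to this example, the value 220 for NDPI_SERVICE_OCS is taken from the ndpi_protocol_ids.h edit in this thread, and the lookup is a plain linear scan rather than nDPI's own data structure; hostname entries (the "ocs.fr" lines) are matched by a separate string automa in nDPI and are not covered here.

```c
/* Added example: nDPI-style subnet entries and longest-prefix lookup.
 * Not nDPI code; names are local to this example. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define NDPI_PROTOCOL_UNKNOWN 0
#define NDPI_SERVICE_OCS      220   /* value from the thread's ndpi_protocol_ids.h edit */

/* Shape of a subnet entry as written in ndpi_content_match.c.inc:
 * network in host byte order (matches the 0x... literals), prefix length, id. */
typedef struct {
  uint32_t network;
  uint8_t  cidr;
  uint16_t value;
} net_entry;

/* Parse "a.b.c.d" into a host-order 32-bit integer. Returns 1 on success, 0 on bad input. */
int parse_ipv4(const char *s, uint32_t *out) {
  unsigned a, b, c, d;
  char tail;
  if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
  if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
  *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
  return 1;
}

/* Network mask for a prefix length; cidr == 0 must not shift by 32 (undefined in C). */
static uint32_t prefix_mask(uint8_t cidr) {
  return cidr == 0 ? 0 : (uint32_t)(0xFFFFFFFFu << (32 - cidr));
}

/* Build an entry from a dotted quad and prefix length. The address is masked,
 * so a sloppy "178.248.210.5"/21 still yields network 0xB2F8D000. */
net_entry make_entry(const char *ip, uint8_t cidr, uint16_t value) {
  net_entry e = { 0, cidr, value };
  uint32_t addr = 0;
  if (parse_ipv4(ip, &addr)) e.network = addr & prefix_mask(cidr);
  return e;
}

/* Longest-prefix match: the most specific matching entry wins.
 * Returns NDPI_PROTOCOL_UNKNOWN when no entry covers the address. */
uint16_t lookup(const net_entry *tbl, size_t n, uint32_t addr) {
  int best = -1;
  uint16_t val = NDPI_PROTOCOL_UNKNOWN;
  for (size_t i = 0; i < n; i++) {
    if ((addr & prefix_mask(tbl[i].cidr)) == tbl[i].network && tbl[i].cidr > best) {
      best = tbl[i].cidr;
      val = tbl[i].value;
    }
  }
  return val;
}

/* Classify a dotted-quad string against a table. */
uint16_t classify_ip(const net_entry *tbl, size_t n, const char *ip) {
  uint32_t addr;
  return parse_ipv4(ip, &addr) ? lookup(tbl, n, addr) : NDPI_PROTOCOL_UNKNOWN;
}

/* The single entry discussed in the thread, written exactly as it appears there. */
static const net_entry ocs_table[] = {
  { 0xB2F8D000 /* 178.248.208.0 */, 21, NDPI_SERVICE_OCS },
};

uint16_t classify_ocs(const char *ip) {
  return classify_ip(ocs_table, sizeof(ocs_table) / sizeof(ocs_table[0]), ip);
}

int main(void) {
  net_entry e = make_entry("178.248.208.0", 21, NDPI_SERVICE_OCS);
  printf("{ 0x%08X /* 178.248.208.0 */, %u, NDPI_SERVICE_OCS },\n", e.network, e.cidr);

  /* Constructed probe addresses: first two are inside the /21, the third is just past it. */
  const char *probes[] = { "178.248.208.210", "178.248.215.255", "178.248.216.1" };
  for (size_t i = 0; i < 3; i++)
    printf("%-16s -> id %u\n", probes[i], classify_ocs(probes[i]));
  return 0;
}
```

The /21 covers 178.248.208.0 through 178.248.215.255, so 178.248.208.210 (the address in the RIPE query above) is inside it and 178.248.216.1 is not; if a capture shows traffic to the range but the flow still ends up elsewhere, the table entry itself is not the problem and the id registration is the next thing to check.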

kYroL01 (Contributor) commented Dec 9, 2015

Can you send me a pcap with a capture of these packets?
I need to reproduce what you see to understand it better.
Thanks

adrienb4 (Author) commented Dec 9, 2015

See the attached file (rename it to .pcap).
I created the OCS service with the parameters in this issue.

Thanks for your help.

ocs.txt

adrienb4 (Author) commented:

Hi @kYroL01

Did you find the cause of my issue?

Thanks

Adrien

kYroL01 (Contributor) commented Dec 15, 2015

Hi @adrienb4, sorry for answering you late. Maybe I'll find the problem, but until tomorrow I'll be too busy to work on it.
From tomorrow I'll come back to working on nDPI 100%, and first of all I'll try to solve this issue.
Be patient, please. :)

kYroL01 (Contributor) commented Dec 22, 2015

@adrienb4 I'm trying to understand the problem.
First of all, if you insert OCS as a service and not as a protocol, you cannot modify the line
#define NDPI_LAST_IMPLEMENTED_PROTOCOL
because OCS is put in as a service.
Second: I tried to put the name of the server as you did, but (also without the IP range) the traffic is not classified as "ocs". Are you sure the URL name is correct for the OCS servers?

adrienb4 (Author) commented:

@kYroL01
Yes, the URLs are correct. You can test with this site: http://ocs.fr/ and http://www.ocs.fr/
During my test the websites are OK (classified), but not the IP.

kYroL01 (Contributor) commented Dec 22, 2015

But how is it classified? What is the output of nDPI?

adrienb4 (Author) commented:

I'll give you the classification today. Thanks

adrienb4 (Author) commented:

For a service, if I do not modify the #define NDPI_LAST_IMPLEMENTED_PROTOCOL line, the service is NEVER classified. But it is classified with an increment.

For my new tests, I used this configuration:

  { "ocs.fr",                           "OCS",                  NDPI_SERVICE_OCS, NDPI_PROTOCOL_ACCEPTABLE },
  { ".ocs.fr",                          "OCS",                  NDPI_SERVICE_OCS,  NDPI_PROTOCOL_ACCEPTABLE },
  { ".ocsdomain.com",                   "OCS",                  NDPI_SERVICE_OCS, NDPI_PROTOCOL_ACCEPTABLE },

adrienb4 (Author) commented:

Using nDPI (1.7.1-dev-267-e0c6d80) [1 thread(s)]
Reading packets from pcap file /tmp/ocs.pcap...
Running thread 0...

WARNING: IPv4 fragments are not handled by this demo (nDPI supports them)


WARNING: only IPv4/IPv6 packets are supported in this demo (nDPI supports both IPv4 and IPv6), all other packets will be discarded


nDPI Memory statistics:
    nDPI Memory (once):      105.48 KB    
    Flow Memory (per flow):  1.91 KB      
    Actual Memory:           1.99 MB      
    Peak Memory:             1.99 MB      

Traffic statistics:
    Ethernet bytes:        2562097       (includes ethernet CRC/IFC/trailer)
    Discarded bytes:       57690        
    IP packets:            3534          of 3639 packets total
    IP bytes:              2477281       (avg pkt size 680 bytes)
    Unique flows:          88           
    TCP Packets:           3404         
    UDP Packets:           130          
    VLAN Packets:          0            
    MPLS Packets:          0            
    PPPoE Packets:         0            
    Fragmented Packets:    72           
    Max Packet size:       2808         
    Packet Len < 64:       1623         
    Packet Len 64-128:     156          
    Packet Len 128-256:    59           
    Packet Len 256-1024:   156          
    Packet Len 1024-1500:  1535         
    Packet Len > 1500:     5            
    nDPI throughput:       823.39 K pps / 4.45 Gb/sec
    Traffic throughput:    123.28 pps / 698.25 Kb/sec
    Traffic duration:      28.666 sec
    Guessed flow protos:   23           


Detected protocols:
    Unknown              packets: 76            bytes: 34056         flows: 3            
    DNS                  packets: 12            bytes: 2563          flows: 6            
    HTTP                 packets: 118           bytes: 13386         flows: 16           
    NetBIOS              packets: 3             bytes: 276           flows: 1            
    QuickTime            packets: 2320          bytes: 2040612       flows: 3            
    SSL                  packets: 75            bytes: 14451         flows: 5            
    DHCPV6               packets: 5             bytes: 805           flows: 1            
    Facebook             packets: 2             bytes: 320           flows: 1            
    Twitter              packets: 2             bytes: 324           flows: 1            
    YouTube              packets: 2             bytes: 336           flows: 1            
    Google               packets: 542           bytes: 232414        flows: 25           
    LLMNR                packets: 8             bytes: 592           flows: 4            
    OpenVPN              packets: 12            bytes: 1122          flows: 1            
    OCS                  packets: 357           bytes: 136024        flows: 20           


Protocol statistics:
    Safe                         15573 bytes
    Acceptable                  386384 bytes
    Fun                        2041268 bytes
    Unrated                      34056 bytes

kYroL01 (Contributor) commented Dec 23, 2015

OK, let me try your configuration and I'll let you know.
Maybe I understood the problem thanks to your help.

kYroL01 (Contributor) commented Dec 23, 2015

@adrienb4 I think I solved it! And I also inserted the IP range.
I used the pcap you sent me last time ;)
Before committing, I need to make some changes.
Wait please

adrienb4 (Author) commented:

Cool, I'm waiting for the solution to my problem :P

kYroL01 (Contributor) commented Dec 23, 2015

Fixed by bfded90

@kYroL01 kYroL01 closed this as completed Dec 23, 2015
adrienb4 (Author) commented Jan 7, 2016

@kYroL01: Thanks for your work. It works great :)

kYroL01 (Contributor) commented Jan 7, 2016

@adrienb4 You're welcome :)
