
Allow changing nDPI configuration when using PF_RING FT to disable DPI guess on giveup #965

Open
ronygut opened this issue Nov 11, 2024 · 7 comments

Comments

@ronygut

ronygut commented Nov 11, 2024

FT can return the nDPI handle with pfring_ft_get_ndpi_handle(table), on which you can call nDPI functions; however, calls like ndpi_set_config(handle, NULL, "dpi.guess_on_giveup", "0") must be made before the nDPI handle is finalized. This means we have to extend the FT API to allow that: ndpi_set_config() must be called before ndpi_finalize_initialization().

@cardigliano
Member

To handle this, FT provides the ability to set an external nDPI handle which can be customized/configured by the user. To use it, just remove the PFRING_FT_TABLE_FLAGS_DPI flag in pfring_ft_create_table, create an nDPI handle, and provide it to FT with pfring_ft_set_ndpi_handle right after pfring_ft_create_table.

Example:

```c
#include <ndpi_api.h>
#include <pfring_ft.h>

struct ndpi_detection_module_struct *ndpi_mod = ndpi_init_detection_module(NULL);
/* configuration must happen before ndpi_finalize_initialization() */
ndpi_set_config(ndpi_mod, NULL, "dpi.guess_on_giveup", "0");
NDPI_PROTOCOL_BITMASK all;
NDPI_BITMASK_SET_ALL(all);
ndpi_set_protocol_detection_bitmask2(ndpi_mod, &all);
ndpi_finalize_initialization(ndpi_mod);

/* flags = 0: PFRING_FT_TABLE_FLAGS_DPI is not set, so FT does not create its own nDPI handle */
pfring_ft_table *ft = pfring_ft_create_table(0, 4000000, 0, 0, 0);
pfring_ft_set_ndpi_handle(ft, ndpi_mod);
```

@ronygut
Author

ronygut commented Nov 13, 2024

@cardigliano , So I can use it already in the current version, right?
Thanks,
Rony.

@cardigliano
Member

Correct

@ronygut
Author

ronygut commented Nov 14, 2024

@cardigliano, it did not work. I used the attached PCAP, port 88 (the default Kerberos port), and it still gave me KERBEROS although it does not contain Kerberos data.
krb_null _pcap.txt
You need to rename the .txt to .pcap, as it did not let me attach the PCAP extension.
I added the above code to my app as you suggested.
Please advise.

@cardigliano
Member

I pushed an update which introduces a new PFRING_FT_TABLE_FLAGS_NO_GUESS flag for pfring_ft_create_table. This allows you to avoid the external ndpi handle. Please see ftflow_pcap.c as example (e.g. ftflow_pcap -i ~/krb_null.pcap -7 -N)

@ronygut
Author

ronygut commented Nov 18, 2024

@cardigliano
Should I get both NDPI dev branch and PF_RING dev branch, or only PF_RING dev branch for this change to work?

@cardigliano
Member

The patch is in PF_RING; however, you always need to keep both of them updated.
