Add First Packet Classification capability #2322

Open
IvanNardi opened this issue Feb 19, 2024 · 18 comments

Comments

@IvanNardi
Collaborator

In some contexts/deployments (load-balancing or QoS involved, routing on different interfaces based on classification...) it is quite important to have a flow classification on the very FIRST packet of the flow, even if that classification is not as precise as it could be if more packets were analyzed.

Note that, for TCP, "first packet" means (usually) the SYN packet...

@mmanoj
Contributor

mmanoj commented Jun 6, 2024

@IvanNardi

This is good to have. I would like to implement this feature, if you can guide me.

@IvanNardi
Collaborator Author

@mmanoj , very sorry for the delay.
FPC is a complex topic, but the easiest (and most obvious) ways to achieve that are:

  • via IP match, improving the IP lists. nDPI already has some IP lists of the most important services (see /util and utils/asn_update.sh). We might add some other protocols/lists.
  • using the DNS information. If clientA triggers the DNS transaction hostnameXXX/PROTOCOL_Y -> IP_XXX, then it is likely that a future flow from clientA to IP_XXX is related to PROTOCOL_Y.

If you are still interested, we can discuss the details.

@mmanoj
Contributor

mmanoj commented Jun 27, 2024

@IvanNardi Thanks for the reply. Yes, I'm interested and have done some initial work with the nDPI simple integration as well. Can we discuss the details with some actionable steps, so we can focus on the step-by-step implementation?

@IvanNardi
Collaborator Author

  1. Extend the IP lists. Take a look at the existing lists (in /util and utils/asn_update.sh) and try adding other ones: new important/used applications/services, new streaming services, new game networks, missing CDN providers.... There are already examples of integrating a list from a csv or txt file, or from BGP info: the hard part is to find an official/reliable source for those IPs...

  2. Create a new LRU cache where the key is the pair "Client_IP - Resolved_IP" and the value is a protocol id:

  • for each DNS A/AAAA pair create a new entry, where the protocol is the classification associated with the requested hostname
  • for each flow (at the very first packet) look up the cache using "SRC IP - DST IP" as the key and, if a match is found, save the protocol id into the ndpi_flow_struct structure as an "fpc result"
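The cache described in the two bullets above, as an added example that is not nDPI's own code (nDPI uses its own LRU cache helpers): an IPv4-only, direct-mapped table keyed on the ordered pair (client IP, resolved IP), filled from DNS A answers and consulted on a flow's first packet. The names fpc_cache_insert, fpc_cache_lookup and fpc_ip, and the protocol ids used, are assumptions.

```c
/* Added example, not nDPI code: a minimal (client IP, resolved IP) -> protocol
 * cache for First Packet Classification. IPv4 only, direct-mapped, with
 * overwrite on collision (a stand-in for nDPI's real LRU cache). */
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

#define FPC_CACHE_SLOTS   256
#define FPC_PROTO_UNKNOWN 0   /* constructed "no classification" id */

struct fpc_entry {
    uint32_t client_ip, resolved_ip; /* network byte order */
    uint16_t proto;                  /* protocol id of the resolved hostname */
    uint8_t  used;
};
static struct fpc_entry fpc_cache[FPC_CACHE_SLOTS];

/* Hash the address pair into a slot index (FNV-1a over the 8 key bytes).
 * The pair is ordered: (client, resolved) and (resolved, client) differ. */
static unsigned fpc_slot(uint32_t client_ip, uint32_t resolved_ip) {
    uint8_t key[8];
    uint32_t h = 2166136261u;
    memcpy(key, &client_ip, 4); memcpy(key + 4, &resolved_ip, 4);
    for (int i = 0; i < 8; i++) { h ^= key[i]; h *= 16777619u; }
    return h % FPC_CACHE_SLOTS;
}

/* Called for each DNS A answer seen from client_ip: remember that it
 * resolved resolved_ip for a hostname already classified as proto. */
void fpc_cache_insert(uint32_t client_ip, uint32_t resolved_ip, uint16_t proto) {
    struct fpc_entry *e = &fpc_cache[fpc_slot(client_ip, resolved_ip)];
    e->client_ip = client_ip; e->resolved_ip = resolved_ip;
    e->proto = proto; e->used = 1;
}

/* Called on the very first packet of a flow with its SRC/DST addresses:
 * returns the cached protocol id (the "fpc result"), or FPC_PROTO_UNKNOWN. */
uint16_t fpc_cache_lookup(uint32_t src_ip, uint32_t dst_ip) {
    const struct fpc_entry *e = &fpc_cache[fpc_slot(src_ip, dst_ip)];
    if (e->used && e->client_ip == src_ip && e->resolved_ip == dst_ip)
        return e->proto;
    return FPC_PROTO_UNKNOWN;
}

/* Helper to build addresses from dotted-quad strings (constructed samples). */
uint32_t fpc_ip(const char *dotted) {
    struct in_addr a;
    return inet_pton(AF_INET, dotted, &a) == 1 ? a.s_addr : 0;
}
```

A lookup only hits for the same client that issued the DNS query, so another host connecting to the same resolved address still falls through to regular classification.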

@mmanoj
Contributor

mmanoj commented Jul 2, 2024

@IvanNardi

Thanks for the update, I will work on the plan below.
Step #1. Start with action item #2 with the existing IP list to implement a PoC with the nDPI-Simple integration example.

Please clarify the point below: does the current nDPI DNS dissector support capturing the DNS answer (A/AAAA) records and the IP addresses associated with them, or does that part need to be developed? Anyway, I will look up the code as well.

Step #2. I will work on enhancing the new IP lists.

Please advise whether the above approach is fine or needs any changes.

IvanNardi added a commit to IvanNardi/nDPI that referenced this issue Jul 2, 2024
Let's start with some basic helpers and with FPC based on flow addresses.

See: ntop#2322
@IvanNardi
Collaborator Author

IvanNardi commented Jul 2, 2024

Please clarify the point below: does the current nDPI DNS dissector support capturing the DNS answer (A/AAAA) records and the IP addresses associated with them, or does that part need to be developed? Anyway, I will look up the code as well.

It already does it.

The plan sounds good.

Please, take a close look at #2488: once it is merged, it provides basic common code (and output...) that you might find useful...

@mmanoj
Contributor

mmanoj commented Jul 3, 2024

@IvanNardi

Thank you very much for the FPC base code, I will go through the fpc branch for details.

This is how I'm going to capture the first packet in the nDPI simple integration code:

tcp = (struct ndpi_tcphdr *)l4_ptr;
/* for TCP, the first packet of the flow is (usually) the SYN */
flow.is_flow_first_pkt = (tcp->syn == 1 ? 1 : 0);

/* Then: check first-packet logic */
if(flow.is_flow_first_pkt == 1 && flow.flow_ack_seen == 0)
{
  printf("\n This is First-Pkt........\n");
  /* Step 1: check in the LRU cache for the service/protocol based on "Client_IP - Resolved_IP" */
  /* Step 2: if not found in the LRU cache then classify and update the LRU cache.
     To classify I will use the following field from the FPC base code: flow->fpc.protocol */
}

Is the above logic and understanding fine? Please advise.

IvanNardi added a commit to IvanNardi/nDPI that referenced this issue Jul 3, 2024
Let's start with some basic helpers and with FPC based on flow addresses.

See: ntop#2322
IvanNardi added a commit that referenced this issue Jul 3, 2024
…#2488)

Let's start with some basic helpers and with FPC based on flow addresses.

See: #2322
@mmanoj
Contributor

mmanoj commented Jul 6, 2024

@IvanNardi

Can you please advise what the best way is to retrieve the category of the FPC protocol? I'm going to add that to the LRU cache as well, as it's useful for blocking certain categories rather than individual protocols.

I tried the following under the fpc_update() method but it did not work as expected: ndpi_proto->category = ndpi_get_flow_category(flow);

@mmanoj
Contributor

mmanoj commented Jul 8, 2024

@IvanNardi

I have done the base work for Action #2 (LRU cache), can I send the file(s) for review?

@IvanNardi
Collaborator Author

@IvanNardi

I have done the base work for Action #2 (LRU cache), can I send the file(s) for review?

Yes, please! These are busy days... I'll take a look at it (and at your previous messages...) at the end of the week.

@mmanoj
Contributor

mmanoj commented Jul 10, 2024

@IvanNardi

Thanks for the feedback, I appreciate your support. I will attach the files instead of opening a pull request; let's review the overall flow and structure of my FPC LRU cache implementation. Once reviewed, I will proceed with DNS FPC.

@mmanoj
Contributor

mmanoj commented Jul 12, 2024

ndpi_fpc_lru_cache.zip
@IvanNardi
Please find initial FPC_LRU cache related changes attached for your review.

Note: during testing I noticed ndpi_str->fpc_cache is not initialized. Need more debugging for that.

@IvanNardi
Collaborator Author

@mmanoj , could you push your code as a Pull Request, please? It will drastically improve the review process... Thanks

@mmanoj
Contributor

mmanoj commented Jul 12, 2024

@IvanNardi

Thanks for the feedback, I will arrange it by today.

@mmanoj
Contributor

mmanoj commented Jul 12, 2024

@IvanNardi

Please have a look at pull request #2497.

IvanNardi added a commit that referenced this issue Jul 22, 2024
Use DNS information to get a better First Packet Classification.

See: #2322

---------

Co-authored-by: Nardi Ivan <[email protected]>
@mmaatuq
Contributor

mmaatuq commented Aug 31, 2024

Can we make the FPC feature configurable, maybe through conditional compilation?
The reason for suggesting this: in some scenarios, to support FPC we might need additional heavy processing.

  • examples:

    • FTP control, FTP data: when you have to parse the FTP control connection for commands like PORT, PASV to extract the address/port for the data connection that will start.
    • in some other application protocols there will be a specific pattern you have to follow that will tell you a new connection will start for some new activities.
    • I don't have a strong opinion on this, as the requirements for FPC might not need to go for such heavy processing and we will just go with things like DNS, IPs, ports.

@IvanNardi
Collaborator Author

IvanNardi commented Aug 31, 2024

@mmaatuq , you can already enable/disable FPC via the "fpc" configuration parameter. You can take a look at the tests under tests/fpc_disabled/ for an example.

@mmaatuq
Contributor

mmaatuq commented Aug 31, 2024

@mmaatuq , you can already enable/disable FPC via the "fpc" configuration parameter. You can take a look at the tests under tests/fpc_disabled/ for an example.

Thanks for this.
