ntop / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0

nDPI does mark Cisco HSRP traffic as Skype VoIP #1002

Closed martinscheu closed 2 years ago

martinscheu commented 4 years ago

Hello

nDPI does mark Cisco HSRP (Hot Standby Router Protocol) as Skype traffic:

Screenshot 2020-09-01 at 08 10 33

pcap: skype-public.zip

nDPI Version: 3.3.0-2691-59ac73b3

regards, Martin

utoni commented 4 years ago

I can confirm this issue. It seems that the Skype detection patterns are not sufficient and need to be improved. Does PR #1003 fix the issue (quick-fix)?

IvanNardi commented 3 years ago

pcap: skype-public.zip

Hi @martinscheu, I know it was a long time ago, but any chance that you remember the origin of this trace? I am asking, because it is quite strange, IMO:

Are you sure that was HSRP traffic? Did you sanitize/anonymize this trace somehow? Thanks

IvanNardi commented 2 years ago

pcap: skype-public.zip

Hi @martinscheu, I know it was a long time ago, but any chance that you remember the origin of this trace? I am asking, because it is quite strange, IMO:

* according to all the HSRP documentation I have found, the IP destination of HSRP packets should always be some kind of multicast address

* the packets in the trace seem to be HSRPv2 (even if Wireshark is not able to recognize them!!) but they have a non-multicast (and global!!) address as IP destination

Are you sure that was HSRP traffic? Did you sanitize/anonymize this trace somehow? Thanks

@martinscheu, kindly pinging...
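
The destination-address check described in the comment above, written out as an added example (it is not part of the thread and not nDPI code). UDP port 1985 and the groups 224.0.0.2 (HSRPv1, RFC 2281) and 224.0.0.102 (HSRPv2) are not stated in the thread; the function and enum names are hypothetical and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Added example, not nDPI code; all names here are hypothetical. */
enum hsrp_dst {
  HSRP_NOT_CANDIDATE = 0, /* not IPv4/UDP to port 1985, or truncated */
  HSRP_GROUP_V1,          /* 224.0.0.2, the HSRPv1 group (RFC 2281) */
  HSRP_GROUP_V2,          /* 224.0.0.102, the HSRPv2 group */
  HSRP_OTHER_MULTICAST,   /* some other 224.0.0.0/4 address */
  HSRP_UNICAST_LOCAL,     /* private, loopback or link-local unicast */
  HSRP_UNICAST_GLOBAL     /* anything else, treated as global (simplified) */
};

static int in_net(uint32_t ip, uint32_t net, int bits) {
  return (ip >> (32 - bits)) == (net >> (32 - bits));
}

/* pkt points at the first byte of the IPv4 header. */
enum hsrp_dst hsrp_classify_dst(const uint8_t *pkt, size_t len) {
  if (len < 20 || (pkt[0] >> 4) != 4) return HSRP_NOT_CANDIDATE;
  size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
  if (ihl < 20 || len < ihl + 8 || pkt[9] != 17) return HSRP_NOT_CANDIDATE;
  /* Non-first fragments carry no UDP header, so there is no port to read. */
  if ((((pkt[6] & 0x1f) << 8) | pkt[7]) != 0) return HSRP_NOT_CANDIDATE;
  unsigned dport = ((unsigned)pkt[ihl + 2] << 8) | pkt[ihl + 3];
  if (dport != 1985) return HSRP_NOT_CANDIDATE;
  uint32_t dst = ((uint32_t)pkt[16] << 24) | ((uint32_t)pkt[17] << 16) |
                 ((uint32_t)pkt[18] << 8) | pkt[19];
  if (dst == 0xE0000002u) return HSRP_GROUP_V1;
  if (dst == 0xE0000066u) return HSRP_GROUP_V2;
  if (in_net(dst, 0xE0000000u, 4)) return HSRP_OTHER_MULTICAST;
  if (in_net(dst, 0x0A000000u, 8) || in_net(dst, 0xAC100000u, 12) ||
      in_net(dst, 0xC0A80000u, 16) || in_net(dst, 0x7F000000u, 8) ||
      in_net(dst, 0xA9FE0000u, 16))
    return HSRP_UNICAST_LOCAL;
  return HSRP_UNICAST_GLOBAL;
}

/* Constructed sample: minimal IPv4+UDP headers (TTL 1) for a given destination. */
enum hsrp_dst hsrp_classify_sample(uint32_t dst, uint16_t dport) {
  uint8_t p[28] = {0x45, 0, 0, 28, 0, 0, 0, 0, 1, 17};
  p[16] = (uint8_t)(dst >> 24); p[17] = (uint8_t)(dst >> 16);
  p[18] = (uint8_t)(dst >> 8);  p[19] = (uint8_t)dst;
  p[20] = 1985 >> 8; p[21] = 1985 & 0xff; /* source port */
  p[22] = (uint8_t)(dport >> 8); p[23] = (uint8_t)dport;
  return hsrp_classify_dst(p, sizeof p);
}
int main(void) { /* 203.0.113.10: documentation address standing in for a global one */
  printf("%d\n", hsrp_classify_sample(0xCB00710Au, 1985));
  return 0;
}
```

A result of `HSRP_UNICAST_GLOBAL` for a packet that otherwise parses as HSRP is the signal to question the capture (anonymized or rewritten addresses) before treating it as a classifier test case.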

IvanNardi commented 2 years ago

Closing for inactivity