Closed jean-christophe-manciot closed 8 years ago
Please provide a pcap file with BGP traffic
@jean-christophe-manciot Try to see if now, after last commit, your BGP traffic is correctly detected. If not, please, provide a pcap. Thanks!
pcap file: https://drive.google.com/file/d/0B5fXyIn0-GDFMjZaVXg4TFZtQVE/view?usp=sharing
Ok. Thanks for the details.
@jean-christophe-manciot Well, I opened your pcap with nDPI, and yes, no BGP is detected. But I also opened it with Wireshark and no BGP packet is detected!! The majority of the packets are Spanning Tree Protocol, which is different from BGP. Ok, an STP is needed in my opinion, but your pcap is not a BGP pcap. Maybe you passed a different pcap?
The only thing that I agree with you on is the NetBIOS, which maybe needs to be fixed. I'll take a look.
I confirm all the bugs described earlier, each one of them; from the pcap file I uploaded: The latest Wireshark 1.12.8 (along with the latest libpcap 1.7.4) is available here for Ubuntu 15.04: https://github.com/jean-christophe-manciot/wireshark
@jean-christophe-manciot could you provide an example pcap for this condition with actual BGP packets to accelerate reproducing? In our lab tests traces containing BGP are correctly detected while the port used is not an element of course, unless forced to be so by use or protos mapping.
@jean-christophe-manciot For the other points you posted in your list, I think that is not an nDPI issue (except NetBIOS); they are about ntopng.
@lmangani: Cf. my second post in this thread. @kYroL01: I don't know what the specs of nDPI vs ntopng are; I suppose both dev teams pull together.
@jean-christophe-manciot there are only BGP ports used in that PCAP and no BGP traffic as far as we could see. nDPI works by inspecting the protocol and not by assuming the ports unless instructed to.
As for the second question from @kYroL01, this is to keep issues in the repository where they belong (nDPI vs. ntopng) and to help our team track and work those issues efficiently. Thanks for understanding!
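The point made above, that a DPI engine should recognise BGP by inspecting the payload rather than trusting port 179, can be illustrated with a minimal BGP header check. This is an added example and not nDPI's own dissector code; `looks_like_bgp` and the sample payloads are constructed here for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* BGP message header (RFC 4271): 16-byte all-ones marker, 2-byte length, 1-byte type. */
#define BGP_HDR_LEN 19
#define BGP_MAX_LEN 4096

enum { BGP_OPEN = 1, BGP_UPDATE = 2, BGP_NOTIFICATION = 3, BGP_KEEPALIVE = 4, BGP_ROUTE_REFRESH = 5 };

/* Hypothetical helper: returns 1 if a TCP payload starts with a well-formed BGP
 * message header, 0 otherwise. Port number is deliberately not an input. */
int looks_like_bgp(const uint8_t *payload, size_t len) {
    if (len < BGP_HDR_LEN) return 0;                 /* truncated header */
    for (int i = 0; i < 16; i++)
        if (payload[i] != 0xFF) return 0;            /* marker must be all ones */
    uint16_t msg_len = (uint16_t)((payload[16] << 8) | payload[17]);
    uint8_t type = payload[18];
    if (msg_len < BGP_HDR_LEN || msg_len > BGP_MAX_LEN) return 0;
    if (type < BGP_OPEN || type > BGP_ROUTE_REFRESH) return 0;
    /* Per-type minimum sizes: OPEN body is 10 bytes, UPDATE 4, NOTIFICATION 2,
     * KEEPALIVE has no body at all. */
    if (type == BGP_KEEPALIVE && msg_len != BGP_HDR_LEN) return 0;
    if (type == BGP_OPEN && msg_len < BGP_HDR_LEN + 10) return 0;
    if (type == BGP_UPDATE && msg_len < BGP_HDR_LEN + 4) return 0;
    if (type == BGP_NOTIFICATION && msg_len < BGP_HDR_LEN + 2) return 0;
    return 1;
}

/* Constructed samples (not taken from the pcaps in this thread). */
#define MARKER 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
static const uint8_t sample_keepalive[19] = { MARKER, 0x00, 0x13, 0x04 };
/* OPEN: version 4, AS 65000, hold time 180, router id 10.0.0.1, no optional params */
static const uint8_t sample_open[29] = { MARKER, 0x00, 0x1D, 0x01,
    0x04, 0xFD, 0xE8, 0x00, 0xB4, 0x0A, 0x00, 0x00, 0x01, 0x00 };
/* Non-BGP bytes that might well be sent to port 179 */
static const uint8_t sample_not_bgp[] = "GET / HTTP/1.1\r\n\r\n";

int main(void) {
    printf("keepalive: %d\n", looks_like_bgp(sample_keepalive, sizeof sample_keepalive));
    printf("open:      %d\n", looks_like_bgp(sample_open, sizeof sample_open));
    printf("not bgp:   %d\n", looks_like_bgp(sample_not_bgp, sizeof sample_not_bgp - 1));
    return 0;
}
```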
If I understand correctly, all these issues come from ntopng, not nDPI. How can we transfer this thread to ntop/ntopng?
I will try to simulate some BGP traffic with an open connection between neighbors.
Here's a pcapng file with an open BGP connection between peers with exchange of UPDATE: https://drive.google.com/file/d/0B5fXyIn0-GDFbU02TDNmX2daQnc/view?usp=sharing The results are the same with this traffic.
I believe I've found the issue:
@jean-christophe-manciot The issue for the missing detection of a protocol is fine to keep on nDPI; the other things that you see wrong on ntopng (MAC addresses missing and things like this) are issues for ntopng. Thanks for the new pcap; tomorrow I'll take a look and follow your details. Thanks for collaborating.
Fixed BGP detection with 74b016c8b6d74e0c2c9be55fd3ac331d23bbdbb4