ntop / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0

BGP traffic is not detected #107

Closed jean-christophe-manciot closed 8 years ago

jean-christophe-manciot commented 8 years ago


lucaderi commented 8 years ago

Please provide a pcap file with BGP traffic

kYroL01 commented 8 years ago

@jean-christophe-manciot Try to see if now, after last commit, your BGP traffic is correctly detected. If not, please, provide a pcap. Thanks!

jean-christophe-manciot commented 8 years ago

pcap file: https://drive.google.com/file/d/0B5fXyIn0-GDFMjZaVXg4TFZtQVE/view?usp=sharing

kYroL01 commented 8 years ago

Ok. Thanks for the details.

kYroL01 commented 8 years ago

@jean-christophe-manciot Well, I opened your pcap with nDPI, and yes, no BGP is detected. But I also opened it with Wireshark and no BGP packet is detected!! The majority of the packets are Spanning Tree Protocol, which is different from BGP. Ok, an STP is needed in my opinion, but your pcap is not a BGP pcap. Maybe you passed a different pcap?


kYroL01 commented 8 years ago

The only thing that I agree with you on is the NetBIOS, which maybe needs to be fixed. I'll take a look.

jean-christophe-manciot commented 8 years ago

I confirm all the bugs described earlier, each one of them, from the pcap file I uploaded. The latest Wireshark 1.12.8 (along with the latest libpcap 1.7.4) is available here for Ubuntu 15.04: https://github.com/jean-christophe-manciot/wireshark

lmangani commented 8 years ago

@jean-christophe-manciot could you provide an example pcap for this condition with actual BGP packets to accelerate reproducing? In our lab tests traces containing BGP are correctly detected while the port used is not an element of course, unless forced to be so by use or protos mapping.

kYroL01 commented 8 years ago

@jean-christophe-manciot For the other points you posted in your list, I think that is not an nDPI issue (except NetBIOS), while it is speaking about ntopng.

jean-christophe-manciot commented 8 years ago

@lmangani: Cf. my second post in this thread. @kYroL01: I don't know what the specs of nDPI vs ntopng are; I suppose both dev teams pull together.

lmangani commented 8 years ago

@jean-christophe-manciot there are only BGP ports used in that PCAP and no BGP traffic as far as we could see. nDPI works by inspecting the protocol and not by assuming the ports unless instructed so.

As for the second question from @kYroL01, this is to keep issues in the repository where they belong (nDPI vs. ntopng) and to help our team track and work those issues efficiently. Thanks for understanding!
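A minimal payload-based BGP check of the kind lmangani describes above (classify by the BGP message header, never by TCP port 179 alone), added here as an illustration for this thread; it is not nDPI's own dissector, and the byte strings are constructed samples, not taken from the pcaps linked in the thread:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BGP_MARKER_LEN 16
#define BGP_HEADER_LEN 19
#define BGP_MAX_LEN    4096

/* Message types from RFC 4271 (1-4) and RFC 2918 (5). */
enum { BGP_OPEN = 1, BGP_UPDATE, BGP_NOTIFICATION, BGP_KEEPALIVE, BGP_ROUTE_REFRESH };

/* Minimum total message length for each type; index 0 is unused. */
static const uint16_t bgp_min_len[] = { 0, 29, 23, 21, 19, 23 };

/* Returns the BGP message type (1..5) if the TCP payload starts with a
 * well-formed BGP header, 0 otherwise. The port is deliberately not an input:
 * a segment sent to TCP/179 that fails these checks is not reported as BGP. */
int bgp_message_type(const uint8_t *payload, size_t len)
{
    if (payload == NULL || len < BGP_HEADER_LEN)
        return 0;
    for (size_t i = 0; i < BGP_MARKER_LEN; i++)      /* marker: 16 x 0xFF */
        if (payload[i] != 0xFF)
            return 0;
    uint16_t msg_len = (uint16_t)((payload[16] << 8) | payload[17]);
    uint8_t  type    = payload[18];
    if (type < BGP_OPEN || type > BGP_ROUTE_REFRESH)
        return 0;
    /* Length must be sane for the type and must not exceed what was captured. */
    if (msg_len < bgp_min_len[type] || msg_len > BGP_MAX_LEN || msg_len > len)
        return 0;
    return type;
}

/* Constructed samples (hypothetical, not from the pcaps in this thread). */
#define MARKER 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
/* OPEN: length 29, version 4, AS 65001, hold time 180, BGP id 10.0.0.1, no options */
const uint8_t sample_open[29] = { MARKER, 0x00,0x1D, 0x01, 0x04, 0xFD,0xE9, 0x00,0xB4, 10,0,0,1, 0x00 };
/* KEEPALIVE: header only, length 19 */
const uint8_t sample_keepalive[19] = { MARKER, 0x00,0x13, 0x04 };
/* Not BGP, even if it were sent to port 179: an ASCII request line */
const uint8_t sample_not_bgp[19] = "GET / HTTP/1.1\r\n\r\n";

int main(void)
{
    printf("open=%d keepalive=%d not_bgp=%d truncated=%d\n",
           bgp_message_type(sample_open, sizeof sample_open),
           bgp_message_type(sample_keepalive, sizeof sample_keepalive),
           bgp_message_type(sample_not_bgp, sizeof sample_not_bgp),
           bgp_message_type(sample_open, 20));  /* header claims 29 bytes, only 20 seen */
    return 0;
}
```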

jean-christophe-manciot commented 8 years ago

If I understand correctly, all these issues come from ntopng, not nDPI. How can we transfer this thread to ntop/ntopng?

jean-christophe-manciot commented 8 years ago

I will try to simulate some BGP traffic with an open connection between neighbors.

jean-christophe-manciot commented 8 years ago

Here's a pcapng file with an open BGP connection between peers with exchange of UPDATE: https://drive.google.com/file/d/0B5fXyIn0-GDFbU02TDNmX2daQnc/view?usp=sharing The results are the same with this traffic.

jean-christophe-manciot commented 8 years ago

I believe I've found the issue:

kYroL01 commented 8 years ago

@jean-christophe-manciot The issue for the missing detection of a protocol is good if you leave it on nDPI; the other things that you see wrong on ntopng (MAC addresses missing and things like this) are issues for ntopng. Thanks for the new pcap; tomorrow I'll take a look and follow your details. Thanks for the collaboration.

kYroL01 commented 8 years ago

Fixed BGP detection with 74b016c8b6d74e0c2c9be55fd3ac331d23bbdbb4