utoni
commented
2 years ago The issue here is that the kerberos protocol dissector's username parsing is completely wrong and needs to be fixed. Even the kerberos pcap in the nDPI repository does not result in any cname's and Wireshark confirms that there should be some.
Describe the bug
I have a pcap that I feed into a flow sensor that leverages the ndpi library for dissection. When dissecting some kerberos traffic I see some unexpected non alphanumeric characters within some of the fields.
Expected behavior
I expect printable alphanumeric characters to be contained within the kerberos fields within the ndpi flow struct
Obtained behavior
There are unexpected characters in the output of some Kerberos fields. In this field, only printable, alphanumeric characters were expected but other symbols were observed present.
00000510: 2c30 2c2c 302c 2c2c 2c2c 7465 7374 6265 ,0,,0,,,,,testbe 00000520: 6431 2e63 615c 39e2 b7fa a275 fe64 0f78 d1.ca\9....u.d.x 00000530: d1f2 ae31 ccb1 fcb1 325f c4c6 2c30 3b30 ...1....2_..,0;0
Note the characters after '.ca' in the above dump (output is from -dev).
nDPI Environment (please complete the following information):
config.logfile generated after./configureran (if you are building from source).How to reproduce the reported bug
Reproducible using ndpiReader? Yes
If applicable, the used ndpiReader options:
Default options
If your bug is reproducible using a pcap, please attach a pcap file (or a valid link to download it)
I've attached a zip file below with the pcap in question as well as output from the provided reader command for 4.0 4.2 and dev Example: kerberos.pcap
Steps to reproduce the behavior:
Run examples/pcapReader on pcap that contains Kerberos events. This is a subset of pcap taken from https://www.unb.ca/cic/datasets/ids-2017.html 'ThursdayWorkingHours.pcap'.
Additional context
Output seems to differ across versions which may make sense based on the changelog ndpi-bug.zip Please contact me if more details are required email: hleta@liveaction.com -Henry Leta