ntop / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0

Add First Packet Classification capability #2322

Open IvanNardi opened 4 months ago

IvanNardi commented 4 months ago

In some contexts/deployments (load-balancing or QoS involved, routing on different interfaces based on classification...) it is quite important to have a flow classification on the very FIRST packet of the flow, even if that classification is not as precise as it could be if more packets are analyzed.

Note that, for TCP, "first packet" means (usually) the SYN packet...

mmanoj commented 1 month ago

@IvanNardi

This is good to have, I would like to implement this feature, if you can guide me.

IvanNardi commented 1 week ago

@mmanoj, very sorry for the delay. FPC is a complex topic, but the easiest (and obvious) ways to achieve that are:

If you are still interested, we can discuss about the details

mmanoj commented 1 week ago

@IvanNardi Thx for the reply. Yes, I'm interested and have done some initial work with the nDPIsimple integration as well. Can we discuss in detail with some actionable steps, so we can focus on the step by step implementation?

IvanNardi commented 1 week ago

1) Extend the IP lists. Take a look at the existing lists (in /util and utils/asn_update.sh) and try adding other ones: new important/used applications/services, new streaming services, new game networks, missing CDN providers.... There are already examples about integrating a list from a csv or txt file, or from BGP info: the hard part is to find an official/reliable source for those IPs...

2) Create a new LRU cache where the key is the pair "Client_IP - Resolved_IP" and the value is a protocol id:

mmanoj commented 6 days ago

@IvanNardi

Thanks for the update, I will work on the below plan. Step #1. Start with action item #2 with the existing IP list to implement a PoC with the nDPI-Simple integration example.

Please clarify the below point: does the current nDPI DNS dissector support capturing the DNS answer (A/AAAA) record and the IP address associated with it, or does that part need to be developed? Anyway, I will look up the code as well.

Step #2. I will work on enhancing the new IP Lists.

Please advise if the above approach is fine or needs any changes.

IvanNardi commented 6 days ago

Please clarify the below point: does the current nDPI DNS dissector support capturing the DNS answer (A/AAAA) record and the IP address associated with it, or does that part need to be developed? Anyway, I will look up the code as well.

It already does it.

The plan sounds good.

Please, take a close look at #2488: once it is merged, it provides basic common code (and output...) that you might find useful...

mmanoj commented 5 days ago

@IvanNardi

Thank you very much for the FPC base code, I will go through the fpc branch for details.

This is how I'm going to capture the first packet in the nDPI simple integration code:

tcp = (struct ndpi_tcphdr *)l4_ptr;
flow.is_flow_first_pkt = (tcp->syn == 1 ? 1 : 0);

Then:

/* Check first Pkt logic */
if(flow.is_flow_first_pkt == 1 && flow.flow_ack_seen == 0) {
  printf("\n This is First-Pkt........\n");

Step 1: check in LRU cache for the service/protocol based on "Client_IP - Resolved_IP"

Step 2: if not found in LRU cache then classify and update the LRU cache. To classify I will use below method from FPC base code:

flow->fpc.protocol, }

Is the above logic and understanding fine? Please advise.
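A toy version of the cache Ivan describes in item 2 (key "Client_IP - Resolved_IP", value a protocol id) together with the SYN-time lookup mmanoj outlines in steps 1 and 2, written in C as an added example. It is not nDPI code: the struct names, the fixed four-slot array with LRU eviction, the host-order IPv4 keys and the protocol ids are all constructed for illustration.

```c
/* Added example, not nDPI code: a minimal "Client_IP - Resolved_IP -> proto id"
 * cache with LRU eviction. Names, slot count and protocol ids are constructed. */
#include <stdint.h>
#include <string.h>

#define FPC_CACHE_SLOTS   4   /* tiny on purpose so eviction is visible */
#define FPC_PROTO_UNKNOWN 0

struct fpc_entry {
  uint32_t client_ip, resolved_ip; /* key: IPv4 pair, host byte order */
  uint16_t proto_id;               /* value: protocol learned from the DNS answer */
  uint64_t last_used;              /* logical clock used for LRU eviction */
  int      in_use;
};

struct fpc_cache {
  struct fpc_entry slots[FPC_CACHE_SLOTS];
  uint64_t clock;
};
void fpc_cache_init(struct fpc_cache *c) { memset(c, 0, sizeof(*c)); }

/* Fed from the DNS dissector: client_ip resolved a name whose A record is
 * resolved_ip, and that name maps to proto_id. Updates in place or evicts LRU. */
void fpc_cache_update(struct fpc_cache *c, uint32_t client_ip,
                      uint32_t resolved_ip, uint16_t proto_id) {
  int victim = 0;
  for (int i = 0; i < FPC_CACHE_SLOTS; i++) {
    struct fpc_entry *e = &c->slots[i];
    if (e->in_use && e->client_ip == client_ip && e->resolved_ip == resolved_ip) {
      e->proto_id = proto_id; e->last_used = ++c->clock; return;
    }
    if (!e->in_use) { victim = i; break; }        /* free slot beats eviction */
    if (e->last_used < c->slots[victim].last_used) victim = i;
  }
  c->slots[victim] = (struct fpc_entry){client_ip, resolved_ip, proto_id, ++c->clock, 1};
}

/* First-packet lookup (for TCP, on the SYN): is this client talking to an
 * address it just resolved? A hit also refreshes the entry's LRU position. */
uint16_t fpc_cache_lookup(struct fpc_cache *c, uint32_t client_ip, uint32_t server_ip) {
  for (int i = 0; i < FPC_CACHE_SLOTS; i++) {
    struct fpc_entry *e = &c->slots[i];
    if (e->in_use && e->client_ip == client_ip && e->resolved_ip == server_ip) {
      e->last_used = ++c->clock;
      return e->proto_id;
    }
  }
  return FPC_PROTO_UNKNOWN;
}
```

A miss on the SYN means the flow falls through to the normal dissectors, and a hit is only as trustworthy as the DNS answer that populated it, so the cache is a hint for the first packet, not a final verdict.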

mmanoj commented 2 days ago

@IvanNardi

Can you please advise what is the best way to retrieve the category of the FPC protocol? I'm going to add that also to the LRU cache as it's useful for blocking certain categories rather than individual protocols.

I tried the below under the fpc_update() method but it does not work as expected:

ndpi_proto->category = ndpi_get_flow_category(flow);

mmanoj commented 8 hours ago

@IvanNardi

I have done the base work for the Action #2 LRU cache, can I send the file(s) for review?