ntop / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0

OOKLA not detected #491

Closed dillinger79 closed 6 years ago

dillinger79 commented 6 years ago

ookla.zip I am uploading 2 Ookla traces that are not classified by nDPI.

kYroL01 commented 6 years ago

@dillinger79 I checked your traces and I see there is information to understand that the traffic is OOKLA. All the packets in the pcaps are just TCP. Only some TCP packets have a data part, but it is impossible to extract information to associate with OOKLA; same behaviour for the IP addresses and port used (traffic passed via 8080). I did a check running ndpiReader and www.speedtest.net/ and it seems that nDPI detects the traffic correctly:

Ookla packets: 11944 bytes: 10076005 flows: 31

1 TCP 192.168.1.102:59563 <-> 185.58.7.66:8080 [proto: 7.191/HTTP.Ookla][1461 pkts/97253 bytes <-> 2389 pkts/3276907 bytes][Host: srv-st01.arcolink.it:8080]

Reopen if necessary, but for me there is no issue

dillinger79 commented 6 years ago

I did a little further investigation on this, and as stated in this link https://support.speedtest.net/hc/en-us/articles/203845400-How-does-the-test-itself-work-How-is-the-result-calculated- the tests are now most of the time TCP and not HTTP. I've taken some traces from my mobile phone and nDPI classifies the speedtests as http_proxy, probably due to the 8080 port, but I have not been able to detect a pattern in the TCP payload that can be applied. Maybe someone has something in mind as to how nDPI could detect Ookla through TCP? Anyway, this is not a bug but a feature, I think.

kYroL01 commented 6 years ago

@dillinger79 the only way is the one we do in nDPI, so port + ip_address. Did you try to recompile the dev branch? Now your pcaps are successfully classified as OOKLA.
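
The classification logic discussed in this thread (an HTTP Host header for the HTTP variant of the test, server IP + port for the plain-TCP variant, and a port-only "http_proxy" guess when neither signal is present) as an added, self-contained example. This is illustrative code written for this page, not nDPI's own implementation: the server network list, the `speedtest` host marker and the sample flows are constructed for the example (the network range is chosen only so that the 185.58.7.66:8080 flow from the ndpiReader output above falls inside it; it is not Ookla's real address space).

```python
"""Toy flow classifier showing the two signals discussed in the thread.

Added example, not nDPI code. Signals:
  1. HTTP request whose Host header carries a speed-test marker  -> HTTP.Ookla
  2. Server IP in a known speed-test network AND known port      -> Ookla (or HTTP.Ookla if HTTP)
  3. Neither signal, plain TCP to port 8080                      -> HTTP_PROXY (port-only guess)
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# CONSTRUCTED for this example: NOT Ookla's real address space.
# Real detectors ship their own IP/port tables; this one just contains the
# /24 around the server seen in the ndpiReader output quoted above.
OOKLA_SERVER_NETS = [ip_network("185.58.7.0/24")]
OOKLA_PORTS = {8080}
# CONSTRUCTED host marker (assumption, not nDPI's rule).
OOKLA_HOST_MARKERS = ("speedtest",)


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str            # "TCP" or "UDP"
    payload: bytes = b""  # first client-to-server payload bytes, if any


def http_host(payload: bytes) -> Optional[str]:
    """Return the Host header value if the payload looks like an HTTP request, else None."""
    if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return None
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None


def matches_server(flow: Flow) -> bool:
    """Signal 2: destination IP inside a known speed-test network on a known port."""
    dst = ip_address(flow.dst_ip)
    return flow.dst_port in OOKLA_PORTS and any(dst in net for net in OOKLA_SERVER_NETS)


def classify(flow: Flow) -> str:
    """Return a protocol label in the spirit of ndpiReader's [proto: ...] field."""
    host = http_host(flow.payload)
    is_http = host is not None
    # Signal 1: Host header marker (only possible for the HTTP variant of the test).
    host_hit = is_http and any(m in host.lower() for m in OOKLA_HOST_MARKERS)
    if host_hit or matches_server(flow):
        return "HTTP.Ookla" if is_http else "Ookla"
    # Fallback: with no payload signature, a port-only guess is all that is left.
    # This is the weak step that mislabels unknown 8080 traffic as a proxy.
    if flow.proto == "TCP" and flow.dst_port == 8080:
        return "HTTP_PROXY"
    return "HTTP" if is_http else "Unknown"


# Constructed sample flows; 185.58.7.66 / srv-st01.arcolink.it are taken from the thread,
# 203.0.113.x is documentation space (RFC 5737).
SAMPLE_FLOWS = {
    "http_ookla": Flow("192.168.1.102", 59563, "185.58.7.66", 8080, "TCP",
                       b"GET / HTTP/1.1\r\nHost: srv-st01.arcolink.it:8080\r\n\r\n"),
    "tcp_ookla": Flow("192.168.1.102", 59564, "185.58.7.66", 8080, "TCP", b"\x00\x10\x7f\x01"),
    "unknown_8080": Flow("192.168.1.102", 59565, "203.0.113.5", 8080, "TCP", b"\x00\x10\x7f\x01"),
    "plain_http": Flow("192.168.1.102", 59566, "203.0.113.5", 80, "TCP",
                       b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "http_marker": Flow("192.168.1.102", 59567, "203.0.113.5", 80, "TCP",
                        b"GET /upload HTTP/1.1\r\nHost: speedtest.example\r\n\r\n"),
}


def classify_samples() -> dict:
    return {name: classify(flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:14s} -> {label}")
```

The `unknown_8080` sample shows the behaviour dillinger79 describes: a plain-TCP speed test to a server that is not in the IP table carries no payload signature, so the classifier can only fall through to the port-based HTTP_PROXY guess. That is why a detector built on IP + port only classifies correctly when its server table is current.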

dillinger79 commented 6 years ago

Oh, I will surely check right now, thanks.

dillinger79 commented 6 years ago

Well, I did recompile, but I do not see the Ookla classification; it is still http_proxy.

kYroL01 commented 6 years ago

Are you sure you're using the dev branch? It's impossible that you can't see Ookla with that branch.

dillinger79 commented 6 years ago

Yes, I am pretty sure. Which pcaps are you referring to? The test pcap of nDPI was always classified as Ookla; the pcaps I attached to this issue are still classified as http_proxy, as well as some extra pcaps that I have taken.