ntop / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0

Low number of detected IP packets #847

Closed linparkkin closed 2 years ago

linparkkin commented 4 years ago

Hi everyone, I'm currently involved in a project where I need to use ndpiReader. As you can see from the attached image I have very few detected IP packets (just 452638 of 2231702). I noticed also that there are many VLAN packets to deal with, and it seems that nDPI is not able to dissect them or it does not recognize them as IP packets. What could be the reason? The packets are sFlow sampled and truncated at 128 bytes.

image

emarshswe commented 4 years ago

You need to supply a pcap that recreates this particular problem so we can investigate this. Screenshots will not cut it I'm afraid.

In my experience, nDPI has no problems recognizing VLAN packages. However, nDPI creates a flow hash id that includes VLAN as a part of the hash and I have had problems when VLAN is used for parts of the flow (but not for both directions). This would lead to a problem where nDPI is splitting flows if VLAN is not set in both directions of the flow. Hope this helps.
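The flow-splitting effect described in the comment above, as an added example that is not part of the thread and is not nDPI or ndpiReader code. It is a simplified model: the key layout, the two constructed frames and the names `parse_key` and `count_flows` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified flow key for illustration; not nDPI's own structure. */
struct flow_key { uint16_t vlan; uint8_t proto, pad, lo[6], hi[6]; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Constructed frames: UDP 10.0.0.1:40000 -> 10.0.0.2:53 tagged VLAN 100, then the untagged reply. */
static const uint8_t REQ[46] = { [12]=0x81,0x00, 0x00,0x64, 0x08,0x00, 0x45, [27]=17, [30]=10,0,0,1, 10,0,0,2, [38]=0x9C,0x40, 0x00,0x35 };
static const uint8_t REP[42] = { [12]=0x08,0x00, 0x45, [23]=17, [26]=10,0,0,2, 10,0,0,1, [34]=0x00,0x35, 0x9C,0x40 };

/* Derive a direction-independent key from a possibly truncated frame.
   Returns 0 on success, -1 if the frame is too short or not IPv4 TCP/UDP. */
int parse_key(const uint8_t *f, size_t len, int use_vlan, struct flow_key *k) {
    size_t o = 14, ihl;
    uint16_t type, vlan = 0;
    uint8_t s[6], d[6];                         /* endpoint = 4-byte IP + 2-byte port */
    if (len < o) return -1;
    type = be16(f + 12);
    while (type == 0x8100 || type == 0x88A8) {  /* skip 802.1Q / 802.1ad tags */
        if (len < o + 4) return -1;
        vlan = be16(f + o) & 0x0FFF;
        type = be16(f + o + 2);
        o += 4;
    }
    if (type != 0x0800 || len < o + 20 || (f[o] >> 4) != 4) return -1;
    ihl = (size_t)(f[o] & 0x0F) * 4;
    if (ihl < 20 || (f[o + 9] != 6 && f[o + 9] != 17) || len < o + ihl + 4) return -1;
    memcpy(s, f + o + 12, 4); memcpy(s + 4, f + o + ihl, 2);
    memcpy(d, f + o + 16, 4); memcpy(d + 4, f + o + ihl + 2, 2);
    memset(k, 0, sizeof *k);
    k->vlan = use_vlan ? vlan : 0; k->proto = f[o + 9];
    memcpy(k->lo, memcmp(s, d, 6) > 0 ? d : s, 6);  /* lower endpoint first, */
    memcpy(k->hi, memcmp(s, d, 6) > 0 ? s : d, 6);  /* so both directions match */
    return 0;
}

/* Number of distinct flows the request/reply pair maps to (1 or 2), -1 on parse error. */
int count_flows(int use_vlan) {
    struct flow_key k[2];
    if (parse_key(REQ, sizeof REQ, use_vlan, &k[0]) || parse_key(REP, sizeof REP, use_vlan, &k[1])) return -1;
    return memcmp(&k[0], &k[1], sizeof k[0]) == 0 ? 1 : 2;
}

int main(void) {
    printf("VLAN in key: %d flows, VLAN ignored: %d flow\n", count_flows(1), count_flows(0));
    return 0;
}
```

The length checks in `parse_key` also show why truncated captures matter: a frame cut before the transport ports cannot be keyed at all.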

lucaderi commented 4 years ago

@linparkkin Can you please provide a pcap for reproducing the issue?

IvanNardi commented 2 years ago

Missing traces. If you are still facing this problem, open a new issue and attach a full trace, please.