Mailing List Archive

Help required to identify protocols (Spotify)
Greetings,

I'm mailing this list for guidance. I want to learn how to add a new
protocol or fix an existing protocol in nDPI. I've collected Spotify
packets and have been comparing them with the results; the pcap dump is
available here (
https://drive.google.com/file/d/13sN3BkkxNdud2Nr8szeZJMSu3KOtvU35/view?usp=sharing
).
Feeding this dump to ndpiReader I get the following stats.


Detected protocols:
DNS packets: 66 bytes: 9465 flows: 33
MDNS packets: 121 bytes: 11111 flows: 4
NetBIOS packets: 15 bytes: 1380 flows: 1
SSDP packets: 157 bytes: 51525 flows: 48
SNMP packets: 4 bytes: 476 flows: 1
IGMP packets: 15 bytes: 682 flows: 6
TLS packets: 16095 bytes: 14205389 flows: 9
ICMPV6 packets: 12 bytes: 992 flows: 3
Google packets: 706 bytes: 165715 flows: 9
LLMNR packets: 42 bytes: 3370 flows: 22
Spotify packets: 87 bytes: 27349 flows: 4
Microsoft365 packets: 98 bytes: 47219 flows: 4
MS_OneDrive packets: 26 bytes: 7204 flows: 1

Following are a few questions; I hope someone could help me understand this
process more clearly.
Why does the majority of packets go under TLS? I understand it might be using
TLS, but shouldn't it be under Spotify? Does this mean the spotify.c in
protocols needs to be fixed?
How do you infer packet protocols by looking at the payload? I've seen a
few checks with hardcoded bytes, but what if the payload changes? Wouldn't our
logic fail?

Regards,
Abid Zaidi
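The two questions above are easiest to answer with code. What follows is an added illustration written for this thread; it is not nDPI's own code and not the fix referenced in the reply. It shows the two techniques a dissector combines: a fixed byte marker at a known offset (the "SpotUdp" marker on UDP port 57621, as I recall it from nDPI's spotify.c; verify against the current source) and structural parsing of a TLS ClientHello to read the SNI hostname, which is how an encrypted flow gets an application label on top of "TLS". The hostname-to-application table, the port numbers, the sample ClientHello and the sample datagram are all constructed for this example.

```c
/* Added illustration of how a DPI dissector infers a protocol from payload
 * bytes; this is not nDPI's code. It combines a fixed byte marker (Spotify's
 * LAN discovery datagrams) with structural parsing of a TLS ClientHello to read
 * the SNI hostname. Assumed: UDP port/marker as recalled from nDPI's spotify.c;
 * the hostname-to-application table is this example's own. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

enum proto { PROTO_UNKNOWN = 0, PROTO_TLS, PROTO_SPOTIFY };
struct verdict { enum proto master, app; };   /* nDPI-style "master.app", e.g. TLS.Spotify */
static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* SNI host_name from a TLS ClientHello. Every length is checked against the
 * buffer, so a truncated or malformed payload yields 0 instead of an over-read. */
static size_t tls_client_hello_sni(const uint8_t *pl, size_t len, char *out, size_t outcap) {
    size_t p, n, end;
    if (len < 9 || pl[0] != 0x16 || be16(pl + 3) + 5 > len || pl[5] != 0x01) return 0;
    p = 9;                                                      /* past record + handshake headers */
    if (p + 35 > len) return 0;  p += 34;                       /* client version + random */
    n = pl[p]; p += 1 + n;                                      /* session id */
    if (p + 2 > len) return 0;  n = be16(pl + p); p += 2 + n;   /* cipher suites */
    if (p + 1 > len) return 0;  n = pl[p]; p += 1 + n;          /* compression methods */
    if (p + 2 > len) return 0;  n = be16(pl + p); p += 2;       /* extensions length */
    if ((end = p + n) > len) return 0;
    while (p + 4 <= end) {
        size_t type = be16(pl + p), elen = be16(pl + p + 2);
        p += 4;
        if (p + elen > end) return 0;
        if (type == 0 && elen >= 5 && pl[p + 2] == 0) {        /* server_name, type host_name */
            size_t hlen = be16(pl + p + 3);
            if (5 + hlen > elen || hlen + 1 > outcap) return 0;
            memcpy(out, pl + p + 5, hlen); out[hlen] = '\0';
            return hlen;
        }
        p += elen;
    }
    return 0;
}

/* "api.spotify.com" and "spotify.com" match "spotify.com"; "notspotify.com" does not. */
static int host_in_domain(const char *host, const char *domain) {
    size_t hl = strlen(host), dl = strlen(domain);
    if (hl < dl || strcmp(host + hl - dl, domain) != 0) return 0;
    return hl == dl || host[hl - dl - 1] == '.';
}

/* Structural checks first (is this TLS at all?), then application evidence.
 * A TLS flow with no recognised hostname stays "TLS" with an unknown app. */
static struct verdict classify(int is_udp, uint16_t sport, uint16_t dport, const uint8_t *pl, size_t len) {
    struct verdict v = { PROTO_UNKNOWN, PROTO_UNKNOWN };
    char host[256];
    /* (1) hardcoded marker: "SpotUdp" on UDP 57621 (as recalled from nDPI's spotify.c) */
    if (is_udp && sport == 57621 && dport == 57621 && len >= 7 && memcmp(pl, "SpotUdp", 7) == 0) {
        v.master = PROTO_SPOTIFY; return v;
    }
    /* (2) TLS handshake record: classify the transport, then look for the app via SNI */
    if (!is_udp && len >= 5 && pl[0] == 0x16 && pl[1] == 0x03) {
        v.master = PROTO_TLS;
        if (tls_client_hello_sni(pl, len, host, sizeof host) &&
            (host_in_domain(host, "spotify.com") || host_in_domain(host, "scdn.co")))
            v.app = PROTO_SPOTIFY;            /* domain table is this example's assumption */
    }
    return v;
}

/* Constructed sample input: minimal TLS 1.2 ClientHello with only a server_name extension. */
static size_t build_client_hello(uint8_t *buf, size_t cap, const char *host) {
    size_t hlen = strlen(host), sni = 5 + hlen, ext = 4 + sni, body = 43 + ext, hs = 4 + body;
    uint8_t *p = buf;
    if (5 + hs > cap || hlen > 255) return 0;
    const uint8_t head[] = { 0x16, 0x03, 0x01, (uint8_t)(hs >> 8), (uint8_t)hs,    /* record header */
                             0x01, 0x00, (uint8_t)(body >> 8), (uint8_t)body,       /* handshake header */
                             0x03, 0x03 };                                           /* client version */
    memcpy(p, head, sizeof head); p += sizeof head;
    memset(p, 0xAB, 32); p += 32;                                                    /* client random */
    const uint8_t rest[] = { 0x00, 0x00, 0x02, 0xC0, 0x2F, 0x01, 0x00,   /* no sid, 1 suite, null compression */
                             (uint8_t)(ext >> 8), (uint8_t)ext, 0x00, 0x00, (uint8_t)(sni >> 8), (uint8_t)sni,
                             (uint8_t)((hlen + 3) >> 8), (uint8_t)(hlen + 3), 0x00, (uint8_t)(hlen >> 8), (uint8_t)hlen };
    memcpy(p, rest, sizeof rest); p += sizeof rest;
    memcpy(p, host, hlen); p += hlen;
    return (size_t)(p - buf);
}

/* Scenarios on constructed inputs; `cut` feeds only the first half of the ClientHello. */
static struct verdict demo_tls(const char *host, int cut) {
    uint8_t buf[512];
    size_t n = build_client_hello(buf, sizeof buf, host);
    return classify(0, 51234, 443, buf, cut ? n / 2 : n);
}
static struct verdict demo_udp_marker(void) {
    static const uint8_t dgram[] = "SpotUdp0\x00\x00\x00\x01";   /* constructed datagram */
    return classify(1, 57621, 57621, dgram, sizeof dgram - 1);
}
static const char *pname(enum proto p) { return p == PROTO_TLS ? "TLS" : p == PROTO_SPOTIFY ? "Spotify" : "Unknown"; }

int main(void) {
    const char *hosts[] = { "api.spotify.com", "example.org", "notspotify.com" };
    for (int i = 0; i < 3; i++) {
        struct verdict v = demo_tls(hosts[i], 0);
        printf("%-16s -> %s.%s\n", hosts[i], pname(v.master), pname(v.app));
    }
    printf("UDP SpotUdp datagram -> %s\n", pname(demo_udp_marker().master));
    return 0;
}
```

Build with `cc -std=c11 -Wall` on the file and run it. The output answers the first question: the TLS record is recognised structurally, so every such flow is counted under TLS, and it is promoted to TLS.Spotify only when the ClientHello carries a hostname the table knows; a flow whose ClientHello is missing or truncated stays plain TLS. For the second question, the hardcoded "SpotUdp" check is brittle by design, which is why dissectors layer several independent signals (port, marker, SNI, later the certificate or address ranges) rather than relying on one, and why a capture like the one attached is valuable as a regression test: if the application changes its wire format, the expected classification of the pcap changes and the break becomes visible.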
Re: Help required to identify protocols (Spotify)
Hi Abid,
Just fixed:
https://github.com/ntop/nDPI/commit/5afa3ad818a9bbfd83526f03507e60575c6c83bc

Regards, Luca

> On 2 Jun 2020, at 13:55, Abid Zaidi <abidzaidi.dev@gmail.com> wrote:
>
> Greetings,
>
> I'm mailing this list for guidance. I want to learn how to add a new protocol or fix an existing protocol in nDPI. I've collected Spotify packets and have been comparing them with the results; the pcap dump is available here ( https://drive.google.com/file/d/13sN3BkkxNdud2Nr8szeZJMSu3KOtvU35/view?usp=sharing ). Feeding this dump to ndpiReader I get the following stats.
>
>
> Detected protocols:
> DNS packets: 66 bytes: 9465 flows: 33
> MDNS packets: 121 bytes: 11111 flows: 4
> NetBIOS packets: 15 bytes: 1380 flows: 1
> SSDP packets: 157 bytes: 51525 flows: 48
> SNMP packets: 4 bytes: 476 flows: 1
> IGMP packets: 15 bytes: 682 flows: 6
> TLS packets: 16095 bytes: 14205389 flows: 9
> ICMPV6 packets: 12 bytes: 992 flows: 3
> Google packets: 706 bytes: 165715 flows: 9
> LLMNR packets: 42 bytes: 3370 flows: 22
> Spotify packets: 87 bytes: 27349 flows: 4
> Microsoft365 packets: 98 bytes: 47219 flows: 4
> MS_OneDrive packets: 26 bytes: 7204 flows: 1
>
> Following are a few questions; I hope someone could help me understand this process more clearly.
> Why does the majority of packets go under TLS? I understand it might be using TLS, but shouldn't it be under Spotify? Does this mean the spotify.c in protocols needs to be fixed?
> How do you infer packet protocols by looking at the payload? I've seen a few checks with hardcoded bytes, but what if the payload changes? Wouldn't our logic fail?
>
> Regards,
> Abid Zaidi
> _______________________________________________
> Ntop-dev mailing list
> Ntop-dev@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-dev