Greetings,
I'm mailing this list for guidance. I want to learn how to add a new
protocol or fix an existing protocol in nDPI. I've collected Spotify
packets and have been comparing them with the results; the pcap dump is available
here (
https://drive.google.com/file/d/13sN3BkkxNdud2Nr8szeZJMSu3KOtvU35/view?usp=sharing
).
Feeding this dump to ndpiReader, I get the following stats.
Detected protocols:
DNS packets: 66 bytes: 9465 flows: 33
MDNS packets: 121 bytes: 11111 flows: 4
NetBIOS packets: 15 bytes: 1380 flows: 1
SSDP packets: 157 bytes: 51525 flows: 48
SNMP packets: 4 bytes: 476 flows: 1
IGMP packets: 15 bytes: 682 flows: 6
TLS packets: 16095 bytes: 14205389 flows: 9
ICMPV6 packets: 12 bytes: 992 flows: 3
Google packets: 706 bytes: 165715 flows: 9
LLMNR packets: 42 bytes: 3370 flows: 22
Spotify packets: 87 bytes: 27349 flows: 4
Microsoft365 packets: 98 bytes: 47219 flows: 4
MS_OneDrive packets: 26 bytes: 7204 flows: 1
Following are a few questions; I hope someone could help me understand this
process more clearly.
Why does the majority of packets go under TLS? I understand it might be using
TLS, but shouldn't it be under Spotify? Does this mean the spotify.c in
protocols needs to be fixed?
How do you guys infer packet protocols by looking at the payload? I've seen a
few checks with hardcoded bytes, but what if the payload changes? Then our logic
would fail.
Regards,
Abid Zaidi