Hi,

As far as I have explored the nDPI code (in particular the dhcp.c file), nDPI
performs port-based detection as well as string-matching/signature-based
detection. Below is an extract from the file src/lib/protocols/dhcp.c:

Line #1: if (packet->payload_packet_len >= 244

Line #2:     && (packet->udp->source == htons(67) || packet->udp->source == htons(68)) && (packet->udp->dest == htons(67) || packet->udp->dest == htons(68))

Line #3:     && get_u32(packet->payload, 236) == htonl(0x63825363) && get_u16(packet->payload, 240) == htons(0x3501))


In Line #1: the packet size is being checked (the UDP packet size is normally
greater than 300 bytes, as far as I know; this might be incorrect).

In Line #2: the source and destination ports are being checked, which are UDP/67
or UDP/68.

In Line #3: what I have understood is that the first 236 bytes of the DHCP
packet are matched against the signature (0x63825363).


My Questions are:

1- How is this signature obtained? Using the Aho-Corasick algorithm?

2- get_u32(packet->payload, 236): Am I right in saying that this function
matches the first 236 bytes against the signature? If not, what does the number
236 represent?


Thanks in advance.
_______________________________________________
Ntop-dev mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
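The three-line predicate quoted above, rebuilt as an added worked example (editor's code, not nDPI's own) so the offsets can be checked against a real packet layout. Per RFC 2131 the BOOTP/DHCP fixed header (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file) is exactly 236 bytes, so offset 236 is where the 4-byte magic cookie 99.130.83.99 (0x63825363) sits, and 0x3501 at offset 240 is option tag 53 (DHCP Message Type) followed by its length byte 1. The get_u32/get_u16 helpers are assumed here to read raw bytes without byte swapping, which is why the comparison is made against htonl()/htons() of the expected value. The example also constructs a DHCPDISCOVER whose first option is 61 (client identifier), which is legal, to show that the offset-240 test misses it, and contrasts it with a small option walker; both sample packets and all names (ndpi_style_dhcp_match, dhcp_option_u8, build_discover) are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Assumed semantics of nDPI's get_u32/get_u16 (example helpers, not nDPI's):
 * copy the raw bytes at a byte offset into an integer with no byte swapping, so
 * the caller compares against htonl()/htons() of the expected network-order
 * value, exactly as the quoted dhcp.c lines do. memcpy avoids unaligned reads. */
static uint32_t get_u32(const uint8_t *p, size_t off) { uint32_t v; memcpy(&v, p + off, sizeof v); return v; }
static uint16_t get_u16(const uint8_t *p, size_t off) { uint16_t v; memcpy(&v, p + off, sizeof v); return v; }

#define DHCP_FIXED_HEADER_LEN 236u        /* RFC 2131: 4+4+2+2+16+16+64+128 bytes */
#define DHCP_MAGIC_COOKIE     0x63825363u /* 99.130.83.99 */
#define DHCP_OPT_PAD          0
#define DHCP_OPT_MSG_TYPE     53
#define DHCP_OPT_CLIENT_ID    61
#define DHCP_OPT_END          0xff

/* Same predicate as the quoted dhcp.c extract; UDP ports are passed in host order. */
int ndpi_style_dhcp_match(const uint8_t *payload, size_t len, uint16_t sport, uint16_t dport)
{
    if (len < 244) return 0;                                   /* Line #1 */
    if (!((sport == 67 || sport == 68) && (dport == 67 || dport == 68))) return 0; /* Line #2 */
    if (get_u32(payload, 236) != htonl(DHCP_MAGIC_COOKIE)) return 0;   /* Line #3: cookie */
    if (get_u16(payload, 240) != htons(0x3501)) return 0;              /* Line #3: opt 53, len 1 */
    return 1;
}

/* Robust alternative: walk the option area after the cookie and return the
 * one-byte value of option `code` (its length must equal `want_len`), or -1.
 * Handles PAD, stops at END, and refuses options that overrun the payload. */
int dhcp_option_u8(const uint8_t *payload, size_t len, uint8_t code, size_t want_len)
{
    size_t i = DHCP_FIXED_HEADER_LEN + 4;
    if (len < i || get_u32(payload, 236) != htonl(DHCP_MAGIC_COOKIE)) return -1;
    while (i < len) {
        uint8_t tag = payload[i++];
        if (tag == DHCP_OPT_PAD) continue;
        if (tag == DHCP_OPT_END) break;
        if (i >= len) return -1;                 /* tag with no length byte */
        size_t olen = payload[i++];
        if (i + olen > len) return -1;           /* truncated option: reject */
        if (tag == code && olen == want_len) return payload[i];
        i += olen;
    }
    return -1;
}

/* Constructed sample: a minimal DHCPDISCOVER from a client. With client_id_first
 * set, option 61 precedes option 53, which RFC 2131 permits. Returns bytes written. */
size_t build_discover(uint8_t *buf, size_t cap, int client_id_first)
{
    static const uint8_t mac[6] = {0x02, 0x00, 0x5e, 0x10, 0x20, 0x30}; /* made-up MAC */
    size_t i;
    if (cap < 260) return 0;
    memset(buf, 0, cap);
    buf[0] = 1; buf[1] = 1; buf[2] = 6;                        /* op=BOOTREQUEST, htype=Ethernet, hlen=6 */
    buf[4] = 0xde; buf[5] = 0xad; buf[6] = 0xbe; buf[7] = 0xef; /* xid */
    buf[10] = 0x80;                                            /* flags: broadcast */
    memcpy(buf + 28, mac, 6);                                  /* chaddr */
    buf[236] = 0x63; buf[237] = 0x82; buf[238] = 0x53; buf[239] = 0x63; /* magic cookie */
    i = 240;
    if (client_id_first) {
        buf[i++] = DHCP_OPT_CLIENT_ID; buf[i++] = 7; buf[i++] = 1;  /* len 7: htype + MAC */
        memcpy(buf + i, mac, 6); i += 6;
    }
    buf[i++] = DHCP_OPT_MSG_TYPE; buf[i++] = 1; buf[i++] = 1;      /* 1 = DHCPDISCOVER */
    buf[i++] = DHCP_OPT_END;
    return i;
}

int main(void)
{
    uint8_t pkt[300];
    size_t n = build_discover(pkt, sizeof pkt, 0);
    printf("opt53 first : len=%zu offset-check=%d walker=%d\n", n,
           ndpi_style_dhcp_match(pkt, n, 68, 67), dhcp_option_u8(pkt, n, DHCP_OPT_MSG_TYPE, 1));
    n = build_discover(pkt, sizeof pkt, 1);
    printf("opt61 first : len=%zu offset-check=%d walker=%d\n", n,
           ndpi_style_dhcp_match(pkt, n, 68, 67), dhcp_option_u8(pkt, n, DHCP_OPT_MSG_TYPE, 1));
    return 0;
}
```

The point the second sample makes: the quoted check is a fixed-offset test, not a learned or searched pattern, so it only fires when option 53 is the very first option after the cookie; the walker finds the message type wherever it appears and also rejects an option whose declared length runs past the end of the payload.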
