Yes and no.  

First off, you need to learn something about protocols and the differences
between tcp/ip, tcp and udp.

Bits move over wires.  Groups of those bits are combined into a 'frame'
which a low level protocol named 'Ethernet' understands (there are others
that ntop understands, but let's keep this simple).

ntop cares about this 'layer 2' protocol, because it contains (among other
things), the MAC address. So the Ethernet frame looks like this:
    srcMAC, dstMAC, flags, (data)

tcp/ip is the 'Transmission Control Protocol/Internet Protocol' (often just
called IP).  This is the (layer 3) protocol that interprets the data portion
of Ethernet frames (and other transport protocols, but let's still keep
things simple (hah)).  The tcp/ip packet looks sort of like this:

   srcIP, dstIP, flags, (data)

tcp and udp are the layer 4 protocols that interpret tcp/ip 'data' - this is
where the common 'port' numbers occur:

   srcPORT, dstPORT, flags, (data)


Put it all together and you get:

   srcMAC, dstMAC, flags, (srcIP, dstIP, flags, (srcPORT, dstPORT, flags,
(data)))


The -p | --protocol defines the port-based (layer 4) tcp/ip protocols that
ntop will monitor (i.e. count).  At this level, ntop does not distinguish
between tcp and udp.  A port is a port is a port...   In your typical list,
you are defining http (port 80 in /etc/services) and https (port 443 in
/etc/services) as a group called 'HTTP'.  ntop counts traffic on these ports
and combines it in one bucket for reporting.

So to add H.323, you would need to figure out the layer 4 ports that it
uses...

$ grep 323 /etc/services 
h323hostcallsc  1300/tcp                        # H323 Host Call Secure
h323hostcallsc  1300/udp                        # H323 Host Call Secure
h323gatedisc    1718/tcp
h323gatedisc    1718/udp
h323gatestat    1719/tcp
h323gatestat    1719/udp
h323hostcall    1720/tcp
h323hostcall    1720/udp
h323callsigalt  11720/tcp                       # H323 Call Signal Alternate
h323callsigalt  11720/udp                       # H323 Call Signal Alternate

So adding H323=1300|1718-1720|11720 will teach ntop to group all traffic on
those 5 ports together, count it and report on it.

BUT:

As we both know, H323 and other protocols aren't that simple.  Most
peer-to-peer (and VoIP fits in that category) protocols exchange a few setup
packets on the well-known ports and then switch to a (random port) <->
(random port) connection for the bulk of their traffic.  That traffic - on
the well-known ports - is all ntop sees out of the box.

To go beyond port numbers, ntop has CODE, which I usually call deep packet
inspection, that understands part of each protocol and deciphers it.  The
basic flow is from the libpcap device -> (directly or via queuePacket()
dequeuePacket()) to routines in pbuf.c called processPkt() and thence to
processIpPkt().

Inside processIpPkt() (and code called from it) are these blocks of
inspection code ... Some trivial, others quite complex.  To properly handle
a p2p type protocol, you would have to write quite a bit of code.  Much of
this is in handleTCPSession() - sessions.c in the 1800s.


So, put it all together and you get your "yes and no" answer.

If you want to take this further into the code, let's move to ntop-dev.

-----Burton


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aldo Werner
Sent: Wednesday, March 09, 2005 9:20 AM
To: [email protected]
Subject: [Ntop] can Ntop see RTP protocols ???

Hi all !!

I need your help....  in fact... 

...I need to know more about Ntop...  more exactly a
part to capture and watch the packets rtp...   

  ...Can I add the ports of H.323, SIP, UDP, RTP...
which are related to VoIP... into protocol.list???

thanks  for All....  

ALDO !!!!

my protocol.list is:

FTP=ftp|ftp-data,PROXY=3128|8080,HTTP=http|www|https,DNS=name|domain,Telnet=telnet|login,NBios-IP=netbios-ns|netbios-dgm|netbios-ssn,Mail=pop-2|pop-3|kpop|smtp|imap|imap2,SNMP=snmp|snmp-trap,NEWS=nntp,DHCP-BOOTP=67-68,NFS=mount|pcnfs|bwnfs|nfs|nfsd-status,X11=6000-6010,SSH=ssh,Gnutella=6346|6347|6348,Kazaa=1214,WinMX=6699|7730,eDonkey=4661-4665,Messenger=1863|5000|5001|5190-5193,

Chaooo   ...  bye!!!


_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
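As an added illustration of the port-based matching Burton describes (not ntop's own code, and not from either poster), the following Python models the protocol.list syntax he explains: `NAME=item|item`, where an item is a port, a `lo-hi` range, or a name looked up in /etc/services. The SERVICES excerpt is constructed from the grep output in the thread plus http/https; `entry_for` generates the `H323=1300|1718-1720|11720` line from those ports, and `classify` shows why media on random ports stays invisible to a port-only view.

```python
"""Model of ntop's protocol.list port grouping (illustrative, not ntop code)."""
import re

# Constructed /etc/services excerpt: the h323 lines quoted in the thread plus http/https.
SERVICES = """
http            80/tcp          www
https           443/tcp
h323hostcallsc  1300/tcp                        # H323 Host Call Secure
h323gatedisc    1718/tcp
h323gatestat    1719/tcp
h323hostcall    1720/tcp
h323callsigalt  11720/tcp                       # H323 Call Signal Alternate
"""

def load_services(text):
    """Map each service name and alias to its port; tcp/udp are not distinguished."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue
        port = int(fields[1].split("/")[0])
        for name in [fields[0]] + fields[2:]:    # primary name plus aliases
            names[name] = port
    return names

def parse_protocol_list(spec, names):
    """Turn 'HTTP=http|www|https,H323=1300|1718-1720' into {group: set(ports)}."""
    groups = {}
    for entry in filter(None, spec.split(",")):  # filter() tolerates a trailing comma
        group, items = entry.split("=", 1)
        ports = groups.setdefault(group, set())
        for item in items.split("|"):
            m = re.fullmatch(r"(\d+)-(\d+)", item)
            if m:
                ports.update(range(int(m.group(1)), int(m.group(2)) + 1))
            elif item.isdigit():
                ports.add(int(item))
            else:
                ports.add(names[item])           # KeyError for an unknown service name
    return groups

def classify(groups, src_port, dst_port):
    """Port-only view: first group owning either end's port, else None (unclassified)."""
    for group, ports in groups.items():
        if src_port in ports or dst_port in ports:
            return group
    return None

def entry_for(group, ports):
    """Collapse a port list into protocol.list syntax, e.g. H323=1300|1718-1720|11720."""
    runs = []
    for p in sorted(set(ports)):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p                      # extend the current consecutive run
        else:
            runs.append([p, p])
    return group + "=" + "|".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)
```

A call session on 1719 is bucketed as H323, while the RTP media that follows on two random ports returns None, which is the "no" half of the answer above.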