Discussion:
[Ntop] nDPI HTTP dissection
Семенищев Павел Леонидович
2017-07-19 07:06:10 UTC
Hello ntop team,

I was unpleasantly surprised that the nDPI product does not actually inspect the packets so deeply.
For example, it does not know how to parse HTTP packets and upload information about the User Agent.

As far as I understand, to solve my task, I have to use nProbe product with plug-ins?

Does Ntop plan to integrate plugins into the nDPI product?

Kind regards,
Pavel Semenishhev
Head of WiFi networks group

Enforta ("Prestige-Internet")
E-mail: ***@enforta.com
Phone: +7 (495) 739-75-59 (ext. 7718)
Mobile: +7 (903) 509-25-18
Skype: htechnoo
Address: Ovchinnikovskaya emb. 20, bldg. 2, Moscow, Russia, 115184
www.enforta.com
Семенищев Павел Леонидович
2017-07-19 08:12:49 UTC
Hi Luca,
Thanks for the answer. But why doesn’t my nDPI instance generate the HTTP_UA field? All HTTP fields but not UA. Do I have to make some settings?

Kind regards,
Pavel Semenishhev
Head of WiFi networks group
Enforta ("Prestige-Internet")
Mobile: +7 (903) 509-25-18

From: ntop-***@listgateway.unipi.it [mailto:ntop-***@listgateway.unipi.it] On Behalf Of Luca Deri
Sent: Wednesday, July 19, 2017 10:12 AM
To: ***@unipi.it
Cc: ***@listgateway.unipi.it
Subject: Re: [Ntop] nDPI HTTP dissection

Pavel,
not quite true: https://github.com/ntop/nDPI/blob/dev/src/lib/protocols/http.c#L272 . The information is parsed by nDPI, so apps (like ntopng or nProbe) can use it.

Regards Luca

_______________________________________________
Ntop mailing list
***@listgateway.unipi.it<mailto:***@listgateway.unipi.it>
http://listgateway.unipi.it/mailman/listinfo/ntop
Семенищев Павел Леонидович
2017-07-20 09:49:25 UTC
I use:
Ntopng: 3.0.170719 - Pro [Small Business Edition] Edition
nDPI: 2.0.0-836-3cfcc05

As far as I understand you, my nDPI instance can parse HTTP packets as much as possible, but the ntopng product itself cannot get this data from nDPI.
Am I right?

Do I need to use a different product for this?

Regards,
Pavel Semenishhev

From: ntop-***@listgateway.unipi.it [mailto:ntop-***@listgateway.unipi.it] On Behalf Of Simone Mainardi
Sent: Wednesday, July 19, 2017 4:19 PM
To: ***@unipi.it
Cc: ***@listgateway.unipi.it
Subject: Re: [Ntop] nDPI HTTP dissection

Pavel,


Can you please explain what your nDPI instance is?

If you have nProbe and you want the HTTP fields, then you need the HTTP plugin that gives you access to the following elements:

Plugin HTTP Protocol templates:
[NFv9 57652][IPFIX 35632.180] %HTTP_URL HTTP URL (IXIA URI)
[NFv9 57832][IPFIX 35632.360] %HTTP_METHOD HTTP METHOD
[NFv9 57653][IPFIX 35632.181] %HTTP_RET_CODE HTTP return code (e.g. 200, 304...)
[NFv9 57654][IPFIX 35632.182] %HTTP_REFERER HTTP Referer
[NFv9 57655][IPFIX 35632.183] %HTTP_UA HTTP User Agent
[NFv9 57656][IPFIX 35632.184] %HTTP_MIME HTTP Mime Type
[NFv9 57659][IPFIX 35632.187] %HTTP_HOST HTTP Host Name (IXIA Host Name)
[NFv9 57833][IPFIX 35632.361] %HTTP_SITE HTTP server without host name
[NFv9 57932][IPFIX 35632.460] %HTTP_X_FORWARDED_FOR HTTP X-Forwarded-For
[NFv9 57933][IPFIX 35632.461] %HTTP_VIA HTTP Via

Regards,

Simone
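
What pulling the User-Agent out of an HTTP request payload involves, as an added example that is not part of the original thread and is not nDPI or nProbe code. `extract_user_agent`, `UA_BUF` and the sample payloads are hypothetical names, and the parser assumes one HTTP/1.x request whose headers sit in a single buffer.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample payloads, not captured traffic. */
static const char REQ_WITH_UA[] = "GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
    "user-AGENT:  ExampleClient/1.0 \r\n\r\nUser-Agent: in-body";
static const char REQ_NO_UA[] = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\nUser-Agent: in-body";
static char UA_BUF[64];                        /* output buffer for the demo */

/* Hypothetical helper, not an nDPI API. Copies the User-Agent value into out; returns
 * its length, or -1 if the header is absent, a line is truncated, or out is too small. */
static int extract_user_agent(const unsigned char *p, size_t len, char *out, size_t out_len)
{
    static const char name[] = "user-agent:";
    const size_t nlen = sizeof(name) - 1;
    size_t pos = 0;
    while (pos < len) {
        const unsigned char *line = p + pos;
        const unsigned char *eol = memchr(line, '\n', len - pos);
        if (eol == NULL) return -1;            /* truncated: never read past len */
        size_t n = (size_t)(eol - line);
        if (n > 0 && line[n - 1] == '\r') n--; /* strip CR of CRLF */
        if (n == 0) return -1;                 /* blank line: headers are over */

        size_t i = 0;                          /* case-insensitive name match */
        while (i < nlen && i < n && tolower(line[i]) == name[i]) i++;
        if (i == nlen) {
            const unsigned char *v = line + nlen;
            size_t vlen = n - nlen;
            while (vlen > 0 && (*v == ' ' || *v == '\t')) { v++; vlen--; }
            while (vlen > 0 && (v[vlen - 1] == ' ' || v[vlen - 1] == '\t')) vlen--;
            if (vlen + 1 > out_len) return -1; /* value plus NUL must fit */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        pos += (size_t)(eol - line) + 1;       /* advance to the next line */
    }
    return -1;
}

int main(void)
{
    int n = extract_user_agent((const unsigned char *)REQ_WITH_UA, sizeof(REQ_WITH_UA) - 1, UA_BUF, sizeof(UA_BUF));
    printf("with UA: %d %s\n", n, n >= 0 ? UA_BUF : "(none)");
    printf("no UA: %d\n", extract_user_agent((const unsigned char *)REQ_NO_UA, sizeof(REQ_NO_UA) - 1, UA_BUF, sizeof(UA_BUF)));
    return 0;
}
```

The search stops at the blank line that ends the headers, so a `User-Agent:` string in the request body is never reported as the header.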


