TFTP with blksize option being recognized as NOE #2075

Closed
1 task done
thomasjwinter opened this issue Aug 21, 2023 · 1 comment

thomasjwinter commented Aug 21, 2023

Describe the bug

TFTP transaction with blksize options is being detected as the NOE protocol.

This is happening because the Optional Acknowledgement tftp packet with the blksize option happens to match the check in the noe dissector. I don't know if this is actually intentional as I've never heard of the noe protocol before.

noe.c:

    } else if((packet->payload_packet_len >= 25) &&
              (packet->payload[0] == 0x00 &&
               packet->payload[1] == 0x06 &&
               packet->payload[2] == 0x62 &&
               packet->payload[3] == 0x6c)) {
      ndpi_int_noe_add_connection(ndpi_struct, flow);
      return;
    }

tftp packet 2:

0x00 0x06 0x62 0x6c
2 byte opcode 0x00 0x06 is Optional Acknowledgement
0x62 0x6c is ASCII for 'bl', part of the blksize option string following the opcode

I have submitted a pull request #2074 to improve tftp detection with options but this issue still remains.

Expected behavior

TFTP transaction with blksize options should be detected as TFTP.

Obtained behavior

TFTP transaction with blksize options is being detected as the NOE protocol.

nDPI Environment (please complete the following information):

  • OS name: Ubuntu
  • OS version: 20.04
  • Architecture: x86
  • nDPI version or commit hash: 4.6

How to reproduce the reported bug

Reproducible using ndpiReader?

  • The reported bug is reproducible using ndpiReader.

If applicable, the used ndpiReader options:

    ./ndpiReader -i tftp_as_noe.pcap
    Detected protocols:
            TFTP                 packets: 1             bytes: 87            flows: 1
            NOE                  packets: 139           bytes: 106418        flows: 1

If your bug is reproducible using a pcap, please attach a pcap file (or a valid link to download it)

Example: tftp_as_noe.pcap

Steps to reproduce the behavior:

  1. Run '...'
  2. Set '....'
  3. Do '....'
  4. See error

Additional context

Add any other context about the problem here.

@thomasjwinter
Contributor Author

tftp_as_noe.tar.gz

utoni added a commit to utoni/nDPI that referenced this issue Nov 14, 2023
Signed-off-by: Toni Uhlig <[email protected]>
utoni added a commit to utoni/nDPI that referenced this issue Nov 21, 2023
Signed-off-by: Toni Uhlig <[email protected]>
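
The collision described in this issue, as an added C example (not nDPI's code and not the fix from the referenced commits): it lifts the quoted four-byte check into a function and pairs it with a structural RFC 2347 OACK parser, showing that an OACK carrying blksize satisfies both unless the structural check runs first. The function names, the check ordering and both sample payloads are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The four-byte prefix test quoted from noe.c (function name is hypothetical). */
static int noe_prefix_match(const uint8_t *p, size_t len) {
  return len >= 25 && p[0] == 0x00 && p[1] == 0x06 &&
         p[2] == 0x62 && p[3] == 0x6c;
}

/* RFC 2347 OACK: opcode 6, then NUL-terminated name/value string pairs.
 * Returns the number of options, or 0 if the payload is not a well-formed
 * OACK. Assumption: names and values are non-empty printable ASCII. */
static int tftp_oack_options(const uint8_t *p, size_t len) {
  size_t i = 2, start;
  int strings = 0;
  if (len < 6 || p[0] != 0x00 || p[1] != 0x06 || p[len - 1] != 0x00)
    return 0;
  while (i < len) {
    for (start = i; p[i] != 0x00; i++)   /* final byte is NUL, so bounded */
      if (p[i] < 0x20 || p[i] > 0x7e) return 0;
    if (i == start) return 0;            /* empty string */
    i++;                                 /* step over the terminator */
    strings++;
  }
  return (strings % 2 == 0) ? strings / 2 : 0;
}

enum verdict { V_UNKNOWN, V_TFTP_OACK, V_NOE_PREFIX };
/* Hypothetical ordering: run the structural check before the prefix check. */
static enum verdict classify(const uint8_t *p, size_t len) {
  if (tftp_oack_options(p, len) > 0) return V_TFTP_OACK;
  if (noe_prefix_match(p, len)) return V_NOE_PREFIX;
  return V_UNKNOWN;
}

/* Constructed samples: a 28-byte OACK (blksize + tsize, the literal's implicit
 * NUL terminates the last value) and a 25-byte binary payload sharing the prefix. */
static const uint8_t OACK_SAMPLE[] = "\x00\x06" "blksize\0" "1428\0" "tsize\0" "106418";
static const uint8_t BIN_SAMPLE[25] = {0x00, 0x06, 0x62, 0x6c, 0x80, 0xff};

int main(void) {
  printf("OACK: noe_prefix=%d options=%d verdict=%d\n",
         noe_prefix_match(OACK_SAMPLE, sizeof OACK_SAMPLE),
         tftp_oack_options(OACK_SAMPLE, sizeof OACK_SAMPLE),
         classify(OACK_SAMPLE, sizeof OACK_SAMPLE));
  printf("binary: verdict=%d\n", classify(BIN_SAMPLE, sizeof BIN_SAMPLE));
  return 0;
}
```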