Simone Mainardi
```
simone@devel:~/ntopng$ cat /tmp/proto
tcp:3000@NTOP
simone@devel:~/ntopng$ sudo ./ntopng -i eno1 --disable-login 1 --dont-change-user --ndpi-protocols /tmp/proto
```

I'm posting here as I've verified that protocols arrive exchanged from nDPI.
See if a heuristic can be implemented to detect DNS Fast Flux. An example heuristic is described at https://osqa-ask.wireshark.org/questions/18394/help-with-filters-for-detecting-fast-flux-in-dns-queries
nProbe only exports a subset of flows and without all IEs to ntopng. Example:

```
./nprobe -i ../nDPI/tests/pcap/tls_certificate_too_long.pcap --zmq tcp://127.0.0.1:1234 -T "@NTOPNG@ %TLS_CIPHER %TLS_VERSION %SRC_TO_DST_MAX_THROUGHPUT %JA3C_HASH %JA3S_HASH" --zmq-format j --json-labels...
```
It would be desirable to have an `%NTOPNG_ENTERPRISE_INFO` IE containing information which is similar to the wireshark INFO column or the ntopng INFO column. Such IE would contain nDPI-provided data:...
Default template in collector mode (`EXPANDED_NTOPNG_SHORTCUT_COLLECTOR_MODE`) should only include `%TCP_FLAGS` and not `%CLIENT_TCP_FLAGS %SERVER_TCP_FLAGS`. This is because NetFlow flags are cumulative. V5:

> 37 | tcp_flags | Cumulative OR of TCP...
```
simone@devel:~/nProbe$ sudo apt-get install nprobe ntopng-data
simone@devel:~/nProbe$ ls -lha /usr/share/ntopng/httpdocs/geoip/dbip*
-rw-rw-r-- 1 root root 6.8M Oct 8 15:39 /usr/share/ntopng/httpdocs/geoip/dbip-asn-lite.mmdb
-rw-rw-r-- 1 root root 5.0M Oct 8 15:39 /usr/share/ntopng/httpdocs/geoip/dbip-country-lite.mmdb
```
...
It seems nprobe doesn't export (or count) TCP packets that have been lost. It would be desirable to have information elements similar to what we have for OOO and RETX.
nProbe yields different counters (traffic, ooo) to ntopng, depending on how it is executed. pcap to reproduce available upon request. Following is what happens:

```
sudo ./nprobe -i ../ntopng/../OOO_small.pcap --zmq...
```
current behavior:

- [--in-iface-idx|-u] fills INPUT_SNMP with the last two bytes of the MAC address of the flow sender.
- [--out-iface-idx|-Q] fills OUTPUT_SNMP with the last two bytes of the...
Dear kayzh, you might want to consider a pull of my changes.