Twitter misclassification #209

Closed
netcons opened this issue Jan 16, 2025 · 3 comments
netcons commented Jan 16, 2025

Hi Vitaly,

Not sure if this is nDPI itself or xt_ndpi causing the misclassification, could you verify please?

cat /proc/net/xt_ndpi/flows | grep Twitter | grep dropbox
1737034618 1737035399 4 6 192.168.2.100 50718 162.125.21.3 443 2990 995 10 10 I=62,6 SN=122.132.16.162,50718 P=Twitter,TLS H=beacon.dropbox.com c=t12d1408h2_d1637c2d00c3_2dae41c691ec C=effe9b59e99e730d14f23d971080682b V=TLSv1.2
1737034598 1737035332 4 6 192.168.2.100 50885 162.125.21.3 443 11700 1114 12 16 I=57,6 SN=122.132.16.162,50885 P=Twitter,TLS H=bolt.dropbox.com c=t12d1208h2_9e6316305715_2dae41c691ec C=3fce0c7d883f10bd14e9bdb365a129cf V=TLSv1.2
1737034556 1737035367 4 6 192.168.2.100 50716 162.125.21.3 443 3294 1197 6 12 I=62,6 SN=122.132.16.162,50716 P=Twitter,TLS H=thunder.dropbox.com c=t12d1408h2_d1637c2d00c3_2dae41c691ec C=effe9b59e99e730d14f23d971080682b V=TLSv1.2
1737034494 1737035395 4 6 192.168.2.100 52327 162.125.21.2 443 39461 5992 38 22 I=76,6 SN=122.132.16.162,52327 P=Twitter,TLS H=t8.dropbox.com c=t12d1408h2_d1637c2d00c3_2dae41c691ec C=effe9b59e99e730d14f23d971080682b V=TLSv1.2
cat /proc/net/xt_ndpi/flows | grep Twitter | grep imedidata
1737026975 1737026975 4 6 192.168.2.53 51512 163.171.177.25 443 584 7135 7 5 I=3,4 SN=122.132.16.162,51512 P=Twitter,TLS H=cdnw-gambit-rave-prod.imedidata.com c=t13d1611h2_1711a4c0508c_6d021c4c45cd C=4f2d63c6a35e03e0917bcb5c7d1d6540 F=316b3c4d6bd84c5396b34441f2e44c3855ca7a63 V=TLSv1.2
1737026975 1737026975 4 6 192.168.2.53 51511 163.171.177.25 443 801 7612 8 7 I=3,4 SN=122.132.16.162,51511 P=Twitter,TLS H=cdnw-gambit-rave-prod.imedidata.com c=t13d1611h2_1711a4c0508c_6d021c4c45cd C=4f2d63c6a35e03e0917bcb5c7d1d6540 F=316b3c4d6bd84c5396b34441f2e44c3855ca7a63 V=TLSv1.2

I suspect the destinations are CDNs and the classification is done based on IP.

Tested on Commit fb92073.

Thanks.

netcons added the bug label Jan 16, 2025

@vel21ripn (Owner)

Why it classifies this connection as "Twitter" is not yet clear.
I got a slightly different classification on the test configuration:

1737547526 1737547526 4 6 10.0.0.122 10788 162.125.21.3 443 1132 4551 10 8 I=18 P=Twitter,TLS H=beacon.dropbox.com L=7 R=15 c=t12d850600_972b7b87df62_a1e935682795 F=c3f688dc1d5ae29a2617b3dfb496e817db416a1c

ndpiReader shows the correct classification proto "91.121/TLS.Dropbox".
I need time to figure it out.

vel21ripn added a commit that referenced this issue Jan 23, 2025
Invalid hostname mapping.
@vel21ripn (Owner)

Thanks for finding this bug.
This bug is fixed in commit 5d08dcf.

netcons commented Jan 24, 2025

Thank you Vitaly.

netcons closed this as completed Jan 24, 2025
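
To check a running system for the same symptom, the script below (an added example, not part of the issue thread or of xt_ndpi) scans lines in the /proc/net/xt_ndpi/flows layout quoted above and reports flows whose H= hostname falls under a given domain while the P= list lacks the expected protocol name. The function names, the sample lines, the expected name "Dropbox" and the reading of the seventh column as the destination address are assumptions taken from the output shown in the thread.

```sh
# Constructed sample lines in the layout quoted in the issue (shortened).
sample_flows() {
cat <<'EOF'
1737034618 1737035399 4 6 192.168.2.100 50718 162.125.21.3 443 2990 995 10 10 I=62,6 P=Twitter,TLS H=beacon.dropbox.com V=TLSv1.2
1737034700 1737034800 4 6 192.168.2.100 50900 162.125.21.3 443 1200 800 6 6 I=62,6 P=Dropbox,TLS H=www.dropbox.com V=TLSv1.2
1737034900 1737034950 4 6 192.168.2.100 51000 198.51.100.7 443 900 700 5 5 I=62,6 P=TLS H=example.org V=TLSv1.2
EOF
}

# find_mismatches DOMAIN EXPECTED [FILE...]
# Prints "dst_ip hostname P-list" for every flow whose H= value is DOMAIN or
# a subdomain of it, but whose comma-separated P= list does not contain
# EXPECTED (compared case-insensitively). Reads stdin when no FILE is given,
# e.g.: find_mismatches dropbox.com Dropbox /proc/net/xt_ndpi/flows
find_mismatches() {
    domain=$1; expected=$2; shift 2
    awk -v domain="$domain" -v expected="$expected" '
    {
        host = ""; proto = ""
        # Locate the key=value tokens by prefix, since optional fields
        # (SN=, L=, R=, F= ...) shift their positions from line to line.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^H=/) host = substr($i, 3)
            else if ($i ~ /^P=/) proto = substr($i, 3)
        }
        if (host == "" || proto == "") next
        # Match only on a DNS label boundary, so that a name such as
        # notdropbox.com is not treated as part of dropbox.com.
        hl = length(host); dl = length(domain)
        if (host != domain && !(hl > dl && substr(host, hl - dl) == "." domain)) next
        n = split(proto, parts, ",")
        found = 0
        for (j = 1; j <= n; j++)
            if (tolower(parts[j]) == tolower(expected)) found = 1
        # Assumption: column 7 is the destination address, as in the thread.
        if (!found) print $7, host, proto
    }' "$@"
}

# Stand-alone run over the constructed sample.
sample_flows | find_mismatches dropbox.com Dropbox
```

Grouping the reported lines by destination address shows whether the wrong label follows the IP or the hostname, which is the question raised in the first comment.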