Improved Kafka dissector. #2456

Merged: 2 commits, May 27, 2024

@utoni (Collaborator) commented May 24, 2024

  • detect more Kafka request packets
  • requires less flow memory
  • same detection behavior as before e.g. no asym detection implemented (can be done by dissecting responses, requires more effort)

Describe changes:

Some Kafka packets were not detected on my side.
The behavior is pretty much the same, but no additional flow memory is needed anymore.
Asymmetric detection is not implemented and was not before (dissector was relying on a previously seen request packet), but can be done in the future (see kafka.pcap asym responses captured).
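
An added example, not nDPI's dissector code and not part of this PR: a stateless check of the Kafka request header (int32 size, int16 api_key, int16 api_version, int32 correlation_id, nullable client_id string) that needs no per-flow memory. The function name `looks_like_kafka_request`, the numeric bounds, the printable-ASCII client_id rule and the sample bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed bounds for this example; none of them are taken from nDPI. */
#define MAX_REQ_SIZE    104857600u /* Kafka broker default socket.request.max.bytes */
#define MAX_API_KEY     100u       /* assumed ceiling for API keys */
#define MAX_API_VERSION 20u        /* assumed ceiling for API versions */
#define MAX_CLIENT_ID   255        /* assumed ceiling for client_id length */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* Returns 1 if the payload looks like the start of a Kafka request:
 * int32 size | int16 api_key | int16 api_version | int32 correlation_id |
 * int16 client_id_len (-1 = null) | client_id bytes. Uses no per-flow state. */
int looks_like_kafka_request(const uint8_t *p, size_t len)
{
  if (p == NULL || len < 14) return 0;            /* need the fixed header */
  uint32_t size = be32(p);                        /* bytes following the size field */
  if (size < 10 || size > MAX_REQ_SIZE) return 0;
  if (be16(p + 4) > MAX_API_KEY || be16(p + 6) > MAX_API_VERSION) return 0;
  int cid_len = (int16_t)be16(p + 12);
  if (cid_len == -1) return 1;                    /* null client_id is legal */
  if (cid_len < 0 || cid_len > MAX_CLIENT_ID) return 0;
  if ((uint32_t)cid_len + 10 > size) return 0;    /* client_id must fit in the message */
  /* A request may span TCP segments, so check only the bytes present. */
  size_t avail = len - 14, n = (size_t)cid_len < avail ? (size_t)cid_len : avail;
  for (size_t i = 0; i < n; i++)                  /* assumption: printable ASCII id */
    if (p[14 + i] < 0x20 || p[14 + i] > 0x7e) return 0;
  return 1;
}

/* Constructed samples (not taken from the PR's kafka.pcap). */
const uint8_t sample_request[] = {               /* api_key 18, version 3, id "test" */
  0x00,0x00,0x00,0x20, 0x00,0x12, 0x00,0x03, 0x00,0x00,0x00,0x01,
  0x00,0x04, 't','e','s','t' };
const uint8_t sample_null_id[] = {               /* client_id length -1 (null) */
  0x00,0x00,0x00,0x0a, 0x00,0x03, 0x00,0x01, 0x00,0x00,0x00,0x02, 0xff,0xff };
const uint8_t sample_http[] = "GET / HTTP/1.1\r\n";
const uint8_t sample_bad_id[] = {                /* client_id longer than the message */
  0x00,0x00,0x00,0x0c, 0x00,0x12, 0x00,0x03, 0x00,0x00,0x00,0x01,
  0x00,0x40, 'x','y' };

int main(void)
{
  return !(looks_like_kafka_request(sample_request, sizeof sample_request) &&
           !looks_like_kafka_request(sample_http, sizeof sample_http - 1));
}
```

A Kafka response header carries only a correlation id after the size field, so a response-only flow offers much less to match on than the request header checked here.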

@utoni (Collaborator, Author) commented May 24, 2024

Note: I removed current_pkt_from_client_to_server(), because it does not work reliably on my side (I do not provide struct ndpi_flow_input_info to ndpi_detection_process_packet()).

 * detect more Kafka request packets
 * requires less flow memory
 * same detection behavior as before e.g. no asym detection implemented
   (can be done by dissecting responses, requires more effort)

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>

@IvanNardi (Collaborator) commented

Is it possible to merge the two kafka traces?

@utoni (Collaborator, Author) commented May 24, 2024

libpcap does not like having different interface types in one pcap file. Do you know how I can change that? 😄

@0xA50C1A1 (Contributor) commented

> libpcap does not like having different interface types in one pcap file. Do you know how I can change that? 😄

I only know one way, but it's pretty crude and dumb... recreate the session with Scapy.


@IvanNardi merged commit abce6d4 into ntop:dev on May 27, 2024
36 checks passed