About protocol default port
Hi, I have an issue with protocol detection, and it seems to be a problem with the default port settings. For example, an SSH flow not using port 22.
in ndpi_main.c
SSH default port set with ndpi_build_default_ports(ports_a, 22, 0, 0, 0, 0)
but some other protocol set default port with ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0)
I have some questions here. First, I think that when the default port is not set, like (0, 0, 0, 0, 0), all packets will be searched. If the default port is set like (22, 0, 0, 0, 0), does it only work on port 22, or do the 0s after it have any effect?
Second, if I need to detect all well-known protocols (FTP, SSH, TELNET, SMTP, POP3, ...) that do not use regular ports, should I change the default port to ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0)?
Thanks.
AFAIK default ports are used for protocol guessing and a risk flag (protocol on non-standard port). The protocol classification routines are running independent of any default port.
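The behaviour described in the reply above, as an added example that is not part of the original thread and is not nDPI code: a simplified model in which payload dissection never consults the port, and the default-port table is used only for a fallback guess and for a non-standard-port risk flag. All names, the payload signatures and the port table are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not nDPI code: every name and table here is hypothetical. */
enum proto { P_UNKNOWN = 0, P_SSH, P_POP3, P_COUNT };

struct result {
    enum proto proto;
    int guessed;           /* 1 = derived from the port table only, no payload match */
    int nonstd_port_risk;  /* 1 = payload match on a port outside the defaults */
};

/* Constructed default-port table, same (port, 0, 0, 0, 0) shape as in the post. */
static const uint16_t default_ports[P_COUNT][5] = {
    [P_SSH]  = {22, 0, 0, 0, 0},
    [P_POP3] = {110, 0, 0, 0, 0},
};

static int on_default_port(enum proto p, uint16_t port) {
    for (int i = 0; i < 5; i++)           /* 0 entries are empty slots */
        if (default_ports[p][i] != 0 && default_ports[p][i] == port) return 1;
    return 0;
}

/* Payload dissection: looks only at bytes, never at the port. */
static enum proto dissect(const char *payload, size_t len) {
    if (len >= 4 && memcmp(payload, "SSH-", 4) == 0) return P_SSH;
    if (len >= 4 && memcmp(payload, "+OK ", 4) == 0) return P_POP3;
    return P_UNKNOWN;
}

struct result classify(uint16_t dport, const char *payload, size_t len) {
    struct result r = { dissect(payload, len), 0, 0 };
    if (r.proto != P_UNKNOWN) {           /* detected regardless of port */
        r.nonstd_port_risk = !on_default_port(r.proto, dport);
        return r;
    }
    for (int p = P_SSH; p < P_COUNT; p++) /* fallback: guess from the port alone */
        if (on_default_port((enum proto)p, dport)) { r.proto = (enum proto)p; r.guessed = 1; break; }
    return r;
}

int main(void) {
    const char banner[] = "SSH-2.0-OpenSSH_9.6";   /* constructed sample payload */
    struct result r = classify(2222, banner, sizeof banner - 1);
    printf("proto=%d guessed=%d nonstd_port_risk=%d\n", r.proto, r.guessed, r.nonstd_port_risk);
    return 0;
}
```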
> AFAIK default ports are used for protocol guessing and a risk flag (protocol on non-standard port). The protocol classification routines are running independent of any default port.
It means the default port has no effect on the protocol classification routines. So, you mean a protocol on a non-standard port should be detected.
There's one more thing I'm suspicious of.
I'm using two places where nDPI determines the protocol and I receive it.
First, struct ndpi_proto p = ndpi_workflow_process_packet, in ndpi_process_packet
Second, process_ndpi_collected_info in node_proto_guess_walker
I used the first one; could this be the cause?