Merge branch 'github.dev' into flow_info-3.2

This commit is contained in:
Vitaly Lavrov 2020-08-21 19:44:06 +03:00
commit b3fa670906
43 changed files with 517 additions and 244 deletions


@ -170,6 +170,7 @@ before_script:
script:
- if [ -n "$QA_FUZZ" ]; then ./configure --enable-fuzztargets ; else ./configure ; fi
- make
- make -C example ndpiSimpleIntegration
#after_script:
- cd tests


@ -1,5 +1,5 @@
ACLOCAL_AMFLAGS = -I m4
SUBDIRS = src/lib example tests
SUBDIRS = src/lib @EXTRA_TARGETS@
if BUILD_FUZZTARGETS
SUBDIRS += fuzz


@ -4,6 +4,14 @@ AC_CONFIG_MACRO_DIR([m4])
AM_INIT_AUTOMAKE([foreign subdir-objects])
EXTRA_TARGETS="example tests"
AC_ARG_WITH(only-libndpi, AS_HELP_STRING([--with-only-libndpi], [Build only libndpi (no examples, tests etc)]))
AS_IF([test "${with_only_libndpi+set}" = set],[
EXTRA_TARGETS=""
])
AC_ARG_WITH(sanitizer, AS_HELP_STRING([--with-sanitizer], [Build with support for address, undefined and leak sanitizer]))
AC_ARG_ENABLE(fuzztargets, AS_HELP_STRING([--enable-fuzztargets], [Enable fuzz targets]),[enable_fuzztargets=$enableval],[enable_fuzztargets=no])
AM_CONDITIONAL([BUILD_FUZZTARGETS], [test "x$enable_fuzztargets" = "xyes"])
@ -59,6 +67,8 @@ else
NDPI_API_VERSION=`date +%s | cut -c7-10`
fi
NDPI_API_VERSION=`echo $NDPI_API_VERSION | sed 's/^0*//'`
AC_DEFINE_UNQUOTED(NDPI_GIT_RELEASE, "${GIT_RELEASE}", [GIT Release])
AC_DEFINE_UNQUOTED(NDPI_GIT_DATE, "${GIT_DATE}", [Last GIT change])
@ -68,16 +78,15 @@ ADDITIONAL_LIBS=
PCAP_HOME=$HOME/PF_RING/userland
DPDK_TARGET=
AC_MSG_CHECKING([DPDK (used by ndpiReader)])
if test -d $HOME/DPDK; then :
echo "Enabling DPDK support in ndpiReader"
AC_MSG_RESULT(yes)
DPDK_TARGET=dpdk
else
echo "DPDK support disabled (missing $HOME/DPDK)"
AC_MSG_RESULT([no (missing $HOME/DPDK)])
fi
if test -d $PCAP_HOME; then :
echo -n ""
else
if ! test -d $PCAP_HOME; then :
PCAP_HOME=`pwd`/../../PF_RING/userland
fi
SHORT_MACHINE=`uname -m | cut -b1-3`
@ -187,4 +196,5 @@ AC_SUBST(DPDK_TARGET)
AC_SUBST(HAVE_PTHREAD_SETAFFINITY_NP)
AC_SUBST(CUSTOM_NDPI)
AC_SUBST(NDPI_API_VERSION)
AC_SUBST(EXTRA_TARGETS)
AC_OUTPUT
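Review bot: The rewritten check `if ! test -d $PCAP_HOME; then :` (and the `test -d $HOME/DPDK` above it) expands the path unquoted, so a HOME containing whitespace hands `test` extra arguments and the check aborts with a syntax error instead of answering no. Quote the expansion: `if ! test -d "$PCAP_HOME"; then`. The `; then :` no-op is a leftover of the removed `echo -n ""` form and can be dropped now that the body is a real assignment.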


@ -3146,7 +3146,7 @@ void * processing_thread(void *_thread_id) {
gettimeofday(&h.ts, NULL);
ndpi_process_packet((u_char*)&thread_id, &h, (const u_char *)data);
rte_pktmbuf_ndpi_free(bufs[i]);
rte_pktmbuf_free(bufs[i]);
}
}
#else
@ -3346,7 +3346,7 @@ static void dgaUnitTest() {
};
int i;
NDPI_PROTOCOL_BITMASK all;
struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module(ndpi_no_prefs);
struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module(ndpi_no_prefs);
assert(ndpi_str != NULL);
@ -3363,7 +3363,6 @@ static void dgaUnitTest() {
for(i=0; non_dga[i] != NULL; i++)
assert(ndpi_check_dga_name(ndpi_str, NULL, (char*)non_dga[i]) == 0);
ndpi_exit_detection_module(ndpi_str);
}


@ -9,6 +9,7 @@
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define MAX_FLOW_ROOTS_PER_THREAD 2048
@ -133,7 +134,8 @@ static struct nDPI_workflow * init_workflow(char const * const file_or_device)
}
if (workflow->pcap_handle == NULL) {
fprintf(stderr, "pcap_open_live / pcap_open_offline_with_tstamp_precision: %s\n", pcap_error_buffer);
fprintf(stderr, "pcap_open_live / pcap_open_offline_with_tstamp_precision: %.*s\n",
(int) PCAP_ERRBUF_SIZE, pcap_error_buffer);
free_workflow(&workflow);
return NULL;
}
@ -204,9 +206,25 @@ static void free_workflow(struct nDPI_workflow ** const workflow)
*workflow = NULL;
}
static char * get_default_pcapdev(char *errbuf)
{
char * ifname;
pcap_if_t * all_devices = NULL;
if (pcap_findalldevs(&all_devices, errbuf) != 0)
{
return NULL;
}
ifname = strdup(all_devices[0].name);
pcap_freealldevs(all_devices);
return ifname;
}
static int setup_reader_threads(char const * const file_or_device)
{
char const * file_or_default_device;
char * file_or_default_device;
char pcap_error_buffer[PCAP_ERRBUF_SIZE];
if (reader_thread_count > MAX_READER_THREADS) {
@ -214,23 +232,28 @@ static int setup_reader_threads(char const * const file_or_device)
}
if (file_or_device == NULL) {
file_or_default_device = pcap_lookupdev(pcap_error_buffer);
file_or_default_device = get_default_pcapdev(pcap_error_buffer);
if (file_or_default_device == NULL) {
fprintf(stderr, "pcap_lookupdev: %s\n", pcap_error_buffer);
fprintf(stderr, "pcap_findalldevs: %.*s\n", (int) PCAP_ERRBUF_SIZE, pcap_error_buffer);
return 1;
}
} else {
file_or_default_device = file_or_device;
file_or_default_device = strdup(file_or_device);
if (file_or_default_device == NULL) {
return 1;
}
}
for (int i = 0; i < reader_thread_count; ++i) {
reader_threads[i].workflow = init_workflow(file_or_default_device);
if (reader_threads[i].workflow == NULL)
{
free(file_or_default_device);
return 1;
}
}
free(file_or_default_device);
return 0;
}
@ -847,7 +870,7 @@ static void ndpi_process_packet(uint8_t * const args,
}
}
if (flow_to_process->ndpi_flow->num_extra_packets_checked <
if (flow_to_process->ndpi_flow->num_extra_packets_checked <=
flow_to_process->ndpi_flow->max_extra_packets_to_check)
{
/*
@ -873,7 +896,8 @@ static void ndpi_process_packet(uint8_t * const args,
workflow->packets_captured,
reader_thread->array_index,
flow_to_process->flow_id,
ndpi_ssl_version2str(flow_to_process->ndpi_flow->protos.stun_ssl.ssl.ssl_version,
ndpi_ssl_version2str(flow_to_process->ndpi_flow,
flow_to_process->ndpi_flow->protos.stun_ssl.ssl.ssl_version,
&unknown_tls_version),
flow_to_process->ndpi_flow->protos.stun_ssl.ssl.client_requested_server_name,
(flow_to_process->ndpi_flow->protos.stun_ssl.ssl.alpn != NULL ?
@ -889,7 +913,8 @@ static void ndpi_process_packet(uint8_t * const args,
workflow->packets_captured,
reader_thread->array_index,
flow_to_process->flow_id,
ndpi_ssl_version2str(flow_to_process->ndpi_flow->protos.stun_ssl.ssl.ssl_version,
ndpi_ssl_version2str(flow_to_process->ndpi_flow,
flow_to_process->ndpi_flow->protos.stun_ssl.ssl.ssl_version,
&unknown_tls_version),
flow_to_process->ndpi_flow->protos.stun_ssl.ssl.server_names_len,
flow_to_process->ndpi_flow->protos.stun_ssl.ssl.server_names,
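Review bot: `get_default_pcapdev` dereferences `all_devices[0].name` without checking that the list is non-empty; `pcap_findalldevs` returns 0 with `all_devices == NULL` when no interface is available to the process (typically an unprivileged run), so the replacement for `pcap_lookupdev` turns that case into a NULL dereference. On that same path `errbuf` is never written, and `setup_reader_threads` declares `pcap_error_buffer` uninitialised, so the new `fprintf(stderr, "pcap_findalldevs: %.*s\n", ...)` would print whatever was on the stack; initialise it (`char pcap_error_buffer[PCAP_ERRBUF_SIZE] = {0};`) and write a message for the empty-list case. The list is chained through `next`, so `all_devices->name` reads better than `all_devices[0].name`; the `strdup` failure in the `else` branch of `setup_reader_threads` also returns 1 silently and deserves a line on stderr.
```c
static char * get_default_pcapdev(char *errbuf)
{
    /* … unchanged: declarations and the pcap_findalldevs() != 0 return … */
    if (all_devices == NULL)
    {
        /* success with an empty list: no interface this process may open */
        snprintf(errbuf, PCAP_ERRBUF_SIZE, "no capture device found");
        return NULL;
    }
    ifname = strdup(all_devices->name);
    pcap_freealldevs(all_devices);
    return ifname;
}
```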


@ -698,7 +698,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
u_int8_t **payload,
u_int16_t *payload_len,
u_int8_t *src_to_dst_direction,
struct timeval when) {
pkt_timeval when) {
u_int32_t idx, l4_offset, hashval;
struct ndpi_flow_info flow;
void *ret;
@ -985,7 +985,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info6(struct ndpi_workflow * workflo
u_int8_t **payload,
u_int16_t *payload_len,
u_int8_t *src_to_dst_direction,
struct timeval when) {
pkt_timeval when) {
struct ndpi_iphdr iph;
memset(&iph, 0, sizeof(iph));
@ -1308,7 +1308,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
u_int16_t ipsize, u_int16_t rawsize,
const struct pcap_pkthdr *header,
const u_char *packet,
struct timeval when,
pkt_timeval when,
FILE * csv_fp) {
struct ndpi_id_struct *src, *dst;
struct ndpi_flow_info *flow = NULL;
@ -1338,7 +1338,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
&payload, &payload_len, &src_to_dst_direction, when);
if(flow != NULL) {
struct timeval tdiff;
pkt_timeval tdiff;
workflow->stats.ip_packet_count++;
workflow->stats.total_wire_bytes += rawsize + 24 /* CRC etc */,


@ -31,6 +31,7 @@
#include "uthash.h"
#include <pcap.h>
#include "ndpi_includes.h"
#include "ndpi_classify.h"
#include "ndpi_typedefs.h"
@ -128,13 +129,13 @@ struct flow_metrics {
struct ndpi_entropy {
// Entropy fields
struct timeval src2dst_last_pkt_time, dst2src_last_pkt_time, flow_last_pkt_time;
pkt_timeval src2dst_last_pkt_time, dst2src_last_pkt_time, flow_last_pkt_time;
u_int16_t src2dst_pkt_len[MAX_NUM_PKTS]; /*!< array of packet appdata lengths */
struct timeval src2dst_pkt_time[MAX_NUM_PKTS]; /*!< array of arrival times */
pkt_timeval src2dst_pkt_time[MAX_NUM_PKTS]; /*!< array of arrival times */
u_int16_t dst2src_pkt_len[MAX_NUM_PKTS]; /*!< array of packet appdata lengths */
struct timeval dst2src_pkt_time[MAX_NUM_PKTS]; /*!< array of arrival times */
struct timeval src2dst_start; /*!< first packet arrival time */
struct timeval dst2src_start; /*!< first packet arrival time */
pkt_timeval dst2src_pkt_time[MAX_NUM_PKTS]; /*!< array of arrival times */
pkt_timeval src2dst_start; /*!< first packet arrival time */
pkt_timeval dst2src_start; /*!< first packet arrival time */
u_int32_t src2dst_opackets; /*!< non-zero packet counts */
u_int32_t dst2src_opackets; /*!< non-zero packet counts */
u_int16_t src2dst_pkt_count; /*!< packet counts */


@ -1,22 +1,22 @@
#
# Copyright (C) 2018 - ntop.org
# Copyright (C) 2018-20 - ntop.org
#
include $(TOPDIR)/rules.mk
PKG_NAME:=libndpi
PKG_VERSION:=1333.ab2f3ce
PKG_VERSION:=17022020
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/ntop/nDPI.git
PKG_SOURCE_VERSION:=ab2f3cefc89017d73e67faa4eb4011e7e3f2044d
PKG_SOURCE_VERSION:=1f921562d1d7962f1d23ca5b59c25f9b65073460
PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
PKG_SOURCE_PROTO:=git
PKG_MAINTAINER:=Emanuele Faranda <faranda@ntop.org>
PKG_MAINTAINER:=Luca Deri <deri@ntop.org>
PKG_LICENSE:=GPL3
PKG_BUILD_DEPENDS:=+libpcap
PKG_BUILD_DEPENDS:=
PKG_BUILD_PARALLEL:=1
# autogen fix
@ -27,7 +27,6 @@ include $(INCLUDE_DIR)/package.mk
define Package/libndpi
SECTION:=network
CATEGORY:=Network
#DEPENDS:=+libc +libjson-c +libpthread
TITLE:=nDPI Deep Packet Inspection Library
URL:=https://www.ntop.org
endef
@ -37,8 +36,7 @@ define Package/libndpi/description
endef
CONFIGURE_ARGS += \
--with-pic \
--disable-json-c \
--with-only-libndpi
define Build/Prepare
$(call Build/Prepare/Default)

25
packages/openwrt/README Normal file

@ -0,0 +1,25 @@
Howto Compile lindpi on OpenWRT
-------------------------------
cd myopenwrt_directory
mkdir package/network/services/libndpi
cd package/network/services/libndpi
cp ~/nDPI/packages/openwrt/Makefile .
cd myopenwrt_directory
make menuconfig
Go under network and select
<M> libndpi.............................. nDPI Deep Packet Inspection Library
Build Commands
--------------
If you want to build just libndpi do:
make -j1 V=s package/network/services/libndpi/clean
make -j1 V=s package/network/services/libndpi/compile
Other Documents
---------------
https://openwrt.org/packages/pkgdata/libndpi


@ -312,6 +312,8 @@ typedef enum {
NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER,
NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER,
NDPI_SMB_INSECURE_VERSION,
NDPI_TLS_SUSPICIOUS_ESNI_USAGE,
NDPI_BLACKLISTED_HOST,
/* Leave this as last member */
NDPI_MAX_RISK
} ndpi_risk_enum;
@ -821,6 +823,12 @@ typedef enum {
NDPI_PROTOCOL_CATEGORY_PRODUCTIVITY,
NDPI_PROTOCOL_CATEGORY_FILE_SHARING,
/*
The category below is used by sites who are used
to test connectivity
*/
NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK,
/* Some custom categories */
CUSTOM_CATEGORY_MINING = 99,
CUSTOM_CATEGORY_MALWARE = 100,
@ -1446,4 +1454,4 @@ class NDPI():
def ndpi_exit_detection_module(self):
""" Exit function for nDPI module """
self._ndpi.ndpi_exit_detection_module(self._mod)
self._ffi.dlclose(self._ndpi)
self._ffi.dlclose(self._ndpi)


@ -8,4 +8,5 @@ library_include_HEADERS = ndpi_api.h \
ndpi_protocol_ids.h \
ndpi_protocols.h \
ndpi_win32.h \
ndpi_includes_OpenBSD.h \
ndpi_includes.h


@ -921,7 +921,9 @@ extern "C" {
void ndpi_user_pwd_payload_copy(u_int8_t *dest, u_int dest_len, u_int offset,
const u_int8_t *src, u_int src_len);
u_char* ndpi_base64_decode(const u_char *src, size_t len, size_t *out_len);
char* ndpi_base64_encode(unsigned char const* bytes_to_encode, size_t in_len);
char* ndpi_base64_encode(unsigned char const* bytes_to_encode, size_t in_len); /* NOTE: caller MUST free the returned pointer */
void ndpi_string_sha1_hash(const uint8_t *message, size_t len, u_char *hash /* 20-bytes */);
int ndpi_load_ipv4_ptree(struct ndpi_detection_module_struct *ndpi_str,
const char *path, u_int16_t protocol_id);
#ifndef __KERNEL__
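Review bot: The new comment on `ndpi_base64_encode` tells the caller to `free` the result, but the library itself releases that buffer with `ndpi_free` (see `ndpi_free(community_id)` in the community-id code of this same commit), which is the counterpart of whatever allocator nDPI was configured with; a caller using plain `free()` after custom memory functions were installed mismatches allocators. Suggest `/* NOTE: returned string is heap-allocated; caller MUST release it with ndpi_free() */`. `ndpi_base64_decode` on the line above also returns a buffer whose ownership is undocumented; presumably the same rule applies, worth stating there too.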


@ -43,7 +43,7 @@
#ifndef NDPI_CLASSIFY_H
#define NDPI_CLASSIFY_H
#include "ndpi_includes.h"
/* constants */
#define NUM_PARAMETERS_SPLT_LOGREG 208
@ -66,27 +66,27 @@ extern float parameters_bd[NUM_PARAMETERS_BD_LOGREG];
extern float parameters_splt[NUM_PARAMETERS_SPLT_LOGREG];
/* Classifier functions */
float ndpi_classify(const unsigned short *pkt_len, const struct timeval *pkt_time,
const unsigned short *pkt_len_twin, const struct timeval *pkt_time_twin,
struct timeval start_time, struct timeval start_time_twin, uint32_t max_num_pkt_len,
float ndpi_classify(const unsigned short *pkt_len, const pkt_timeval *pkt_time,
const unsigned short *pkt_len_twin, const pkt_timeval *pkt_time_twin,
pkt_timeval start_time, pkt_timeval start_time_twin, uint32_t max_num_pkt_len,
uint16_t sp, uint16_t dp, uint32_t op, uint32_t ip, uint32_t np_o, uint32_t np_i,
uint32_t ob, uint32_t ib, uint16_t use_bd, const uint32_t *bd, const uint32_t *bd_t);
void ndpi_merge_splt_arrays(const uint16_t *pkt_len, const struct timeval *pkt_time,
const uint16_t *pkt_len_twin, const struct timeval *pkt_time_twin,
struct timeval start_time, struct timeval start_time_twin,
void ndpi_merge_splt_arrays(const uint16_t *pkt_len, const pkt_timeval *pkt_time,
const uint16_t *pkt_len_twin, const pkt_timeval *pkt_time_twin,
pkt_timeval start_time, pkt_timeval start_time_twin,
uint16_t s_idx, uint16_t r_idx,
uint16_t *merged_lens, uint16_t *merged_times);
void ndpi_update_params(classifier_type_codes_t param_type, const char *param_file);
void ndpi_flow_info_freer(void *node);
unsigned int ndpi_timer_eq(const struct timeval *a, const struct timeval *b);
unsigned int ndpi_timer_lt(const struct timeval *a, const struct timeval *b);
void ndpi_timer_sub(const struct timeval *a, const struct timeval *b, struct timeval *result);
void ndpi_timer_clear(struct timeval *a);
unsigned int ndpi_timeval_to_milliseconds(struct timeval ts);
unsigned int ndpi_timeval_to_microseconds(struct timeval ts);
unsigned int ndpi_timer_eq(const pkt_timeval *a, const pkt_timeval *b);
unsigned int ndpi_timer_lt(const pkt_timeval *a, const pkt_timeval *b);
void ndpi_timer_sub(const pkt_timeval *a, const pkt_timeval *b, pkt_timeval *result);
void ndpi_timer_clear(pkt_timeval *a);
unsigned int ndpi_timeval_to_milliseconds(pkt_timeval ts);
unsigned int ndpi_timeval_to_microseconds(pkt_timeval ts);
void ndpi_log_timestamp(char *log_ts, uint32_t log_ts_len);
#endif /* NDPI_CLASSIFY_H */


@ -50,7 +50,9 @@
#include <endian.h>
#define __BYTE_ORDER BYTE_ORDER
#if BYTE_ORDER == LITTLE_ENDIAN
#ifndef __LITTLE_ENDIAN__
#define __LITTLE_ENDIAN__
#endif /* __LITTLE_ENDIAN__ */
#else
#define __BIG_ENDIAN__
#endif/* BYTE_ORDER */
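Review bot: The `#ifndef __LITTLE_ENDIAN__` guard added around the little-endian define has no counterpart on the `#else` side, where `#define __BIG_ENDIAN__` stays unconditional; a toolchain that predefines `__BIG_ENDIAN__` with a different value (the same situation that motivated the new guard) gets a macro-redefinition diagnostic there. Mirror the guard: `#ifndef __BIG_ENDIAN__` / `#define __BIG_ENDIAN__` / `#endif /* __BIG_ENDIAN__ */`.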


@ -24,7 +24,21 @@
#ifndef __NDPI_INCLUDES_H__
#define __NDPI_INCLUDES_H__
#ifndef __KERNEL__
#ifdef __KERNEL__
#include <asm/byteorder.h>
#include <linux/types.h>
#include <linux/spinlock.h>
#include <linux/in.h>
#include <linux/times.h>
#include <linux/ctype.h>
#include <linux/slab.h>
#define printf(format, ...) printk(format,##__VA_ARGS__)
#ifndef IPVERSION
#define IPVERSION 4
#endif
#else
#include <stdint.h>
#include <stdio.h>
@ -58,31 +72,20 @@
#if defined __NetBSD__ || defined __OpenBSD__
#include <netinet/in_systm.h>
#endif
#ifdef __OpenBSD__
#endif
#endif
#if defined __OpenBSD__
#include <pthread.h>
#endif
#endif
#endif
#endif
#include "ndpi_includes_OpenBSD.h"
#else
typedef struct timeval pkt_timeval;
#endif /* __OpenBSD__ */
#endif /* Win32 */
#else /* KERNEL */
#include <asm/byteorder.h>
#include <linux/types.h>
#include <linux/spinlock.h>
#include <linux/in.h>
#include <linux/times.h>
#include <linux/ctype.h>
#include <linux/slab.h>
#define printf(format, ...) printk(format,##__VA_ARGS__)
#ifndef IPVERSION
#define IPVERSION 4
#endif
#endif
#endif /* __KERNEL__ */
#endif /* __NDPI_INCLUDES_H__ */
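Review bot: The `typedef struct timeval pkt_timeval;` is introduced only on the `#else` of the `__OpenBSD__` test inside the non-Win32, non-kernel branch; neither the `__KERNEL__` block moved to the top nor the Win32 branch closed at `#endif /* Win32 */` visibly provides the name, yet ndpi_classify.h now includes this header and uses `pkt_timeval` in its prototypes. Unless ndpi_win32.h (not shown here) supplies it, Windows and kernel builds fail on those prototypes. A single fallback after the platform branches, `#ifndef __OpenBSD__` / `typedef struct timeval pkt_timeval;` / `#endif`, replacing the nested one, would keep every branch consistent; confirm that `struct timeval` is in scope in the kernel branch before relying on it.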


@ -0,0 +1,35 @@
/*
* ndpi_includes_OpenBSD.h
*
* Copyright (C) 2011-16 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* nDPI is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with nDPI. If not, see <http://www.gnu.org/licenses/>.
*
*/
#ifndef __NDPI_INCLUDES_OPENBSD_H__
#define __NDPI_INCLUDES_OPENBSD_H__
#ifndef IPPROTO_SCTP
#define IPPROTO_SCTP 132
#endif /* IPPROTO_SCTP */
#include <net/bpf.h>
typedef struct bpf_timeval pkt_timeval;
#endif /* __NDPI_INCLUDES_OPENBSD_H__ */


@ -87,7 +87,7 @@ typedef enum {
NDPI_PROTOCOL_ZATTOO = 55,
NDPI_PROTOCOL_SHOUTCAST = 56,
NDPI_PROTOCOL_SOPCAST = 57,
NDPI_PROTOCOL_FREE_58 = 58, /* Free */
NDPI_PROTOCOL_DISCORD = 58,
NDPI_PROTOCOL_TVUPLAYER = 59,
NDPI_PROTOCOL_HTTP_DOWNLOAD = 60,
NDPI_PROTOCOL_QQLIVE = 61,
@ -282,6 +282,7 @@ typedef enum {
NDPI_PROTOCOL_MSTEAMS = 250,
NDPI_PROTOCOL_WEBSOCKET = 251, /* Leonn Paiva <leonn.paiva@gmail.com> */
NDPI_PROTOCOL_ANYDESK = 252, /* Toni Uhlig <matzeton@googlemail.com> */
NDPI_PROTOCOL_SOAP = 253, /* Toni Uhlig <matzeton@googlemail.com> */
#ifdef CUSTOM_NDPI_PROTOCOLS
#include "../../../nDPI-custom/custom_ndpi_protocol_ids.h"


@ -218,5 +218,6 @@ void init_dnp3_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
void init_104_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_s7comm_dissector(struct ndpi_detection_module_struct *ndpi_struct,u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_websocket_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_soap_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
#endif /* __NDPI_PROTOCOLS_H__ */


@ -85,6 +85,8 @@ typedef enum {
NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER,
NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER,
NDPI_SMB_INSECURE_VERSION,
NDPI_TLS_SUSPICIOUS_ESNI_USAGE,
NDPI_BLACKLISTED_HOST,
/* Leave this as last member */
NDPI_MAX_RISK
@ -733,6 +735,9 @@ struct ndpi_flow_tcp_struct {
/* NDPI_PROTOCOL_MAIL_IMAP */
u_int32_t mail_imap_stage:3, mail_imap_starttls:2;
/* NDPI_PROTOCOL_SOAP */
u_int32_t soap_stage:1;
/* NDPI_PROTOCOL_SKYPE */
u_int8_t skype_packet_id;
@ -961,6 +966,11 @@ typedef enum {
NDPI_PROTOCOL_CATEGORY_SHOPPING,
NDPI_PROTOCOL_CATEGORY_PRODUCTIVITY,
NDPI_PROTOCOL_CATEGORY_FILE_SHARING,
/*
The category below is used by sites who are used
to test connectivity
*/
NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK,
/* Some custom categories */
CUSTOM_CATEGORY_MINING = 99,


@ -76,9 +76,6 @@ typedef unsigned __int64 u_int64_t;
extern unsigned long waitForNextEvent(unsigned long ulDelay /* ms */);
#define sleep(a /* sec */) waitForNextEvent(1000*a /* ms */)
#ifndef localtime_r
#define localtime_r(a, b) localtime_s(b, a)
#endif
#define strtok_r strtok_s
#define timegm _mkgmtime


@ -141,6 +141,7 @@ libndpi_a_SOURCES = ndpi_content_match.c.inc \
protocols/skype.c \
protocols/smb.c \
protocols/snmp_proto.c \
protocols/soap.c \
protocols/socks45.c \
protocols/sopcast.c \
protocols/soulseek.c \


@ -240,9 +240,9 @@ float ndpi_parameters_bd[NUM_PARAMETERS_BD_LOGREG] = {
};
/**
* \fn void ndpi_merge_splt_arrays (const uint16_t *pkt_len, const struct timeval *pkt_time,
const uint16_t *pkt_len_twin, const struct timeval *pkt_time_twin,
struct timeval start_time, struct timeval start_time_twin,
* \fn void ndpi_merge_splt_arrays (const uint16_t *pkt_len, const pkt_timeval *pkt_time,
const uint16_t *pkt_len_twin, const pkt_timeval *pkt_time_twin,
pkt_timeval start_time, pkt_timeval start_time_twin,
uint16_t s_idx, uint16_t r_idx,
uint16_t *merged_lens, uint16_t *merged_times,
uint32_t max_num_pkt_len, uint32_t max_merged_num_pkts)
@ -260,16 +260,16 @@ float ndpi_parameters_bd[NUM_PARAMETERS_BD_LOGREG] = {
* \return none
*/
void
ndpi_merge_splt_arrays (const uint16_t *pkt_len, const struct timeval *pkt_time,
const uint16_t *pkt_len_twin, const struct timeval *pkt_time_twin,
struct timeval start_time, struct timeval start_time_twin,
ndpi_merge_splt_arrays (const uint16_t *pkt_len, const pkt_timeval *pkt_time,
const uint16_t *pkt_len_twin, const pkt_timeval *pkt_time_twin,
pkt_timeval start_time, pkt_timeval start_time_twin,
uint16_t s_idx, uint16_t r_idx,
uint16_t *merged_lens, uint16_t *merged_times)
{
int s,r;
struct timeval ts_start = { 0, 0 }; /* initialize to avoid spurious warnings */
struct timeval tmp, tmp_r;
struct timeval start_m;
pkt_timeval ts_start = { 0, 0 }; /* initialize to avoid spurious warnings */
pkt_timeval tmp, tmp_r;
pkt_timeval start_m;
if(r_idx + s_idx == 0) {
return ;
@ -419,9 +419,9 @@ ndpi_get_mc_rep_times (uint16_t *times, float *time_mc, uint16_t num_packets)
}
/**
* \fn float classify (const unsigned short *pkt_len, const struct timeval *pkt_time,
const unsigned short *pkt_len_twin, const struct timeval *pkt_time_twin,
struct timeval start_time, struct timeval start_time_twin, uint32_t max_num_pkt_len,
* \fn float classify (const unsigned short *pkt_len, const pkt_timeval *pkt_time,
const unsigned short *pkt_len_twin, const pkt_timeval *pkt_time_twin,
pkt_timeval start_time, pkt_timeval start_time_twin, uint32_t max_num_pkt_len,
uint16_t sp, uint16_t dp, uint32_t op, uint32_t ip, uint32_t np_o, uint32_t np_i,
uint32_t ob, uint32_t ib, uint16_t use_bd, const uint32_t *bd, const uint32_t *bd_t)
* \param pkt_len length of the packet
@ -445,9 +445,9 @@ ndpi_get_mc_rep_times (uint16_t *times, float *time_mc, uint16_t num_packets)
* \return float score
*/
float
ndpi_classify (const unsigned short *pkt_len, const struct timeval *pkt_time,
const unsigned short *pkt_len_twin, const struct timeval *pkt_time_twin,
struct timeval start_time, struct timeval start_time_twin, uint32_t max_num_pkt_len,
ndpi_classify (const unsigned short *pkt_len, const pkt_timeval *pkt_time,
const unsigned short *pkt_len_twin, const pkt_timeval *pkt_time_twin,
pkt_timeval start_time, pkt_timeval start_time_twin, uint32_t max_num_pkt_len,
uint16_t sp, uint16_t dp, uint32_t op, uint32_t ip, uint32_t np_o, uint32_t np_i,
uint32_t ob, uint32_t ib, uint16_t use_bd, const uint32_t *bd, const uint32_t *bd_t)
{
@ -604,8 +604,8 @@ ndpi_update_params (classifier_type_codes_t param_type, const char *param_file)
* \return 1 if equal, 0 otherwise
*/
unsigned int
ndpi_timer_eq(const struct timeval *a,
const struct timeval *b)
ndpi_timer_eq(const pkt_timeval *a,
const pkt_timeval *b)
{
if(a->tv_sec == b->tv_sec && a->tv_usec == b->tv_usec) {
return 1;
@ -615,8 +615,8 @@ ndpi_timer_eq(const struct timeval *a,
}
unsigned int
ndpi_timer_lt(const struct timeval *a,
const struct timeval *b)
ndpi_timer_lt(const pkt_timeval *a,
const pkt_timeval *b)
{
return (a->tv_sec == b->tv_sec) ?
(a->tv_usec < b->tv_usec):(a->tv_sec < b->tv_sec);
@ -630,9 +630,9 @@ ndpi_timer_lt(const struct timeval *a,
* \return none
*/
void
ndpi_timer_sub(const struct timeval *a,
const struct timeval *b,
struct timeval *result)
ndpi_timer_sub(const pkt_timeval *a,
const pkt_timeval *b,
pkt_timeval *result)
{
result->tv_sec = a->tv_sec - b->tv_sec;
result->tv_usec = a->tv_usec - b->tv_usec;
@ -648,7 +648,7 @@ ndpi_timer_sub(const struct timeval *a,
* \return none
*/
void
ndpi_timer_clear(struct timeval *a)
ndpi_timer_clear(pkt_timeval *a)
{
a->tv_sec = a->tv_usec = 0;
}
@ -659,7 +659,7 @@ ndpi_timer_clear(struct timeval *a)
* \return unsigned int - Milliseconds
*/
unsigned int
ndpi_timeval_to_milliseconds(struct timeval ts)
ndpi_timeval_to_milliseconds(pkt_timeval ts)
{
unsigned int result = ts.tv_usec / 1000 + ts.tv_sec * 1000;
return result;
@ -671,7 +671,7 @@ ndpi_timeval_to_milliseconds(struct timeval ts)
* \return unsigned int - Milliseconds
*/
unsigned int
ndpi_timeval_to_microseconds(struct timeval ts)
ndpi_timeval_to_microseconds(pkt_timeval ts)
{
unsigned int result = ts.tv_usec + ts.tv_sec * 1000 * 1000;
return result;
@ -680,7 +680,7 @@ ndpi_timeval_to_microseconds(struct timeval ts)
void
ndpi_log_timestamp(char *log_ts, uint32_t log_ts_len)
{
struct timeval tv;
pkt_timeval tv;
time_t nowtime;
struct tm nowtm_r;
char tmbuf[NDPI_TIMESTAMP_LEN];
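Review bot: With `pkt_timeval` now aliasing `struct bpf_timeval` on OpenBSD (ndpi_includes_OpenBSD.h in this commit), `ndpi_timer_sub` computes `result->tv_sec = a->tv_sec - b->tv_sec;` and `result->tv_usec = a->tv_usec - b->tv_usec;` in that struct's member type, which on OpenBSD is, as far as I recall, `u_int32_t` rather than the signed `time_t`/`suseconds_t` of `struct timeval`; a negative difference then wraps, and the usec borrow fix-up that follows (outside the hunk) can never see a value below zero. Widening before subtracting, e.g. `int64_t dsec = (int64_t) a->tv_sec - (int64_t) b->tv_sec;` and deriving both result fields from the signed values, keeps the function correct for either alias. Worth a comment on the `pkt_timeval` parameters noting that the member types differ per platform, since the rest of the file's arithmetic assumes signed fields.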


@ -31,6 +31,7 @@
#include "ndpi_api.h"
#include "ndpi_config.h"
#include "ndpi_includes.h"
#include <time.h>
#ifndef WIN32
@ -167,13 +168,15 @@ static int ndpi_community_id_peer_v4_is_less_than(u_int32_t ip1, u_int32_t ip2,
static int ndpi_community_id_peer_v6_is_less_than(struct ndpi_in6_addr *ip1, struct ndpi_in6_addr *ip2, u_int16_t p1, u_int16_t p2) {
int comp = memcmp(ip1, ip2, sizeof(struct ndpi_in6_addr));
return comp < 0 || (comp == 0 && p1 < p2);
}
/* **************************************************** */
static void ndpi_community_id_sha1_hash(const uint8_t *message, size_t len, u_char *hash /* 20-bytes */) {
void ndpi_string_sha1_hash(const uint8_t *message, size_t len, u_char *hash /* 20-bytes */) {
SHA1_CTX ctx;
SHA1Init(&ctx);
SHA1Update(&ctx, message, len);
SHA1Final(hash, &ctx);
@ -185,7 +188,8 @@ static void ndpi_community_id_sha1_hash(const uint8_t *message, size_t len, u_ch
https://github.com/corelight/community-id-spec/blob/bda913f617389df07cdaa23606e11bbd318e265c/community-id.py#L285
*/
static int ndpi_community_id_finalize_and_compute_hash(u_int8_t *comm_buf, u_int16_t off, u_int8_t l4_proto,
u_int16_t src_port, u_int16_t dst_port, char *hash_buf, u_int8_t hash_buf_len) {
u_int16_t src_port, u_int16_t dst_port,
char *hash_buf, u_int8_t hash_buf_len) {
u_int8_t pad = 0;
uint32_t hash[5];
char *community_id;
@ -209,12 +213,12 @@ static int ndpi_community_id_finalize_and_compute_hash(u_int8_t *comm_buf, u_int
}
/* Compute SHA1 */
ndpi_community_id_sha1_hash(comm_buf, off, (u_char*)hash);
ndpi_string_sha1_hash(comm_buf, off, (u_char*)hash);
/* Base64 encoding */
community_id = ndpi_base64_encode((u_int8_t*)hash, sizeof(hash));
if (community_id == NULL)
if(community_id == NULL)
return -1;
#if 0 /* Debug Info */
@ -231,7 +235,7 @@ static int ndpi_community_id_finalize_and_compute_hash(u_int8_t *comm_buf, u_int
printf("Base64: %s\n", community_id);
#endif
if (hash_buf_len < 2 || hash_buf_len-2 < strlen(community_id)+1) {
if(hash_buf_len < 2 || hash_buf_len-2 < strlen(community_id)+1) {
ndpi_free(community_id);
return -1;
}


@ -9139,6 +9139,13 @@ ndpi_protocol_match host_match[] =
{ ".net.anydesk.com", "AnyDesk", NDPI_PROTOCOL_ANYDESK, NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, NDPI_PROTOCOL_ACCEPTABLE },
{ "discordapp.com", "Discord", NDPI_PROTOCOL_DISCORD, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE },
{ "discordapp.net", "Discord", NDPI_PROTOCOL_DISCORD, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE },
{ "discord.com", "Discord", NDPI_PROTOCOL_DISCORD, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE },
{ "discord.gg", "Discord", NDPI_PROTOCOL_DISCORD, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE },
{ "discord.media", "Discord", NDPI_PROTOCOL_DISCORD, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE },
{ NULL, NULL, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_SAFE }
};
@ -9176,6 +9183,21 @@ static ndpi_category_match category_match[] = {
{ "iptv.sky.", NDPI_PROTOCOL_CATEGORY_STREAMING },
{ "pcdn.skycdn.", NDPI_PROTOCOL_CATEGORY_STREAMING },
/* https://success.tanaza.com/s/article/How-Automatic-Detection-of-Captive-Portal-works */
{ "captive.apple.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK },
{ "thinkdifferent.us", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK },
{ "airport.us", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK },
{ "gsp1.apple.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK },
{ "msftconnecttest.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK },
{ "testconnectivity.microsoft.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK },
{ "msftncsi.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK },
{ "msftncsi.com.edgesuite.net", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK },
{ "teredo.ipv6.microsoft.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK },
{ "teredo.ipv6.microsoft.com.nsatc.net", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK },
{ "detectportal.firefox.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK },
{ "connectivitycheck.android.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK },
{ "connectivitycheck.gstatic.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK },
/* Hulu Streaming services AS23286 */
{ "8.28.124.0/24", NDPI_PROTOCOL_CATEGORY_STREAMING },
{ "8.28.125.0/24", NDPI_PROTOCOL_CATEGORY_STREAMING },
@ -9327,7 +9349,7 @@ static const char *ndpi_en_popular_bigrams[] = {
static const char *ndpi_en_impossible_bigrams[] = {
"bk", "bq", "bx", "cb", "cf", "cg", "cj", "cp", "cv", "cw", "cx", "dx", "fk", "fq", "fv", "fx", /* "ee", removed it can be found in 'meeting' */
"fz", "gq", "gv", "gx", "hh", "hk", "hv", "hx", "hz", "iy", "jb", /* "jc", jcrew.com */ "jd", "jf", "jg", "jh", "jk",
"jl", "jm", "jn", "jp", "jq", /* "jr",*/ /* "js", */ "jt", "jv", "jw", "jx", "jy", "jz", "kg", "kq", "kv", "kx",
"jl", "jm", "jn", "jp", "jq", /* "jr",*/ /* "js", */ "jt", "jv", "jw", "jx", "jy", "jz", /* "kg", */ "kq", "kv", "kx",
"kz", "lq", "lx", /* "mg" tamgrt.com , */ "mj", /* "mq", mqtt */ "mx", "mz", "pq", "pv", "px", "qb", "qc", "qd", "qe", "qf", "ii",
"qg", "qh", "qj", "qk", "ql", "qm", "qn", "qo", "qp", "qr", "qs", "qt", "qv", "qw", "qx", "qy", "uu",
"qz", "sx", "sz", "tq", "tx", "vb", "vc", "vd", "vf", "vg", "vh", "vj", "vm", "vn", /* "vp", Removed for vpbank.com */ "bw", /* "vk", "zr" Removed for kavkazr */


@ -953,8 +953,8 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, no_master, "Sopcast", NDPI_PROTOCOL_CATEGORY_VIDEO,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_FREE_58, 0 /* can_have_a_subprotocol */,
no_master, no_master, "Free58", NDPI_PROTOCOL_CATEGORY_VIDEO,
ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DISCORD, 0 /* can_have_a_subprotocol */,
no_master, no_master, "Discord", NDPI_PROTOCOL_CATEGORY_COLLABORATIVE,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_TVUPLAYER, 0 /* can_have_a_subprotocol */,
@ -1532,6 +1532,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, "AnyDesk", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SOAP, 1 /* no subprotocol */,
no_master, no_master, "SOAP", NDPI_PROTOCOL_CATEGORY_RPC,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
#ifdef CUSTOM_NDPI_PROTOCOLS
#include "../../../nDPI-custom/custom_ndpi_main.c"
@ -1924,7 +1928,7 @@ static const char *categories[] = {
"Shopping",
"Productivity",
"FileSharing",
"",
"ConnectivityCheck",
"",
"",
"",
@ -2623,79 +2627,85 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_str, char *rule,
}
}
if (def == NULL) {
if (!do_add) {
/* We need to remove a rule */
NDPI_LOG_ERR(ndpi_str, "Unable to find protocol '%s': skipping rule '%s'\n", proto, rule);
return (-3);
} else {
ndpi_port_range ports_a[MAX_DEFAULT_PORTS], ports_b[MAX_DEFAULT_PORTS];
u_int16_t no_master[2] = {NDPI_PROTOCOL_NO_MASTER_PROTO, NDPI_PROTOCOL_NO_MASTER_PROTO};
if(def == NULL) {
if(!do_add) {
/* We need to remove a rule */
NDPI_LOG_ERR(ndpi_str, "Unable to find protocol '%s': skipping rule '%s'\n", proto, rule);
return(-3);
} else {
ndpi_port_range ports_a[MAX_DEFAULT_PORTS], ports_b[MAX_DEFAULT_PORTS];
u_int16_t no_master[2] = {NDPI_PROTOCOL_NO_MASTER_PROTO, NDPI_PROTOCOL_NO_MASTER_PROTO};
if (ndpi_str->ndpi_num_custom_protocols >= (NDPI_MAX_NUM_CUSTOM_PROTOCOLS - 1)) {
NDPI_LOG_ERR(ndpi_str, "Too many protocols defined (%u): skipping protocol %s\n",
ndpi_str->ndpi_num_custom_protocols, proto);
return (-2);
}
if(ndpi_str->ndpi_num_custom_protocols >= (NDPI_MAX_NUM_CUSTOM_PROTOCOLS - 1)) {
NDPI_LOG_ERR(ndpi_str, "Too many protocols defined (%u): skipping protocol %s\n",
ndpi_str->ndpi_num_custom_protocols, proto);
return(-2);
}
ndpi_set_proto_defaults(
ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, ndpi_str->ndpi_num_supported_protocols,
0 /* can_have_a_subprotocol */, no_master, no_master, proto,
NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, /* TODO add protocol category support in rules */
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
def = &ndpi_str->proto_defaults[ndpi_str->ndpi_num_supported_protocols];
subprotocol_id = ndpi_str->ndpi_num_supported_protocols;
ndpi_str->ndpi_num_supported_protocols++, ndpi_str->ndpi_num_custom_protocols++;
}
ndpi_set_proto_defaults(
ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, ndpi_str->ndpi_num_supported_protocols,
0 /* can_have_a_subprotocol */, no_master, no_master, proto,
NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, /* TODO add protocol category support in rules */
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
def = &ndpi_str->proto_defaults[ndpi_str->ndpi_num_supported_protocols];
subprotocol_id = ndpi_str->ndpi_num_supported_protocols;
ndpi_str->ndpi_num_supported_protocols++, ndpi_str->ndpi_num_custom_protocols++;
}
}
while ((elem = strsep(&rule, ",")) != NULL) {
char *attr = elem, *value = NULL;
ndpi_port_range range;
int is_tcp = 0, is_udp = 0, is_ip = 0;
if(strncmp(attr, "tcp:", 4) == 0)
is_tcp = 1, value = &attr[4];
else if(strncmp(attr, "udp:", 4) == 0)
is_udp = 1, value = &attr[4];
else if(strncmp(attr, "ip:", 3) == 0)
is_ip = 1, value = &attr[3];
else if(strncmp(attr, "host:", 5) == 0) {
/* host:"<value>",host:"<value>",.....@<subproto> */
u_int i, max_len;
value = &attr[5];
if(value[0] == '"')
value++; /* remove leading " */
max_len = strlen(value) - 1;
if(value[max_len] == '"')
value[max_len] = '\0'; /* remove trailing " */
for(i=0; i<max_len; i++) value[i] = tolower(value[i]);
}
while ((elem = strsep(&rule, ",")) != NULL) {
char *attr = elem, *value = NULL;
ndpi_port_range range;
int is_tcp = 0, is_udp = 0, is_ip = 0;
if (is_tcp || is_udp) {
u_int p_low, p_high;
if (strncmp(attr, "tcp:", 4) == 0)
is_tcp = 1, value = &attr[4];
else if (strncmp(attr, "udp:", 4) == 0)
is_udp = 1, value = &attr[4];
else if (strncmp(attr, "ip:", 3) == 0)
is_ip = 1, value = &attr[3];
else if (strncmp(attr, "host:", 5) == 0) {
/* host:"<value>",host:"<value>",.....@<subproto> */
value = &attr[5];
if (value[0] == '"')
value++; /* remove leading " */
if (value[strlen(value) - 1] == '"')
value[strlen(value) - 1] = '\0'; /* remove trailing " */
}
if (sscanf(value, "%u-%u", &p_low, &p_high) == 2)
range.port_low = p_low, range.port_high = p_high;
else
range.port_low = range.port_high = atoi(&elem[4]);
if (is_tcp || is_udp) {
u_int p_low, p_high;
if (sscanf(value, "%u-%u", &p_low, &p_high) == 2)
range.port_low = p_low, range.port_high = p_high;
else
range.port_low = range.port_high = atoi(&elem[4]);
if (do_add)
addDefaultPort(ndpi_str, &range, def, 1 /* Custom user proto */,
is_tcp ? &ndpi_str->tcpRoot : &ndpi_str->udpRoot, __FUNCTION__, __LINE__);
else
removeDefaultPort(&range, def, is_tcp ? &ndpi_str->tcpRoot : &ndpi_str->udpRoot);
} else if (is_ip) {
/* NDPI_PROTOCOL_TOR */
ndpi_add_host_ip_subprotocol(ndpi_str, value, subprotocol_id);
} else if(value) {
if (do_add)
ndpi_add_host_url_subprotocol(ndpi_str, value, subprotocol_id, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED,
NDPI_PROTOCOL_ACCEPTABLE);
else
ndpi_remove_host_url_subprotocol(ndpi_str, value, subprotocol_id);
}
if (do_add)
addDefaultPort(ndpi_str, &range, def, 1 /* Custom user proto */,
is_tcp ? &ndpi_str->tcpRoot : &ndpi_str->udpRoot, __FUNCTION__, __LINE__);
else
removeDefaultPort(&range, def, is_tcp ? &ndpi_str->tcpRoot : &ndpi_str->udpRoot);
} else if (is_ip) {
/* NDPI_PROTOCOL_TOR */
ndpi_add_host_ip_subprotocol(ndpi_str, value, subprotocol_id);
} else if(value) {
if (do_add)
ndpi_add_host_url_subprotocol(ndpi_str, value, subprotocol_id, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED,
NDPI_PROTOCOL_ACCEPTABLE);
else
ndpi_remove_host_url_subprotocol(ndpi_str, value, subprotocol_id);
}
}
return(0);
return(0);
}
/* ******************************************************************** */
@ -3382,6 +3392,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
/* WEBSOCKET */
init_websocket_dissector(ndpi_str, &a, detection_bitmask);
/* SOAP */
init_soap_dissector(ndpi_str, &a, detection_bitmask);
#ifdef CUSTOM_NDPI_PROTOCOLS
#include "../../../nDPI-custom/custom_ndpi_main_init.c"
#endif
@ -4836,21 +4849,34 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
if(found
&& (found->proto->protoId != NDPI_PROTOCOL_UNKNOWN)
&& (found->proto->protoId != ret.master_protocol)) {
&& (found->proto->protoId != ret.master_protocol)
&& (found->proto->protoId != ret.app_protocol)
) {
// printf("******** %u / %u\n", found->proto->protoId, ret.master_protocol);
if(!ndpi_check_protocol_port_mismatch_exceptions(ndpi_str, flow, found, &ret))
NDPI_SET_BIT(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT);
} else if(default_ports && (default_ports[0] != 0)) {
u_int8_t found = 0, i;
u_int8_t found = 0, i, num_loops = 0;
check_default_ports:
for(i=0; (i<MAX_DEFAULT_PORTS) && (default_ports[i] != 0); i++) {
if((default_ports[i] == sport) || (default_ports[i] == dport)) {
found = 1;
break;
}
}
} /* for */
if((num_loops == 0) && (!found)) {
if(flow->packet.udp)
default_ports = ndpi_str->proto_defaults[ret.app_protocol].udp_default_ports;
else
default_ports = ndpi_str->proto_defaults[ret.app_protocol].tcp_default_ports;
num_loops = 1;
goto check_default_ports;
}
if(!found) {
// printf("******** Invalid default port\n");
NDPI_SET_BIT(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT);
@ -6228,7 +6254,7 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_
int ndpi_match_hostname_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow,
u_int16_t master_protocol, char *name, u_int name_len) {
ndpi_protocol_match_result ret_match;
u_int16_t subproto, what_len;
u_int16_t subproto, what_len, i;
char *what;
if((name_len > 2) && (name[0] == '*') && (name[1] == '.'))
@ -6236,6 +6262,9 @@ int ndpi_match_hostname_protocol(struct ndpi_detection_module_struct *ndpi_struc
else
what = name, what_len = name_len;
/* Convert it first to lowercase: we assume meory is writable as in nDPI dissctors */
for(i=0; i<name_len; i++) what[i] = tolower(what[i]);
subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, what, what_len, &ret_match, master_protocol);
if(subproto != NDPI_PROTOCOL_UNKNOWN) {
@ -6700,7 +6729,7 @@ static int enough(int a, int b) {
/* ******************************************************************** */
// #define DGA_DEBUG 1
/* #define DGA_DEBUG 1 */
int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
struct ndpi_flow_struct *flow,
@ -6777,18 +6806,16 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
printf("-> Checking %c%c\n", word[i], word[i+1]);
#endif
if(ndpi_match_bigram(ndpi_str, &ndpi_str->bigrams_automa, &word[i])) {
num_found++;
} else {
if(ndpi_match_bigram(ndpi_str,
&ndpi_str->impossible_bigrams_automa,
&word[i])) {
if(ndpi_match_bigram(ndpi_str,
&ndpi_str->impossible_bigrams_automa,
&word[i])) {
#ifdef DGA_DEBUG
printf("IMPOSSIBLE %s\n", &word[i]);
printf("IMPOSSIBLE %s\n", &word[i]);
#endif
num_impossible++;
}
}
num_impossible++;
} else if(ndpi_match_bigram(ndpi_str, &ndpi_str->bigrams_automa, &word[i])) {
num_found++;
}
} /* for */
} /* for */
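Review bot: The lowercase loop `for(i=0; i<name_len; i++) what[i] = tolower(what[i]);` in the ndpi_match_hostname_protocol hunk runs name_len iterations over `what`, but the branch just above it presumably points `what` past the `*.` prefix (that assignment is outside the hunk) while `what_len` is shortened accordingly, so for such names the last two iterations write beyond the end of `name`; bounding on the length computed for that pointer, `for(i=0; i<what_len; i++) what[i] = tolower((unsigned char)what[i]);`, fixes it. `i` is declared u_int16_t while name_len is u_int, so a name longer than 65535 bytes would also keep the loop from ever terminating; declaring `i` as u_int avoids that. The comment on that line should read `/* Convert it first to lowercase: we assume memory is writable as in nDPI dissectors */`. In the ndpi_handle_rule hunk the new `host:` branch sets `max_len = strlen(value) - 1` and lowercases only `i<max_len`, so an unquoted host keeps its last character in the original case, and an empty value (`host:` or `host:"`) wraps max_len to UINT_MAX and indexes out of bounds; guard `strlen(value) == 0` first and lowercase the whole remaining length. ndpi_match_hostname_protocol's body continues outside its hunk.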


@ -58,7 +58,7 @@ _P(NDPI_PROTOCOL_PPSTREAM),
_P(NDPI_PROTOCOL_ZATTOO),
_P(NDPI_PROTOCOL_SHOUTCAST),
_P(NDPI_PROTOCOL_SOPCAST),
_P(NDPI_PROTOCOL_FREE_58),
_P(NDPI_PROTOCOL_DISCORD),
_P(NDPI_PROTOCOL_TVUPLAYER),
_P(NDPI_PROTOCOL_HTTP_DOWNLOAD),
_P(NDPI_PROTOCOL_QQLIVE),
@ -252,6 +252,7 @@ _P(NDPI_PROTOCOL_ZABBIX),
_P(NDPI_PROTOCOL_S7COMM),
_P(NDPI_PROTOCOL_MSTEAMS),
_P(NDPI_PROTOCOL_WEBSOCKET),
_P(NDPI_PROTOCOL_ANYDESK)
_P(NDPI_PROTOCOL_ANYDESK),
_P(NDPI_PROTOCOL_SOAP)
};


@ -881,6 +881,7 @@ u_char* ndpi_base64_decode(const u_char *src, size_t len, size_t *out_len) {
/* ********************************** */
/* NOTE: caller MUST free returned pointer */
char* ndpi_base64_encode(unsigned char const* bytes_to_encode, size_t in_len) {
size_t len = 0, ret_size;
char *ret;
@ -1543,7 +1544,10 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
case NDPI_SMB_INSECURE_VERSION:
return("SMB Insecure Version");
case NDPI_TLS_SUSPICIOUS_ESNI_USAGE:
return("TLS Suspicious ESNI Usage");
default:
snprintf(buf, sizeof(buf), "%d", (int)risk);
return(buf);


@ -70,6 +70,7 @@ static void ndpi_analyze_content_signature(struct ndpi_flow_struct *flow) {
static int ndpi_search_http_tcp_again(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
ndpi_search_http_tcp(ndpi_struct, flow);
#ifdef HTTP_DEBUG
@ -133,7 +134,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
}
/* check for attachment */
if (packet->content_disposition_line.len > 0) {
if(packet->content_disposition_line.len > 0) {
u_int8_t attachment_len = sizeof("attachment; filename");
if(packet->content_disposition_line.len > attachment_len) {
@ -224,7 +225,7 @@ static void rtsp_parse_packet_acceptline(struct ndpi_detection_module_struct
static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow, char *ua) {
if ( !strcmp(ua, "Windows NT 5.0")) ua = "Windows 2000";
if( !strcmp(ua, "Windows NT 5.0")) ua = "Windows 2000";
else if(!strcmp(ua, "Windows NT 5.1")) ua = "Windows XP";
else if(!strcmp(ua, "Windows NT 5.2")) ua = "Windows Server 2003";
else if(!strcmp(ua, "Windows NT 6.0")) ua = "Windows Vista";
@ -749,7 +750,8 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
packet->packet_lines_parsed_complete = 0;
/* Check if we so far detected the protocol in the request or not. */
if(flow->l4.tcp.http_stage == 0) {
if((packet->payload_packet_len > 0) /* Needed in case of extra packet processing */
&& (flow->l4.tcp.http_stage == 0)) {
/* Expected a request */
flow->http_detected = 0;
@ -831,7 +833,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
/* try to get some additional request header info even if the packet may not be HTTP */
ndpi_parse_packet_line_info(ndpi_struct, flow);
if (packet->http_num_headers > 0) {
if(packet->http_num_headers > 0) {
check_content_type_and_change_protocol(ndpi_struct, flow);
return;
}


@ -40,7 +40,7 @@ void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, str
&& get_u_int8_t(packet->payload, 2) == 0x00 //3rd byte of packet length
&& get_u_int8_t(packet->payload, 3) == 0x00 //packet sequence number is 0 for startup packet
&& get_u_int8_t(packet->payload, 5) > 0x30 //server version > 0
&& get_u_int8_t(packet->payload, 5) < 0x37 //server version < 7
&& get_u_int8_t(packet->payload, 5) < 0x39 //server version < 9
&& get_u_int8_t(packet->payload, 6) == 0x2e //dot
) {
#if 0
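Review bot: The bound `get_u_int8_t(packet->payload, 5) < 0x39` compares an ASCII digit, so writing it as `'9'` (and the lower bound as `'0'`) would make the intent visible without relying on the trailing comment. Together with the `== 0x2e` check on byte 6 the greeting is still only accepted for a single-digit major version, so a server reporting a two-digit major (MariaDB 10.x does, if I recall correctly) is not matched here; that is pre-existing rather than introduced by this change. ndpi_search_mysql_tcp starts and ends outside the hunk.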

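--- /dev/null
+++ b/src/lib/protocols/soap.c
@@ -0,0 +1,70 @@
+/*
+* soap.c
+*
+* Copyright (C) 2020 - ntop.org
+*
+* nDPI is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Lesser General Public License as published by
+* the Free Software Foundation, either version 3 of the License, or
+* (at your option) any later version.
+*
+* nDPI is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public License
+* along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+*
+*/
+#include "ndpi_protocol_ids.h"
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SOAP
+#include "ndpi_api.h"
+static void ndpi_int_soap_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
+struct ndpi_flow_struct *flow)
+{
+ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOAP, NDPI_PROTOCOL_UNKNOWN);
+}
+void ndpi_search_soap(struct ndpi_detection_module_struct *ndpi_struct,
+struct ndpi_flow_struct *flow)
+{
+struct ndpi_packet_struct *packet = &flow->packet;
+NDPI_LOG_DBG(ndpi_struct, "search soap\n");
+if (flow->packet_counter > 3)
+{
+if (flow->l4.tcp.soap_stage == 1)
+{
+ndpi_int_soap_add_connection(ndpi_struct, flow);
+}
+else {
+NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+}
+}
+if (flow->l4.tcp.soap_stage == 0 &&
+packet->payload_packet_len >= 19)
+{
+if (strncmp((char*)packet->payload, "<?xml version=\"1.0\"", 19) == 0)
+{
+flow->l4.tcp.soap_stage = 1;
+}
+}
+}
+void init_soap_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id,
+NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+ndpi_set_bitmask_protocol_detection(
+"SOAP", ndpi_struct, detection_bitmask, *id,
+NDPI_PROTOCOL_SOAP, ndpi_search_soap, NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
+SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK);
+*id += 1;
+}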
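Review bot: The only signature ndpi_search_soap checks is the 19-byte XML prolog `<?xml version="1.0"`, which every XML document shares, so any TCP flow whose segment begins with an XML declaration (XML-RPC, XMPP-style streams, plain XML APIs) is labelled SOAP after three packets; requiring a SOAP envelope marker (an `Envelope` element with a `soap`/`SOAP-ENV` namespace prefix) in the same segment before setting soap_stage would make the classification far less noisy. The comparison would also read better as `memcmp(packet->payload, "<?xml version=\"1.0\"", 19) == 0`, since payload is a byte buffer rather than a NUL-terminated string (the `payload_packet_len >= 19` guard already bounds it). The prolog check runs after the exclusion branch, so on the fourth packet a flow can be excluded and then still have soap_stage set to 1 in the same call; checking the prolog first, or returning after NDPI_EXCLUDE_PROTO, keeps the state consistent. The file uses `if (` with a space and Allman braces, which the http.c hunks in this same commit are normalizing away to `if(`; matching the codebase style here avoids a follow-up reformat.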


@ -42,9 +42,9 @@ static int search_telnet_again(struct ndpi_detection_module_struct *ndpi_struct,
printf("==> %s() [%s][direction: %u]\n", __FUNCTION__, packet->payload, packet->packet_direction);
#endif
if (packet->payload == NULL || packet->payload_packet_len == 0)
return(1);
if(packet->payload[0] == 0xFF)
if((packet->payload == NULL)
|| (packet->payload_packet_len == 0)
|| (packet->payload[0] == 0xFF))
return(1);
if(flow->protos.telnet.username_detected) {


@ -326,7 +326,9 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
printf("[TLS] %s() IssuerDN [%s]\n", __FUNCTION__, rdnSeqBuf);
#endif
if(rdn_len) flow->protos.stun_ssl.ssl.issuerDN = ndpi_strdup(rdnSeqBuf);
if(rdn_len && (flow->protos.stun_ssl.ssl.issuerDN == NULL))
flow->protos.stun_ssl.ssl.issuerDN = ndpi_strdup(rdnSeqBuf);
rdn_len = 0; /* Reset buffer */
}
@ -1444,6 +1446,13 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_SET_BIT(flow->risk, NDPI_TLS_NOT_CARRYING_HTTPS);
}
/* Suspicious Domain Fronting:
https://github.com/SixGenInc/Noctilucent/blob/master/docs/ */
if(flow->protos.stun_ssl.ssl.encrypted_sni.esni &&
flow->protos.stun_ssl.ssl.client_requested_server_name[0] != '\0') {
NDPI_SET_BIT(flow->risk, NDPI_TLS_SUSPICIOUS_ESNI_USAGE);
}
return(2 /* Client Certificate */);
} else {
#ifdef DEBUG_TLS
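Review bot: The added guard `if(rdn_len && (flow->protos.stun_ssl.ssl.issuerDN == NULL))` silently changes which IssuerDN is kept — the first one parsed wins and later RDN sequences are dropped — and nothing in the hunk says so; a comment such as `/* Keep the first IssuerDN only: later ones (presumably the rest of the chain) are ignored, which also stops the earlier strdup from leaking */` would record the intent. For the ESNI hunk the comment above the check gives only a URL; stating the rule in words, `/* A plaintext SNI alongside an ESNI extension suggests domain fronting */`, keeps the reasoning readable if the link goes stale. processCertificateElements and processClientServerHello both start and end outside their hunks.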


@ -34,6 +34,7 @@ u_int32_t _hll_hash(const struct ndpi_hll *hll) {
return MurmurHash3_x86_32(hll->registers, (u_int32_t)hll->size, 0);
}
/* Count the number of leading zero's */
static __inline u_int8_t _hll_rank(u_int32_t hash, u_int8_t bits) {
u_int8_t i;
@ -48,24 +49,26 @@ static __inline u_int8_t _hll_rank(u_int32_t hash, u_int8_t bits) {
}
/*
IMPORTANT: memory usage notes
IMPORTANT: HyperLogLog Memory and StandardError Notes
[i: 4] 16 bytes
[i: 5] 32 bytes
[i: 6] 64 bytes
[i: 7] 128 bytes
[i: 8] 256 bytes
[i: 9] 512 bytes
[i: 10] 1024 bytes
[i: 11] 2048 bytes
[i: 12] 4096 bytes
[i: 13] 8192 bytes
[i: 14] 16384 bytes
[i: 15] 32768 bytes
[i: 16] 65536 bytes
[i: 17] 131072 bytes
[i: 18] 262144 bytes
[i: 19] 524288 bytes
StdError = 1.04/sqrt(2^i)
[i: 4] 16 bytes [StdError: 26% ]
[i: 5] 32 bytes [StdError: 18.4%]
[i: 6] 64 bytes [StdError: 13% ]
[i: 7] 128 bytes [StdError: 9.2% ]
[i: 8] 256 bytes [StdError: 6.5% ]
[i: 9] 512 bytes [StdError: 4.6% ]
[i: 10] 1024 bytes [StdError: 3.25%]
[i: 11] 2048 bytes [StdError: 2.3% ]
[i: 12] 4096 bytes [StdError: 1.6% ]
[i: 13] 8192 bytes [StdError: 1.15%]
[i: 14] 16384 bytes [StdError: 0.81%]
[i: 15] 32768 bytes [StdError: 0.57%]
[i: 16] 65536 bytes [StdError: 0.41%]
[i: 17] 131072 bytes [StdError: 0.29%]
[i: 18] 262144 bytes [StdError: 0.2% ]
[i: 19] 524288 bytes [StdError: 0.14%]
*/
int hll_init(struct ndpi_hll *hll, u_int8_t bits) {
if(bits < 4 || bits > 20) {
@ -73,9 +76,9 @@ int hll_init(struct ndpi_hll *hll, u_int8_t bits) {
return -1;
}
hll->bits = bits;
hll->size = (size_t)1 << bits;
hll->registers = ndpi_calloc(hll->size, 1);
hll->bits = bits; /* Number of bits of buckets number */
hll->size = (size_t)1 << bits; /* Number of buckets 2^bits */
hll->registers = ndpi_calloc(hll->size, 1); /* Create the bucket register counters */
/* printf("%lu bytes\n", hll->size); */
return 0;
@ -96,12 +99,11 @@ void hll_reset(struct ndpi_hll *hll) {
static __inline void _hll_add_hash(struct ndpi_hll *hll, u_int32_t hash) {
if(hll->registers) {
u_int32_t index = hash >> (32 - hll->bits);
u_int8_t rank = _hll_rank(hash, hll->bits);
u_int32_t index = hash >> (32 - hll->bits); /* Use the first 'hll->bits' bits as bucket index */
u_int8_t rank = _hll_rank(hash, hll->bits); /* Count the number of leading 0 */
if(rank > hll->registers[index]) {
hll->registers[index] = rank;
}
if(rank > hll->registers[index])
hll->registers[index] = rank; /* Store the largest number of lesding zeros for the bucket */
}
}
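Review bot: The new trailing comment on `hll->registers[index] = rank;` has a typo, `lesding`; it should read `/* Store the largest number of leading zeros for the bucket */`. The comment added above _hll_rank, `/* Count the number of leading zero's */`, should drop the apostrophe. The table header `IMPORTANT: HyperLogLog Memory and StandardError Notes` could define the variable once, e.g. `i = number of index bits (hll->bits)`, since the code below calls it bits. hll_init's closing lines fall outside its hunk; _hll_add_hash is complete within the last one.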

tests/pcap/mysql-8.pcap Normal file




@ -27,8 +27,8 @@ JA3 Host Stats:
7 TCP 192.168.2.16:50384 <-> 172.217.168.206:443 [proto: 91.126/TLS.Google][cat: Web/5][11 pkts/1365 bytes <-> 9 pkts/5365 bytes][Goodput ratio: 45/89][2.49 sec][ALPN: http/1.1][bytes ratio: -0.594 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 277/69 1716/301 516/102][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 124/596 407/1484 105/544][TLSv1.2][Client: app-measurement.com][JA3C: 6ec2896feff5746955f700c0023f5804][ServerNames: *.google-analytics.com,*.fps.goog,app-measurement.com,fps.goog,google-analytics.com,googleoptimize.com,googletagmanager.com,service.urchin.com,ssl.google-analytics.com,urchin.com,www.google-analytics.com,www.googleoptimize.com,www.googletagmanager.com][JA3S: 9d9ce860f1b1cbef07b019450cb368d8][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google-analytics.com][Certificate SHA-1: B0:D9:D3:57:C2:34:87:2C:FB:F5:E6:BD:7F:9F:54:65:08:61:AF:01][Validity: 2020-02-12 11:37:03 - 2020-05-06 11:37:03][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,11,0,0,11,0,0,0,11,11,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0]
8 TCP 192.168.2.16:52486 <-> 172.217.20.74:443 [proto: 91.239/TLS.GoogleServices][cat: Web/5][12 pkts/1298 bytes <-> 10 pkts/5186 bytes][Goodput ratio: 38/87][1.75 sec][ALPN: http/1.1][bytes ratio: -0.600 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 194/37 1374/212 422/70][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 108/519 286/1484 76/570][TLSv1.2][Client: play.googleapis.com][JA3C: d8c87b9bfde38897979e41242626c2f3][ServerNames: *.storage.googleapis.com,*.appspot.com.storage.googleapis.com,*.commondatastorage.googleapis.com,*.content-storage-download.googleapis.com,*.content-storage-upload.googleapis.com,*.content-storage.googleapis.com,*.googleapis.com,*.storage-download.googleapis.com,*.storage-upload.googleapis.com,*.storage.select.googleapis.com,commondatastorage.googleapis.com,storage.googleapis.com,storage.select.googleapis.com,unfiltered.news][JA3S: eca9b8f0f3eae50309eaf901cb822d9b][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.storage.googleapis.com][Certificate SHA-1: BA:BA:BA:55:69:9F:E0:BD:48:80:23:A4:B3:AD:C1:FF:EA:4E:17:C9][Validity: 2020-02-12 11:45:22 - 2020-05-06 11:45:22][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,10,10,0,20,10,10,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,20,0,0,0]
9 TCP 192.168.2.16:32988 <-> 216.239.38.120:443 [proto: 91.228/TLS.PlayStore][cat: SoftwareUpdate/19][8 pkts/2089 bytes <-> 7 pkts/4242 bytes][Goodput ratio: 74/89][0.97 sec][bytes ratio: -0.340 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 158/80 530/246 186/98][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 261/606 1038/1484 338/639][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.3][Client: android.clients.google.com][JA3C: 9c815150ea821166faecf80757d8826a][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,16,16,0,0,0,0,0,0,0,0,0,0,0,0,0,34,0,0,0]
10 TCP 192.168.2.16:36888 <-> 172.217.18.3:443 [proto: 91.126/TLS.Google][cat: Web/5][9 pkts/1175 bytes <-> 7 pkts/4762 bytes][Goodput ratio: 47/90][1.62 sec][ALPN: http/1.1][bytes ratio: -0.604 (Download)][IAT c2s/s2c min/avg/max/stddev: 27/28 203/104 522/277 176/93][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 131/680 327/1484 93/575][TLSv1.2][Client: connectivitycheck.gstatic.com][JA3C: d8c87b9bfde38897979e41242626c2f3][Plen Bins: 0,0,12,0,0,0,12,0,12,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0]
11 TCP 192.168.2.16:36890 <-> 172.217.18.3:443 [proto: 91.126/TLS.Google][cat: Web/5][9 pkts/1151 bytes <-> 7 pkts/4762 bytes][Goodput ratio: 48/90][0.84 sec][ALPN: http/1.1][bytes ratio: -0.611 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 120/15 647/36 217/16][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 128/680 327/1484 95/575][TLSv1.2][Client: connectivitycheck.gstatic.com][JA3C: d8c87b9bfde38897979e41242626c2f3][ServerNames: *.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.crowdsource.google.com,*.g.co,*.gcp.gvt2.com,*.gcpcdn.gvt1.com,*.ggpht.cn,*.gkecnapps.cn,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlecnapps.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.cn,*.gstatic.com,*.gstaticcnapps.cn,*.gvt1.com,*.gvt2.com,*.metric.gstatic.com,*.urchin.com,*.url.google.com,*.wear.gkecnapps.cn,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.youtubekids.com,*.yt.be,*.ytimg.com,android.clients.google.com,android.com,developer.android.google.cn,developers.android.google.cn,g.co,ggpht.cn,gkecnapps.cn,goo.gl,google-analytics.com,google.com,googlecnapps.cn,googlecommerce.com,source.android.google.cn,urchin.com,www.goo.gl,youtu.be,youtube.com,youtubeeducation.com,youtubekids.com,yt.be][JA3S: eca9b8f0f3eae50309eaf901cb822d9b][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com][Certificate SHA-1: 80:50:28:F4:84:F5:C4:C6:41:DE:75:67:38:C4:A6:E2:59:FF:75:42][Validity: 2020-02-12 11:47:11 - 2020-05-06 11:47:11][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,12,0,0,0,12,0,12,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0]
10 TCP 192.168.2.16:36888 <-> 172.217.18.3:443 [proto: 91.126/TLS.Google][cat: ConnectivityCheck/30][9 pkts/1175 bytes <-> 7 pkts/4762 bytes][Goodput ratio: 47/90][1.62 sec][ALPN: http/1.1][bytes ratio: -0.604 (Download)][IAT c2s/s2c min/avg/max/stddev: 27/28 203/104 522/277 176/93][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 131/680 327/1484 93/575][TLSv1.2][Client: connectivitycheck.gstatic.com][JA3C: d8c87b9bfde38897979e41242626c2f3][Plen Bins: 0,0,12,0,0,0,12,0,12,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0]
11 TCP 192.168.2.16:36890 <-> 172.217.18.3:443 [proto: 91.126/TLS.Google][cat: ConnectivityCheck/30][9 pkts/1151 bytes <-> 7 pkts/4762 bytes][Goodput ratio: 48/90][0.84 sec][ALPN: http/1.1][bytes ratio: -0.611 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 120/15 647/36 217/16][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 128/680 327/1484 95/575][TLSv1.2][Client: connectivitycheck.gstatic.com][JA3C: d8c87b9bfde38897979e41242626c2f3][ServerNames: *.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.crowdsource.google.com,*.g.co,*.gcp.gvt2.com,*.gcpcdn.gvt1.com,*.ggpht.cn,*.gkecnapps.cn,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlecnapps.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.cn,*.gstatic.com,*.gstaticcnapps.cn,*.gvt1.com,*.gvt2.com,*.metric.gstatic.com,*.urchin.com,*.url.google.com,*.wear.gkecnapps.cn,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.youtubekids.com,*.yt.be,*.ytimg.com,android.clients.google.com,android.com,developer.android.google.cn,developers.android.google.cn,g.co,ggpht.cn,gkecnapps.cn,goo.gl,google-analytics.com,google.com,googlecnapps.cn,googlecommerce.com,source.android.google.cn,urchin.com,www.goo.gl,youtu.be,youtube.com,youtubeeducation.com,youtubekids.com,yt.be][JA3S: eca9b8f0f3eae50309eaf901cb822d9b][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com][Certificate SHA-1: 80:50:28:F4:84:F5:C4:C6:41:DE:75:67:38:C4:A6:E2:59:FF:75:42][Validity: 2020-02-12 11:47:11 - 2020-05-06 11:47:11][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 
0,0,12,0,0,0,12,0,12,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0]
12 TCP 192.168.2.16:33014 <-> 216.239.38.120:443 [proto: 91.126/TLS.Google][cat: Web/5][11 pkts/1877 bytes <-> 7 pkts/3708 bytes][Goodput ratio: 61/87][0.20 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.328 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21/11 96/40 29/16][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 171/530 583/1484 180/574][TLSv1.3][Client: www.google.com][JA3C: 66918128f1b9b03303d77c6f2eefd128][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 22,0,22,0,0,0,0,0,0,0,0,0,0,11,0,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,11,0,0,0]
13 TCP 192.168.2.16:51944 <-> 172.217.21.202:443 [proto: 91.46/TLS.DataSaver][cat: Web/5][12 pkts/2171 bytes <-> 12 pkts/2705 bytes][Goodput ratio: 63/70][0.20 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.110 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 14/11 39/64 15/19][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 181/225 660/646 208/202][TLSv1.3][Client: datasaver.googleapis.com][JA3C: 554719594ba90b02ae410c297c6e50ad][JA3S: 2b0648ab686ee45e0e7c35fcfb0eea7e][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 15,15,15,0,0,0,15,0,0,0,7,0,0,0,0,7,0,7,15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
14 TCP 192.168.2.16:43646 <-> 172.217.20.76:443 [proto: 91.46/TLS.DataSaver][cat: Web/5][8 pkts/1053 bytes <-> 6 pkts/3460 bytes][Goodput ratio: 49/88][0.20 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.533 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/16 51/61 18/26][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 132/577 583/1484 171/646][TLSv1.3][Client: proxy.googlezip.net][JA3C: 66918128f1b9b03303d77c6f2eefd128][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0]
@ -37,7 +37,7 @@ JA3 Host Stats:
17 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][12 pkts/4088 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][82.22 sec][Host: lucas-imac][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 130/0 6001/0 8764/0 3124/0][Pkt Len c2s/s2c min/avg/max/stddev: 328/0 341/0 342/0 4/0][DHCP Fingerprint: 1,121,3,6,15,119,252,95,44,46][PLAIN TEXT (android)][Plen Bins: 0,0,0,0,0,0,0,0,8,91,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
18 TCP 192.168.2.16:36834 <-> 173.194.79.114:80 [proto: 7.46/HTTP.DataSaver][cat: Web/5][8 pkts/1130 bytes <-> 5 pkts/1254 bytes][Goodput ratio: 53/73][0.30 sec][Host: check.googlezip.net][bytes ratio: -0.052 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/1 41/59 105/141 31/59][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 141/251 363/524 128/223][URL: check.googlezip.net/connect][StatusCode: 200][Content-Type: text/html][User-Agent: Mozilla/5.0 (Linux; Android 9; Nokia 2.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.93 Mobile Safari/537.36][Risk: ** HTTP Suspicious User-Agent **][PLAIN TEXT (GET /connect HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
19 TCP 192.168.2.16:44374 <-> 172.217.22.10:443 [proto: 91.239/TLS.GoogleServices][cat: Web/5][3 pkts/723 bytes <-> 3 pkts/1624 bytes][Goodput ratio: 71/87][0.10 sec][bytes ratio: -0.384 (Download)][IAT c2s/s2c min/avg/max/stddev: 26/9 33/38 40/66 7/28][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 241/541 583/1484 242/667][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.3][Client: android.googleapis.com][JA3C: 629b587f706aee60430ec3879c6edb66][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0]
20 TCP 192.168.2.16:58338 <-> 17.253.53.201:80 [proto: 7.140/HTTP.Apple][cat: Web/5][6 pkts/607 bytes <-> 5 pkts/1053 bytes][Goodput ratio: 33/68][0.16 sec][Host: captive.apple.com][bytes ratio: -0.269 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/0 25/23 42/46 15/23][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 101/211 269/781 75/285][URL: captive.apple.com/][StatusCode: 200][Content-Type: text/html][User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36][Risk: ** HTTP Suspicious User-Agent **][PLAIN TEXT (GET / HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
20 TCP 192.168.2.16:58338 <-> 17.253.53.201:80 [proto: 7.140/HTTP.Apple][cat: ConnectivityCheck/30][6 pkts/607 bytes <-> 5 pkts/1053 bytes][Goodput ratio: 33/68][0.16 sec][Host: captive.apple.com][bytes ratio: -0.269 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/0 25/23 42/46 15/23][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 101/211 269/781 75/285][URL: captive.apple.com/][StatusCode: 200][Content-Type: text/html][User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36][Risk: ** HTTP Suspicious User-Agent **][PLAIN TEXT (GET / HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
21 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][cat: Cloud/13][3 pkts/1656 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][60.10 sec][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
22 TCP 192.168.2.16:36848 <-> 173.194.79.114:80 [proto: 7.46/HTTP.DataSaver][cat: Web/5][4 pkts/569 bytes <-> 3 pkts/664 bytes][Goodput ratio: 52/69][0.11 sec][Host: check.googlezip.net][bytes ratio: -0.077 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 31/1 37/36 41/72 4/36][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 142/221 363/524 127/214][URL: check.googlezip.net/connect][StatusCode: 200][Content-Type: text/html][User-Agent: Mozilla/5.0 (Linux; Android 9; Nokia 2.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.93 Mobile Safari/537.36][Risk: ** HTTP Suspicious User-Agent **][PLAIN TEXT (GET /connect HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
23 TCP 17.248.176.75:443 -> 192.168.2.17:50580 [proto: 91.140/TLS.Apple][cat: Web/5][8 pkts/1067 bytes -> 0 pkts/0 bytes][Goodput ratio: 50/0][18.90 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 294/0 2700/0 9727/0 3229/0][Pkt Len c2s/s2c min/avg/max/stddev: 97/0 133/0 143/0 17/0][Plen Bins: 12,12,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
@ -45,13 +45,13 @@ JA3 Host Stats:
25 TCP 192.168.2.16:52514 <-> 172.217.20.74:443 [proto: 91.239/TLS.GoogleServices][cat: Web/5][3 pkts/723 bytes <-> 1 pkts/74 bytes][Goodput ratio: 71/0][0.27 sec][ALPN: h2][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][TLSv1.2][Client: semanticlocation-pa.googleapis.com][JA3C: 33490b1d5377580b19f7f9b5849d7991][PLAIN TEXT (semanticlocation)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
26 UDP 192.168.2.1:67 -> 192.168.2.16:68 [proto: 18/DHCP][cat: Network/14][2 pkts/684 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][0.13 sec][PLAIN TEXT (iMac.local)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
27 TCP 17.248.185.10:443 -> 192.168.2.17:50702 [proto: 91.140/TLS.Apple][cat: Web/5][7 pkts/648 bytes -> 0 pkts/0 bytes][Goodput ratio: 29/0][13.42 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 427/0 2236/0 6975/0 2385/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/0 93/0 97/0 11/0][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
28 UDP 192.168.2.16:52953 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][cat: Web/5][1 pkts/77 bytes <-> 1 pkts/221 bytes][Goodput ratio: 45/81][0.04 sec][Host: captive.apple.com][17.253.53.201][PLAIN TEXT (captive)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
28 UDP 192.168.2.16:52953 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][cat: ConnectivityCheck/30][1 pkts/77 bytes <-> 1 pkts/221 bytes][Goodput ratio: 45/81][0.04 sec][Host: captive.apple.com][17.253.53.201][PLAIN TEXT (captive)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
29 UDP 192.168.2.1:57621 -> 192.168.2.255:57621 [proto: 156/Spotify][cat: Music/25][3 pkts/258 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][60.02 sec][PLAIN TEXT (SpotUdp)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
30 UDP [fe80::4e6a:f6ff:fe9f:f627]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][cat: Network/14][2 pkts/228 bytes -> 0 pkts/0 bytes][Goodput ratio: 45/0][2.16 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
31 UDP 192.168.2.16:35825 <-> 192.168.2.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/76 bytes <-> 1 pkts/140 bytes][Goodput ratio: 44/70][0.04 sec][Host: time.android.com][216.239.35.8][PLAIN TEXT (android)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
32 TCP 192.168.2.16:36850 <-> 173.194.79.114:80 [proto: 7.126/HTTP.Google][cat: Web/5][2 pkts/140 bytes <-> 1 pkts/74 bytes][Goodput ratio: 0/0][0.04 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
33 UDP 192.168.2.16:35689 <-> 192.168.2.1:53 [proto: 5.239/DNS.GoogleServices][cat: Web/5][1 pkts/94 bytes <-> 1 pkts/110 bytes][Goodput ratio: 55/61][0.04 sec][Host: semanticlocation-pa.googleapis.com][172.217.20.74][PLAIN TEXT (semanticlocation)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
34 UDP 192.168.2.16:47081 <-> 192.168.2.1:53 [proto: 5.126/DNS.Google][cat: Web/5][1 pkts/89 bytes <-> 1 pkts/105 bytes][Goodput ratio: 52/59][0.04 sec][Host: connectivitycheck.gstatic.com][172.217.18.3][PLAIN TEXT (connectivitycheck)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
34 UDP 192.168.2.16:47081 <-> 192.168.2.1:53 [proto: 5.126/DNS.Google][cat: ConnectivityCheck/30][1 pkts/89 bytes <-> 1 pkts/105 bytes][Goodput ratio: 52/59][0.04 sec][Host: connectivitycheck.gstatic.com][172.217.18.3][PLAIN TEXT (connectivitycheck)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
35 UDP 192.168.2.16:36613 <-> 192.168.2.1:53 [proto: 5.228/DNS.PlayStore][cat: SoftwareUpdate/19][1 pkts/86 bytes <-> 1 pkts/102 bytes][Goodput ratio: 51/58][0.00 sec][Host: android.clients.google.com][216.239.38.120][PLAIN TEXT (android)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
36 UDP 192.168.2.16:7660 <-> 192.168.2.1:53 [proto: 5.46/DNS.DataSaver][cat: Web/5][1 pkts/84 bytes <-> 1 pkts/100 bytes][Goodput ratio: 49/57][0.04 sec][Host: datasaver.googleapis.com][172.217.21.202][PLAIN TEXT (datasaver)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
37 UDP 192.168.2.16:18379 <-> 192.168.2.1:53 [proto: 5.46/DNS.DataSaver][cat: Web/5][1 pkts/84 bytes <-> 1 pkts/100 bytes][Goodput ratio: 49/57][0.00 sec][Host: datasaver.googleapis.com][172.217.21.202][PLAIN TEXT (datasaver)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]


@ -27,11 +27,11 @@ JA3 Host Stats:
4 TCP 10.0.0.227:56921 <-> 8.37.96.194:4287 [proto: 91/TLS][cat: Web/5][29 pkts/5373 bytes <-> 28 pkts/7580 bytes][Goodput ratio: 64/75][2.30 sec][bytes ratio: -0.170 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 91/63 593/619 145/135][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 185/271 1261/1434 259/387][Risk: ** Self-signed Certificate **** TLS (probably) not carrying HTTPS **][TLSv1.2][JA3C: e3adec914f3893f18136762f1c0d7d81][JA3S: e54965894d6b45ecb4323c7ea3d6c115][Issuer: CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US][Subject: CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US][Certificate SHA-1: 86:2A:47:EF:00:68:79:60:7F:94:E2:91:6F:E0:38:82:37:8A:8E:2E][Validity: 2019-08-29 00:12:40 - 2019-10-08 00:12:40][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,44,3,3,3,3,3,0,3,3,3,0,3,7,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,3,0,0,3,0,0,3,0,3,0,0,0,0,0]
5 TCP 10.0.0.227:56918 <-> 8.37.102.91:443 [proto: 91/TLS][cat: Web/5][16 pkts/2739 bytes <-> 14 pkts/7315 bytes][Goodput ratio: 61/87][0.35 sec][ALPN: http/1.1][bytes ratio: -0.455 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 23/26 48/88 21/29][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 171/522 1175/1514 274/624][Risk: ** Weak TLS cipher **** TLS Certificate Mismatch **][TLSv1.2][JA3C: 9f1a41f932f274fe47a992310a26a23a][ServerNames: *.pandion.viasat.com,pandion.viasat.com][JA3S: 82f0d8a75fa483d1cfe4b7085b784d7e (WEAK)][Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K][Subject: C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,16,8,0,0,8,0,8,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,8,0,25,0,0]
6 TCP 10.0.0.227:56920 <-> 99.86.34.156:443 [proto: 91.118/TLS.Slack][cat: Collaborative/15][16 pkts/2949 bytes <-> 11 pkts/1876 bytes][Goodput ratio: 64/61][11.47 sec][ALPN: h2;http/1.1][bytes ratio: 0.222 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 866/28 11074/80 2947/34][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 184/171 853/487 228/155][TLSv1.2][Client: slack.com][JA3C: d8dc5f8940df366b3a58b935569143e8][JA3S: 7bee5c1d424b7e5f943b06983bb11422][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,34,16,0,8,0,0,0,0,0,0,0,8,16,0,0,8,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
7 TCP 10.0.0.227:56884 <-> 184.25.56.77:80 [proto: 7/HTTP][cat: Web/5][12 pkts/2303 bytes <-> 7 pkts/2382 bytes][Goodput ratio: 67/81][18.51 sec][Host: detectportal.firefox.com][bytes ratio: -0.017 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 7/31 1824/3642 10081/10083 3593/4385][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 192/340 373/450 153/173][URL: detectportal.firefox.com/success.txt?ipv4][StatusCode: 200][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0][Risk: ** HTTP Suspicious User-Agent **][PLAIN TEXT (GET /success.txt)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
7 TCP 10.0.0.227:56884 <-> 184.25.56.77:80 [proto: 7/HTTP][cat: ConnectivityCheck/30][12 pkts/2303 bytes <-> 7 pkts/2382 bytes][Goodput ratio: 67/81][18.51 sec][Host: detectportal.firefox.com][bytes ratio: -0.017 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 7/31 1824/3642 10081/10083 3593/4385][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 192/340 373/450 153/173][URL: detectportal.firefox.com/success.txt?ipv4][StatusCode: 200][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0][Risk: ** HTTP Suspicious User-Agent **][PLAIN TEXT (GET /success.txt)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
8 TCP 10.0.0.227:56320 <-> 10.0.0.149:8009 [proto: 161/CiscoVPN][cat: VPN/2][20 pkts/2420 bytes <-> 10 pkts/1760 bytes][Goodput ratio: 45/62][45.04 sec][bytes ratio: 0.158 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/5003 2648/5004 5001/5006 2495/1][Pkt Len c2s/s2c min/avg/max/stddev: 66/176 121/176 176/176 55/0][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
9 ICMPV6 [fe80::2e7e:81ff:feb0:4aa1]:0 -> [ff02::1]:0 [proto: 102/ICMPV6][cat: Network/14][16 pkts/2784 bytes -> 0 pkts/0 bytes][Goodput ratio: 64/0][45.47 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2867/0 3028/0 3072/0 84/0][Pkt Len c2s/s2c min/avg/max/stddev: 174/0 174/0 174/0 0/0][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
10 TCP 10.0.0.227:56955 <-> 10.0.0.151:8060 [proto: 7/HTTP][cat: Web/5][6 pkts/650 bytes <-> 5 pkts/1668 bytes][Goodput ratio: 37/80][4.02 sec][Host: 10.0.0.151][bytes ratio: -0.439 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 4/4 9/6 3/2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 108/334 308/1206 89/442][URL: 10.0.0.151:8060/dial/dd.xml][StatusCode: 200][Content-Type: text/xml][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36][Risk: ** Known protocol on non standard port **** HTTP Suspicious User-Agent **][PLAIN TEXT (GET /dial/dd.xml HTTP/1.1)][Plen Bins: 0,0,0,0,0,33,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0]
11 TCP 10.0.0.227:56917 <-> 184.25.56.77:80 [proto: 7/HTTP][cat: Web/5][6 pkts/976 bytes <-> 4 pkts/1032 bytes][Goodput ratio: 62/74][18.47 sec][Host: detectportal.firefox.com][bytes ratio: -0.028 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 28/573 3694/6151 10081/10078 4344/4052][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 163/258 368/450 145/192][URL: detectportal.firefox.com/success.txt][StatusCode: 200][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0][Risk: ** HTTP Suspicious User-Agent **][PLAIN TEXT (GET /success.txt HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
11 TCP 10.0.0.227:56917 <-> 184.25.56.77:80 [proto: 7/HTTP][cat: ConnectivityCheck/30][6 pkts/976 bytes <-> 4 pkts/1032 bytes][Goodput ratio: 62/74][18.47 sec][Host: detectportal.firefox.com][bytes ratio: -0.028 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 28/573 3694/6151 10081/10078 4344/4052][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 163/258 368/450 145/192][URL: detectportal.firefox.com/success.txt][StatusCode: 200][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0][Risk: ** HTTP Suspicious User-Agent **][PLAIN TEXT (GET /success.txt HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
12 TCP 10.0.0.227:56954 <-> 10.0.0.149:8008 [proto: 7/HTTP][cat: Web/5][4 pkts/527 bytes <-> 3 pkts/1401 bytes][Goodput ratio: 48/85][0.01 sec][Host: 10.0.0.149][bytes ratio: -0.453 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/3 2/3 6/3 3/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 132/467 317/1261 107/561][URL: 10.0.0.149:8008/ssdp/device-desc.xml][StatusCode: 200][Content-Type: application/xml][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36][Risk: ** Known protocol on non standard port **** HTTP Suspicious User-Agent **][PLAIN TEXT (HGET /ssdp/device)][Plen Bins: 0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0]
13 UDP [fe80::408:3e45:3abc:1552]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][9 pkts/1628 bytes -> 0 pkts/0 bytes][Goodput ratio: 66/0][25.40 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 819/0 3174/0 11263/0 3646/0][Pkt Len c2s/s2c min/avg/max/stddev: 152/0 181/0 206/0 24/0][PLAIN TEXT (companion)][Plen Bins: 0,0,33,22,44,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
14 UDP 10.0.0.227:137 -> 10.0.0.255:137 [proto: 10/NetBIOS][cat: System/18][15 pkts/1542 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][6.05 sec][Host: lp-rkerur-osx][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 465/0 1499/0 677/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 103/0 110/0 9/0][PLAIN TEXT ( EMFACNFCELEFFC)][Plen Bins: 0,40,60,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
@ -55,7 +55,7 @@ JA3 Host Stats:
32 TCP 10.0.0.227:56886 <-> 17.57.144.116:5223 [proto: 238.140/ApplePush.Apple][cat: Cloud/13][3 pkts/174 bytes <-> 2 pkts/185 bytes][Goodput ratio: 0/28][0.02 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
33 UDP 10.0.0.151:1900 -> 10.0.0.227:61328 [proto: 12/SSDP][cat: System/18][1 pkts/353 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][< 1 sec][PLAIN TEXT (HTTP/1.1 200 OK)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
34 TCP 10.0.0.227:56910 <-> 35.201.124.9:443 [proto: 91/TLS][cat: Web/5][2 pkts/170 bytes <-> 2 pkts/164 bytes][Goodput ratio: 22/19][0.05 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
35 UDP 10.0.0.227:62427 <-> 75.75.75.75:53 [proto: 5/DNS][cat: Network/14][1 pkts/84 bytes <-> 1 pkts/242 bytes][Goodput ratio: 49/82][0.02 sec][Host: detectportal.firefox.com][184.25.56.82][PLAIN TEXT (detectportal)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
35 UDP 10.0.0.227:62427 <-> 75.75.75.75:53 [proto: 5/DNS][cat: ConnectivityCheck/30][1 pkts/84 bytes <-> 1 pkts/242 bytes][Goodput ratio: 49/82][0.02 sec][Host: detectportal.firefox.com][184.25.56.82][PLAIN TEXT (detectportal)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
36 UDP 10.0.0.227:58074 <-> 75.75.75.75:53 [proto: 5/DNS][cat: Network/14][1 pkts/75 bytes <-> 1 pkts/230 bytes][Goodput ratio: 43/81][0.01 sec][Host: www.outlook.com][40.97.222.34][PLAIN TEXT (outlook)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
37 UDP 10.0.0.227:60341 <-> 75.75.75.75:53 [proto: 5.140/DNS.Apple][cat: Web/5][1 pkts/73 bytes <-> 1 pkts/224 bytes][Goodput ratio: 42/81][0.01 sec][Host: www.apple.com][184.27.115.161][PLAIN TEXT (edgekey)][Plen Bins: 50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
38 UDP 10.0.0.227:64193 <-> 75.75.75.75:53 [proto: 5.238/DNS.ApplePush][cat: Cloud/13][1 pkts/85 bytes <-> 1 pkts/192 bytes][Goodput ratio: 50/78][0.02 sec][Host: 24-courier.push.apple.com][17.57.144.20][PLAIN TEXT (courier)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]


@ -6,11 +6,11 @@ JA3 Host Stats:
1 192.168.1.159 2
1 TCP 192.168.1.159:48210 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][121 pkts/19065 bytes <-> 120 pkts/45726 bytes][Goodput ratio: 58/83][72.27 sec][bytes ratio: -0.411 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 711/474 15173/5940 1940/1160][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 158/381 384/1484 93/280][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,42,0,0,0,0,5,0,0,0,0,0,51,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0]
2 TCP 192.168.1.159:48098 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][68 pkts/9706 bytes <-> 65 pkts/18916 bytes][Goodput ratio: 54/77][117.95 sec][bytes ratio: -0.322 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2097/1988 15177/15193 3804/3968][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 143/291 583/565 94/247][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: b734f75d22aaff9866fbd5d27eef9106][JA3S: 1249fb68f48c0444718e4d3b48b27188][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 1,1,0,0,49,0,0,0,0,0,0,0,0,0,0,47,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
3 TCP 192.168.1.159:48048 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][52 pkts/7375 bytes <-> 52 pkts/20720 bytes][Goodput ratio: 53/83][41.01 sec][bytes ratio: -0.475 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 882/623 15271/15287 2537/2442][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 142/398 384/1484 84/406][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 1,0,1,0,44,0,0,1,0,3,0,0,0,0,0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,3,0,0,0]
4 TCP 192.168.1.159:48044 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][11 pkts/1097 bytes <-> 10 pkts/4148 bytes][Goodput ratio: 33/84][0.12 sec][bytes ratio: -0.582 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/9 34/19 13/8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 100/415 220/1484 51/544][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 11,0,22,11,11,0,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0]
5 TCP 192.168.1.159:56024 <-> 8.8.8.8:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][11 pkts/1097 bytes <-> 10 pkts/4148 bytes][Goodput ratio: 33/84][0.14 sec][bytes ratio: -0.582 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/12 46/31 17/11][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 100/415 220/1484 51/544][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 11,0,22,11,11,0,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0]
1 TCP 192.168.1.159:48210 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][121 pkts/19065 bytes <-> 120 pkts/45726 bytes][Goodput ratio: 58/83][72.27 sec][bytes ratio: -0.411 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 711/474 15173/5940 1940/1160][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 158/381 384/1484 93/280][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,42,0,0,0,0,5,0,0,0,0,0,51,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0]
2 TCP 192.168.1.159:48098 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][68 pkts/9706 bytes <-> 65 pkts/18916 bytes][Goodput ratio: 54/77][117.95 sec][bytes ratio: -0.322 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2097/1988 15177/15193 3804/3968][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 143/291 583/565 94/247][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: b734f75d22aaff9866fbd5d27eef9106][JA3S: 1249fb68f48c0444718e4d3b48b27188][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 1,1,0,0,49,0,0,0,0,0,0,0,0,0,0,47,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
3 TCP 192.168.1.159:48048 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][52 pkts/7375 bytes <-> 52 pkts/20720 bytes][Goodput ratio: 53/83][41.01 sec][bytes ratio: -0.475 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 882/623 15271/15287 2537/2442][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 142/398 384/1484 84/406][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 1,0,1,0,44,0,0,1,0,3,0,0,0,0,0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,3,0,0,0]
4 TCP 192.168.1.159:48044 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][11 pkts/1097 bytes <-> 10 pkts/4148 bytes][Goodput ratio: 33/84][0.12 sec][bytes ratio: -0.582 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/9 34/19 13/8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 100/415 220/1484 51/544][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 11,0,22,11,11,0,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0]
5 TCP 192.168.1.159:56024 <-> 8.8.8.8:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][11 pkts/1097 bytes <-> 10 pkts/4148 bytes][Goodput ratio: 33/84][0.14 sec][bytes ratio: -0.582 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/12 46/31 17/11][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 100/415 220/1484 51/544][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 11,0,22,11,11,0,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0]
6 ICMP 192.168.1.159:0 <-> 8.8.8.8:0 [proto: 81.126/ICMP.Google][cat: Network/14][2 pkts/196 bytes <-> 2 pkts/196 bytes][Goodput ratio: 57/57][0.99 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
7 TCP 8.8.8.8:853 <-> 192.168.1.159:55856 [proto: 196.126/DoH_DoT.Google][cat: Web/5][5 pkts/330 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0/0][1.80 sec][bytes ratio: 0.719 (Upload)][IAT c2s/s2c min/avg/max/stddev: 223/0 449/0 911/0 281/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 66/54 66/54 0/0][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
8 TCP 8.8.4.4:853 <-> 192.168.1.159:47968 [proto: 196.126/DoH_DoT.Google][cat: Web/5][1 pkts/66 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0/0][0.09 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]


@ -34,7 +34,7 @@ JA3 Host Stats:
16 UDP 169.254.225.216:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][4 pkts/2123 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][33.08 sec][Lucas iMac._odisk._tcp.local][PLAIN TEXT (s iMac)][Plen Bins: 0,25,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0]
17 UDP 192.168.2.1:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][4 pkts/2094 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][33.08 sec][Lucas iMac._odisk._tcp.local][PLAIN TEXT (s iMac)][Plen Bins: 0,25,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0]
18 UDP [fe80::c42c:3ff:fe60:6a64]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][3 pkts/2067 bytes -> 0 pkts/0 bytes][Goodput ratio: 91/0][33.08 sec][Lucas iMac._odisk._tcp.local][PLAIN TEXT (s iMac)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0]
19 TCP 192.168.2.17:49152 <-> 17.253.105.202:80 [proto: 7.140/HTTP.Apple][cat: Web/5][5 pkts/473 bytes <-> 4 pkts/968 bytes][Goodput ratio: 28/72][0.33 sec][Host: captive.apple.com][bytes ratio: -0.344 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 82/80 171/158 82/78][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 95/242 197/762 51/300][URL: captive.apple.com/hotspot-detect.html][StatusCode: 200][Content-Type: text/html][User-Agent: CaptiveNetworkSupport-390.60.1 wispr][PLAIN TEXT (GET /hotspot)][Plen Bins: 0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
19 TCP 192.168.2.17:49152 <-> 17.253.105.202:80 [proto: 7.140/HTTP.Apple][cat: ConnectivityCheck/30][5 pkts/473 bytes <-> 4 pkts/968 bytes][Goodput ratio: 28/72][0.33 sec][Host: captive.apple.com][bytes ratio: -0.344 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 82/80 171/158 82/78][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 95/242 197/762 51/300][URL: captive.apple.com/hotspot-detect.html][StatusCode: 200][Content-Type: text/html][User-Agent: CaptiveNetworkSupport-390.60.1 wispr][PLAIN TEXT (GET /hotspot)][Plen Bins: 0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
20 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][cat: Cloud/13][2 pkts/1104 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][30.05 sec][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
21 UDP 192.168.2.1:67 -> 192.168.2.17:68 [proto: 18/DHCP][cat: Network/14][2 pkts/684 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][1.02 sec][PLAIN TEXT (iMac.local)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
22 UDP [fe80::823:3f17:8298:a29c]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][4 pkts/512 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][3.56 sec][PLAIN TEXT (homekit)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
@ -50,7 +50,7 @@ JA3 Host Stats:
32 UDP 192.168.2.17:63677 <-> 192.168.2.1:53 [proto: 5.145/DNS.AppleiTunes][cat: Streaming/17][1 pkts/81 bytes <-> 1 pkts/222 bytes][Goodput ratio: 48/81][0.04 sec][Host: sync.itunes.apple.com][95.101.24.53][PLAIN TEXT (itunes)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
33 UDP 192.168.2.17:53983 <-> 192.168.2.1:53 [proto: 5.145/DNS.AppleiTunes][cat: Streaming/17][1 pkts/80 bytes <-> 1 pkts/221 bytes][Goodput ratio: 47/81][0.05 sec][Host: bag.itunes.apple.com][95.101.24.53][PLAIN TEXT (itunes)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
34 UDP 192.168.2.17:63377 <-> 192.168.2.1:53 [proto: 5.145/DNS.AppleiTunes][cat: Streaming/17][1 pkts/80 bytes <-> 1 pkts/221 bytes][Goodput ratio: 47/81][0.05 sec][Host: bag.itunes.apple.com][95.101.24.53][PLAIN TEXT (itunes)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
35 UDP 192.168.2.17:51007 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][cat: Web/5][1 pkts/77 bytes <-> 1 pkts/221 bytes][Goodput ratio: 45/81][0.04 sec][Host: captive.apple.com][17.253.105.202][PLAIN TEXT (captive)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
35 UDP 192.168.2.17:51007 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][cat: ConnectivityCheck/30][1 pkts/77 bytes <-> 1 pkts/221 bytes][Goodput ratio: 45/81][0.04 sec][Host: captive.apple.com][17.253.105.202][PLAIN TEXT (captive)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
36 UDP 192.168.2.17:55457 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][cat: Web/5][1 pkts/74 bytes <-> 1 pkts/214 bytes][Goodput ratio: 43/80][0.04 sec][Host: mesu.apple.com][17.253.105.202][PLAIN TEXT (akadns)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
37 UDP 192.168.2.17:62526 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][cat: Web/5][1 pkts/73 bytes <-> 1 pkts/212 bytes][Goodput ratio: 42/80][0.05 sec][Host: cl4.apple.com][104.73.61.30][PLAIN TEXT (origin)][Plen Bins: 50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
38 UDP 192.168.2.17:52682 <-> 192.168.2.1:53 [proto: 5.143/DNS.AppleiCloud][cat: Web/5][1 pkts/74 bytes <-> 1 pkts/203 bytes][Goodput ratio: 43/79][0.04 sec][Host: www.icloud.com][23.45.74.46][PLAIN TEXT (icloud)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]


@ -0,0 +1,3 @@
MySQL 4 367 1
1 TCP 192.168.1.105:8738 <-> 10.42.18.198:3306 [proto: 20/MySQL][cat: Database/11][2 pkts/140 bytes <-> 2 pkts/227 bytes][Goodput ratio: 0/38][0.00 sec][PLAIN TEXT (DDDDDD)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]


@ -1,3 +1,3 @@
SMBv23 101 30748 1
1 TCP 192.168.1.118:56848 <-> 192.168.1.187:445 [proto: 10.41/NetBIOS.SMBv23][cat: System/18][62 pkts/14382 bytes <-> 39 pkts/16366 bytes][Goodput ratio: 77/87][2.38 sec][bytes ratio: -0.065 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 46/80 2157/2158 299/394][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 232/420 530/1514 194/299][Risk: ** Known protocol on non standard port **][Plen Bins: 0,0,4,7,1,0,1,1,0,1,7,9,20,21,6,13,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0]
1 TCP 192.168.1.118:56848 <-> 192.168.1.187:445 [proto: 10.41/NetBIOS.SMBv23][cat: System/18][62 pkts/14382 bytes <-> 39 pkts/16366 bytes][Goodput ratio: 77/87][2.38 sec][bytes ratio: -0.065 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 46/80 2157/2158 299/394][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 232/420 530/1514 194/299][Plen Bins: 0,0,4,7,1,0,1,1,0,1,7,9,20,21,6,13,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0]


@ -95,7 +95,7 @@ JA3 Host Stats:
74 UDP 192.168.1.6:51033 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][1 pkts/80 bytes <-> 1 pkts/182 bytes][Goodput ratio: 47/77][0.04 sec][Host: eu-api.asm.skype.com][52.114.75.69][PLAIN TEXT (trafficmanager)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
75 UDP 192.168.1.6:51309 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/93 bytes <-> 1 pkts/169 bytes][Goodput ratio: 54/75][0.01 sec][Host: skypedataprdcolneu04.cloudapp.net][::][PLAIN TEXT (skypedataprdcolneu04)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
76 UDP 192.168.1.6:62863 <-> 192.168.1.1:53 [proto: 5.250/DNS.Teams][cat: Collaborative/15][1 pkts/103 bytes <-> 1 pkts/158 bytes][Goodput ratio: 59/73][0.07 sec][Host: emea.ng.msg.teams-msgapi.trafficmanager.net][52.114.108.8][PLAIN TEXT (msgapi)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
77 UDP 192.168.1.6:56634 <-> 192.168.1.1:53 [proto: 5.140/DNS.Apple][cat: Web/5][1 pkts/89 bytes <-> 1 pkts/142 bytes][Goodput ratio: 52/70][0.03 sec][Host: captive.apple.com.edgekey.net][23.50.158.88][PLAIN TEXT (captive)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
77 UDP 192.168.1.6:56634 <-> 192.168.1.1:53 [proto: 5.140/DNS.Apple][cat: ConnectivityCheck/30][1 pkts/89 bytes <-> 1 pkts/142 bytes][Goodput ratio: 52/70][0.03 sec][Host: captive.apple.com.edgekey.net][23.50.158.88][PLAIN TEXT (captive)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
78 UDP 192.168.1.6:60813 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/93 bytes <-> 1 pkts/109 bytes][Goodput ratio: 54/61][0.01 sec][Host: skypedataprdcolneu04.cloudapp.net][52.114.77.33][PLAIN TEXT (skypedataprdcolneu04)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
79 TCP 192.168.1.6:58533 -> 149.154.167.91:443 [proto: 91.185/TLS.Telegram][cat: Chat/9][3 pkts/186 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][4.29 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
80 ICMP 93.71.110.205:0 -> 192.168.1.6:0 [proto: 81/ICMP][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][0.01 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]


@ -0,0 +1,9 @@
Cloudflare 38 15899 2
JA3 Host Stats:
IP Address # JA3C
1 192.168.1.21 1
1 TCP 192.168.1.21:55500 <-> 104.17.175.85:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][11 pkts/1461 bytes <-> 9 pkts/7270 bytes][Goodput ratio: 58/93][0.13 sec][bytes ratio: -0.665 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/10 53/43 21/15][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 133/808 688/1514 179/685][Risk: ** TLS (probably) not carrying HTTPS **** TLS Suspicious ESNI Usage **][TLSv1.3][Client: these-are-not-the-droids-youre-looking-for.com][JA3C: 077d20c3f8c5a1f091dc937c515b69c1][JA3S: d75f9129bb5d05492a65ff78e081bcb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ipher: TLS_AES_128_GCM_SHA256][Cipher: TLS_CHACHA20_POLY1305_SHA256][PLAIN TEXT (mw/KUc)][Plen Bins: 11,0,11,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,11,0,33,0,0]
2 TCP 192.168.1.21:55514 <-> 104.17.175.85:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][10 pkts/1412 bytes <-> 8 pkts/5756 bytes][Goodput ratio: 60/92][0.12 sec][bytes ratio: -0.606 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/11 50/38 20/14][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 141/720 693/1514 188/676][Risk: ** TLS (probably) not carrying HTTPS **** TLS Suspicious ESNI Usage **][TLSv1.3][Client: you-think-thats-normal-tls-traffic-youre-seeing.com][JA3C: 077d20c3f8c5a1f091dc937c515b69c1][JA3S: d75f9129bb5d05492a65ff78e081bcb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ipher: TLS_AES_128_GCM_SHA256][Cipher: TLS_CHACHA20_POLY1305_SHA256][Plen Bins: 12,0,12,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,12,0,25,0,0]