diff --git a/.travis.yml b/.travis.yml index 2c359b356..c583c3a0b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -170,6 +170,7 @@ before_script: script: - if [ -n "$QA_FUZZ" ]; then ./configure --enable-fuzztargets ; else ./configure ; fi - make + - make -C example ndpiSimpleIntegration #after_script: - cd tests diff --git a/Makefile.am b/Makefile.am index e4d8c58c9..6238c8b3c 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,5 +1,5 @@ ACLOCAL_AMFLAGS = -I m4 -SUBDIRS = src/lib example tests +SUBDIRS = src/lib @EXTRA_TARGETS@ if BUILD_FUZZTARGETS SUBDIRS += fuzz diff --git a/configure.seed b/configure.seed index b344064cd..ecde0579b 100644 --- a/configure.seed +++ b/configure.seed @@ -4,6 +4,14 @@ AC_CONFIG_MACRO_DIR([m4]) AM_INIT_AUTOMAKE([foreign subdir-objects]) +EXTRA_TARGETS="example tests" +AC_ARG_WITH(only-libndpi, AS_HELP_STRING([--with-only-libndpi], [Build only libndpi (no examples, tests etc)])) +AS_IF([test "${with_only_libndpi+set}" = set],[ + EXTRA_TARGETS="" +]) + + + AC_ARG_WITH(sanitizer, AS_HELP_STRING([--with-sanitizer], [Build with support for address, undefined and leak sanitizer])) AC_ARG_ENABLE(fuzztargets, AS_HELP_STRING([--enable-fuzztargets], [Enable fuzz targets]),[enable_fuzztargets=$enableval],[enable_fuzztargets=no]) AM_CONDITIONAL([BUILD_FUZZTARGETS], [test "x$enable_fuzztargets" = "xyes"]) @@ -59,6 +67,8 @@ else NDPI_API_VERSION=`date +%s | cut -c7-10` fi +NDPI_API_VERSION=`echo $NDPI_API_VERSION | sed 's/^0*//'` + AC_DEFINE_UNQUOTED(NDPI_GIT_RELEASE, "${GIT_RELEASE}", [GIT Release]) AC_DEFINE_UNQUOTED(NDPI_GIT_DATE, "${GIT_DATE}", [Last GIT change]) 
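Review bot: The `${with_only_libndpi+set}` test in the new AS_IF block also fires for `--without-only-libndpi`, because autoconf then sets `with_only_libndpi=no` and the variable counts as set, so a user who explicitly asked for the examples and tests would have EXTRA_TARGETS silently emptied. Testing the value avoids that: `AS_IF([test "x$with_only_libndpi" = xyes], [EXTRA_TARGETS=""])`. In the second hunk, `sed 's/^0*//'` leaves NDPI_API_VERSION empty when the four cut digits happen to be all zero; a fallback such as `test -n "$NDPI_API_VERSION" || NDPI_API_VERSION=0` keeps the substituted value well-formed.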
@@ -68,16 +78,15 @@ ADDITIONAL_LIBS= PCAP_HOME=$HOME/PF_RING/userland DPDK_TARGET= +AC_MSG_CHECKING([DPDK (used by ndpiReader)]) if test -d $HOME/DPDK; then : - echo "Enabling DPDK support in ndpiReader" + AC_MSG_RESULT(yes) DPDK_TARGET=dpdk else - echo "DPDK support disabled (missing $HOME/DPDK)" + AC_MSG_RESULT([no (missing $HOME/DPDK)]) fi -if test -d $PCAP_HOME; then : - echo -n "" -else +if ! test -d $PCAP_HOME; then : PCAP_HOME=`pwd`/../../PF_RING/userland fi SHORT_MACHINE=`uname -m | cut -b1-3` @@ -187,4 +196,5 @@ AC_SUBST(DPDK_TARGET) AC_SUBST(HAVE_PTHREAD_SETAFFINITY_NP) AC_SUBST(CUSTOM_NDPI) AC_SUBST(NDPI_API_VERSION) +AC_SUBST(EXTRA_TARGETS) AC_OUTPUT diff --git a/example/ndpiReader.c b/example/ndpiReader.c index b00a6be08..30df4af70 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -3146,7 +3146,7 @@ void * processing_thread(void *_thread_id) { gettimeofday(&h.ts, NULL); ndpi_process_packet((u_char*)&thread_id, &h, (const u_char *)data); - rte_pktmbuf_ndpi_free(bufs[i]); + rte_pktmbuf_free(bufs[i]); } } #else @@ -3346,7 +3346,7 @@ static void dgaUnitTest() { }; int i; NDPI_PROTOCOL_BITMASK all; - struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module(ndpi_no_prefs); + struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module(ndpi_no_prefs); assert(ndpi_str != NULL); @@ -3363,7 +3363,6 @@ static void dgaUnitTest() { for(i=0; non_dga[i] != NULL; i++) assert(ndpi_check_dga_name(ndpi_str, NULL, (char*)non_dga[i]) == 0); - ndpi_exit_detection_module(ndpi_str); } diff --git a/example/ndpiSimpleIntegration.c b/example/ndpiSimpleIntegration.c index d5bd117d8..eedf86ffc 100644 --- a/example/ndpiSimpleIntegration.c +++ b/example/ndpiSimpleIntegration.c @@ -9,6 +9,7 @@ #include #include #include +#include #include #define MAX_FLOW_ROOTS_PER_THREAD 2048 
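Review bot: With `ndpi_exit_detection_module(ndpi_str);` removed at the end of dgaUnitTest(), the module created by `ndpi_init_detection_module(ndpi_no_prefs)` earlier in the same function (visible in the -3346 hunk) is never released, so each run of the unit test leaks it and a `--with-sanitizer` build is likely to report it. If the removal works around an exit-time crash, that reason belongs in a comment on the spot; otherwise restore the call after the non_dga loop. The opening lines of dgaUnitTest() lie outside the -3363 hunk.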
@@ -133,7 +134,8 @@ static struct nDPI_workflow * init_workflow(char const * const file_or_device) } if (workflow->pcap_handle == NULL) { - fprintf(stderr, "pcap_open_live / pcap_open_offline_with_tstamp_precision: %s\n", pcap_error_buffer); + fprintf(stderr, "pcap_open_live / pcap_open_offline_with_tstamp_precision: %.*s\n", + (int) PCAP_ERRBUF_SIZE, pcap_error_buffer); free_workflow(&workflow); return NULL; } @@ -204,9 +206,25 @@ static void free_workflow(struct nDPI_workflow ** const workflow) *workflow = NULL; } +static char * get_default_pcapdev(char *errbuf) +{ + char * ifname; + pcap_if_t * all_devices = NULL; + + if (pcap_findalldevs(&all_devices, errbuf) != 0) + { + return NULL; + } + + ifname = strdup(all_devices[0].name); + pcap_freealldevs(all_devices); + + return ifname; +} + static int setup_reader_threads(char const * const file_or_device) { - char const * file_or_default_device; + char * file_or_default_device; char pcap_error_buffer[PCAP_ERRBUF_SIZE]; if (reader_thread_count > MAX_READER_THREADS) { @@ -214,23 +232,28 @@ static int setup_reader_threads(char const * const file_or_device) } if (file_or_device == NULL) { - file_or_default_device = pcap_lookupdev(pcap_error_buffer); + file_or_default_device = get_default_pcapdev(pcap_error_buffer); if (file_or_default_device == NULL) { - fprintf(stderr, "pcap_lookupdev: %s\n", pcap_error_buffer); + fprintf(stderr, "pcap_findalldevs: %.*s\n", (int) PCAP_ERRBUF_SIZE, pcap_error_buffer); return 1; } } else { - file_or_default_device = file_or_device; + file_or_default_device = strdup(file_or_device); + if (file_or_default_device == NULL) { + return 1; + } } for (int i = 0; i < reader_thread_count; ++i) { reader_threads[i].workflow = init_workflow(file_or_default_device); if (reader_threads[i].workflow == NULL) { + free(file_or_default_device); return 1; } } + free(file_or_default_device); return 0; } 
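Review bot: get_default_pcapdev() indexes `all_devices[0]` as soon as `pcap_findalldevs()` returns 0, but that call can succeed with an empty list (no usable capture device, e.g. insufficient privileges) and then hands back a NULL pointer, so the new code dereferences NULL where pcap_lookupdev() used to report an error. Guard the empty list and fill errbuf so the caller's `pcap_findalldevs: %.*s` message is meaningful: `if (all_devices == NULL) { snprintf(errbuf, PCAP_ERRBUF_SIZE, "no capture device found"); return NULL; }`. The `strdup()` result is likewise unchecked, and a NULL from it makes setup_reader_threads() print the still-uninitialised pcap_error_buffer; checking `ifname` before `pcap_freealldevs()` and writing errbuf on that path as well closes the gap.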
@@ -847,7 +870,7 @@ static void ndpi_process_packet(uint8_t * const args, } } - if (flow_to_process->ndpi_flow->num_extra_packets_checked < + if (flow_to_process->ndpi_flow->num_extra_packets_checked <= flow_to_process->ndpi_flow->max_extra_packets_to_check) { /* @@ -873,7 +896,8 @@ static void ndpi_process_packet(uint8_t * const args, workflow->packets_captured, reader_thread->array_index, flow_to_process->flow_id, - ndpi_ssl_version2str(flow_to_process->ndpi_flow->protos.stun_ssl.ssl.ssl_version, + ndpi_ssl_version2str(flow_to_process->ndpi_flow, + flow_to_process->ndpi_flow->protos.stun_ssl.ssl.ssl_version, &unknown_tls_version), flow_to_process->ndpi_flow->protos.stun_ssl.ssl.client_requested_server_name, (flow_to_process->ndpi_flow->protos.stun_ssl.ssl.alpn != NULL ? @@ -889,7 +913,8 @@ static void ndpi_process_packet(uint8_t * const args, workflow->packets_captured, reader_thread->array_index, flow_to_process->flow_id, - ndpi_ssl_version2str(flow_to_process->ndpi_flow->protos.stun_ssl.ssl.ssl_version, + ndpi_ssl_version2str(flow_to_process->ndpi_flow, + flow_to_process->ndpi_flow->protos.stun_ssl.ssl.ssl_version, &unknown_tls_version), flow_to_process->ndpi_flow->protos.stun_ssl.ssl.server_names_len, flow_to_process->ndpi_flow->protos.stun_ssl.ssl.server_names, diff --git a/example/reader_util.c b/example/reader_util.c index b7ca00699..d64612f56 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -698,7 +698,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow u_int8_t **payload, u_int16_t *payload_len, u_int8_t *src_to_dst_direction, - struct timeval when) { + pkt_timeval when) { u_int32_t idx, l4_offset, hashval; struct ndpi_flow_info flow; void *ret; 
@@ -985,7 +985,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info6(struct ndpi_workflow * workflo u_int8_t **payload, u_int16_t *payload_len, u_int8_t *src_to_dst_direction, - struct timeval when) { + pkt_timeval when) { struct ndpi_iphdr iph; memset(&iph, 0, sizeof(iph)); @@ -1308,7 +1308,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, u_int16_t ipsize, u_int16_t rawsize, const struct pcap_pkthdr *header, const u_char *packet, - struct timeval when, + pkt_timeval when, FILE * csv_fp) { struct ndpi_id_struct *src, *dst; struct ndpi_flow_info *flow = NULL; @@ -1338,7 +1338,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, &payload, &payload_len, &src_to_dst_direction, when); if(flow != NULL) { - struct timeval tdiff; + pkt_timeval tdiff; workflow->stats.ip_packet_count++; workflow->stats.total_wire_bytes += rawsize + 24 /* CRC etc */, diff --git a/example/reader_util.h b/example/reader_util.h index db5434df7..4686d75c5 100644 --- a/example/reader_util.h +++ b/example/reader_util.h @@ -31,6 +31,7 @@ #include "uthash.h" #include +#include "ndpi_includes.h" #include "ndpi_classify.h" #include "ndpi_typedefs.h" 
@@ -128,13 +129,13 @@ struct flow_metrics { struct ndpi_entropy { // Entropy fields - struct timeval src2dst_last_pkt_time, dst2src_last_pkt_time, flow_last_pkt_time; + pkt_timeval src2dst_last_pkt_time, dst2src_last_pkt_time, flow_last_pkt_time; u_int16_t src2dst_pkt_len[MAX_NUM_PKTS]; /*!< array of packet appdata lengths */ - struct timeval src2dst_pkt_time[MAX_NUM_PKTS]; /*!< array of arrival times */ + pkt_timeval src2dst_pkt_time[MAX_NUM_PKTS]; /*!< array of arrival times */ u_int16_t dst2src_pkt_len[MAX_NUM_PKTS]; /*!< array of packet appdata lengths */ - struct timeval dst2src_pkt_time[MAX_NUM_PKTS]; /*!< array of arrival times */ - struct timeval src2dst_start; /*!< first packet arrival time */ - struct timeval dst2src_start; /*!< first packet arrival time */ + pkt_timeval dst2src_pkt_time[MAX_NUM_PKTS]; /*!< array of arrival times */ + pkt_timeval src2dst_start; /*!< first packet arrival time */ + pkt_timeval dst2src_start; /*!< first packet arrival time */ u_int32_t src2dst_opackets; /*!< non-zero packet counts */ u_int32_t dst2src_opackets; /*!< non-zero packet counts */ u_int16_t src2dst_pkt_count; /*!< packet counts */ diff --git a/packages/openwrt/Makefile b/packages/openwrt/Makefile index 4b8429b59..5d56e18ad 100644 --- a/packages/openwrt/Makefile +++ b/packages/openwrt/Makefile @@ -1,22 +1,22 @@ # -# Copyright (C) 2018 - ntop.org +# Copyright (C) 2018-20 - ntop.org # include $(TOPDIR)/rules.mk PKG_NAME:=libndpi -PKG_VERSION:=1333.ab2f3ce +PKG_VERSION:=17022020 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/ntop/nDPI.git -PKG_SOURCE_VERSION:=ab2f3cefc89017d73e67faa4eb4011e7e3f2044d +PKG_SOURCE_VERSION:=1f921562d1d7962f1d23ca5b59c25f9b65073460 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION) PKG_SOURCE_PROTO:=git -PKG_MAINTAINER:=Emanuele Faranda +PKG_MAINTAINER:=Luca Deri PKG_LICENSE:=GPL3 -PKG_BUILD_DEPENDS:=+libpcap +PKG_BUILD_DEPENDS:= PKG_BUILD_PARALLEL:=1 # autogen fix 
@@ -27,7 +27,6 @@ include $(INCLUDE_DIR)/package.mk define Package/libndpi SECTION:=network CATEGORY:=Network - #DEPENDS:=+libc +libjson-c +libpthread TITLE:=nDPI Deep Packet Inspection Library URL:=https://www.ntop.org endef @@ -37,8 +36,7 @@ define Package/libndpi/description endef CONFIGURE_ARGS += \ - --with-pic \ - --disable-json-c \ + --with-only-libndpi define Build/Prepare $(call Build/Prepare/Default) diff --git a/packages/openwrt/README b/packages/openwrt/README new file mode 100644 index 000000000..5a2cf2712 --- /dev/null +++ b/packages/openwrt/README @@ -0,0 +1,25 @@ +Howto Compile lindpi on OpenWRT +------------------------------- + +cd myopenwrt_directory +mkdir package/network/services/libndpi +cd package/network/services/libndpi +cp ~/nDPI/packages/openwrt/Makefile . +cd myopenwrt_directory +make menuconfig + +Go under network and select + + libndpi.............................. nDPI Deep Packet Inspection Library + + +Build Commands +-------------- + +If you want to build just libndpi do: +make -j1 V=s package/network/services/libndpi/clean +make -j1 V=s package/network/services/libndpi/compile + +Other Documents +--------------- +https://openwrt.org/packages/pkgdata/libndpi \ No newline at end of file diff --git a/python/ndpi.py b/python/ndpi.py index 227db5bb5..ee33f6a37 100644 --- a/python/ndpi.py +++ b/python/ndpi.py @@ -312,6 +312,8 @@ typedef enum { NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER, NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER, NDPI_SMB_INSECURE_VERSION, + NDPI_TLS_SUSPICIOUS_ESNI_USAGE, + NDPI_BLACKLISTED_HOST, /* Leave this as last member */ NDPI_MAX_RISK } ndpi_risk_enum; @@ -821,6 +823,12 @@ typedef enum { NDPI_PROTOCOL_CATEGORY_PRODUCTIVITY, NDPI_PROTOCOL_CATEGORY_FILE_SHARING, + /* + The category below is used by sites who are used + to test connectivity + */ + NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK, + /* Some custom categories */ CUSTOM_CATEGORY_MINING = 99, CUSTOM_CATEGORY_MALWARE = 100, 
@@ -1446,4 +1454,4 @@ class NDPI(): def ndpi_exit_detection_module(self): """ Exit function for nDPI module """ self._ndpi.ndpi_exit_detection_module(self._mod) - self._ffi.dlclose(self._ndpi) \ No newline at end of file + self._ffi.dlclose(self._ndpi) diff --git a/src/include/Makefile.am b/src/include/Makefile.am index db4e40f35..19d6c60cf 100644 --- a/src/include/Makefile.am +++ b/src/include/Makefile.am @@ -8,4 +8,5 @@ library_include_HEADERS = ndpi_api.h \ ndpi_protocol_ids.h \ ndpi_protocols.h \ ndpi_win32.h \ + ndpi_includes_OpenBSD.h \ ndpi_includes.h diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in index 574908e7f..15f845a7b 100644 --- a/src/include/ndpi_api.h.in +++ b/src/include/ndpi_api.h.in @@ -921,7 +921,9 @@ extern "C" { void ndpi_user_pwd_payload_copy(u_int8_t *dest, u_int dest_len, u_int offset, const u_int8_t *src, u_int src_len); u_char* ndpi_base64_decode(const u_char *src, size_t len, size_t *out_len); - char* ndpi_base64_encode(unsigned char const* bytes_to_encode, size_t in_len); + char* ndpi_base64_encode(unsigned char const* bytes_to_encode, size_t in_len); /* NOTE: caller MUST free the returned pointer */ + void ndpi_string_sha1_hash(const uint8_t *message, size_t len, u_char *hash /* 20-bytes */); + int ndpi_load_ipv4_ptree(struct ndpi_detection_module_struct *ndpi_str, const char *path, u_int16_t protocol_id); #ifndef __KERNEL__ diff --git a/src/include/ndpi_classify.h b/src/include/ndpi_classify.h index 4d2cfff97..ab9212832 100644 --- a/src/include/ndpi_classify.h +++ b/src/include/ndpi_classify.h @@ -43,7 +43,7 @@ #ifndef NDPI_CLASSIFY_H #define NDPI_CLASSIFY_H - +#include "ndpi_includes.h" /* constants */ #define NUM_PARAMETERS_SPLT_LOGREG 208 
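Review bot: The new `/* NOTE: caller MUST free the returned pointer */` on ndpi_base64_encode names the wrong release call: ndpi_community_id.c releases the same buffer with `ndpi_free(community_id)`, and pairing plain free() with nDPI's allocation wrappers would break if ndpi_malloc is ever backed by something other than malloc, so make it `/* NOTE: caller MUST ndpi_free() the returned pointer */`. ndpi_string_sha1_hash and ndpi_load_ipv4_ptree join the public API with no documentation at all; the ptree loader should at least say what `path` refers to (its format is not visible in this diff) and what its int return value means.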
@@ -66,27 +66,27 @@ extern float parameters_bd[NUM_PARAMETERS_BD_LOGREG]; extern float parameters_splt[NUM_PARAMETERS_SPLT_LOGREG]; /* Classifier functions */ -float ndpi_classify(const unsigned short *pkt_len, const struct timeval *pkt_time, - const unsigned short *pkt_len_twin, const struct timeval *pkt_time_twin, - struct timeval start_time, struct timeval start_time_twin, uint32_t max_num_pkt_len, +float ndpi_classify(const unsigned short *pkt_len, const pkt_timeval *pkt_time, + const unsigned short *pkt_len_twin, const pkt_timeval *pkt_time_twin, + pkt_timeval start_time, pkt_timeval start_time_twin, uint32_t max_num_pkt_len, uint16_t sp, uint16_t dp, uint32_t op, uint32_t ip, uint32_t np_o, uint32_t np_i, uint32_t ob, uint32_t ib, uint16_t use_bd, const uint32_t *bd, const uint32_t *bd_t); -void ndpi_merge_splt_arrays(const uint16_t *pkt_len, const struct timeval *pkt_time, - const uint16_t *pkt_len_twin, const struct timeval *pkt_time_twin, - struct timeval start_time, struct timeval start_time_twin, +void ndpi_merge_splt_arrays(const uint16_t *pkt_len, const pkt_timeval *pkt_time, + const uint16_t *pkt_len_twin, const pkt_timeval *pkt_time_twin, + pkt_timeval start_time, pkt_timeval start_time_twin, uint16_t s_idx, uint16_t r_idx, uint16_t *merged_lens, uint16_t *merged_times); void ndpi_update_params(classifier_type_codes_t param_type, const char *param_file); void ndpi_flow_info_freer(void *node); -unsigned int ndpi_timer_eq(const struct timeval *a, const struct timeval *b); -unsigned int ndpi_timer_lt(const struct timeval *a, const struct timeval *b); -void ndpi_timer_sub(const struct timeval *a, const struct timeval *b, struct timeval *result); -void ndpi_timer_clear(struct timeval *a); -unsigned int ndpi_timeval_to_milliseconds(struct timeval ts); -unsigned int ndpi_timeval_to_microseconds(struct timeval ts); +unsigned int ndpi_timer_eq(const pkt_timeval *a, const pkt_timeval *b); +unsigned int ndpi_timer_lt(const pkt_timeval *a, const pkt_timeval *b); 
+void ndpi_timer_sub(const pkt_timeval *a, const pkt_timeval *b, pkt_timeval *result); +void ndpi_timer_clear(pkt_timeval *a); +unsigned int ndpi_timeval_to_milliseconds(pkt_timeval ts); +unsigned int ndpi_timeval_to_microseconds(pkt_timeval ts); void ndpi_log_timestamp(char *log_ts, uint32_t log_ts_len); #endif /* NDPI_CLASSIFY_H */ diff --git a/src/include/ndpi_define.h.in b/src/include/ndpi_define.h.in index 8eae6c0ba..481d67234 100644 --- a/src/include/ndpi_define.h.in +++ b/src/include/ndpi_define.h.in @@ -50,7 +50,9 @@ #include #define __BYTE_ORDER BYTE_ORDER #if BYTE_ORDER == LITTLE_ENDIAN +#ifndef __LITTLE_ENDIAN__ #define __LITTLE_ENDIAN__ +#endif /* __LITTLE_ENDIAN__ */ #else #define __BIG_ENDIAN__ #endif/* BYTE_ORDER */ diff --git a/src/include/ndpi_includes.h b/src/include/ndpi_includes.h index 90de8d429..7d58d9efb 100644 --- a/src/include/ndpi_includes.h +++ b/src/include/ndpi_includes.h @@ -24,7 +24,21 @@ #ifndef __NDPI_INCLUDES_H__ #define __NDPI_INCLUDES_H__ -#ifndef __KERNEL__ +#ifdef __KERNEL__ + +#include +#include +#include +#include +#include +#include +#include +#define printf(format, ...) printk(format,##__VA_ARGS__) +#ifndef IPVERSION +#define IPVERSION 4 +#endif + +#else #include #include @@ -58,31 +72,20 @@ #if defined __NetBSD__ || defined __OpenBSD__ #include +#endif -#ifdef __OpenBSD__ +#endif +#endif + +#if defined __OpenBSD__ #include - -#endif -#endif -#endif -#endif +#include "ndpi_includes_OpenBSD.h" +#else +typedef struct timeval pkt_timeval; +#endif /* __OpenBSD__ */ #endif /* Win32 */ -#else /* KERNEL */ - -#include -#include -#include -#include -#include -#include -#include -#define printf(format, ...) printk(format,##__VA_ARGS__) -#ifndef IPVERSION -#define IPVERSION 4 -#endif - -#endif +#endif /* __KERNEL__ */ #endif /* __NDPI_INCLUDES_H__ */ diff --git a/src/include/ndpi_includes_OpenBSD.h b/src/include/ndpi_includes_OpenBSD.h new file mode 100644 index 000000000..65716c8f3 --- /dev/null 
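Review bot: The new `#ifndef __LITTLE_ENDIAN__` guard is not mirrored on the `#else` branch, so `#define __BIG_ENDIAN__` stays unconditional and will produce a macro-redefinition warning (an error under -Werror) on big-endian toolchains that predefine that macro, which is the same situation the guard was added for. Wrap it the same way: `#ifndef __BIG_ENDIAN__` / `#define __BIG_ENDIAN__` / `#endif /* __BIG_ENDIAN__ */`.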
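Review bot: After the reorganisation, `typedef struct timeval pkt_timeval;` exists only in the non-`__KERNEL__` branch, while this commit makes ndpi_classify.h include ndpi_includes.h and switches its prototypes to pkt_timeval; whether the kernel build ever compiles that header I cannot tell from the diff, so please confirm, and if it does, emit the typedef in the `#ifdef __KERNEL__` block too. The run of three bare `#endif`s following the NetBSD/OpenBSD include is hard to match to its openers now that the blocks have been moved; annotating each as the file already does at the bottom (`#endif /* <opening condition> */`) would make the next edit to this header safer.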
+++ b/src/include/ndpi_includes_OpenBSD.h @@ -0,0 +1,35 @@ +/* + * ndpi_includes_OpenBSD.h + * + * Copyright (C) 2011-16 - ntop.org + * + * This file is part of nDPI, an open source deep packet inspection + * library based on the OpenDPI and PACE technology by ipoque GmbH + * + * nDPI is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * nDPI is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with nDPI. If not, see . + * + */ + +#ifndef __NDPI_INCLUDES_OPENBSD_H__ +#define __NDPI_INCLUDES_OPENBSD_H__ + +#ifndef IPPROTO_SCTP +#define IPPROTO_SCTP 132 +#endif /* IPPROTO_SCTP */ + +#include + +typedef struct bpf_timeval pkt_timeval; + +#endif /* __NDPI_INCLUDES_OPENBSD_H__ */ diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index 01f54c0f9..07f444e8e 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -87,7 +87,7 @@ typedef enum { NDPI_PROTOCOL_ZATTOO = 55, NDPI_PROTOCOL_SHOUTCAST = 56, NDPI_PROTOCOL_SOPCAST = 57, - NDPI_PROTOCOL_FREE_58 = 58, /* Free */ + NDPI_PROTOCOL_DISCORD = 58, NDPI_PROTOCOL_TVUPLAYER = 59, NDPI_PROTOCOL_HTTP_DOWNLOAD = 60, NDPI_PROTOCOL_QQLIVE = 61, @@ -282,6 +282,7 @@ typedef enum { NDPI_PROTOCOL_MSTEAMS = 250, NDPI_PROTOCOL_WEBSOCKET = 251, /* Leonn Paiva */ NDPI_PROTOCOL_ANYDESK = 252, /* Toni Uhlig */ + NDPI_PROTOCOL_SOAP = 253, /* Toni Uhlig */ #ifdef CUSTOM_NDPI_PROTOCOLS #include "../../../nDPI-custom/custom_ndpi_protocol_ids.h" 
diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h index d2c4718bf..740f9e40b 100644 --- a/src/include/ndpi_protocols.h +++ b/src/include/ndpi_protocols.h @@ -218,5 +218,6 @@ void init_dnp3_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int void init_104_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_s7comm_dissector(struct ndpi_detection_module_struct *ndpi_struct,u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_websocket_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_soap_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); #endif /* __NDPI_PROTOCOLS_H__ */ diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 1bde75fdc..06271a3d6 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -85,6 +85,8 @@ typedef enum { NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER, NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER, NDPI_SMB_INSECURE_VERSION, + NDPI_TLS_SUSPICIOUS_ESNI_USAGE, + NDPI_BLACKLISTED_HOST, /* Leave this as last member */ NDPI_MAX_RISK @@ -733,6 +735,9 @@ struct ndpi_flow_tcp_struct { /* NDPI_PROTOCOL_MAIL_IMAP */ u_int32_t mail_imap_stage:3, mail_imap_starttls:2; + /* NDPI_PROTOCOL_SOAP */ + u_int32_t soap_stage:1; + /* NDPI_PROTOCOL_SKYPE */ u_int8_t skype_packet_id; @@ -961,6 +966,11 @@ typedef enum { NDPI_PROTOCOL_CATEGORY_SHOPPING, NDPI_PROTOCOL_CATEGORY_PRODUCTIVITY, NDPI_PROTOCOL_CATEGORY_FILE_SHARING, + /* + The category below is used by sites who are used + to test connectivity + */ + NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK, /* Some custom categories */ CUSTOM_CATEGORY_MINING = 99, diff --git a/src/include/ndpi_win32.h b/src/include/ndpi_win32.h index 7b0b37de1..a39a2401a 100644 --- a/src/include/ndpi_win32.h 
+++ b/src/include/ndpi_win32.h @@ -76,9 +76,6 @@ typedef unsigned __int64 u_int64_t; extern unsigned long waitForNextEvent(unsigned long ulDelay /* ms */); #define sleep(a /* sec */) waitForNextEvent(1000*a /* ms */) -#ifndef localtime_r -#define localtime_r(a, b) localtime_s(b, a) -#endif #define strtok_r strtok_s #define timegm _mkgmtime diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am index 85377d8d1..bac7499d0 100644 --- a/src/lib/Makefile.am +++ b/src/lib/Makefile.am @@ -141,6 +141,7 @@ libndpi_a_SOURCES = ndpi_content_match.c.inc \ protocols/skype.c \ protocols/smb.c \ protocols/snmp_proto.c \ + protocols/soap.c \ protocols/socks45.c \ protocols/sopcast.c \ protocols/soulseek.c \ diff --git a/src/lib/ndpi_classify.c b/src/lib/ndpi_classify.c index 9791db324..7b410e05f 100644 --- a/src/lib/ndpi_classify.c +++ b/src/lib/ndpi_classify.c @@ -240,9 +240,9 @@ float ndpi_parameters_bd[NUM_PARAMETERS_BD_LOGREG] = { }; /** - * \fn void ndpi_merge_splt_arrays (const uint16_t *pkt_len, const struct timeval *pkt_time, - const uint16_t *pkt_len_twin, const struct timeval *pkt_time_twin, - struct timeval start_time, struct timeval start_time_twin, + * \fn void ndpi_merge_splt_arrays (const uint16_t *pkt_len, const pkt_timeval *pkt_time, + const uint16_t *pkt_len_twin, const pkt_timeval *pkt_time_twin, + pkt_timeval start_time, pkt_timeval start_time_twin, uint16_t s_idx, uint16_t r_idx, uint16_t *merged_lens, uint16_t *merged_times, uint32_t max_num_pkt_len, uint32_t max_merged_num_pkts) 
@@ -260,16 +260,16 @@ float ndpi_parameters_bd[NUM_PARAMETERS_BD_LOGREG] = { * \return none */ void -ndpi_merge_splt_arrays (const uint16_t *pkt_len, const struct timeval *pkt_time, - const uint16_t *pkt_len_twin, const struct timeval *pkt_time_twin, - struct timeval start_time, struct timeval start_time_twin, +ndpi_merge_splt_arrays (const uint16_t *pkt_len, const pkt_timeval *pkt_time, + const uint16_t *pkt_len_twin, const pkt_timeval *pkt_time_twin, + pkt_timeval start_time, pkt_timeval start_time_twin, uint16_t s_idx, uint16_t r_idx, uint16_t *merged_lens, uint16_t *merged_times) { int s,r; - struct timeval ts_start = { 0, 0 }; /* initialize to avoid spurious warnings */ - struct timeval tmp, tmp_r; - struct timeval start_m; + pkt_timeval ts_start = { 0, 0 }; /* initialize to avoid spurious warnings */ + pkt_timeval tmp, tmp_r; + pkt_timeval start_m; if(r_idx + s_idx == 0) { return ; @@ -419,9 +419,9 @@ ndpi_get_mc_rep_times (uint16_t *times, float *time_mc, uint16_t num_packets) } /** - * \fn float classify (const unsigned short *pkt_len, const struct timeval *pkt_time, - const unsigned short *pkt_len_twin, const struct timeval *pkt_time_twin, - struct timeval start_time, struct timeval start_time_twin, uint32_t max_num_pkt_len, + * \fn float classify (const unsigned short *pkt_len, const pkt_timeval *pkt_time, + const unsigned short *pkt_len_twin, const pkt_timeval *pkt_time_twin, + pkt_timeval start_time, pkt_timeval start_time_twin, uint32_t max_num_pkt_len, uint16_t sp, uint16_t dp, uint32_t op, uint32_t ip, uint32_t np_o, uint32_t np_i, uint32_t ob, uint32_t ib, uint16_t use_bd, const uint32_t *bd, const uint32_t *bd_t) * \param pkt_len length of the packet 
@@ -445,9 +445,9 @@ ndpi_get_mc_rep_times (uint16_t *times, float *time_mc, uint16_t num_packets) * \return float score */ float -ndpi_classify (const unsigned short *pkt_len, const struct timeval *pkt_time, - const unsigned short *pkt_len_twin, const struct timeval *pkt_time_twin, - struct timeval start_time, struct timeval start_time_twin, uint32_t max_num_pkt_len, +ndpi_classify (const unsigned short *pkt_len, const pkt_timeval *pkt_time, + const unsigned short *pkt_len_twin, const pkt_timeval *pkt_time_twin, + pkt_timeval start_time, pkt_timeval start_time_twin, uint32_t max_num_pkt_len, uint16_t sp, uint16_t dp, uint32_t op, uint32_t ip, uint32_t np_o, uint32_t np_i, uint32_t ob, uint32_t ib, uint16_t use_bd, const uint32_t *bd, const uint32_t *bd_t) { @@ -604,8 +604,8 @@ ndpi_update_params (classifier_type_codes_t param_type, const char *param_file) * \return 1 if equal, 0 otherwise */ unsigned int -ndpi_timer_eq(const struct timeval *a, - const struct timeval *b) +ndpi_timer_eq(const pkt_timeval *a, + const pkt_timeval *b) { if(a->tv_sec == b->tv_sec && a->tv_usec == b->tv_usec) { return 1; @@ -615,8 +615,8 @@ ndpi_timer_eq(const struct timeval *a, } unsigned int -ndpi_timer_lt(const struct timeval *a, - const struct timeval *b) +ndpi_timer_lt(const pkt_timeval *a, + const pkt_timeval *b) { return (a->tv_sec == b->tv_sec) ? (a->tv_usec < b->tv_usec):(a->tv_sec < b->tv_sec); @@ -630,9 +630,9 @@ ndpi_timer_lt(const struct timeval *a, * \return none */ void -ndpi_timer_sub(const struct timeval *a, - const struct timeval *b, - struct timeval *result) +ndpi_timer_sub(const pkt_timeval *a, + const pkt_timeval *b, + pkt_timeval *result) { result->tv_sec = a->tv_sec - b->tv_sec; result->tv_usec = a->tv_usec - b->tv_usec; @@ -648,7 +648,7 @@ ndpi_timer_sub(const struct timeval *a, * \return none */ void -ndpi_timer_clear(struct timeval *a) +ndpi_timer_clear(pkt_timeval *a) { a->tv_sec = a->tv_usec = 0; } 
@@ -659,7 +659,7 @@ ndpi_timer_clear(struct timeval *a) * \return unsigned int - Milliseconds */ unsigned int -ndpi_timeval_to_milliseconds(struct timeval ts) +ndpi_timeval_to_milliseconds(pkt_timeval ts) { unsigned int result = ts.tv_usec / 1000 + ts.tv_sec * 1000; return result; @@ -671,7 +671,7 @@ ndpi_timeval_to_milliseconds(struct timeval ts) * \return unsigned int - Milliseconds */ unsigned int -ndpi_timeval_to_microseconds(struct timeval ts) +ndpi_timeval_to_microseconds(pkt_timeval ts) { unsigned int result = ts.tv_usec + ts.tv_sec * 1000 * 1000; return result; @@ -680,7 +680,7 @@ ndpi_timeval_to_microseconds(struct timeval ts) void ndpi_log_timestamp(char *log_ts, uint32_t log_ts_len) { - struct timeval tv; + pkt_timeval tv; time_t nowtime; struct tm nowtm_r; char tmbuf[NDPI_TIMESTAMP_LEN]; diff --git a/src/lib/ndpi_community_id.c b/src/lib/ndpi_community_id.c index 30519b59e..cc8436928 100644 --- a/src/lib/ndpi_community_id.c +++ b/src/lib/ndpi_community_id.c @@ -31,6 +31,7 @@ #include "ndpi_api.h" #include "ndpi_config.h" +#include "ndpi_includes.h" #include #ifndef WIN32 @@ -167,13 +168,15 @@ static int ndpi_community_id_peer_v4_is_less_than(u_int32_t ip1, u_int32_t ip2, static int ndpi_community_id_peer_v6_is_less_than(struct ndpi_in6_addr *ip1, struct ndpi_in6_addr *ip2, u_int16_t p1, u_int16_t p2) { int comp = memcmp(ip1, ip2, sizeof(struct ndpi_in6_addr)); + return comp < 0 || (comp == 0 && p1 < p2); } /* **************************************************** */ -static void ndpi_community_id_sha1_hash(const uint8_t *message, size_t len, u_char *hash /* 20-bytes */) { +void ndpi_string_sha1_hash(const uint8_t *message, size_t len, u_char *hash /* 20-bytes */) { SHA1_CTX ctx; + SHA1Init(&ctx); SHA1Update(&ctx, message, len); SHA1Final(hash, &ctx); 
@@ -185,7 +188,8 @@ static void ndpi_community_id_sha1_hash(const uint8_t *message, size_t len, u_ch https://github.com/corelight/community-id-spec/blob/bda913f617389df07cdaa23606e11bbd318e265c/community-id.py#L285 */ static int ndpi_community_id_finalize_and_compute_hash(u_int8_t *comm_buf, u_int16_t off, u_int8_t l4_proto, - u_int16_t src_port, u_int16_t dst_port, char *hash_buf, u_int8_t hash_buf_len) { + u_int16_t src_port, u_int16_t dst_port, + char *hash_buf, u_int8_t hash_buf_len) { u_int8_t pad = 0; uint32_t hash[5]; char *community_id; @@ -209,12 +213,12 @@ static int ndpi_community_id_finalize_and_compute_hash(u_int8_t *comm_buf, u_int } /* Compute SHA1 */ - ndpi_community_id_sha1_hash(comm_buf, off, (u_char*)hash); + ndpi_string_sha1_hash(comm_buf, off, (u_char*)hash); /* Base64 encoding */ community_id = ndpi_base64_encode((u_int8_t*)hash, sizeof(hash)); - if (community_id == NULL) + if(community_id == NULL) return -1; #if 0 /* Debug Info */ @@ -231,7 +235,7 @@ static int ndpi_community_id_finalize_and_compute_hash(u_int8_t *comm_buf, u_int printf("Base64: %s\n", community_id); #endif - if (hash_buf_len < 2 || hash_buf_len-2 < strlen(community_id)+1) { + if(hash_buf_len < 2 || hash_buf_len-2 < strlen(community_id)+1) { ndpi_free(community_id); return -1; } diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index a894cc37e..c06330127 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc 
@@ -9139,6 +9139,13 @@ ndpi_protocol_match host_match[] = { ".net.anydesk.com", "AnyDesk", NDPI_PROTOCOL_ANYDESK, NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, NDPI_PROTOCOL_ACCEPTABLE }, + { "discordapp.com", "Discord", NDPI_PROTOCOL_DISCORD, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + { "discordapp.net", "Discord", NDPI_PROTOCOL_DISCORD, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + { "discord.com", "Discord", NDPI_PROTOCOL_DISCORD, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + { "discord.gg", "Discord", NDPI_PROTOCOL_DISCORD, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + { "discord.media", "Discord", NDPI_PROTOCOL_DISCORD, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + + { NULL, NULL, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_SAFE } }; 
@@ -9176,6 +9183,21 @@ static ndpi_category_match category_match[] = { { "iptv.sky.", NDPI_PROTOCOL_CATEGORY_STREAMING }, { "pcdn.skycdn.", NDPI_PROTOCOL_CATEGORY_STREAMING }, + /* https://success.tanaza.com/s/article/How-Automatic-Detection-of-Captive-Portal-works */ + { "captive.apple.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK }, + { "thinkdifferent.us", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK }, + { "airport.us", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK }, + { "gsp1.apple.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK }, + { "msftconnecttest.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK }, + { "testconnectivity.microsoft.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK }, + { "msftncsi.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK }, + { "msftncsi.com.edgesuite.net", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK }, + { "teredo.ipv6.microsoft.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK }, + { "teredo.ipv6.microsoft.com.nsatc.net", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK }, + { "detectportal.firefox.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK }, + { "connectivitycheck.android.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK }, + { "connectivitycheck.gstatic.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK }, + /* Hulu Streaming services AS23286 */ { "8.28.124.0/24", NDPI_PROTOCOL_CATEGORY_STREAMING }, { "8.28.125.0/24", NDPI_PROTOCOL_CATEGORY_STREAMING }, 
@@ -9327,7 +9349,7 @@ static const char *ndpi_en_popular_bigrams[] = { static const char *ndpi_en_impossible_bigrams[] = { "bk", "bq", "bx", "cb", "cf", "cg", "cj", "cp", "cv", "cw", "cx", "dx", "fk", "fq", "fv", "fx", /* "ee", removed it can be found in 'meeting' */ "fz", "gq", "gv", "gx", "hh", "hk", "hv", "hx", "hz", "iy", "jb", /* "jc", jcrew.com */ "jd", "jf", "jg", "jh", "jk", - "jl", "jm", "jn", "jp", "jq", /* "jr",*/ /* "js", */ "jt", "jv", "jw", "jx", "jy", "jz", "kg", "kq", "kv", "kx", + "jl", "jm", "jn", "jp", "jq", /* "jr",*/ /* "js", */ "jt", "jv", "jw", "jx", "jy", "jz", /* "kg", */ "kq", "kv", "kx", "kz", "lq", "lx", /* "mg" tamgrt.com , */ "mj", /* "mq", mqtt */ "mx", "mz", "pq", "pv", "px", "qb", "qc", "qd", "qe", "qf", "ii", "qg", "qh", "qj", "qk", "ql", "qm", "qn", "qo", "qp", "qr", "qs", "qt", "qv", "qw", "qx", "qy", "uu", "qz", "sx", "sz", "tq", "tx", "vb", "vc", "vd", "vf", "vg", "vh", "vj", "vm", "vn", /* "vp", Removed for vpbank.com */ "bw", /* "vk", "zr" Removed for kavkazr */ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 6e6dea082..fab4f5a66 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
@@ -953,8 +953,8 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, no_master, "Sopcast", NDPI_PROTOCOL_CATEGORY_VIDEO, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); - ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_FREE_58, 0 /* can_have_a_subprotocol */, - no_master, no_master, "Free58", NDPI_PROTOCOL_CATEGORY_VIDEO, + ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DISCORD, 0 /* can_have_a_subprotocol */, + no_master, no_master, "Discord", NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_TVUPLAYER, 0 /* can_have_a_subprotocol */, @@ -1532,6 +1532,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "AnyDesk", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SOAP, 1 /* no subprotocol */, + no_master, no_master, "SOAP", NDPI_PROTOCOL_CATEGORY_RPC, + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); #ifdef CUSTOM_NDPI_PROTOCOLS #include "../../../nDPI-custom/custom_ndpi_main.c" @@ -1924,7 +1928,7 @@ static const char *categories[] = { "Shopping", "Productivity", "FileSharing", - "", + "ConnectivityCheck", "", "", "", 
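Review bot: The new SOAP entry passes `1 /* no subprotocol */` as the fourth argument, but every neighbouring call (AnyDesk just above, Discord in the first hunk) documents that argument as `0 /* can_have_a_subprotocol */`, so either the value or the comment is wrong. SOAP is added here as a plain TCP dissector with no master/sub relationship, so the call should most likely read `ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SOAP, 0 /* can_have_a_subprotocol */,`. Separately, the first hunk reuses the former NDPI_PROTOCOL_FREE_58 slot for Discord; anyone persisting numeric protocol ids (exported flow records, SIEM rules) will see the old id reinterpreted, which deserves a changelog line. ndpi_init_protocol_defaults begins and ends outside these hunks.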
@@ -2623,79 +2627,85 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_str, char *rule, } } - if (def == NULL) { - if (!do_add) { - /* We need to remove a rule */ - NDPI_LOG_ERR(ndpi_str, "Unable to find protocol '%s': skipping rule '%s'\n", proto, rule); - return (-3); - } else { - ndpi_port_range ports_a[MAX_DEFAULT_PORTS], ports_b[MAX_DEFAULT_PORTS]; - u_int16_t no_master[2] = {NDPI_PROTOCOL_NO_MASTER_PROTO, NDPI_PROTOCOL_NO_MASTER_PROTO}; + if(def == NULL) { + if(!do_add) { + /* We need to remove a rule */ + NDPI_LOG_ERR(ndpi_str, "Unable to find protocol '%s': skipping rule '%s'\n", proto, rule); + return(-3); + } else { + ndpi_port_range ports_a[MAX_DEFAULT_PORTS], ports_b[MAX_DEFAULT_PORTS]; + u_int16_t no_master[2] = {NDPI_PROTOCOL_NO_MASTER_PROTO, NDPI_PROTOCOL_NO_MASTER_PROTO}; - if (ndpi_str->ndpi_num_custom_protocols >= (NDPI_MAX_NUM_CUSTOM_PROTOCOLS - 1)) { - NDPI_LOG_ERR(ndpi_str, "Too many protocols defined (%u): skipping protocol %s\n", - ndpi_str->ndpi_num_custom_protocols, proto); - return (-2); - } + if(ndpi_str->ndpi_num_custom_protocols >= (NDPI_MAX_NUM_CUSTOM_PROTOCOLS - 1)) { + NDPI_LOG_ERR(ndpi_str, "Too many protocols defined (%u): skipping protocol %s\n", + ndpi_str->ndpi_num_custom_protocols, proto); + return(-2); + } - ndpi_set_proto_defaults( - ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, ndpi_str->ndpi_num_supported_protocols, - 0 /* can_have_a_subprotocol */, no_master, no_master, proto, - NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, /* TODO add protocol category support in rules */ - ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); - def = &ndpi_str->proto_defaults[ndpi_str->ndpi_num_supported_protocols]; - subprotocol_id = ndpi_str->ndpi_num_supported_protocols; - ndpi_str->ndpi_num_supported_protocols++, ndpi_str->ndpi_num_custom_protocols++; - } + ndpi_set_proto_defaults( + ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, ndpi_str->ndpi_num_supported_protocols, + 0 /* 
can_have_a_subprotocol */, no_master, no_master, proto, + NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, /* TODO add protocol category support in rules */ + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + def = &ndpi_str->proto_defaults[ndpi_str->ndpi_num_supported_protocols]; + subprotocol_id = ndpi_str->ndpi_num_supported_protocols; + ndpi_str->ndpi_num_supported_protocols++, ndpi_str->ndpi_num_custom_protocols++; + } + } + + while ((elem = strsep(&rule, ",")) != NULL) { + char *attr = elem, *value = NULL; + ndpi_port_range range; + int is_tcp = 0, is_udp = 0, is_ip = 0; + + if(strncmp(attr, "tcp:", 4) == 0) + is_tcp = 1, value = &attr[4]; + else if(strncmp(attr, "udp:", 4) == 0) + is_udp = 1, value = &attr[4]; + else if(strncmp(attr, "ip:", 3) == 0) + is_ip = 1, value = &attr[3]; + else if(strncmp(attr, "host:", 5) == 0) { + /* host:"",host:"",.....@ */ + u_int i, max_len; + + value = &attr[5]; + if(value[0] == '"') + value++; /* remove leading " */ + + max_len = strlen(value) - 1; + if(value[max_len] == '"') + value[max_len] = '\0'; /* remove trailing " */ + + for(i=0; i",host:"",.....@ */ - value = &attr[5]; - if (value[0] == '"') - value++; /* remove leading " */ - if (value[strlen(value) - 1] == '"') - value[strlen(value) - 1] = '\0'; /* remove trailing " */ - } + if (sscanf(value, "%u-%u", &p_low, &p_high) == 2) + range.port_low = p_low, range.port_high = p_high; + else + range.port_low = range.port_high = atoi(&elem[4]); - if (is_tcp || is_udp) { - u_int p_low, p_high; - - if (sscanf(value, "%u-%u", &p_low, &p_high) == 2) - range.port_low = p_low, range.port_high = p_high; - else - range.port_low = range.port_high = atoi(&elem[4]); - - if (do_add) - addDefaultPort(ndpi_str, &range, def, 1 /* Custom user proto */, - is_tcp ? &ndpi_str->tcpRoot : &ndpi_str->udpRoot, __FUNCTION__, __LINE__); - else - removeDefaultPort(&range, def, is_tcp ? 
&ndpi_str->tcpRoot : &ndpi_str->udpRoot); - } else if (is_ip) { - /* NDPI_PROTOCOL_TOR */ - ndpi_add_host_ip_subprotocol(ndpi_str, value, subprotocol_id); - } else if(value) { - if (do_add) - ndpi_add_host_url_subprotocol(ndpi_str, value, subprotocol_id, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, - NDPI_PROTOCOL_ACCEPTABLE); - else - ndpi_remove_host_url_subprotocol(ndpi_str, value, subprotocol_id); - } + if (do_add) + addDefaultPort(ndpi_str, &range, def, 1 /* Custom user proto */, + is_tcp ? &ndpi_str->tcpRoot : &ndpi_str->udpRoot, __FUNCTION__, __LINE__); + else + removeDefaultPort(&range, def, is_tcp ? &ndpi_str->tcpRoot : &ndpi_str->udpRoot); + } else if (is_ip) { + /* NDPI_PROTOCOL_TOR */ + ndpi_add_host_ip_subprotocol(ndpi_str, value, subprotocol_id); + } else if(value) { + if (do_add) + ndpi_add_host_url_subprotocol(ndpi_str, value, subprotocol_id, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, + NDPI_PROTOCOL_ACCEPTABLE); + else + ndpi_remove_host_url_subprotocol(ndpi_str, value, subprotocol_id); } + } - return(0); + return(0); } /* ******************************************************************** */ @@ -3382,6 +3392,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* WEBSOCKET */ init_websocket_dissector(ndpi_str, &a, detection_bitmask); + /* SOAP */ + init_soap_dissector(ndpi_str, &a, detection_bitmask); + #ifdef CUSTOM_NDPI_PROTOCOLS #include "../../../nDPI-custom/custom_ndpi_main_init.c" #endif 
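Review bot: In the rewritten `host:` branch, `max_len = strlen(value) - 1` is computed before checking that `value` is non-empty, so a rule ending in `host:` or `host:"` (the leading quote is already skipped) leaves `value` empty, `max_len` wraps to UINT_MAX as a `u_int`, and `value[max_len]` is read (and, if that byte happens to be a quote, written) out of bounds; the old code had the same flaw, but this rewrite is the place to fix it since rule text is caller-supplied. Guard it with `if(value[0] != '\0') { max_len = strlen(value) - 1; if(value[max_len] == '"') value[max_len] = '\0'; }` and skip the quote stripping and the following loop otherwise. The body of that loop is lost in this rendering (the text after `for(i=0; i` is missing), so I cannot tell whether it also relies on `max_len`; please check it under the same empty-value case. ndpi_handle_rule begins before this hunk; its `return(0);` is visible here.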
@@ -4836,21 +4849,34 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct if(found && (found->proto->protoId != NDPI_PROTOCOL_UNKNOWN) - && (found->proto->protoId != ret.master_protocol)) { + && (found->proto->protoId != ret.master_protocol) + && (found->proto->protoId != ret.app_protocol) + ) { // printf("******** %u / %u\n", found->proto->protoId, ret.master_protocol); if(!ndpi_check_protocol_port_mismatch_exceptions(ndpi_str, flow, found, &ret)) NDPI_SET_BIT(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); } else if(default_ports && (default_ports[0] != 0)) { - u_int8_t found = 0, i; + u_int8_t found = 0, i, num_loops = 0; + check_default_ports: for(i=0; (ipacket.udp) + default_ports = ndpi_str->proto_defaults[ret.app_protocol].udp_default_ports; + else + default_ports = ndpi_str->proto_defaults[ret.app_protocol].tcp_default_ports; + + num_loops = 1; + goto check_default_ports; + } + if(!found) { // printf("******** Invalid default port\n"); NDPI_SET_BIT(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); @@ -6228,7 +6254,7 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_ int ndpi_match_hostname_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int16_t master_protocol, char *name, u_int name_len) { ndpi_protocol_match_result ret_match; - u_int16_t subproto, what_len; + u_int16_t subproto, what_len, i; char *what; if((name_len > 2) && (name[0] == '*') && (name[1] == '.')) 
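Review bot: The retry over the app-protocol default ports is implemented with a backward `goto check_default_ports` guarded by `num_loops`, which is harder to follow than a bounded loop over the two candidate protocols (`ret.master_protocol`, then `ret.app_protocol`) and makes the reassignment of `default_ports` easy to miss. The inner `u_int8_t found` also shadows the outer `found` pointer used in the first condition of this hunk (that shadowing pre-dates the change, but the new code enlarges the shadowed scope). The `for` loop body is lost in this rendering, so I can only judge the control-flow shape; ndpi_detection_process_packet begins and ends outside the hunk.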
@@ -6236,6 +6262,9 @@ int ndpi_match_hostname_protocol(struct ndpi_detection_module_struct *ndpi_struc else what = name, what_len = name_len; + /* Convert it first to lowercase: we assume meory is writable as in nDPI dissctors */ + for(i=0; i Checking %c%c\n", word[i], word[i+1]); #endif - if(ndpi_match_bigram(ndpi_str, &ndpi_str->bigrams_automa, &word[i])) { - num_found++; - } else { - if(ndpi_match_bigram(ndpi_str, - &ndpi_str->impossible_bigrams_automa, - &word[i])) { + if(ndpi_match_bigram(ndpi_str, + &ndpi_str->impossible_bigrams_automa, + &word[i])) { #ifdef DGA_DEBUG - printf("IMPOSSIBLE %s\n", &word[i]); + printf("IMPOSSIBLE %s\n", &word[i]); #endif - num_impossible++; - } - } + num_impossible++; + } else if(ndpi_match_bigram(ndpi_str, &ndpi_str->bigrams_automa, &word[i])) { + num_found++; + } } /* for */ } /* for */ diff --git a/src/lib/ndpi_network_list_compile.h b/src/lib/ndpi_network_list_compile.h index 4d5f95eea..e310e2d2d 100644 --- a/src/lib/ndpi_network_list_compile.h +++ b/src/lib/ndpi_network_list_compile.h @@ -58,7 +58,7 @@ _P(NDPI_PROTOCOL_PPSTREAM), _P(NDPI_PROTOCOL_ZATTOO), _P(NDPI_PROTOCOL_SHOUTCAST), _P(NDPI_PROTOCOL_SOPCAST), -_P(NDPI_PROTOCOL_FREE_58), +_P(NDPI_PROTOCOL_DISCORD), _P(NDPI_PROTOCOL_TVUPLAYER), _P(NDPI_PROTOCOL_HTTP_DOWNLOAD), _P(NDPI_PROTOCOL_QQLIVE), @@ -252,6 +252,7 @@ _P(NDPI_PROTOCOL_ZABBIX), _P(NDPI_PROTOCOL_S7COMM), _P(NDPI_PROTOCOL_MSTEAMS), _P(NDPI_PROTOCOL_WEBSOCKET), -_P(NDPI_PROTOCOL_ANYDESK) +_P(NDPI_PROTOCOL_ANYDESK), +_P(NDPI_PROTOCOL_SOAP) }; diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 9ac64d9e7..e48279e16 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -881,6 +881,7 @@ u_char* ndpi_base64_decode(const u_char *src, size_t len, size_t *out_len) { /* ********************************** */ +/* NOTE: caller MUST free returned pointer */ char* ndpi_base64_encode(unsigned char const* bytes_to_encode, size_t in_len) { size_t len = 0, ret_size; char *ret; 
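Review bot: The new lowercase pass writes back through `what`, which aliases the `char *name` parameter, so ndpi_match_hostname_protocol now mutates its caller's buffer; the comment admits this ("we assume memory is writable") but the prototype gives callers no hint, and a caller passing a string literal or a read-only view would hit undefined behaviour. If in-place mutation is intended, document it on the declaration: `/* NOTE: 'name' is lowercased in place and must point to writable memory of at least name_len bytes */`; otherwise copy into a bounded stack buffer before matching. If the loop calls `tolower()` on a plain `char`, cast first (`tolower((unsigned char)what[i])`), since negative `char` values are undefined for the ctype functions. The loop body and the rest of this hunk are lost in this rendering, and the comment itself has typos ("meory", "dissctors").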
@@ -1543,7 +1544,10 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) { case NDPI_SMB_INSECURE_VERSION: return("SMB Insecure Version"); - + + case NDPI_TLS_SUSPICIOUS_ESNI_USAGE: + return("TLS Suspicious ESNI Usage"); + default: snprintf(buf, sizeof(buf), "%d", (int)risk); return(buf); diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 7de9fa8e7..c4d91c728 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -70,6 +70,7 @@ static void ndpi_analyze_content_signature(struct ndpi_flow_struct *flow) { static int ndpi_search_http_tcp_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + ndpi_search_http_tcp(ndpi_struct, flow); #ifdef HTTP_DEBUG @@ -133,7 +134,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo } /* check for attachment */ - if (packet->content_disposition_line.len > 0) { + if(packet->content_disposition_line.len > 0) { u_int8_t attachment_len = sizeof("attachment; filename"); if(packet->content_disposition_line.len > attachment_len) { @@ -224,7 +225,7 @@ static void rtsp_parse_packet_acceptline(struct ndpi_detection_module_struct static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, char *ua) { - if ( !strcmp(ua, "Windows NT 5.0")) ua = "Windows 2000"; + if( !strcmp(ua, "Windows NT 5.0")) ua = "Windows 2000"; else if(!strcmp(ua, "Windows NT 5.1")) ua = "Windows XP"; else if(!strcmp(ua, "Windows NT 5.2")) ua = "Windows Server 2003"; else if(!strcmp(ua, "Windows NT 6.0")) ua = "Windows Vista"; 
@@ -749,7 +750,8 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct packet->packet_lines_parsed_complete = 0; /* Check if we so far detected the protocol in the request or not. */ - if(flow->l4.tcp.http_stage == 0) { + if((packet->payload_packet_len > 0) /* Needed in case of extra packet processing */ + && (flow->l4.tcp.http_stage == 0)) { /* Expected a request */ flow->http_detected = 0; @@ -831,7 +833,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct /* try to get some additional request header info even if the packet may not be HTTP */ ndpi_parse_packet_line_info(ndpi_struct, flow); - if (packet->http_num_headers > 0) { + if(packet->http_num_headers > 0) { check_content_type_and_change_protocol(ndpi_struct, flow); return; } diff --git a/src/lib/protocols/mysql.c b/src/lib/protocols/mysql.c index 485456e91..aa95d46c4 100644 --- a/src/lib/protocols/mysql.c +++ b/src/lib/protocols/mysql.c @@ -40,7 +40,7 @@ void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, str && get_u_int8_t(packet->payload, 2) == 0x00 //3rd byte of packet length && get_u_int8_t(packet->payload, 3) == 0x00 //packet sequence number is 0 for startup packet && get_u_int8_t(packet->payload, 5) > 0x30 //server version > 0 - && get_u_int8_t(packet->payload, 5) < 0x37 //server version < 7 + && get_u_int8_t(packet->payload, 5) < 0x39 //server version < 9 && get_u_int8_t(packet->payload, 6) == 0x2e //dot ) { #if 0 diff --git a/src/lib/protocols/soap.c b/src/lib/protocols/soap.c new file mode 100644 index 000000000..dfbaf6c1e --- /dev/null +++ b/src/lib/protocols/soap.c 
@@ -0,0 +1,70 @@ +/* + * soap.c + * + * Copyright (C) 2020 - ntop.org + * + * nDPI is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * nDPI is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with nDPI. If not, see . + * + */ + +#include "ndpi_protocol_ids.h" + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SOAP + +#include "ndpi_api.h" + +static void ndpi_int_soap_add_connection(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) +{ + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOAP, NDPI_PROTOCOL_UNKNOWN); +} + +void ndpi_search_soap(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) +{ + struct ndpi_packet_struct *packet = &flow->packet; + + NDPI_LOG_DBG(ndpi_struct, "search soap\n"); + + if (flow->packet_counter > 3) + { + if (flow->l4.tcp.soap_stage == 1) + { + ndpi_int_soap_add_connection(ndpi_struct, flow); + } + else { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + } + } + + if (flow->l4.tcp.soap_stage == 0 && + packet->payload_packet_len >= 19) + { + if (strncmp((char*)packet->payload, "l4.tcp.soap_stage = 1; + } + } +} + +void init_soap_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, + NDPI_PROTOCOL_BITMASK *detection_bitmask) +{ + ndpi_set_bitmask_protocol_detection( + "SOAP", ndpi_struct, detection_bitmask, *id, + NDPI_PROTOCOL_SOAP, ndpi_search_soap, NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK); + *id += 1; +} + 
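Review bot: ndpi_search_soap does not return after the `packet_counter > 3` block, so once the flow has been excluded with NDPI_EXCLUDE_PROTO (or classified via ndpi_int_soap_add_connection) execution still falls into the second `if` and may set `soap_stage = 1` on an excluded flow; add `return;` at the end of that block. The payload compare is a prefix `strncmp` against a literal whose text is lost in this rendering, so please confirm the compare length is not larger than the 19 bytes guaranteed by the `payload_packet_len >= 19` guard; a `sizeof(literal) - 1` expression makes that relation explicit. The `flow->l4.tcp.soap_stage` field and the NDPI_PROTOCOL_SOAP id must also be declared in the headers, which are not part of the visible diff. A flow that matches the prefix but carries fewer than four packets is never classified, which is worth a comment on the stage logic.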
diff --git a/src/lib/protocols/telnet.c b/src/lib/protocols/telnet.c index 8e688eca0..bc3211f3d 100644 --- a/src/lib/protocols/telnet.c +++ b/src/lib/protocols/telnet.c @@ -42,9 +42,9 @@ static int search_telnet_again(struct ndpi_detection_module_struct *ndpi_struct, printf("==> %s() [%s][direction: %u]\n", __FUNCTION__, packet->payload, packet->packet_direction); #endif - if (packet->payload == NULL || packet->payload_packet_len == 0) - return(1); - if(packet->payload[0] == 0xFF) + if((packet->payload == NULL) + || (packet->payload_packet_len == 0) + || (packet->payload[0] == 0xFF)) return(1); if(flow->protos.telnet.username_detected) { diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 304141e66..8b0e04f56 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -326,7 +326,9 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi printf("[TLS] %s() IssuerDN [%s]\n", __FUNCTION__, rdnSeqBuf); #endif - if(rdn_len) flow->protos.stun_ssl.ssl.issuerDN = ndpi_strdup(rdnSeqBuf); + if(rdn_len && (flow->protos.stun_ssl.ssl.issuerDN == NULL)) + flow->protos.stun_ssl.ssl.issuerDN = ndpi_strdup(rdnSeqBuf); + rdn_len = 0; /* Reset buffer */ } @@ -1444,6 +1446,13 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, NDPI_SET_BIT(flow->risk, NDPI_TLS_NOT_CARRYING_HTTPS); } + /* Suspicious Domain Fronting: + https://github.com/SixGenInc/Noctilucent/blob/master/docs/ */ + if(flow->protos.stun_ssl.ssl.encrypted_sni.esni && + flow->protos.stun_ssl.ssl.client_requested_server_name[0] != '\0') { + NDPI_SET_BIT(flow->risk, NDPI_TLS_SUSPICIOUS_ESNI_USAGE); + } + return(2 /* Client Certificate */); } else { #ifdef DEBUG_TLS diff --git a/src/lib/third_party/src/hll/hll.c b/src/lib/third_party/src/hll/hll.c index a7006c7ed..c526c6af0 100644 --- a/src/lib/third_party/src/hll/hll.c +++ b/src/lib/third_party/src/hll/hll.c 
@@ -34,6 +34,7 @@ u_int32_t _hll_hash(const struct ndpi_hll *hll) { return MurmurHash3_x86_32(hll->registers, (u_int32_t)hll->size, 0); } +/* Count the number of leading zero's */ static __inline u_int8_t _hll_rank(u_int32_t hash, u_int8_t bits) { u_int8_t i; @@ -48,24 +49,26 @@ static __inline u_int8_t _hll_rank(u_int32_t hash, u_int8_t bits) { } /* - IMPORTANT: memory usage notes + IMPORTANT: HyperLogLog Memory and StandardError Notes - [i: 4] 16 bytes - [i: 5] 32 bytes - [i: 6] 64 bytes - [i: 7] 128 bytes - [i: 8] 256 bytes - [i: 9] 512 bytes - [i: 10] 1024 bytes - [i: 11] 2048 bytes - [i: 12] 4096 bytes - [i: 13] 8192 bytes - [i: 14] 16384 bytes - [i: 15] 32768 bytes - [i: 16] 65536 bytes - [i: 17] 131072 bytes - [i: 18] 262144 bytes - [i: 19] 524288 bytes + StdError = 1.04/sqrt(2^i) + + [i: 4] 16 bytes [StdError: 26% ] + [i: 5] 32 bytes [StdError: 18.4%] + [i: 6] 64 bytes [StdError: 13% ] + [i: 7] 128 bytes [StdError: 9.2% ] + [i: 8] 256 bytes [StdError: 6.5% ] + [i: 9] 512 bytes [StdError: 4.6% ] + [i: 10] 1024 bytes [StdError: 3.25%] + [i: 11] 2048 bytes [StdError: 2.3% ] + [i: 12] 4096 bytes [StdError: 1.6% ] + [i: 13] 8192 bytes [StdError: 1.15%] + [i: 14] 16384 bytes [StdError: 0.81%] + [i: 15] 32768 bytes [StdError: 0.57%] + [i: 16] 65536 bytes [StdError: 0.41%] + [i: 17] 131072 bytes [StdError: 0.29%] + [i: 18] 262144 bytes [StdError: 0.2% ] + [i: 19] 524288 bytes [StdError: 0.14%] */ int hll_init(struct ndpi_hll *hll, u_int8_t bits) { if(bits < 4 || bits > 20) { @@ -73,9 +76,9 @@ int hll_init(struct ndpi_hll *hll, u_int8_t bits) { return -1; } - hll->bits = bits; - hll->size = (size_t)1 << bits; - hll->registers = ndpi_calloc(hll->size, 1); + hll->bits = bits; /* Number of bits of buckets number */ + hll->size = (size_t)1 << bits; /* Number of buckets 2^bits */ + hll->registers = ndpi_calloc(hll->size, 1); /* Create the bucket register counters */ /* printf("%lu bytes\n", hll->size); */ return 0; 
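Review bot: Two of the new comments carry typos: `/* Count the number of leading zero's */` above _hll_rank should read `/* Count the number of leading zeros */`, and in the later `_hll_add_hash` hunk `/* Store the largest number of lesding zeros for the bucket */` should say `leading`. While annotating hll_init, note that the `ndpi_calloc` result assigned to `hll->registers` is still unchecked and `return 0` follows unconditionally, so a failed allocation reports success; `_hll_add_hash` only tolerates this because it tests `hll->registers` before use. Returning `-1` when `hll->registers == NULL` would make the contract explicit.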
@@ -96,12 +99,11 @@ void hll_reset(struct ndpi_hll *hll) { static __inline void _hll_add_hash(struct ndpi_hll *hll, u_int32_t hash) { if(hll->registers) { - u_int32_t index = hash >> (32 - hll->bits); - u_int8_t rank = _hll_rank(hash, hll->bits); + u_int32_t index = hash >> (32 - hll->bits); /* Use the first 'hll->bits' bits as bucket index */ + u_int8_t rank = _hll_rank(hash, hll->bits); /* Count the number of leading 0 */ - if(rank > hll->registers[index]) { - hll->registers[index] = rank; - } + if(rank > hll->registers[index]) + hll->registers[index] = rank; /* Store the largest number of lesding zeros for the bucket */ } } diff --git a/tests/pcap/mysql-8.pcap b/tests/pcap/mysql-8.pcap new file mode 100644 index 000000000..7cd92c7e0 Binary files /dev/null and b/tests/pcap/mysql-8.pcap differ diff --git a/tests/pcap/tls_esni_sni_both.pcap b/tests/pcap/tls_esni_sni_both.pcap new file mode 100644 index 000000000..7d7834798 Binary files /dev/null and b/tests/pcap/tls_esni_sni_both.pcap differ diff --git a/tests/result/android.pcap.out b/tests/result/android.pcap.out index 320c84bb6..3b500859b 100644 --- a/tests/result/android.pcap.out +++ b/tests/result/android.pcap.out 
@@ -27,8 +27,8 @@ JA3 Host Stats: 7 TCP 192.168.2.16:50384 <-> 172.217.168.206:443 [proto: 91.126/TLS.Google][cat: Web/5][11 pkts/1365 bytes <-> 9 pkts/5365 bytes][Goodput ratio: 45/89][2.49 sec][ALPN: http/1.1][bytes ratio: -0.594 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 277/69 1716/301 516/102][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 124/596 407/1484 105/544][TLSv1.2][Client: app-measurement.com][JA3C: 6ec2896feff5746955f700c0023f5804][ServerNames: *.google-analytics.com,*.fps.goog,app-measurement.com,fps.goog,google-analytics.com,googleoptimize.com,googletagmanager.com,service.urchin.com,ssl.google-analytics.com,urchin.com,www.google-analytics.com,www.googleoptimize.com,www.googletagmanager.com][JA3S: 9d9ce860f1b1cbef07b019450cb368d8][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google-analytics.com][Certificate SHA-1: B0:D9:D3:57:C2:34:87:2C:FB:F5:E6:BD:7F:9F:54:65:08:61:AF:01][Validity: 2020-02-12 11:37:03 - 2020-05-06 11:37:03][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,11,0,0,11,0,0,0,11,11,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0] 8 TCP 192.168.2.16:52486 <-> 172.217.20.74:443 [proto: 91.239/TLS.GoogleServices][cat: Web/5][12 pkts/1298 bytes <-> 10 pkts/5186 bytes][Goodput ratio: 38/87][1.75 sec][ALPN: http/1.1][bytes ratio: -0.600 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 194/37 1374/212 422/70][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 108/519 286/1484 76/570][TLSv1.2][Client: play.googleapis.com][JA3C: d8c87b9bfde38897979e41242626c2f3][ServerNames: 
*.storage.googleapis.com,*.appspot.com.storage.googleapis.com,*.commondatastorage.googleapis.com,*.content-storage-download.googleapis.com,*.content-storage-upload.googleapis.com,*.content-storage.googleapis.com,*.googleapis.com,*.storage-download.googleapis.com,*.storage-upload.googleapis.com,*.storage.select.googleapis.com,commondatastorage.googleapis.com,storage.googleapis.com,storage.select.googleapis.com,unfiltered.news][JA3S: eca9b8f0f3eae50309eaf901cb822d9b][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.storage.googleapis.com][Certificate SHA-1: BA:BA:BA:55:69:9F:E0:BD:48:80:23:A4:B3:AD:C1:FF:EA:4E:17:C9][Validity: 2020-02-12 11:45:22 - 2020-05-06 11:45:22][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,10,10,0,20,10,10,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,20,0,0,0] 9 TCP 192.168.2.16:32988 <-> 216.239.38.120:443 [proto: 91.228/TLS.PlayStore][cat: SoftwareUpdate/19][8 pkts/2089 bytes <-> 7 pkts/4242 bytes][Goodput ratio: 74/89][0.97 sec][bytes ratio: -0.340 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 158/80 530/246 186/98][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 261/606 1038/1484 338/639][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.3][Client: android.clients.google.com][JA3C: 9c815150ea821166faecf80757d8826a][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,16,16,0,0,0,0,0,0,0,0,0,0,0,0,0,34,0,0,0] - 10 TCP 192.168.2.16:36888 <-> 172.217.18.3:443 [proto: 91.126/TLS.Google][cat: Web/5][9 pkts/1175 bytes <-> 7 pkts/4762 bytes][Goodput ratio: 47/90][1.62 sec][ALPN: http/1.1][bytes ratio: -0.604 (Download)][IAT c2s/s2c min/avg/max/stddev: 27/28 203/104 522/277 176/93][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 131/680 327/1484 93/575][TLSv1.2][Client: connectivitycheck.gstatic.com][JA3C: d8c87b9bfde38897979e41242626c2f3][Plen 
Bins: 0,0,12,0,0,0,12,0,12,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0] - 11 TCP 192.168.2.16:36890 <-> 172.217.18.3:443 [proto: 91.126/TLS.Google][cat: Web/5][9 pkts/1151 bytes <-> 7 pkts/4762 bytes][Goodput ratio: 48/90][0.84 sec][ALPN: http/1.1][bytes ratio: -0.611 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 120/15 647/36 217/16][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 128/680 327/1484 95/575][TLSv1.2][Client: connectivitycheck.gstatic.com][JA3C: d8c87b9bfde38897979e41242626c2f3][ServerNames: *.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.crowdsource.google.com,*.g.co,*.gcp.gvt2.com,*.gcpcdn.gvt1.com,*.ggpht.cn,*.gkecnapps.cn,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlecnapps.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.cn,*.gstatic.com,*.gstaticcnapps.cn,*.gvt1.com,*.gvt2.com,*.metric.gstatic.com,*.urchin.com,*.url.google.com,*.wear.gkecnapps.cn,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.youtubekids.com,*.yt.be,*.ytimg.com,android.clients.google.com,android.com,developer.android.google.cn,developers.android.google.cn,g.co,ggpht.cn,gkecnapps.cn,goo.gl,google-analytics.com,google.com,googlecnapps.cn,googlecommerce.com,source.android.google.cn,urchin.com,www.goo.gl,youtu.be,youtube.com,youtubeeducation.com,youtubekids.com,yt.be][JA3S: eca9b8f0f3eae50309eaf901cb822d9b][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com][Certificate SHA-1: 80:50:28:F4:84:F5:C4:C6:41:DE:75:67:38:C4:A6:E2:59:FF:75:42][Validity: 2020-02-12 11:47:11 - 2020-05-06 11:47:11][Cipher: 
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,12,0,0,0,12,0,12,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0] + 10 TCP 192.168.2.16:36888 <-> 172.217.18.3:443 [proto: 91.126/TLS.Google][cat: ConnectivityCheck/30][9 pkts/1175 bytes <-> 7 pkts/4762 bytes][Goodput ratio: 47/90][1.62 sec][ALPN: http/1.1][bytes ratio: -0.604 (Download)][IAT c2s/s2c min/avg/max/stddev: 27/28 203/104 522/277 176/93][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 131/680 327/1484 93/575][TLSv1.2][Client: connectivitycheck.gstatic.com][JA3C: d8c87b9bfde38897979e41242626c2f3][Plen Bins: 0,0,12,0,0,0,12,0,12,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0] + 11 TCP 192.168.2.16:36890 <-> 172.217.18.3:443 [proto: 91.126/TLS.Google][cat: ConnectivityCheck/30][9 pkts/1151 bytes <-> 7 pkts/4762 bytes][Goodput ratio: 48/90][0.84 sec][ALPN: http/1.1][bytes ratio: -0.611 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 120/15 647/36 217/16][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 128/680 327/1484 95/575][TLSv1.2][Client: connectivitycheck.gstatic.com][JA3C: d8c87b9bfde38897979e41242626c2f3][ServerNames: 
*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.crowdsource.google.com,*.g.co,*.gcp.gvt2.com,*.gcpcdn.gvt1.com,*.ggpht.cn,*.gkecnapps.cn,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlecnapps.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.cn,*.gstatic.com,*.gstaticcnapps.cn,*.gvt1.com,*.gvt2.com,*.metric.gstatic.com,*.urchin.com,*.url.google.com,*.wear.gkecnapps.cn,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.youtubekids.com,*.yt.be,*.ytimg.com,android.clients.google.com,android.com,developer.android.google.cn,developers.android.google.cn,g.co,ggpht.cn,gkecnapps.cn,goo.gl,google-analytics.com,google.com,googlecnapps.cn,googlecommerce.com,source.android.google.cn,urchin.com,www.goo.gl,youtu.be,youtube.com,youtubeeducation.com,youtubekids.com,yt.be][JA3S: eca9b8f0f3eae50309eaf901cb822d9b][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com][Certificate SHA-1: 80:50:28:F4:84:F5:C4:C6:41:DE:75:67:38:C4:A6:E2:59:FF:75:42][Validity: 2020-02-12 11:47:11 - 2020-05-06 11:47:11][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,12,0,0,0,12,0,12,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0] 12 TCP 192.168.2.16:33014 <-> 216.239.38.120:443 [proto: 91.126/TLS.Google][cat: Web/5][11 pkts/1877 bytes <-> 7 pkts/3708 bytes][Goodput ratio: 61/87][0.20 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.328 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21/11 96/40 29/16][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 171/530 583/1484 180/574][TLSv1.3][Client: 
www.google.com][JA3C: 66918128f1b9b03303d77c6f2eefd128][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 22,0,22,0,0,0,0,0,0,0,0,0,0,11,0,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,11,0,0,0] 13 TCP 192.168.2.16:51944 <-> 172.217.21.202:443 [proto: 91.46/TLS.DataSaver][cat: Web/5][12 pkts/2171 bytes <-> 12 pkts/2705 bytes][Goodput ratio: 63/70][0.20 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.110 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 14/11 39/64 15/19][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 181/225 660/646 208/202][TLSv1.3][Client: datasaver.googleapis.com][JA3C: 554719594ba90b02ae410c297c6e50ad][JA3S: 2b0648ab686ee45e0e7c35fcfb0eea7e][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 15,15,15,0,0,0,15,0,0,0,7,0,0,0,0,7,0,7,15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 14 TCP 192.168.2.16:43646 <-> 172.217.20.76:443 [proto: 91.46/TLS.DataSaver][cat: Web/5][8 pkts/1053 bytes <-> 6 pkts/3460 bytes][Goodput ratio: 49/88][0.20 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.533 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/16 51/61 18/26][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 132/577 583/1484 171/646][TLSv1.3][Client: proxy.googlezip.net][JA3C: 66918128f1b9b03303d77c6f2eefd128][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0] 
@@ -37,7 +37,7 @@ JA3 Host Stats: 17 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][12 pkts/4088 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][82.22 sec][Host: lucas-imac][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 130/0 6001/0 8764/0 3124/0][Pkt Len c2s/s2c min/avg/max/stddev: 328/0 341/0 342/0 4/0][DHCP Fingerprint: 1,121,3,6,15,119,252,95,44,46][PLAIN TEXT (android)][Plen Bins: 0,0,0,0,0,0,0,0,8,91,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 18 TCP 192.168.2.16:36834 <-> 173.194.79.114:80 [proto: 7.46/HTTP.DataSaver][cat: Web/5][8 pkts/1130 bytes <-> 5 pkts/1254 bytes][Goodput ratio: 53/73][0.30 sec][Host: check.googlezip.net][bytes ratio: -0.052 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/1 41/59 105/141 31/59][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 141/251 363/524 128/223][URL: check.googlezip.net/connect][StatusCode: 200][Content-Type: text/html][User-Agent: Mozilla/5.0 (Linux; Android 9; Nokia 2.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.93 Mobile Safari/537.36][Risk: ** HTTP Suspicious User-Agent **][PLAIN TEXT (GET /connect HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 19 TCP 192.168.2.16:44374 <-> 172.217.22.10:443 [proto: 91.239/TLS.GoogleServices][cat: Web/5][3 pkts/723 bytes <-> 3 pkts/1624 bytes][Goodput ratio: 71/87][0.10 sec][bytes ratio: -0.384 (Download)][IAT c2s/s2c min/avg/max/stddev: 26/9 33/38 40/66 7/28][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 241/541 583/1484 242/667][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.3][Client: android.googleapis.com][JA3C: 629b587f706aee60430ec3879c6edb66][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0] - 20 TCP 192.168.2.16:58338 <-> 17.253.53.201:80 [proto: 7.140/HTTP.Apple][cat: Web/5][6 pkts/607 bytes 
<-> 5 pkts/1053 bytes][Goodput ratio: 33/68][0.16 sec][Host: captive.apple.com][bytes ratio: -0.269 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/0 25/23 42/46 15/23][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 101/211 269/781 75/285][URL: captive.apple.com/][StatusCode: 200][Content-Type: text/html][User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36][Risk: ** HTTP Suspicious User-Agent **][PLAIN TEXT (GET / HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 20 TCP 192.168.2.16:58338 <-> 17.253.53.201:80 [proto: 7.140/HTTP.Apple][cat: ConnectivityCheck/30][6 pkts/607 bytes <-> 5 pkts/1053 bytes][Goodput ratio: 33/68][0.16 sec][Host: captive.apple.com][bytes ratio: -0.269 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/0 25/23 42/46 15/23][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 101/211 269/781 75/285][URL: captive.apple.com/][StatusCode: 200][Content-Type: text/html][User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36][Risk: ** HTTP Suspicious User-Agent **][PLAIN TEXT (GET / HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 21 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][cat: Cloud/13][3 pkts/1656 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][60.10 sec][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 22 TCP 192.168.2.16:36848 <-> 173.194.79.114:80 [proto: 7.46/HTTP.DataSaver][cat: Web/5][4 pkts/569 bytes <-> 3 pkts/664 bytes][Goodput ratio: 52/69][0.11 sec][Host: check.googlezip.net][bytes ratio: -0.077 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 31/1 37/36 41/72 4/36][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 142/221 363/524 127/214][URL: check.googlezip.net/connect][StatusCode: 
200][Content-Type: text/html][User-Agent: Mozilla/5.0 (Linux; Android 9; Nokia 2.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.93 Mobile Safari/537.36][Risk: ** HTTP Suspicious User-Agent **][PLAIN TEXT (GET /connect HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 23 TCP 17.248.176.75:443 -> 192.168.2.17:50580 [proto: 91.140/TLS.Apple][cat: Web/5][8 pkts/1067 bytes -> 0 pkts/0 bytes][Goodput ratio: 50/0][18.90 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 294/0 2700/0 9727/0 3229/0][Pkt Len c2s/s2c min/avg/max/stddev: 97/0 133/0 143/0 17/0][Plen Bins: 12,12,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
@@ -45,13 +45,13 @@ JA3 Host Stats: 25 TCP 192.168.2.16:52514 <-> 172.217.20.74:443 [proto: 91.239/TLS.GoogleServices][cat: Web/5][3 pkts/723 bytes <-> 1 pkts/74 bytes][Goodput ratio: 71/0][0.27 sec][ALPN: h2][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][TLSv1.2][Client: semanticlocation-pa.googleapis.com][JA3C: 33490b1d5377580b19f7f9b5849d7991][PLAIN TEXT (semanticlocation)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 26 UDP 192.168.2.1:67 -> 192.168.2.16:68 [proto: 18/DHCP][cat: Network/14][2 pkts/684 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][0.13 sec][PLAIN TEXT (iMac.local)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 27 TCP 17.248.185.10:443 -> 192.168.2.17:50702 [proto: 91.140/TLS.Apple][cat: Web/5][7 pkts/648 bytes -> 0 pkts/0 bytes][Goodput ratio: 29/0][13.42 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 427/0 2236/0 6975/0 2385/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/0 93/0 97/0 11/0][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 28 UDP 192.168.2.16:52953 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][cat: Web/5][1 pkts/77 bytes <-> 1 pkts/221 bytes][Goodput ratio: 45/81][0.04 sec][Host: captive.apple.com][17.253.53.201][PLAIN TEXT (captive)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 28 UDP 192.168.2.16:52953 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][cat: ConnectivityCheck/30][1 pkts/77 bytes <-> 1 pkts/221 bytes][Goodput ratio: 45/81][0.04 sec][Host: captive.apple.com][17.253.53.201][PLAIN TEXT (captive)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 29 UDP 192.168.2.1:57621 -> 192.168.2.255:57621 [proto: 156/Spotify][cat: Music/25][3 pkts/258 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][60.02 
sec][PLAIN TEXT (SpotUdp)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 30 UDP [fe80::4e6a:f6ff:fe9f:f627]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][cat: Network/14][2 pkts/228 bytes -> 0 pkts/0 bytes][Goodput ratio: 45/0][2.16 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 31 UDP 192.168.2.16:35825 <-> 192.168.2.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/76 bytes <-> 1 pkts/140 bytes][Goodput ratio: 44/70][0.04 sec][Host: time.android.com][216.239.35.8][PLAIN TEXT (android)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 32 TCP 192.168.2.16:36850 <-> 173.194.79.114:80 [proto: 7.126/HTTP.Google][cat: Web/5][2 pkts/140 bytes <-> 1 pkts/74 bytes][Goodput ratio: 0/0][0.04 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 33 UDP 192.168.2.16:35689 <-> 192.168.2.1:53 [proto: 5.239/DNS.GoogleServices][cat: Web/5][1 pkts/94 bytes <-> 1 pkts/110 bytes][Goodput ratio: 55/61][0.04 sec][Host: semanticlocation-pa.googleapis.com][172.217.20.74][PLAIN TEXT (semanticlocation)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 34 UDP 192.168.2.16:47081 <-> 192.168.2.1:53 [proto: 5.126/DNS.Google][cat: Web/5][1 pkts/89 bytes <-> 1 pkts/105 bytes][Goodput ratio: 52/59][0.04 sec][Host: connectivitycheck.gstatic.com][172.217.18.3][PLAIN TEXT (connectivitycheck)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 34 UDP 192.168.2.16:47081 <-> 192.168.2.1:53 [proto: 5.126/DNS.Google][cat: ConnectivityCheck/30][1 pkts/89 bytes <-> 1 pkts/105 bytes][Goodput ratio: 52/59][0.04 sec][Host: connectivitycheck.gstatic.com][172.217.18.3][PLAIN TEXT (connectivitycheck)][Plen Bins: 
0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 35 UDP 192.168.2.16:36613 <-> 192.168.2.1:53 [proto: 5.228/DNS.PlayStore][cat: SoftwareUpdate/19][1 pkts/86 bytes <-> 1 pkts/102 bytes][Goodput ratio: 51/58][0.00 sec][Host: android.clients.google.com][216.239.38.120][PLAIN TEXT (android)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 36 UDP 192.168.2.16:7660 <-> 192.168.2.1:53 [proto: 5.46/DNS.DataSaver][cat: Web/5][1 pkts/84 bytes <-> 1 pkts/100 bytes][Goodput ratio: 49/57][0.04 sec][Host: datasaver.googleapis.com][172.217.21.202][PLAIN TEXT (datasaver)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 37 UDP 192.168.2.16:18379 <-> 192.168.2.1:53 [proto: 5.46/DNS.DataSaver][cat: Web/5][1 pkts/84 bytes <-> 1 pkts/100 bytes][Goodput ratio: 49/57][0.00 sec][Host: datasaver.googleapis.com][172.217.21.202][PLAIN TEXT (datasaver)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/anyconnect-vpn.pcap.out b/tests/result/anyconnect-vpn.pcap.out index da6d128a6..2c80f55da 100644 --- a/tests/result/anyconnect-vpn.pcap.out +++ b/tests/result/anyconnect-vpn.pcap.out 
@@ -27,11 +27,11 @@ JA3 Host Stats: 4 TCP 10.0.0.227:56921 <-> 8.37.96.194:4287 [proto: 91/TLS][cat: Web/5][29 pkts/5373 bytes <-> 28 pkts/7580 bytes][Goodput ratio: 64/75][2.30 sec][bytes ratio: -0.170 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 91/63 593/619 145/135][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 185/271 1261/1434 259/387][Risk: ** Self-signed Certificate **** TLS (probably) not carrying HTTPS **][TLSv1.2][JA3C: e3adec914f3893f18136762f1c0d7d81][JA3S: e54965894d6b45ecb4323c7ea3d6c115][Issuer: CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US][Subject: CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US][Certificate SHA-1: 86:2A:47:EF:00:68:79:60:7F:94:E2:91:6F:E0:38:82:37:8A:8E:2E][Validity: 2019-08-29 00:12:40 - 2019-10-08 00:12:40][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,44,3,3,3,3,3,0,3,3,3,0,3,7,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,3,0,0,3,0,0,3,0,3,0,0,0,0,0] 5 TCP 10.0.0.227:56918 <-> 8.37.102.91:443 [proto: 91/TLS][cat: Web/5][16 pkts/2739 bytes <-> 14 pkts/7315 bytes][Goodput ratio: 61/87][0.35 sec][ALPN: http/1.1][bytes ratio: -0.455 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 23/26 48/88 21/29][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 171/522 1175/1514 274/624][Risk: ** Weak TLS cipher **** TLS Certificate Mismatch **][TLSv1.2][JA3C: 9f1a41f932f274fe47a992310a26a23a][ServerNames: *.pandion.viasat.com,pandion.viasat.com][JA3S: 82f0d8a75fa483d1cfe4b7085b784d7e (WEAK)][Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. 
- for authorized use only, CN=Entrust Certification Authority - L1K][Subject: C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,16,8,0,0,8,0,8,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,8,0,25,0,0] 6 TCP 10.0.0.227:56920 <-> 99.86.34.156:443 [proto: 91.118/TLS.Slack][cat: Collaborative/15][16 pkts/2949 bytes <-> 11 pkts/1876 bytes][Goodput ratio: 64/61][11.47 sec][ALPN: h2;http/1.1][bytes ratio: 0.222 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 866/28 11074/80 2947/34][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 184/171 853/487 228/155][TLSv1.2][Client: slack.com][JA3C: d8dc5f8940df366b3a58b935569143e8][JA3S: 7bee5c1d424b7e5f943b06983bb11422][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,34,16,0,8,0,0,0,0,0,0,0,8,16,0,0,8,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 7 TCP 10.0.0.227:56884 <-> 184.25.56.77:80 [proto: 7/HTTP][cat: Web/5][12 pkts/2303 bytes <-> 7 pkts/2382 bytes][Goodput ratio: 67/81][18.51 sec][Host: detectportal.firefox.com][bytes ratio: -0.017 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 7/31 1824/3642 10081/10083 3593/4385][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 192/340 373/450 153/173][URL: detectportal.firefox.com/success.txt?ipv4][StatusCode: 200][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0][Risk: ** HTTP Suspicious User-Agent **][PLAIN TEXT (GET /success.txt)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 TCP 10.0.0.227:56884 <-> 184.25.56.77:80 [proto: 7/HTTP][cat: ConnectivityCheck/30][12 pkts/2303 bytes <-> 7 pkts/2382 bytes][Goodput ratio: 67/81][18.51 sec][Host: detectportal.firefox.com][bytes ratio: -0.017 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 7/31 
1824/3642 10081/10083 3593/4385][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 192/340 373/450 153/173][URL: detectportal.firefox.com/success.txt?ipv4][StatusCode: 200][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0][Risk: ** HTTP Suspicious User-Agent **][PLAIN TEXT (GET /success.txt)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 8 TCP 10.0.0.227:56320 <-> 10.0.0.149:8009 [proto: 161/CiscoVPN][cat: VPN/2][20 pkts/2420 bytes <-> 10 pkts/1760 bytes][Goodput ratio: 45/62][45.04 sec][bytes ratio: 0.158 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/5003 2648/5004 5001/5006 2495/1][Pkt Len c2s/s2c min/avg/max/stddev: 66/176 121/176 176/176 55/0][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 9 ICMPV6 [fe80::2e7e:81ff:feb0:4aa1]:0 -> [ff02::1]:0 [proto: 102/ICMPV6][cat: Network/14][16 pkts/2784 bytes -> 0 pkts/0 bytes][Goodput ratio: 64/0][45.47 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2867/0 3028/0 3072/0 84/0][Pkt Len c2s/s2c min/avg/max/stddev: 174/0 174/0 174/0 0/0][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 10 TCP 10.0.0.227:56955 <-> 10.0.0.151:8060 [proto: 7/HTTP][cat: Web/5][6 pkts/650 bytes <-> 5 pkts/1668 bytes][Goodput ratio: 37/80][4.02 sec][Host: 10.0.0.151][bytes ratio: -0.439 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 4/4 9/6 3/2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 108/334 308/1206 89/442][URL: 10.0.0.151:8060/dial/dd.xml][StatusCode: 200][Content-Type: text/xml][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36][Risk: ** Known protocol on non standard port **** HTTP Suspicious User-Agent **][PLAIN TEXT (GET /dial/dd.xml HTTP/1.1)][Plen Bins: 
0,0,0,0,0,33,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0] - 11 TCP 10.0.0.227:56917 <-> 184.25.56.77:80 [proto: 7/HTTP][cat: Web/5][6 pkts/976 bytes <-> 4 pkts/1032 bytes][Goodput ratio: 62/74][18.47 sec][Host: detectportal.firefox.com][bytes ratio: -0.028 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 28/573 3694/6151 10081/10078 4344/4052][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 163/258 368/450 145/192][URL: detectportal.firefox.com/success.txt][StatusCode: 200][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0][Risk: ** HTTP Suspicious User-Agent **][PLAIN TEXT (GET /success.txt HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 11 TCP 10.0.0.227:56917 <-> 184.25.56.77:80 [proto: 7/HTTP][cat: ConnectivityCheck/30][6 pkts/976 bytes <-> 4 pkts/1032 bytes][Goodput ratio: 62/74][18.47 sec][Host: detectportal.firefox.com][bytes ratio: -0.028 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 28/573 3694/6151 10081/10078 4344/4052][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 163/258 368/450 145/192][URL: detectportal.firefox.com/success.txt][StatusCode: 200][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0][Risk: ** HTTP Suspicious User-Agent **][PLAIN TEXT (GET /success.txt HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 12 TCP 10.0.0.227:56954 <-> 10.0.0.149:8008 [proto: 7/HTTP][cat: Web/5][4 pkts/527 bytes <-> 3 pkts/1401 bytes][Goodput ratio: 48/85][0.01 sec][Host: 10.0.0.149][bytes ratio: -0.453 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/3 2/3 6/3 3/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 132/467 317/1261 107/561][URL: 10.0.0.149:8008/ssdp/device-desc.xml][StatusCode: 200][Content-Type: application/xml][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/77.0.3865.90 Safari/537.36][Risk: ** Known protocol on non standard port **** HTTP Suspicious User-Agent **][PLAIN TEXT (HGET /ssdp/device)][Plen Bins: 0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0] 13 UDP [fe80::408:3e45:3abc:1552]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][9 pkts/1628 bytes -> 0 pkts/0 bytes][Goodput ratio: 66/0][25.40 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 819/0 3174/0 11263/0 3646/0][Pkt Len c2s/s2c min/avg/max/stddev: 152/0 181/0 206/0 24/0][PLAIN TEXT (companion)][Plen Bins: 0,0,33,22,44,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 14 UDP 10.0.0.227:137 -> 10.0.0.255:137 [proto: 10/NetBIOS][cat: System/18][15 pkts/1542 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][6.05 sec][Host: lp-rkerur-osx][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 465/0 1499/0 677/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 103/0 110/0 9/0][PLAIN TEXT ( EMFACNFCELEFFC)][Plen Bins: 0,40,60,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
@@ -55,7 +55,7 @@ JA3 Host Stats: 32 TCP 10.0.0.227:56886 <-> 17.57.144.116:5223 [proto: 238.140/ApplePush.Apple][cat: Cloud/13][3 pkts/174 bytes <-> 2 pkts/185 bytes][Goodput ratio: 0/28][0.02 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 33 UDP 10.0.0.151:1900 -> 10.0.0.227:61328 [proto: 12/SSDP][cat: System/18][1 pkts/353 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][< 1 sec][PLAIN TEXT (HTTP/1.1 200 OK)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 34 TCP 10.0.0.227:56910 <-> 35.201.124.9:443 [proto: 91/TLS][cat: Web/5][2 pkts/170 bytes <-> 2 pkts/164 bytes][Goodput ratio: 22/19][0.05 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 35 UDP 10.0.0.227:62427 <-> 75.75.75.75:53 [proto: 5/DNS][cat: Network/14][1 pkts/84 bytes <-> 1 pkts/242 bytes][Goodput ratio: 49/82][0.02 sec][Host: detectportal.firefox.com][184.25.56.82][PLAIN TEXT (detectportal)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 35 UDP 10.0.0.227:62427 <-> 75.75.75.75:53 [proto: 5/DNS][cat: ConnectivityCheck/30][1 pkts/84 bytes <-> 1 pkts/242 bytes][Goodput ratio: 49/82][0.02 sec][Host: detectportal.firefox.com][184.25.56.82][PLAIN TEXT (detectportal)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 36 UDP 10.0.0.227:58074 <-> 75.75.75.75:53 [proto: 5/DNS][cat: Network/14][1 pkts/75 bytes <-> 1 pkts/230 bytes][Goodput ratio: 43/81][0.01 sec][Host: www.outlook.com][40.97.222.34][PLAIN TEXT (outlook)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 37 UDP 10.0.0.227:60341 <-> 75.75.75.75:53 [proto: 5.140/DNS.Apple][cat: Web/5][1 pkts/73 bytes <-> 1 pkts/224 bytes][Goodput ratio: 42/81][0.01 sec][Host: 
www.apple.com][184.27.115.161][PLAIN TEXT (edgekey)][Plen Bins: 50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 38 UDP 10.0.0.227:64193 <-> 75.75.75.75:53 [proto: 5.238/DNS.ApplePush][cat: Cloud/13][1 pkts/85 bytes <-> 1 pkts/192 bytes][Goodput ratio: 50/78][0.02 sec][Host: 24-courier.push.apple.com][17.57.144.20][PLAIN TEXT (courier)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/googledns_android10.pcap.out b/tests/result/googledns_android10.pcap.out index 0521f3212..4b0a7f748 100644 --- a/tests/result/googledns_android10.pcap.out +++ b/tests/result/googledns_android10.pcap.out 
@@ -6,11 +6,11 @@ JA3 Host Stats: 1 192.168.1.159 2 - 1 TCP 192.168.1.159:48210 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][121 pkts/19065 bytes <-> 120 pkts/45726 bytes][Goodput ratio: 58/83][72.27 sec][bytes ratio: -0.411 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 711/474 15173/5940 1940/1160][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 158/381 384/1484 93/280][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,42,0,0,0,0,5,0,0,0,0,0,51,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0] - 2 TCP 192.168.1.159:48098 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][68 pkts/9706 bytes <-> 65 pkts/18916 bytes][Goodput ratio: 54/77][117.95 sec][bytes ratio: -0.322 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2097/1988 15177/15193 3804/3968][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 143/291 583/565 94/247][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: b734f75d22aaff9866fbd5d27eef9106][JA3S: 1249fb68f48c0444718e4d3b48b27188][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 1,1,0,0,49,0,0,0,0,0,0,0,0,0,0,47,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 TCP 192.168.1.159:48048 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][52 pkts/7375 bytes <-> 52 pkts/20720 bytes][Goodput ratio: 53/83][41.01 sec][bytes ratio: -0.475 (Download)][IAT c2s/s2c 
min/avg/max/stddev: 0/0 882/623 15271/15287 2537/2442][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 142/398 384/1484 84/406][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 1,0,1,0,44,0,0,1,0,3,0,0,0,0,0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,3,0,0,0] - 4 TCP 192.168.1.159:48044 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][11 pkts/1097 bytes <-> 10 pkts/4148 bytes][Goodput ratio: 33/84][0.12 sec][bytes ratio: -0.582 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/9 34/19 13/8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 100/415 220/1484 51/544][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 11,0,22,11,11,0,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0] - 5 TCP 192.168.1.159:56024 <-> 8.8.8.8:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][11 pkts/1097 bytes <-> 10 pkts/4148 bytes][Goodput ratio: 
33/84][0.14 sec][bytes ratio: -0.582 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/12 46/31 17/11][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 100/415 220/1484 51/544][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 11,0,22,11,11,0,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0] + 1 TCP 192.168.1.159:48210 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][121 pkts/19065 bytes <-> 120 pkts/45726 bytes][Goodput ratio: 58/83][72.27 sec][bytes ratio: -0.411 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 711/474 15173/5940 1940/1160][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 158/381 384/1484 93/280][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,42,0,0,0,0,5,0,0,0,0,0,51,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0] + 2 TCP 192.168.1.159:48098 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][68 pkts/9706 bytes <-> 65 
pkts/18916 bytes][Goodput ratio: 54/77][117.95 sec][bytes ratio: -0.322 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2097/1988 15177/15193 3804/3968][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 143/291 583/565 94/247][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: b734f75d22aaff9866fbd5d27eef9106][JA3S: 1249fb68f48c0444718e4d3b48b27188][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 1,1,0,0,49,0,0,0,0,0,0,0,0,0,0,47,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 TCP 192.168.1.159:48048 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][52 pkts/7375 bytes <-> 52 pkts/20720 bytes][Goodput ratio: 53/83][41.01 sec][bytes ratio: -0.475 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 882/623 15271/15287 2537/2442][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 142/398 384/1484 84/406][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 1,0,1,0,44,0,0,1,0,3,0,0,0,0,0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,3,0,0,0] + 4 TCP 192.168.1.159:48044 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][11 pkts/1097 bytes <-> 10 pkts/4148 bytes][Goodput ratio: 33/84][0.12 sec][bytes ratio: -0.582 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/9 34/19 13/8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 100/415 220/1484 51/544][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: 
dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 11,0,22,11,11,0,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0] + 5 TCP 192.168.1.159:56024 <-> 8.8.8.8:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][11 pkts/1097 bytes <-> 10 pkts/4148 bytes][Goodput ratio: 33/84][0.14 sec][bytes ratio: -0.582 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/12 46/31 17/11][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 100/415 220/1484 51/544][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 11,0,22,11,11,0,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0] 6 ICMP 192.168.1.159:0 <-> 8.8.8.8:0 [proto: 81.126/ICMP.Google][cat: Network/14][2 pkts/196 bytes <-> 2 pkts/196 bytes][Goodput ratio: 57/57][0.99 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 7 TCP 8.8.8.8:853 <-> 192.168.1.159:55856 [proto: 196.126/DoH_DoT.Google][cat: Web/5][5 pkts/330 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0/0][1.80 sec][bytes ratio: 0.719 (Upload)][IAT c2s/s2c 
min/avg/max/stddev: 223/0 449/0 911/0 281/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 66/54 66/54 0/0][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 8 TCP 8.8.4.4:853 <-> 192.168.1.159:47968 [proto: 196.126/DoH_DoT.Google][cat: Web/5][1 pkts/66 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0/0][0.09 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/iphone.pcap.out b/tests/result/iphone.pcap.out index 5e1779186..9306f6805 100644 --- a/tests/result/iphone.pcap.out +++ b/tests/result/iphone.pcap.out 
@@ -34,7 +34,7 @@ JA3 Host Stats: 16 UDP 169.254.225.216:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][4 pkts/2123 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][33.08 sec][Luca’s iMac._odisk._tcp.local][PLAIN TEXT (s iMac)][Plen Bins: 0,25,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0] 17 UDP 192.168.2.1:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][4 pkts/2094 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][33.08 sec][Luca’s iMac._odisk._tcp.local][PLAIN TEXT (s iMac)][Plen Bins: 0,25,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0] 18 UDP [fe80::c42c:3ff:fe60:6a64]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][3 pkts/2067 bytes -> 0 pkts/0 bytes][Goodput ratio: 91/0][33.08 sec][Luca’s iMac._odisk._tcp.local][PLAIN TEXT (s iMac)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0] - 19 TCP 192.168.2.17:49152 <-> 17.253.105.202:80 [proto: 7.140/HTTP.Apple][cat: Web/5][5 pkts/473 bytes <-> 4 pkts/968 bytes][Goodput ratio: 28/72][0.33 sec][Host: captive.apple.com][bytes ratio: -0.344 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 82/80 171/158 82/78][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 95/242 197/762 51/300][URL: captive.apple.com/hotspot-detect.html][StatusCode: 200][Content-Type: text/html][User-Agent: CaptiveNetworkSupport-390.60.1 wispr][PLAIN TEXT (GET /hotspot)][Plen Bins: 0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 19 TCP 192.168.2.17:49152 <-> 17.253.105.202:80 [proto: 7.140/HTTP.Apple][cat: ConnectivityCheck/30][5 pkts/473 bytes <-> 4 pkts/968 bytes][Goodput ratio: 28/72][0.33 sec][Host: captive.apple.com][bytes ratio: -0.344 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 82/80 171/158 82/78][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 95/242 197/762 51/300][URL: captive.apple.com/hotspot-detect.html][StatusCode: 
200][Content-Type: text/html][User-Agent: CaptiveNetworkSupport-390.60.1 wispr][PLAIN TEXT (GET /hotspot)][Plen Bins: 0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 20 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][cat: Cloud/13][2 pkts/1104 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][30.05 sec][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 21 UDP 192.168.2.1:67 -> 192.168.2.17:68 [proto: 18/DHCP][cat: Network/14][2 pkts/684 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][1.02 sec][PLAIN TEXT (iMac.local)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 22 UDP [fe80::823:3f17:8298:a29c]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][4 pkts/512 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][3.56 sec][PLAIN TEXT (homekit)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
@@ -50,7 +50,7 @@ JA3 Host Stats: 32 UDP 192.168.2.17:63677 <-> 192.168.2.1:53 [proto: 5.145/DNS.AppleiTunes][cat: Streaming/17][1 pkts/81 bytes <-> 1 pkts/222 bytes][Goodput ratio: 48/81][0.04 sec][Host: sync.itunes.apple.com][95.101.24.53][PLAIN TEXT (itunes)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 33 UDP 192.168.2.17:53983 <-> 192.168.2.1:53 [proto: 5.145/DNS.AppleiTunes][cat: Streaming/17][1 pkts/80 bytes <-> 1 pkts/221 bytes][Goodput ratio: 47/81][0.05 sec][Host: bag.itunes.apple.com][95.101.24.53][PLAIN TEXT (itunes)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 34 UDP 192.168.2.17:63377 <-> 192.168.2.1:53 [proto: 5.145/DNS.AppleiTunes][cat: Streaming/17][1 pkts/80 bytes <-> 1 pkts/221 bytes][Goodput ratio: 47/81][0.05 sec][Host: bag.itunes.apple.com][95.101.24.53][PLAIN TEXT (itunes)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 35 UDP 192.168.2.17:51007 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][cat: Web/5][1 pkts/77 bytes <-> 1 pkts/221 bytes][Goodput ratio: 45/81][0.04 sec][Host: captive.apple.com][17.253.105.202][PLAIN TEXT (captive)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 35 UDP 192.168.2.17:51007 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][cat: ConnectivityCheck/30][1 pkts/77 bytes <-> 1 pkts/221 bytes][Goodput ratio: 45/81][0.04 sec][Host: captive.apple.com][17.253.105.202][PLAIN TEXT (captive)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 36 UDP 192.168.2.17:55457 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][cat: Web/5][1 pkts/74 bytes <-> 1 pkts/214 bytes][Goodput ratio: 43/80][0.04 sec][Host: mesu.apple.com][17.253.105.202][PLAIN TEXT (akadns)][Plen Bins: 
0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 37 UDP 192.168.2.17:62526 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][cat: Web/5][1 pkts/73 bytes <-> 1 pkts/212 bytes][Goodput ratio: 42/80][0.05 sec][Host: cl4.apple.com][104.73.61.30][PLAIN TEXT (origin)][Plen Bins: 50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 38 UDP 192.168.2.17:52682 <-> 192.168.2.1:53 [proto: 5.143/DNS.AppleiCloud][cat: Web/5][1 pkts/74 bytes <-> 1 pkts/203 bytes][Goodput ratio: 43/79][0.04 sec][Host: www.icloud.com][23.45.74.46][PLAIN TEXT (icloud)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/mysql-8.pcap.out b/tests/result/mysql-8.pcap.out new file mode 100644 index 000000000..5e2b2da0f --- /dev/null +++ b/tests/result/mysql-8.pcap.out @@ -0,0 +1,3 @@ +MySQL 4 367 1 + + 1 TCP 192.168.1.105:8738 <-> 10.42.18.198:3306 [proto: 20/MySQL][cat: Database/11][2 pkts/140 bytes <-> 2 pkts/227 bytes][Goodput ratio: 0/38][0.00 sec][PLAIN TEXT (DDDDDD)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/smb_deletefile.pcap.out b/tests/result/smb_deletefile.pcap.out index 03bcd48d9..95a35655e 100644 --- a/tests/result/smb_deletefile.pcap.out +++ b/tests/result/smb_deletefile.pcap.out 
@@ -1,3 +1,3 @@ SMBv23 101 30748 1 - 1 TCP 192.168.1.118:56848 <-> 192.168.1.187:445 [proto: 10.41/NetBIOS.SMBv23][cat: System/18][62 pkts/14382 bytes <-> 39 pkts/16366 bytes][Goodput ratio: 77/87][2.38 sec][bytes ratio: -0.065 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 46/80 2157/2158 299/394][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 232/420 530/1514 194/299][Risk: ** Known protocol on non standard port **][Plen Bins: 0,0,4,7,1,0,1,1,0,1,7,9,20,21,6,13,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0] + 1 TCP 192.168.1.118:56848 <-> 192.168.1.187:445 [proto: 10.41/NetBIOS.SMBv23][cat: System/18][62 pkts/14382 bytes <-> 39 pkts/16366 bytes][Goodput ratio: 77/87][2.38 sec][bytes ratio: -0.065 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 46/80 2157/2158 299/394][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 232/420 530/1514 194/299][Plen Bins: 0,0,4,7,1,0,1,1,0,1,7,9,20,21,6,13,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0] diff --git a/tests/result/teams.pcap.out b/tests/result/teams.pcap.out index f8bbaee62..c88ad0ee5 100644 --- a/tests/result/teams.pcap.out +++ b/tests/result/teams.pcap.out 
@@ -95,7 +95,7 @@ JA3 Host Stats: 74 UDP 192.168.1.6:51033 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][1 pkts/80 bytes <-> 1 pkts/182 bytes][Goodput ratio: 47/77][0.04 sec][Host: eu-api.asm.skype.com][52.114.75.69][PLAIN TEXT (trafficmanager)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 75 UDP 192.168.1.6:51309 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/93 bytes <-> 1 pkts/169 bytes][Goodput ratio: 54/75][0.01 sec][Host: skypedataprdcolneu04.cloudapp.net][::][PLAIN TEXT (skypedataprdcolneu04)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 76 UDP 192.168.1.6:62863 <-> 192.168.1.1:53 [proto: 5.250/DNS.Teams][cat: Collaborative/15][1 pkts/103 bytes <-> 1 pkts/158 bytes][Goodput ratio: 59/73][0.07 sec][Host: emea.ng.msg.teams-msgapi.trafficmanager.net][52.114.108.8][PLAIN TEXT (msgapi)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 77 UDP 192.168.1.6:56634 <-> 192.168.1.1:53 [proto: 5.140/DNS.Apple][cat: Web/5][1 pkts/89 bytes <-> 1 pkts/142 bytes][Goodput ratio: 52/70][0.03 sec][Host: captive.apple.com.edgekey.net][23.50.158.88][PLAIN TEXT (captive)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 77 UDP 192.168.1.6:56634 <-> 192.168.1.1:53 [proto: 5.140/DNS.Apple][cat: ConnectivityCheck/30][1 pkts/89 bytes <-> 1 pkts/142 bytes][Goodput ratio: 52/70][0.03 sec][Host: captive.apple.com.edgekey.net][23.50.158.88][PLAIN TEXT (captive)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 78 UDP 192.168.1.6:60813 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/93 bytes <-> 1 pkts/109 bytes][Goodput ratio: 54/61][0.01 sec][Host: skypedataprdcolneu04.cloudapp.net][52.114.77.33][PLAIN TEXT (skypedataprdcolneu04)][Plen Bins: 
0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 79 TCP 192.168.1.6:58533 -> 149.154.167.91:443 [proto: 91.185/TLS.Telegram][cat: Chat/9][3 pkts/186 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][4.29 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 80 ICMP 93.71.110.205:0 -> 192.168.1.6:0 [proto: 81/ICMP][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][0.01 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/tls_esni_sni_both.pcap.out b/tests/result/tls_esni_sni_both.pcap.out new file mode 100644 index 000000000..d4220d097 --- /dev/null +++ b/tests/result/tls_esni_sni_both.pcap.out 
@@ -0,0 +1,9 @@ +Cloudflare 38 15899 2 + +JA3 Host Stats: + IP Address # JA3C + 1 192.168.1.21 1 + + + 1 TCP 192.168.1.21:55500 <-> 104.17.175.85:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][11 pkts/1461 bytes <-> 9 pkts/7270 bytes][Goodput ratio: 58/93][0.13 sec][bytes ratio: -0.665 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/10 53/43 21/15][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 133/808 688/1514 179/685][Risk: ** TLS (probably) not carrying HTTPS **** TLS Suspicious ESNI Usage **][TLSv1.3][Client: these-are-not-the-droids-youre-looking-for.com][JA3C: 077d20c3f8c5a1f091dc937c515b69c1][JA3S: d75f9129bb5d05492a65ff78e081bcb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ipher: TLS_AES_128_GCM_SHA256][Cipher: TLS_CHACHA20_POLY1305_SHA256][PLAIN TEXT (mw/KUc)][Plen Bins: 11,0,11,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,11,0,33,0,0] + 2 TCP 192.168.1.21:55514 <-> 104.17.175.85:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][10 pkts/1412 bytes <-> 8 pkts/5756 bytes][Goodput ratio: 60/92][0.12 sec][bytes ratio: -0.606 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/11 50/38 20/14][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 141/720 693/1514 188/676][Risk: ** TLS (probably) not carrying HTTPS **** TLS Suspicious ESNI Usage **][TLSv1.3][Client: you-think-thats-normal-tls-traffic-youre-seeing.com][JA3C: 077d20c3f8c5a1f091dc937c515b69c1][JA3S: d75f9129bb5d05492a65ff78e081bcb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ipher: TLS_AES_128_GCM_SHA256][Cipher: TLS_CHACHA20_POLY1305_SHA256][Plen Bins: 12,0,12,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,12,0,25,0,0]