From 73c7ccdb65a1e13e3fb1726af7882dd34534906f Mon Sep 17 00:00:00 2001 From: emanuele-f Date: Mon, 23 Dec 2019 15:20:09 +0100 Subject: [PATCH 01/12] Fix crash in ndpi_fill_ip_protocol_category when both saddr and daddr are 0 In this corner case, the "prefix" variable was not initialized leading to a failed assertion and crash: ndpi_patricia_search_best2: Assertion `prefix->bitlen <= patricia->maxbits' failed. --- src/lib/ndpi_main.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 14524ff7c..fdf01fde2 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -4578,10 +4578,11 @@ int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_str } if(!node) { - if(daddr != 0) + if(daddr != 0) { fill_prefix_v4(&prefix, (struct in_addr *)&daddr, 32, ((patricia_tree_t*)ndpi_str->protocols_ptree)->maxbits); - node = ndpi_patricia_search_best(ndpi_str->custom_categories.ipAddresses, &prefix); + node = ndpi_patricia_search_best(ndpi_str->custom_categories.ipAddresses, &prefix); + } } if(node) { From 257ec7cc5f372d26cba1a7178589a085116f54b0 Mon Sep 17 00:00:00 2001 From: Luca Date: Sun, 29 Dec 2019 08:07:35 +0100 Subject: [PATCH 02/12] Removed disable_metadata_export preference that is no longer useful since ndpi_process_extra_packet() can drive limited or full metadata export --- src/include/ndpi_typedefs.h | 4 +-- src/lib/ndpi_main.c | 4 --- src/lib/protocols/bittorrent.c | 4 +-- src/lib/protocols/dhcp.c | 52 +++++++++++++++------------------- src/lib/protocols/http.c | 21 ++++++-------- src/lib/protocols/mdns_proto.c | 8 ++---- src/lib/protocols/netbios.c | 11 +++---- src/lib/protocols/quic.c | 30 +++++++++----------- src/lib/protocols/ssh.c | 47 +++++++++++++----------------- src/lib/protocols/tls.c | 44 +++++++++++++--------------- src/lib/protocols/ubntac2.c | 8 ++---- src/lib/protocols/whoisdas.c | 12 ++++---- 12 files changed, 102 insertions(+), 143 deletions(-) 
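Review bot: The new guard skips the lookup when `daddr` is 0, but `prefix` is still filled with `maxbits` read from `ndpi_str->protocols_ptree` while the search runs against `ndpi_str->custom_categories.ipAddresses`. If those two trees can be created with different `maxbits`, the assertion quoted in the commit message could presumably still fire on traffic-derived addresses. Taking the value from the tree being searched, `((patricia_tree_t*)ndpi_str->custom_categories.ipAddresses)->maxbits`, keeps the two in step. The declaration of `prefix` and the `saddr` branch are outside this hunk, so whether `prefix` is zero-initialised where it is declared cannot be confirmed from here.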
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 11b3394da..33ca4a724 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -941,7 +941,6 @@ typedef enum { typedef enum { ndpi_pref_direction_detect_disable = 0, - ndpi_pref_disable_metadata_export, } ndpi_detection_preference; /* ntop extensions */ @@ -1119,8 +1118,7 @@ struct ndpi_detection_module_struct { ndpi_proto_defaults_t proto_defaults[NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS]; u_int8_t direction_detect_disable:1, /* disable internal detection of packet direction */ - disable_metadata_export:1 /* No metadata is exported */ - ; + _pad:7; void *hyperscan; /* Intel Hyperscan */ }; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index fdf01fde2..84c6883a4 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -716,10 +716,6 @@ int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_str ndpi_str->direction_detect_disable = (u_int8_t)value; break; - case ndpi_pref_disable_metadata_export: - ndpi_str->disable_metadata_export = (u_int8_t)value; - break; - default: return(-1); } diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c index bea7622a0..09e863bb6 100644 --- a/src/lib/protocols/bittorrent.c +++ b/src/lib/protocols/bittorrent.c @@ -72,9 +72,7 @@ static void ndpi_add_connection_as_bittorrent(struct ndpi_detection_module_struc } else bt_hash = (const char*)&flow->packet.payload[28]; - if(!ndpi_struct->disable_metadata_export) { - if(bt_hash) memcpy(flow->protos.bittorrent.hash, bt_hash, 20); - } + if(bt_hash) memcpy(flow->protos.bittorrent.hash, bt_hash, 20); } ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_UNKNOWN); diff --git a/src/lib/protocols/dhcp.c b/src/lib/protocols/dhcp.c index d939df1d8..1913c5997 100644 --- a/src/lib/protocols/dhcp.c +++ b/src/lib/protocols/dhcp.c 
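Review bot: Dropping `ndpi_pref_disable_metadata_export` from the public `ndpi_detection_preference` enum breaks every caller that still passes it to `ndpi_set_detection_preferences()`, and nothing in this hunk marks the removal. It also removes the only switch visible in this patch that kept hostnames, certificate names, user agents and DHCP fingerprints out of the flow structure, which a deployment may have relied on for data minimisation. Consider keeping the enumerator for one release as an accepted no-op, e.g. `ndpi_pref_disable_metadata_export, /* deprecated: ignored, metadata is always extracted */`, and documenting in this header how a caller now limits what is extracted.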
@@ -100,42 +100,36 @@ void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, stru if(msg_type <= 8) foundValidMsgType = 1; } else if(id == 55 /* Parameter Request List / Fingerprint */) { - if(!ndpi_struct->disable_metadata_export) { - u_int idx, offset = 0; + u_int idx, offset = 0; + + for(idx = 0; idx < len && offset < sizeof(flow->protos.dhcp.fingerprint) - 2; idx++) { + int rc = snprintf((char*)&flow->protos.dhcp.fingerprint[offset], + sizeof(flow->protos.dhcp.fingerprint) - offset, + "%s%u", (idx > 0) ? "," : "", + (unsigned int)dhcp->options[i+2+idx] & 0xFF); - for(idx = 0; idx < len && offset < sizeof(flow->protos.dhcp.fingerprint) - 2; idx++) { - int rc = snprintf((char*)&flow->protos.dhcp.fingerprint[offset], - sizeof(flow->protos.dhcp.fingerprint) - offset, - "%s%u", (idx > 0) ? "," : "", - (unsigned int)dhcp->options[i+2+idx] & 0xFF); - - if(rc < 0) break; else offset += rc; - } - - flow->protos.dhcp.fingerprint[sizeof(flow->protos.dhcp.fingerprint) - 1] = '\0'; + if(rc < 0) break; else offset += rc; } + + flow->protos.dhcp.fingerprint[sizeof(flow->protos.dhcp.fingerprint) - 1] = '\0'; } else if(id == 60 /* Class Identifier */) { - if(!ndpi_struct->disable_metadata_export) { - char *name = (char*)&dhcp->options[i+2]; - int j = 0; - - j = ndpi_min(len, sizeof(flow->protos.dhcp.class_ident)-1); - strncpy((char*)flow->protos.dhcp.class_ident, name, j); - flow->protos.dhcp.class_ident[j] = '\0'; - } + char *name = (char*)&dhcp->options[i+2]; + int j = 0; + + j = ndpi_min(len, sizeof(flow->protos.dhcp.class_ident)-1); + strncpy((char*)flow->protos.dhcp.class_ident, name, j); + flow->protos.dhcp.class_ident[j] = '\0'; } else if(id == 12 /* Host Name */) { - if(!ndpi_struct->disable_metadata_export) { - char *name = (char*)&dhcp->options[i+2]; - int j = 0; - + char *name = (char*)&dhcp->options[i+2]; + int j = 0; + #ifdef DHCP_DEBUG - NDPI_LOG_DBG2(ndpi_struct, "[DHCP] '%.*s'\n",name,len); + NDPI_LOG_DBG2(ndpi_struct, "[DHCP] 
'%.*s'\n",name,len); // while(j < len) { printf( "%c", name[j]); j++; }; printf("\n"); #endif - j = ndpi_min(len, sizeof(flow->host_server_name)-1); - strncpy((char*)flow->host_server_name, name, j); - flow->host_server_name[j] = '\0'; - } + j = ndpi_min(len, sizeof(flow->host_server_name)-1); + strncpy((char*)flow->host_server_name, name, j); + flow->host_server_name[j] = '\0'; } i += len + 2; diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 70ca0c389..b599b82a9 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -149,9 +149,8 @@ static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct, * https://github.com/ua-parser/uap-core/blob/master/regexes.yaml */ //printf("==> %s\n", ua); - if(!ndpi_struct->disable_metadata_export) { - snprintf((char*)flow->protos.http.detected_os, sizeof(flow->protos.http.detected_os), "%s", ua); - } + snprintf((char*)flow->protos.http.detected_os, + sizeof(flow->protos.http.detected_os), "%s", ua); } /* ************************************************************* */ 
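Review bot: In the `DHCP_DEBUG` branch of the Host Name option the arguments to `%.*s` are swapped: the precision has to come first as an `int`, then the string, i.e. `NDPI_LOG_DBG2(ndpi_struct, "[DHCP] '%.*s'\n", (int)len, name);`. As written, a debug build passes a pointer where the precision is expected, which is undefined behaviour on packet-derived data. Separately, the three option branches index `dhcp->options[i+2+idx]` and copy `len` bytes from `&dhcp->options[i+2]`; the check that `i + 2 + len` stays inside the received options area is not visible in this hunk and should be confirmed, since these copies now run for every caller. `ndpi_search_dhcp_udp` starts and ends outside the hunk.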
@@ -333,21 +332,17 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ packet->host_line.len, packet->host_line.ptr); /* Copy result for nDPI apps */ - if(!ndpi_struct->disable_metadata_export) { - len = ndpi_min(packet->host_line.len, sizeof(flow->host_server_name)-1); - strncpy((char*)flow->host_server_name, (char*)packet->host_line.ptr, len); - flow->host_server_name[len] = '\0'; - flow->extra_packets_func = NULL; /* We're good now */ - } + len = ndpi_min(packet->host_line.len, sizeof(flow->host_server_name)-1); + strncpy((char*)flow->host_server_name, (char*)packet->host_line.ptr, len); + flow->host_server_name[len] = '\0'; + flow->extra_packets_func = NULL; /* We're good now */ flow->server_id = flow->dst; if(packet->forwarded_line.ptr) { len = ndpi_min(packet->forwarded_line.len, sizeof(flow->protos.http.nat_ip)-1); - if(!ndpi_struct->disable_metadata_export) { - strncpy((char*)flow->protos.http.nat_ip, (char*)packet->forwarded_line.ptr, len); - flow->protos.http.nat_ip[len] = '\0'; - } + strncpy((char*)flow->protos.http.nat_ip, (char*)packet->forwarded_line.ptr, len); + flow->protos.http.nat_ip[len] = '\0'; } ndpi_http_parse_subprotocol(ndpi_struct, flow); diff --git a/src/lib/protocols/mdns_proto.c b/src/lib/protocols/mdns_proto.c index 6297bd4bb..f41b6de0a 100644 --- a/src/lib/protocols/mdns_proto.c +++ b/src/lib/protocols/mdns_proto.c @@ -82,11 +82,9 @@ static int ndpi_int_check_mdns_payload(struct ndpi_detection_module_struct /* printf("==> [%d] %s\n", j, answer); */ - if(!ndpi_struct->disable_metadata_export) { - len = ndpi_min(sizeof(flow->protos.mdns.answer)-1, j); - strncpy(flow->protos.mdns.answer, (const char *)answer, len); - flow->protos.mdns.answer[len] = '\0'; - } + len = ndpi_min(sizeof(flow->protos.mdns.answer)-1, j); + strncpy(flow->protos.mdns.answer, (const char *)answer, len); + flow->protos.mdns.answer[len] = '\0'; NDPI_LOG_INFO(ndpi_struct, "found MDNS with answer query\n"); return 1; 
diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c index 09666366a..bc33a5885 100644 --- a/src/lib/protocols/netbios.c +++ b/src/lib/protocols/netbios.c @@ -73,13 +73,10 @@ int ndpi_netbios_name_interpret(char *in, char *out, u_int out_len) { static void ndpi_int_netbios_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { char name[64]; - - if(!ndpi_struct->disable_metadata_export) { - u_int off = flow->packet.payload[12] == 0x20 ? 12 : 14; - - if(ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], name, sizeof(name)) > 0) - snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name); - } + u_int off = flow->packet.payload[12] == 0x20 ? 12 : 14; + + if(ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], name, sizeof(name)) > 0) + snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NETBIOS, NDPI_PROTOCOL_UNKNOWN); } diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index 86464ddbd..d0fd1e599 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c 
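Review bot: `ndpi_int_netbios_add_connection()` now always reads `flow->packet.payload[12]` and passes `&flow->packet.payload[off]` to `ndpi_netbios_name_interpret()`, whose signature (shown in the hunk header) takes no input length. No check of `payload_packet_len` is visible in this hunk, so unless every caller guarantees enough bytes, the decoder's read of the packet is bounded only by the encoded name itself. Comparing `flow->packet.payload_packet_len` against `off` before the call, or giving the decoder an input-length parameter, would make the bound explicit. The `snprintf` size `sizeof(flow->host_server_name)-1` is also one byte smaller than needed, because `snprintf` already reserves room for the terminator.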
@@ -129,23 +129,21 @@ void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct, sni_offset++; if((sni_offset+len) < udp_len) { - if(!ndpi_struct->disable_metadata_export) { - int max_len = sizeof(flow->host_server_name)-1, j = 0; - ndpi_protocol_match_result ret_match; - - if(len > max_len) len = max_len; - - while((len > 0) && (sni_offset < udp_len)) { - flow->host_server_name[j++] = packet->payload[sni_offset]; - sni_offset++, len--; - } - - ndpi_match_host_subprotocol(ndpi_struct, flow, - (char *)flow->host_server_name, - strlen((const char*)flow->host_server_name), - &ret_match, - NDPI_PROTOCOL_QUIC); + int max_len = sizeof(flow->host_server_name)-1, j = 0; + ndpi_protocol_match_result ret_match; + + if(len > max_len) len = max_len; + + while((len > 0) && (sni_offset < udp_len)) { + flow->host_server_name[j++] = packet->payload[sni_offset]; + sni_offset++, len--; } + + ndpi_match_host_subprotocol(ndpi_struct, flow, + (char *)flow->host_server_name, + strlen((const char*)flow->host_server_name), + &ret_match, + NDPI_PROTOCOL_QUIC); } break; diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index 068d2c345..1e1671c9e 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c 
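Review bot: The copy loop writes `len` bytes into `flow->host_server_name` but never stores a terminator, and the next statement calls `strlen()` on that buffer. This is only correct if the field was all zeroes before the loop; if an earlier packet of the flow already stored a longer name, the sub-protocol match runs on a mix of old and new bytes. Adding `flow->host_server_name[j] = '\0';` after the loop and passing `j` instead of `strlen(...)` removes that dependency. `len` is compared against the signed `max_len`, and its declaration is outside the hunk, so its type and range should be confirmed; `ndpi_search_quic` starts and ends outside the hunk.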
@@ -251,18 +251,16 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct if(flow->l4.tcp.ssh_stage == 0) { if(packet->payload_packet_len > 7 && packet->payload_packet_len < 100 && memcmp(packet->payload, "SSH-", 4) == 0) { - if(!ndpi_struct->disable_metadata_export) { - int len = ndpi_min(sizeof(flow->protos.ssh.client_signature)-1, packet->payload_packet_len); - - strncpy(flow->protos.ssh.client_signature, (const char *)packet->payload, len); - flow->protos.ssh.client_signature[len] = '\0'; - ndpi_ssh_zap_cr(flow->protos.ssh.client_signature, len); - + int len = ndpi_min(sizeof(flow->protos.ssh.client_signature)-1, packet->payload_packet_len); + + strncpy(flow->protos.ssh.client_signature, (const char *)packet->payload, len); + flow->protos.ssh.client_signature[len] = '\0'; + ndpi_ssh_zap_cr(flow->protos.ssh.client_signature, len); + #ifdef SSH_DEBUG - printf("[SSH] [client_signature: %s]\n", flow->protos.ssh.client_signature); -#endif - } - + printf("[SSH] [client_signature: %s]\n", flow->protos.ssh.client_signature); +#endif + NDPI_LOG_DBG2(ndpi_struct, "ssh stage 0 passed\n"); flow->l4.tcp.ssh_stage = 1 + packet->packet_direction; ndpi_int_ssh_add_connection(ndpi_struct, flow); 
@@ -271,24 +269,19 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct } else if(flow->l4.tcp.ssh_stage == (2 - packet->packet_direction)) { if(packet->payload_packet_len > 7 && packet->payload_packet_len < 500 && memcmp(packet->payload, "SSH-", 4) == 0) { - if(!ndpi_struct->disable_metadata_export) { - int len = ndpi_min(sizeof(flow->protos.ssh.server_signature)-1, packet->payload_packet_len); - - strncpy(flow->protos.ssh.server_signature, (const char *)packet->payload, len); - flow->protos.ssh.server_signature[len] = '\0'; - ndpi_ssh_zap_cr(flow->protos.ssh.server_signature, len); - + int len = ndpi_min(sizeof(flow->protos.ssh.server_signature)-1, packet->payload_packet_len); + + strncpy(flow->protos.ssh.server_signature, (const char *)packet->payload, len); + flow->protos.ssh.server_signature[len] = '\0'; + ndpi_ssh_zap_cr(flow->protos.ssh.server_signature, len); + #ifdef SSH_DEBUG - printf("[SSH] [server_signature: %s]\n", flow->protos.ssh.server_signature); + printf("[SSH] [server_signature: %s]\n", flow->protos.ssh.server_signature); #endif - - NDPI_LOG_DBG2(ndpi_struct, "ssh stage 1 passed\n"); - flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_SSH; - } else { - NDPI_LOG_INFO(ndpi_struct, "found ssh\n"); - ndpi_int_ssh_add_connection(ndpi_struct, flow); - } - + + NDPI_LOG_DBG2(ndpi_struct, "ssh stage 1 passed\n"); + flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_SSH; + #ifdef SSH_DEBUG printf("[SSH] [completed stage: %u]\n", flow->l4.tcp.ssh_stage); #endif diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 79ef6cab7..1d7d2a02b 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c 
@@ -443,28 +443,25 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct, } if(num_dots >= 1) { - if(!ndpi_struct->disable_metadata_export) { - ndpi_protocol_match_result ret_match; - u_int16_t subproto; - - stripCertificateTrailer(buffer, buffer_len); - snprintf(flow->protos.stun_ssl.ssl.server_certificate, - sizeof(flow->protos.stun_ssl.ssl.server_certificate), "%s", buffer); - + ndpi_protocol_match_result ret_match; + u_int16_t subproto; + + stripCertificateTrailer(buffer, buffer_len); + snprintf(flow->protos.stun_ssl.ssl.server_certificate, + sizeof(flow->protos.stun_ssl.ssl.server_certificate), "%s", buffer); + #ifdef DEBUG_TLS - printf("[server_certificate: %s]\n", flow->protos.stun_ssl.ssl.server_certificate); + printf("[server_certificate: %s]\n", flow->protos.stun_ssl.ssl.server_certificate); #endif - - subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, - flow->protos.stun_ssl.ssl.server_certificate, - strlen(flow->protos.stun_ssl.ssl.server_certificate), - &ret_match, - NDPI_PROTOCOL_TLS); - - if(subproto != NDPI_PROTOCOL_UNKNOWN) - ndpi_set_detected_protocol(ndpi_struct, flow, subproto, NDPI_PROTOCOL_TLS); - } - + + subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, + flow->protos.stun_ssl.ssl.server_certificate, + strlen(flow->protos.stun_ssl.ssl.server_certificate), + &ret_match, + NDPI_PROTOCOL_TLS); + + if(subproto != NDPI_PROTOCOL_UNKNOWN) + ndpi_set_detected_protocol(ndpi_struct, flow, subproto, NDPI_PROTOCOL_TLS); return(1 /* Server Certificate */); } } 
@@ -608,10 +605,9 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct, stripCertificateTrailer(buffer, buffer_len); - if(!ndpi_struct->disable_metadata_export) { - snprintf(flow->protos.stun_ssl.ssl.client_certificate, - sizeof(flow->protos.stun_ssl.ssl.client_certificate), "%s", buffer); - } + snprintf(flow->protos.stun_ssl.ssl.client_certificate, + sizeof(flow->protos.stun_ssl.ssl.client_certificate), + "%s", buffer); } } else if(extension_id == 10 /* supported groups */) { u_int16_t s_offset = offset+extension_offset + 2; diff --git a/src/lib/protocols/ubntac2.c b/src/lib/protocols/ubntac2.c index 6fc004228..49a63ed0a 100644 --- a/src/lib/protocols/ubntac2.c +++ b/src/lib/protocols/ubntac2.c @@ -64,11 +64,9 @@ void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struc version[j] = '\0'; - if(!ndpi_struct->disable_metadata_export) { - len = ndpi_min(sizeof(flow->protos.ubntac2.version)-1, j); - strncpy(flow->protos.ubntac2.version, (const char *)version, len); - flow->protos.ubntac2.version[len] = '\0'; - } + len = ndpi_min(sizeof(flow->protos.ubntac2.version)-1, j); + strncpy(flow->protos.ubntac2.version, (const char *)version, len); + flow->protos.ubntac2.version[len] = '\0'; } NDPI_LOG_INFO(ndpi_struct, "UBNT AirControl 2 request\n"); diff --git a/src/lib/protocols/whoisdas.c b/src/lib/protocols/whoisdas.c index 381acc981..5bc5df0e8 100644 --- a/src/lib/protocols/whoisdas.c +++ b/src/lib/protocols/whoisdas.c 
@@ -40,15 +40,13 @@ void ndpi_search_whois_das(struct ndpi_detection_module_struct *ndpi_struct, str u_int max_len = sizeof(flow->host_server_name) - 1; u_int i, j; - if(!ndpi_struct->disable_metadata_export) { - for(i=strlen((const char *)flow->host_server_name), j=0; (ipayload_packet_len); i++, j++) { - if((packet->payload[j] == '\n') || (packet->payload[j] == '\r')) break; - flow->host_server_name[i] = packet->payload[j]; - } - - flow->host_server_name[i] = '\0'; + for(i=strlen((const char *)flow->host_server_name), j=0; (ipayload_packet_len); i++, j++) { + if((packet->payload[j] == '\n') || (packet->payload[j] == '\r')) break; + flow->host_server_name[i] = packet->payload[j]; } + flow->host_server_name[i] = '\0'; + flow->server_id = ((sport == 43) || (sport == 4343)) ? flow->src : flow->dst; NDPI_LOG_INFO(ndpi_struct, "[WHOIS/DAS] %s\n", flow->host_server_name); From 9fb3a57a7182432f89248fc65e3fe59c2cbf1963 Mon Sep 17 00:00:00 2001 From: Luca Date: Sun, 29 Dec 2019 10:45:42 +0100 Subject: [PATCH 03/12] Kerberos fixes Minor TLS cleanup --- example/ndpiReader.c | 4 +++- example/reader_util.c | 9 +++++++++ src/lib/protocols/kerberos.c | 11 +++++------ src/lib/protocols/tls.c | 15 +++------------ 4 files changed, 20 insertions(+), 19 deletions(-) diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 6a52cc953..77b1a3591 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -602,7 +602,7 @@ void printCSVHeader() { fprintf(csv_fp, "client_info,server_info,"); fprintf(csv_fp, "tls_version,ja3c,tls_client_unsafe,"); fprintf(csv_fp, "ja3s,tls_server_unsafe,"); - fprintf(csv_fp, "ssh_client_hassh,ssh_server_hassh"); + fprintf(csv_fp, "ssh_client_hassh,ssh_server_hassh,flow_info"); /* Joy */ if(enable_joy_stats) { 
@@ -1099,6 +1099,8 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa (flow->ssh_tls.client_hassh[0] != '\0') ? flow->ssh_tls.client_hassh : "", (flow->ssh_tls.server_hassh[0] != '\0') ? flow->ssh_tls.server_hassh : "" ); + + fprintf(csv_fp, ",%s", flow->info); } if((verbose != 1) && (verbose != 2)) { diff --git a/example/reader_util.c b/example/reader_util.c index 1d19e8b41..a1a712837 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -993,6 +993,15 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl } else if(flow->ndpi_flow->protos.kerberos.domain[0] != '\0') snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->protos.kerberos.domain); + +#if 0 + if(flow->info[0] != '\0') + printf("->> (%d) [%s][%s][%s]<<--\n", + htons(flow->src_port), + flow->ndpi_flow->protos.kerberos.domain, + flow->ndpi_flow->protos.kerberos.hostname, + flow->ndpi_flow->protos.kerberos.username); +#endif } /* HTTP */ else if((flow->detected_protocol.master_protocol == NDPI_PROTOCOL_HTTP) diff --git a/src/lib/protocols/kerberos.c b/src/lib/protocols/kerberos.c index 81f84a8ac..2d062ce4e 100644 --- a/src/lib/protocols/kerberos.c +++ b/src/lib/protocols/kerberos.c @@ -28,7 +28,7 @@ #include "ndpi_api.h" -//#define KERBEROS_DEBUG 1 +/* #define KERBEROS_DEBUG 1 */ #define KERBEROS_PORT 88 @@ -190,7 +190,7 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t name_offset; name_offset = body_offset + 13; - for(i=0; i<10; i++) if(packet->payload[name_offset] != 0x1b) name_offset++; /* ASN.1 */ + for(i=0; i<20; i++) if(packet->payload[name_offset] != 0x1b) name_offset++; /* ASN.1 */ #ifdef KERBEROS_DEBUG printf("name_offset=%u [%02X %02X] [byte 0 must be 0x1b]\n", name_offset, packet->payload[name_offset], packet->payload[name_offset+1]); 
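Review bot: `fprintf(csv_fp, ",%s", flow->info);` writes a packet-derived string into the CSV without quoting. `flow->info` is filled from fields such as the Kerberos domain (see the reader_util.c hunk), so a comma, quote or line break in the traffic shifts or splits the columns of the report, and a value that starts with `=`, `+`, `-` or `@` is interpreted as a formula by spreadsheet tools that open the file. The field should be emitted quoted, with embedded quotes doubled, control bytes replaced and a leading formula character neutralised, through a small helper as sketched below. The other string columns printed just above appear to share this property; `printFlow` starts and ends outside the hunk.

```c
/* Write one CSV field: quoted, embedded quotes doubled, control bytes
   replaced, leading formula character neutralised. */
static void print_csv_field(FILE *fp, const char *s) {
  fputs(",\"", fp);
  if((*s == '=') || (*s == '+') || (*s == '-') || (*s == '@')) fputc('\'', fp);
  for(; *s != '\0'; s++) {
    unsigned char c = (unsigned char)*s;
    if(c == '"') fputs("\"\"", fp);
    else fputc(((c < 0x20) || (c == 0x7f)) ? '?' : c, fp);
  }
  fputc('"', fp);
}

/* … unchanged: ssh_client_hassh / ssh_server_hassh columns … */
    print_csv_field(csv_fp, flow->info);
```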
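Review bot: The scan `for(i=0; i<20; i++) if(packet->payload[name_offset] != 0x1b) name_offset++;` in kerberos.c advances up to 20 bytes through the payload without comparing `name_offset` to `packet->payload_packet_len`, and raising the limit from 10 widens the window in which a short packet is read past its end. No length check is visible in this hunk, and the loop also leaves `name_offset` on a non-0x1b byte when the tag is never found. Bound the loop, `for(i=0; (i<20) && (name_offset < packet->payload_packet_len); i++)`, and stop parsing afterwards when `name_offset` has reached the payload length or the byte at that offset is not 0x1b. The same applies to the `realm_offset` scan (limit 14) and the second `name_offset` scan (limit 14) in the two later hunks of this file; `ndpi_search_kerberos` extends beyond all three hunks.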
@@ -222,8 +222,7 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, for(i=0; ipayload[name_offset+1+cname_len] == 0x1b)) { @@ -242,7 +241,7 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, } else snprintf(flow->protos.kerberos.username, sizeof(flow->protos.kerberos.username), "%s", cname_str); - for(i=0; i<10; i++) if(packet->payload[realm_offset] != 0x1b) name_offset++; /* ASN.1 */ + for(i=0; i<14; i++) if(packet->payload[realm_offset] != 0x1b) realm_offset++; /* ASN.1 */ #ifdef KERBEROS_DEBUG printf("realm_offset=%u [%02X %02X] [byte 0 must be 0x1b]\n", realm_offset, packet->payload[realm_offset], packet->payload[realm_offset+1]); #endif @@ -279,7 +278,7 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, u_int name_offset, padding_offset = body_offset + 4; name_offset = padding_offset; - for(i=0; i<10; i++) if(packet->payload[name_offset] != 0x1b) name_offset++; /* ASN.1 */ + for(i=0; i<14; i++) if(packet->payload[name_offset] != 0x1b) name_offset++; /* ASN.1 */ #ifdef KERBEROS_DEBUG printf("name_offset=%u [%02X %02X] [byte 0 must be 0x1b]\n", name_offset, packet->payload[name_offset], packet->payload[name_offset+1]); diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 1d7d2a02b..3fda1d22a 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -33,7 +33,7 @@ extern char *strptime(const char *s, const char *format, struct tm *tm); -/* #define DEBUG_TLS 1 */ +/* #define DEBUG_TLS 1 */ /* #define DEBUG_FINGERPRINT 1 */ /* @@ -252,7 +252,6 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct, } total_len += header_len; - memset(buffer, 0, buffer_len); /* Truncate total len, search at least in incomplete packet */ 
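Review bot: Removing `memset(buffer, 0, buffer_len);` from `getTLScertificate()` means the caller's buffer keeps whatever it held on every path that returns before writing to it, while later code in this function formats `buffer` with `"%s"`. `char certificate[64];` in `sslTryAndRetrieveServerCertificate` (visible in a later hunk of this file) looks like one such caller buffer, so stale stack bytes could reach flow metadata if any path leaves it unterminated. If the full memset is the cost being avoided, `if(buffer_len > 0) buffer[0] = '\0';` at the same place keeps the buffer a valid empty string. The paths that fill and terminate the buffer are outside this hunk and should be checked before relying on the removal.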
@@ -966,8 +965,8 @@ void getSSLorganization(struct ndpi_detection_module_struct *ndpi_struct, memset(buffer, 0, buffer_len); /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */ - u_int num_found = 0; - u_int i, j; + u_int num_found = 0, i, j; + for(i = 9; i < packet->payload_packet_len-4; i++) { /* Organization OID: 2.5.4.10 */ if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x0a)) { @@ -1083,7 +1082,6 @@ int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi getSSCertificateFingerprint(ndpi_struct, flow); } -#if 1 /* consider only specific SSL packets (handshake) */ if((packet->payload_packet_len > 9) && (packet->payload[0] == 0x16)) { char certificate[64]; @@ -1101,12 +1099,6 @@ int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi getSSLorganization(ndpi_struct, flow, organization, sizeof(organization)); packet->tls_certificate_detected++; -#if 0 - if((flow->l4.tcp.tls_seen_server_cert == 1) - && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0')) - /* 0 means we've done processing extra packets (since we found what we wanted) */ - return 0; -#endif } if(flow->l4.tcp.tls_record_offset == 0) { @@ -1123,7 +1115,6 @@ int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi } } } -#endif /* 1 means keep looking for more packets */ if(!flow->l4.tcp.tls_srv_cert_fingerprint_processed) rc = 1; From 499c80535b572a0746d83dcbe2eb232e31434bc4 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sun, 29 Dec 2019 22:27:48 +0100 Subject: [PATCH 04/12] Minor fix --- src/lib/protocols/oscar.c | 151 +++++++++++++++++++------------------- 1 file changed, 74 insertions(+), 77 deletions(-) diff --git a/src/lib/protocols/oscar.c b/src/lib/protocols/oscar.c index ec256b81b..426abc999 100644 --- a/src/lib/protocols/oscar.c +++ b/src/lib/protocols/oscar.c 
@@ -83,10 +83,10 @@ static void ndpi_int_oscar_add_connection(struct ndpi_detection_module_struct *n ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR, NDPI_PROTOCOL_UNKNOWN); - if (src != NULL) { + if(src != NULL) { src->oscar_last_safe_access_time = packet->tick_timestamp; } - if (dst != NULL) { + if(dst != NULL) { dst->oscar_last_safe_access_time = packet->tick_timestamp; } } @@ -107,10 +107,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct u_int16_t family; u_int16_t type; u_int16_t flag; - u_int32_t req_ID; - struct ndpi_packet_struct * packet = &flow->packet; - struct ndpi_id_struct * src = flow->src; struct ndpi_id_struct * dst = flow->dst; @@ -124,7 +121,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct * [ 4 byte of data ] * * */ - if (packet->payload_packet_len >= 6 && packet->payload[0] == 0x2a) + if(packet->payload_packet_len >= 6 && packet->payload[0] == 0x2a) { /* FLAP__FRAME_TYPE (Channel)*/ @@ -140,7 +137,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct + TLVs | [Class: FLAP__SIGNON_TAGS] TLVs + +--------------------------------------------------+ */ - if (channel == SIGNON && + if(channel == SIGNON && get_u_int16_t(packet->payload, 4) == htons(packet->payload_packet_len - 6) && get_u_int32_t(packet->payload, 6) == htonl(FLAPVERSION)) { 
@@ -153,28 +150,28 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct return; } /* /\* SCREEN_NAME *\/ */ - /* if (get_u_int16_t(packet->payload, 10) == htons(SCREEN_NAME)) /\* packet->payload[10] == 0x00 && packet->payload[11] == 0x01 *\/ */ + /* if(get_u_int16_t(packet->payload, 10) == htons(SCREEN_NAME)) /\* packet->payload[10] == 0x00 && packet->payload[11] == 0x01 *\/ */ /* { */ /* NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Screen Name \n"); */ /* ndpi_int_oscar_add_connection(ndpi_struct, flow); */ /* return; */ /* } */ /* /\* PASSWD *\/ */ - /* if (get_u_int16_t(packet->payload, 10) == htons(PASSWD)) /\* packet->payload[10] == 0x00 && packet->payload[11] == 0x02 *\/ */ + /* if(get_u_int16_t(packet->payload, 10) == htons(PASSWD)) /\* packet->payload[10] == 0x00 && packet->payload[11] == 0x02 *\/ */ /* { */ /* NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Password (roasted) \n"); */ /* ndpi_int_oscar_add_connection(ndpi_struct, flow); */ /* return; */ /* } */ /* CLIENT_NAME */ - if (get_u_int16_t(packet->payload, 10) == htons(CLIENT_NAME)) /* packet->payload[10] == 0x00 && packet->payload[11] == 0x03 */ + if(get_u_int16_t(packet->payload, 10) == htons(CLIENT_NAME)) /* packet->payload[10] == 0x00 && packet->payload[11] == 0x03 */ { NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Client Name \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } /* LOGIN_COOKIE */ - if (get_u_int16_t(packet->payload, 10) == htons(LOGIN_COOKIE) && + if(get_u_int16_t(packet->payload, 10) == htons(LOGIN_COOKIE) && get_u_int16_t(packet->payload, 12) == htons(0x0100)) { if(get_u_int16_t(packet->payload, packet->payload_packet_len - 5) == htons(MULTICONN_FLAGS)) /* MULTICONN_FLAGS */ 
@@ -191,35 +188,35 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* MAJOR_VERSION */ - if (get_u_int16_t(packet->payload, 10) == htons(MAJOR_VERSION)) + if(get_u_int16_t(packet->payload, 10) == htons(MAJOR_VERSION)) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Major_Version \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } /* MINOR_VERSION */ - if (get_u_int16_t(packet->payload, 10) == htons(MINOR_VERSION)) + if(get_u_int16_t(packet->payload, 10) == htons(MINOR_VERSION)) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Minor_Version \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } /* POINT_VERSION */ - if (get_u_int16_t(packet->payload, 10) == htons(POINT_VERSION)) + if(get_u_int16_t(packet->payload, 10) == htons(POINT_VERSION)) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Point_Version \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } /* BUILD_NUM */ - if (get_u_int16_t(packet->payload, 10) == htons(BUILD_NUM)) + if(get_u_int16_t(packet->payload, 10) == htons(BUILD_NUM)) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Build_Num \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } /* CLIENT_RECONNECT */ - if (get_u_int16_t(packet->payload, 10) == htons(CLIENT_RECONNECT)) + if(get_u_int16_t(packet->payload, 10) == htons(CLIENT_RECONNECT)) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Client_Reconnect \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); 
@@ -244,24 +241,24 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct + requestId | 4 byte + +----------------------------------------------+ */ - if (channel == DATA) + if(channel == DATA) { - if (packet->payload_packet_len >= 8) + if(packet->payload_packet_len >= 8) family = get_u_int16_t(packet->payload, 6); else family = 0; - if (packet->payload_packet_len >= 10) + if(packet->payload_packet_len >= 10) type = get_u_int16_t(packet->payload, 8); else type = 0; - if (family == 0 || type == 0) + if(family == 0 || type == 0) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } /* Family 0x0001 */ - if (family == htons(GE_SE_CTL)) + if(family == htons(GE_SE_CTL)) { switch (type) { @@ -297,7 +294,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0002 */ - if (family == htons(LOC_SRV)) + if(family == htons(LOC_SRV)) { switch (type) { @@ -320,7 +317,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0003 */ - if (family == htons(BUDDY_LIST)) + if(family == htons(BUDDY_LIST)) { switch (type) { @@ -340,7 +337,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0004 */ - if (family == htons(IM)) + if(family == htons(IM)) { switch (type) { @@ -361,7 +358,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0006 */ - if (family == htons(IS)) + if(family == htons(IS)) { switch (type) { @@ -372,7 +369,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0007 */ - if (family == htons(ACC_ADM)) + if(family == htons(ACC_ADM)) { switch (type) { @@ -389,7 +386,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0008 */ - if (family == htons(POPUP)) + if(family == htons(POPUP)) { switch (type) { 
@@ -399,7 +396,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0009 */ - if (family == htons(PMS)) + if(family == htons(PMS)) { switch (type) { @@ -418,7 +415,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x000b */ - if (family == htons(USS)) + if(family == htons(USS)) { switch (type) { @@ -430,7 +427,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x000d */ - if (family == htons(CHAT_ROOM_SETUP)) + if(family == htons(CHAT_ROOM_SETUP)) { switch (type) { @@ -447,7 +444,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x000e */ - if (family == htons(CHAT_ROOM_ACT)) + if(family == htons(CHAT_ROOM_ACT)) { switch (type) { @@ -464,7 +461,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x000f */ - if (family == htons(USER_SRCH)) + if(family == htons(USER_SRCH)) { switch (type) { @@ -477,7 +474,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0010 */ - if (family == htons(BUDDY_ICON_SERVER)) + if(family == htons(BUDDY_ICON_SERVER)) { switch (type) { @@ -492,7 +489,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0013 */ - if (family == htons(SERVER_STORED_INFO)) + if(family == htons(SERVER_STORED_INFO)) { switch (type) { @@ -521,7 +518,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0015 */ - if (family == htons(ICQ)) + if(family == htons(ICQ)) { switch (type) { @@ -532,7 +529,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0017 */ - if (family == htons(INIT_AUTH)) + if(family == htons(INIT_AUTH)) { switch (type) { 
@@ -549,12 +546,12 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0018 */ - if (family == htons(EMAIL)) + if(family == htons(EMAIL)) { /* TODO */ } /* Family 0x0085 */ - if (family == htons(IS_EXT)) + if(family == htons(IS_EXT)) { switch (type) { @@ -571,15 +568,15 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } /* flag */ - if (packet->payload_packet_len >= 12) + if(packet->payload_packet_len >= 12) { flag = get_u_int16_t(packet->payload, 10); - if (flag == htons(0x0000)|| flag == htons(0x8000) || flag == htons(0x0001)) + if(flag == htons(0x0000)|| flag == htons(0x8000) || flag == htons(0x0001)) { - if (packet->payload_packet_len >= 16) + if(packet->payload_packet_len >= 16) { /* request ID */ - req_ID = get_u_int32_t(packet->payload, 12); + // u_int32_t req_ID = get_u_int32_t(packet->payload, 12); /* if((req_ID <= ((u_int32_t)-1))) */ { NDPI_LOG_INFO(ndpi_struct, "found OSCAR\n"); @@ -594,7 +591,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct ERROR -> FLAP__ERROR_CHANNEL_0x03 A FLAP error - rare */ - if (channel == O_ERROR) + if(channel == O_ERROR) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Error frame \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); @@ -604,7 +601,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct Close down the FLAP connection gracefully. SIGNOFF: FLAP__SIGNOFF_CHANNEL_0x04 */ - if (channel == SIGNOFF) + if(channel == SIGNOFF) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Signoff frame \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); 
@@ -614,7 +611,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct Send a heartbeat to server to help keep connection open. KEEP_ALIVE: FLAP__KEEP_ALIVE_CHANNEL_0x05 */ - if (channel == KEEP_ALIVE) + if(channel == KEEP_ALIVE) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Keep Alive frame \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); @@ -624,11 +621,11 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct /* detect http connections */ - if (packet->payload_packet_len >= 18) { - if ((packet->payload[0] == 'P') && (memcmp(packet->payload, "POST /photo/upload", 18) == 0)) { + if(packet->payload_packet_len >= 18) { + if((packet->payload[0] == 'P') && (memcmp(packet->payload, "POST /photo/upload", 18) == 0)) { NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet); - if (packet->host_line.len >= 18 && packet->host_line.ptr != NULL) { - if (memcmp(packet->host_line.ptr, "lifestream.aol.com", 18) == 0) { + if(packet->host_line.len >= 18 && packet->host_line.ptr != NULL) { + if(memcmp(packet->host_line.ptr, "lifestream.aol.com", 18) == 0) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR over HTTP, POST method\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); @@ -637,9 +634,9 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } } - if (packet->payload_packet_len > 40) { - if ((packet->payload[0] == 'G') && (memcmp(packet->payload, "GET /", 5) == 0)) { - if ((memcmp(&packet->payload[5], "aim/fetchEvents?aimsid=", 23) == 0) || + if(packet->payload_packet_len > 40) { + if((packet->payload[0] == 'G') && (memcmp(packet->payload, "GET /", 5) == 0)) { + if((memcmp(&packet->payload[5], "aim/fetchEvents?aimsid=", 23) == 0) || (memcmp(&packet->payload[5], "aim/startSession?", 17) == 0) || (memcmp(&packet->payload[5], "aim/gromit/aim_express", 22) == 0) || (memcmp(&packet->payload[5], "b/ss/aolwpaim", 13) == 0) || 
@@ -649,9 +646,9 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct return; } - if ((memcmp(&packet->payload[5], "aim", 3) == 0) || (memcmp(&packet->payload[5], "im", 2) == 0)) { + if((memcmp(&packet->payload[5], "aim", 3) == 0) || (memcmp(&packet->payload[5], "im", 2) == 0)) { NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet); - if (packet->user_agent_line.len > 15 && packet->user_agent_line.ptr != NULL && + if(packet->user_agent_line.len > 15 && packet->user_agent_line.ptr != NULL && ((memcmp(packet->user_agent_line.ptr, "mobileAIM/", 10) == 0) || (memcmp(packet->user_agent_line.ptr, "ICQ/", 4) == 0) || (memcmp(packet->user_agent_line.ptr, "mobileICQ/", 10) == 0) || @@ -663,14 +660,14 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet); - if (packet->referer_line.ptr != NULL && packet->referer_line.len >= 22) { + if(packet->referer_line.ptr != NULL && packet->referer_line.len >= 22) { - if (memcmp(&packet->referer_line.ptr[packet->referer_line.len - NDPI_STATICSTRING_LEN("WidgetMain.swf")], + if(memcmp(&packet->referer_line.ptr[packet->referer_line.len - NDPI_STATICSTRING_LEN("WidgetMain.swf")], "WidgetMain.swf", NDPI_STATICSTRING_LEN("WidgetMain.swf")) == 0) { u_int16_t i; for (i = 0; i < (packet->referer_line.len - 22); i++) { - if (packet->referer_line.ptr[i] == 'a') { - if (memcmp(&packet->referer_line.ptr[i + 1], "im/gromit/aim_express", 21) == 0) { + if(packet->referer_line.ptr[i] == 'a') { + if(memcmp(&packet->referer_line.ptr[i + 1], "im/gromit/aim_express", 21) == 0) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR over HTTP : aim/gromit/aim_express\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); 
@@ -681,13 +678,13 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } } - if (memcmp(packet->payload, "CONNECT ", 8) == 0) { - if (memcmp(packet->payload, "CONNECT login.icq.com:443 HTTP/1.", 33) == 0) { + if(memcmp(packet->payload, "CONNECT ", 8) == 0) { + if(memcmp(packet->payload, "CONNECT login.icq.com:443 HTTP/1.", 33) == 0) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR ICQ-HTTP\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } - if (memcmp(packet->payload, "CONNECT login.oscar.aol.com:5190 HTTP/1.", 40) == 0) { + if(memcmp(packet->payload, "CONNECT login.oscar.aol.com:5190 HTTP/1.", 40) == 0) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR AIM-HTTP\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; 
@@ -696,32 +693,32 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } - if (packet->payload_packet_len > 43 + if(packet->payload_packet_len > 43 && memcmp(packet->payload, "GET http://http.proxy.icq.com/hello HTTP/1.", 43) == 0) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR ICQ-HTTP PROXY\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } - if (packet->payload_packet_len > 46 + if(packet->payload_packet_len > 46 && memcmp(packet->payload, "GET http://aimhttp.oscar.aol.com/hello HTTP/1.", 46) == 0) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR AIM-HTTP PROXY\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } - if (packet->payload_packet_len > 5 && get_u_int32_t(packet->payload, 0) == htonl(0x05010003)) { + if(packet->payload_packet_len > 5 && get_u_int32_t(packet->payload, 0) == htonl(0x05010003)) { NDPI_LOG_DBG2(ndpi_struct, "Maybe OSCAR Picturetransfer\n"); return; } - if (packet->payload_packet_len == 10 && get_u_int32_t(packet->payload, 0) == htonl(0x05000001) && + if(packet->payload_packet_len == 10 && get_u_int32_t(packet->payload, 0) == htonl(0x05000001) && get_u_int32_t(packet->payload, 4) == 0) { NDPI_LOG_DBG2(ndpi_struct, "Maybe OSCAR Picturetransfer\n"); return; } - if (packet->payload_packet_len >= 70 && + if(packet->payload_packet_len >= 70 && memcmp(&packet->payload[packet->payload_packet_len - 26], "\x67\x00\x65\x00\x74\x00\x43\x00\x61\x00\x74\x00\x61\x00\x6c\x00\x6f\x00\x67", 19) == 0) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR PICTURE TRANSFER\n"); @@ -729,9 +726,9 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct return; } - if (NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_OSCAR) != 0) { + if(NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_OSCAR) != 0) { - if (flow->packet_counter == 1 + if(flow->packet_counter == 1 && ((packet->payload_packet_len == 9 && memcmp(packet->payload, "\x00\x09\x00\x00\x83\x01\xc0\x00\x00", 9) == 0) 
@@ -742,13 +739,13 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } #if 0 - if (flow->oscar_video_voice && ntohs(get_u_int16_t(packet->payload, 0)) == packet->payload_packet_len + if(flow->oscar_video_voice && ntohs(get_u_int16_t(packet->payload, 0)) == packet->payload_packet_len && packet->payload[2] == 0x00 && packet->payload[3] == 0x00) { } #endif - if (packet->payload_packet_len >= 70 && ntohs(get_u_int16_t(packet->payload, 4)) == packet->payload_packet_len) { - if (memcmp(packet->payload, "OFT", 3) == 0 && + if(packet->payload_packet_len >= 70 && ntohs(get_u_int16_t(packet->payload, 4)) == packet->payload_packet_len) { + if(memcmp(packet->payload, "OFT", 3) == 0 && ((packet->payload[3] == '3' && ((memcmp(&packet->payload[4], "\x01\x00\x01\x01", 4) == 0) || (memcmp(&packet->payload[6], "\x01\x01\x00", 3) == 0))) || (packet->payload[3] == '2' && ((memcmp(&packet->payload[6], "\x01\x01", 2) @@ -760,7 +757,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct return; } - if (memcmp(packet->payload, "ODC2", 4) == 0 && memcmp(&packet->payload[6], "\x00\x01\x00\x06", 4) == 0) { + if(memcmp(packet->payload, "ODC2", 4) == 0 && memcmp(&packet->payload[6], "\x00\x01\x00\x06", 4) == 0) { //PICTURE TRANSFER PATTERN EXMAPLE:: //4f 44 43 32 00 4c 00 01 00 06 00 00 00 00 00 00 ODC2.L.......... NDPI_LOG_INFO(ndpi_struct, "found OSCAR PICTURE TRANSFER\n"); @@ -768,7 +765,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct return; } } - if (packet->payload_packet_len > 40 && (memcmp(&packet->payload[2], "\x04\x4a\x00", 3) == 0) + if(packet->payload_packet_len > 40 && (memcmp(&packet->payload[2], "\x04\x4a\x00", 3) == 0) && (memcmp(&packet->payload[6], "\x00\x00", 2) == 0) && packet->payload[packet->payload_packet_len - 15] == 'F' && packet->payload[packet->payload_packet_len - 12] == 'L' 
@@ -776,21 +773,21 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct && (memcmp(&packet->payload[packet->payload_packet_len - 2], "\x00\x00", 2) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR PICTURE TRANSFER\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); - if (ntohs(packet->tcp->dest) == 443 || ntohs(packet->tcp->source) == 443) { + if(ntohs(packet->tcp->dest) == 443 || ntohs(packet->tcp->source) == 443) { flow->oscar_ssl_voice_stage = 1; } return; } } - if (flow->packet_counter < 3 && packet->payload_packet_len > 11 && (memcmp(packet->payload, "\x00\x37\x04\x4a", 4) + if(flow->packet_counter < 3 && packet->payload_packet_len > 11 && (memcmp(packet->payload, "\x00\x37\x04\x4a", 4) || memcmp(packet->payload, "\x00\x0a\x04\x4a", 4))) { return; } - if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_OSCAR) { + if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_OSCAR) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } @@ -800,7 +797,7 @@ void ndpi_search_oscar(struct ndpi_detection_module_struct *ndpi_struct, struct { struct ndpi_packet_struct *packet = &flow->packet; NDPI_LOG_DBG(ndpi_struct, "search OSCAR\n"); - if (packet->tcp != NULL) { + if(packet->tcp != NULL) { ndpi_search_oscar_tcp_connect(ndpi_struct, flow); } } From daae1cc9b1ae6b7c6b4187003fabb2a6ffab44f0 Mon Sep 17 00:00:00 2001 
From: Luca Date: Wed, 1 Jan 2020 12:59:19 +0100 Subject: [PATCH 05/12] Reworked TLS dissection --- example/ndpiReader.c | 2 + example/reader_util.c | 68 +- example/reader_util.h | 4 +- src/include/ndpi_api.h | 15 + src/include/ndpi_typedefs.h | 26 +- src/lib/ndpi_content_match.c.inc | 2 +- src/lib/ndpi_main.c | 59 +- src/lib/ndpi_utils.c | 7 +- src/lib/protocols/http.c | 8 +- src/lib/protocols/tls.c | 2149 +++++++---------- tests/pcap/dtls.pcap | Bin 0 -> 450 bytes tests/result/1kxun.pcap.out | 8 +- tests/result/6in4tunnel.pcap.out | 4 +- tests/result/KakaoTalk_chat.pcap.out | 16 +- tests/result/KakaoTalk_talk.pcap.out | 4 +- tests/result/anyconnect-vpn.pcap.out | 8 +- tests/result/dns_dot.pcap.out | 2 +- tests/result/dnscrypt.pcap.out | 8 +- tests/result/dtls.pcap.out | 8 + tests/result/facebook.pcap.out | 2 +- tests/result/google_ssl.pcap.out | 6 +- tests/result/http_ipv6.pcap.out | 12 +- tests/result/instagram.pcap.out | 14 +- tests/result/malware.pcap.out | 2 +- tests/result/netflix.pcap.out | 36 +- tests/result/nintendo.pcap.out | 4 +- tests/result/pps.pcap.out | 2 +- tests/result/signal.pcap.out | 20 +- tests/result/skype.pcap.out | 10 +- tests/result/skype_no_unknown.pcap.out | 12 +- tests/result/tor.pcap.out | 18 +- tests/result/viber.pcap.out | 12 +- tests/result/waze.pcap.out | 26 +- tests/result/webex.pcap.out | 56 +- tests/result/wechat.pcap.out | 56 +- tests/result/weibo.pcap.out | 4 +- tests/result/whatsapp_login_call.pcap.out | 116 +- tests/result/whatsapp_login_chat.pcap.out | 22 +- .../whatsapp_voice_and_message.pcap.out | 7 +- tests/result/whatsappfiles.pcap.out | 2 +- tests/result/youtubeupload.pcap.out | 2 +- tests/result/zoom.pcap.out | 16 +- 42 files changed, 1266 insertions(+), 1589 deletions(-) create mode 100644 tests/pcap/dtls.pcap create mode 100644 tests/result/dtls.pcap.out diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 77b1a3591..9ccef7e8e 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c 
@@ -1214,6 +1214,8 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa print_cipher(flow->ssh_tls.client_unsafe_cipher)); if(flow->ssh_tls.server_info[0] != '\0') fprintf(out, "[Server: %s]", flow->ssh_tls.server_info); + + if(flow->ssh_tls.server_names) fprintf(out, "[ServerNames: %s]", flow->ssh_tls.server_names); if(flow->ssh_tls.server_hassh[0] != '\0') fprintf(out, "[HASSH-S: %s]", flow->ssh_tls.server_hassh); if(flow->ssh_tls.ja3_server[0] != '\0') fprintf(out, "[JA3S: %s%s]", flow->ssh_tls.ja3_server, diff --git a/example/reader_util.c b/example/reader_util.c index a1a712837..57286cb0f 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -306,8 +306,6 @@ void ndpi_report_payload_stats() { } } - - /* ***************************************************** */ void ndpi_free_flow_info_half(struct ndpi_flow_info *flow) { @@ -457,9 +455,12 @@ void ndpi_flow_info_freer(void *node) { struct ndpi_flow_info *flow = (struct ndpi_flow_info*)node; ndpi_free_flow_info_half(flow); - ndpi_free_flow_data_analysis(flow); + if(flow->ssh_tls.server_names) { + ndpi_free(flow->ssh_tls.server_names); flow->ssh_tls.server_names = NULL; + } + ndpi_free(flow); } @@ -548,7 +549,7 @@ ndpi_flow_update_byte_count(struct ndpi_flow_info *flow, const void *x, if((flow->entropy.src2dst_pkt_count+flow->entropy.dst2src_pkt_count) <= max_num_packets_per_flow) { /* octet count was already incremented before processing this payload */ u_int32_t current_count; - + if(src_to_dst_direction) { current_count = flow->entropy.src2dst_l4_bytes - len; } else { @@ -558,7 +559,7 @@ ndpi_flow_update_byte_count(struct ndpi_flow_info *flow, const void *x, if(current_count < ETTA_MIN_OCTETS) { u_int32_t i; const unsigned char *data = x; - + for(i=0; ientropy.src2dst_byte_count[data[i]]++; 
@@ -590,10 +591,10 @@ ndpi_flow_update_byte_dist_mean_var(ndpi_flow_info_t *flow, const void *x, if((flow->entropy.src2dst_pkt_count+flow->entropy.dst2src_pkt_count) <= max_num_packets_per_flow) { unsigned int i; - + for(i=0; ientropy.src2dst_num_bytes += 1; delta = ((double)data[i] - flow->entropy.src2dst_bd_mean); @@ -617,9 +618,9 @@ float ndpi_flow_get_byte_count_entropy(const uint32_t byte_count[256], int i; float sum = 0.0; - for(i=0; i<256; i++) { + for(i=0; i<256; i++) { float tmp = (float) byte_count[i] / (float) num_bytes; - + if(tmp > FLT_EPSILON) { sum -= tmp * logf(tmp); } @@ -687,7 +688,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow workflow->stats.packet_len[4]++; else if(l4_packet_len >= 1500) workflow->stats.packet_len[5]++; - + if(l4_packet_len > workflow->stats.max_packet_len) workflow->stats.max_packet_len = l4_packet_len; @@ -885,7 +886,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow rflow->entropy.dst2src_opackets++; } } - + return(rflow); } } @@ -1033,8 +1034,9 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl flow->ssh_tls.ssl_version = flow->ndpi_flow->protos.stun_ssl.ssl.ssl_version; snprintf(flow->ssh_tls.client_info, sizeof(flow->ssh_tls.client_info), "%s", flow->ndpi_flow->protos.stun_ssl.ssl.client_certificate); - snprintf(flow->ssh_tls.server_info, sizeof(flow->ssh_tls.server_info), "%s", - flow->ndpi_flow->protos.stun_ssl.ssl.server_certificate); + + if(flow->ndpi_flow->protos.stun_ssl.ssl.server_names_len > 0) + flow->ssh_tls.server_names = ndpi_strdup(flow->ndpi_flow->protos.stun_ssl.ssl.server_names); snprintf(flow->ssh_tls.server_organization, sizeof(flow->ssh_tls.server_organization), "%s", flow->ndpi_flow->protos.stun_ssl.ssl.server_organization); flow->ssh_tls.notBefore = flow->ndpi_flow->protos.stun_ssl.ssl.notBefore; 
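Review bot: In process_ndpi_collected_info() the new `flow->ssh_tls.server_names = ndpi_strdup(...)` overwrites the pointer without releasing an earlier copy, and it tests only `server_names_len`, never the source pointer itself. If this function can run more than once for the same flow (its callers are only partly visible), every call after the first leaks the previous string, since ndpi_flow_info_freer() frees only the last one. I would guard the copy with `if(flow->ndpi_flow->protos.stun_ssl.ssl.server_names && !flow->ssh_tls.server_names)`. The function body starts and ends outside this hunk.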
@@ -1046,8 +1048,8 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl flow->ssh_tls.server_unsafe_cipher = flow->ndpi_flow->protos.stun_ssl.ssl.server_unsafe_cipher; flow->ssh_tls.server_cipher = flow->ndpi_flow->protos.stun_ssl.ssl.server_cipher; memcpy(flow->ssh_tls.sha1_cert_fingerprint, - flow->ndpi_flow->l4.tcp.tls_sha1_certificate_fingerprint, 20); - } + flow->ndpi_flow->l4.tcp.tls.sha1_certificate_fingerprint, 20); + } if(flow->detection_completed && (!flow->check_extra_packets)) { if(is_ndpi_proto(flow, NDPI_PROTOCOL_UNKNOWN)) { @@ -1178,7 +1180,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, if(flow->entropy.flow_last_pkt_time.tv_sec) { ndpi_timer_sub(&when, &flow->entropy.flow_last_pkt_time, &tdiff); - + if(flow->iat_flow && (tdiff.tv_sec >= 0) /* Discard backward time */ ) { @@ -1195,7 +1197,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, ndpi_timer_sub(&when, &flow->entropy.src2dst_last_pkt_time, &tdiff); if(flow->iat_c_to_s - && (tdiff.tv_sec >= 0) /* Discard backward time */ + && (tdiff.tv_sec >= 0) /* Discard backward time */ ) { u_int32_t ms = ndpi_timeval_to_milliseconds(tdiff); @@ -1300,11 +1302,11 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, u_int enough_packets = (((proto == IPPROTO_UDP) && ((flow->src2dst_packets + flow->dst2src_packets) > max_num_udp_dissected_pkts)) || ((proto == IPPROTO_TCP) && ((flow->src2dst_packets + flow->dst2src_packets) > max_num_tcp_dissected_pkts))) ? 1 : 0; - + #if 0 - printf("%s()\n", __FUNCTION__); + printf("%s()\n", __FUNCTION__); #endif - + flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow, iph ? (uint8_t *)iph : (uint8_t *)iph6, ipsize, time, src, dst); 
@@ -1322,14 +1324,14 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, if(ndpi_flow && ndpi_flow->check_extra_packets) flow->check_extra_packets = 1; #endif - + if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) { u_int8_t proto_guessed; - + flow->detected_protocol = ndpi_detection_giveup(workflow->ndpi_struct, flow->ndpi_flow, enable_protocol_guess, &proto_guessed); } - + process_ndpi_collected_info(workflow, flow); } } @@ -1372,7 +1374,7 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow, struct ndpi_proto nproto = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN }; ndpi_packet_tunnel tunnel_type = ndpi_no_tunnel; - + /* lengths and offsets */ u_int16_t eth_offset = 0; u_int16_t radio_len; @@ -1521,7 +1523,7 @@ ether_type_check: type = (packet[ip_offset+2] << 8) + packet[ip_offset+3]; ip_offset += 4; vlan_packet = 1; - + // double tagging for 802.1Q while((type == 0x8100) && (ip_offset < (u_int16_t)header->caplen)) { vlan_id = ((packet[ip_offset] << 8) + packet[ip_offset+1]) & 0xFFF; @@ -1530,7 +1532,7 @@ ether_type_check: } recheck_type = 1; break; - + case MPLS_UNI: case MPLS_MULTI: mpls.u32 = *((uint32_t *) &packet[ip_offset]); @@ -1545,21 +1547,21 @@ ether_type_check: } recheck_type = 1; break; - + case PPPoE: workflow->stats.pppoe_count++; type = ETH_P_IP; ip_offset += 8; recheck_type = 1; break; - + default: break; } - + if(recheck_type) goto ether_type_check; - + workflow->stats.vlan_count += vlan_packet; iph_check: @@ -1641,7 +1643,7 @@ ether_type_check: u_int8_t message_type = packet[offset+1]; tunnel_type = ndpi_gtp_tunnel; - + if((((flags & 0xE0) >> 5) == 1 /* GTPv1 */) && (message_type == 0xFF /* T-PDU */)) { @@ -1665,7 +1667,7 @@ ether_type_check: u_int16_t encapsulates = ntohs(*((u_int16_t*)&packet[offset+2])); tunnel_type = ndpi_tzsp_tunnel; - + if((version == 1) && (ts_type == 0) && (encapsulates == 1)) { u_int8_t stop = 0; 
@@ -1703,7 +1705,7 @@ ether_type_check: if((offset+40) < header->caplen) { u_int16_t msg_len = packet[offset+1] >> 1; - + offset += msg_len; if(packet[offset] == 0x02) { diff --git a/example/reader_util.h b/example/reader_util.h index c420ca211..d4f638d0b 100644 --- a/example/reader_util.h +++ b/example/reader_util.h @@ -94,7 +94,7 @@ typedef struct ndpi_ja3_info { // external hash table (host ip -> ) // used to aggregate ja3 fingerprints by hosts -typedef struct ndpi_host_ja3_fingerprints{ +typedef struct ndpi_host_ja3_fingerprints { u_int32_t ip; char *ip_string; char *dns_name; @@ -196,7 +196,7 @@ typedef struct ndpi_flow_info { struct { u_int16_t ssl_version; char client_info[64], server_info[64], - client_hassh[33], server_hassh[33], + client_hassh[33], server_hassh[33], *server_names, server_organization[64], ja3_client[33], ja3_server[33], sha1_cert_fingerprint[20]; diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index 669f59dda..c1d8845dc 100644 --- a/src/include/ndpi_api.h +++ b/src/include/ndpi_api.h @@ -506,6 +506,21 @@ extern "C" { u_int8_t ndpi_is_subprotocol_informative(struct ndpi_detection_module_struct *ndpi_mod, u_int16_t protoId); + /** + * Set hostname-based protocol + * + * @par ndpi_mod = the detection module + * @par flow = the flow to which this communication belongs to + * @par master_protocol = the master protocol for this flow + * @par name = the host name + * @par name_len = length of the host name + * + */ + int ndpi_match_hostname_protocol(struct ndpi_detection_module_struct *ndpi_mod, + struct ndpi_flow_struct *flow, + u_int16_t master_protocol, + char *name, u_int name_len); + /** * Get protocol category as string * diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 33ca4a724..ba00185ea 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h 
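Review bot: The new doc comment for ndpi_match_hostname_protocol() in ndpi_api.h describes the parameters but not the return value or the side effects on the flow. The definition added to ndpi_main.c in this patch returns 1 after setting the detected protocol and category on the flow, and 0 when no subprotocol matched; it also skips the leading `*` of a `*.` wildcard name before matching. I would add `@return 1 if a subprotocol was matched and set on the flow, 0 otherwise` and one line saying that `name_len` is the number of bytes of `name` to consider.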
@@ -637,17 +637,19 @@ struct ndpi_flow_tcp_struct { /* NDPI_PROTOCOL_TELNET */ u_int32_t telnet_stage:2; // 0 - 2 - void* tls_srv_cert_fingerprint_ctx; + struct { + struct { + u_int8_t *buffer; + u_int buffer_len, buffer_used; + } message; + + void* srv_cert_fingerprint_ctx; /* SHA-1 */ - /* NDPI_PROTOCOL_TLS */ - u_int8_t tls_seen_client_cert:1, - tls_seen_server_cert:1, - tls_seen_certificate:1, - tls_srv_cert_fingerprint_found:1, - tls_srv_cert_fingerprint_processed:1, - tls_stage:2, _pad:1; // 0 - 5 - int16_t tls_record_offset, tls_fingerprint_len; /* Need to be signed */ - u_int8_t tls_sha1_certificate_fingerprint[20]; + /* NDPI_PROTOCOL_TLS */ + u_int8_t hello_processed:1, certificate_processed:1, subprotocol_detected:1, _pad:5; + int16_t fingerprint_len; /* Need to be signed */ + u_int8_t sha1_certificate_fingerprint[20]; + } tls; /* NDPI_PROTOCOL_POSTGRES */ u_int32_t postgres_stage:3; @@ -1217,8 +1219,8 @@ struct ndpi_flow_struct { struct { struct { - u_int16_t ssl_version; - char client_certificate[64], server_certificate[64], server_organization[64]; + u_int16_t ssl_version, server_names_len; + char client_certificate[64], *server_names, server_organization[64]; u_int32_t notBefore, notAfter; char ja3_client[33], ja3_server[33]; u_int16_t server_cipher; diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index cd9ae19bf..9f960277b 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc 
@@ -8754,7 +8754,7 @@ static ndpi_protocol_match host_match[] = { // { ".googlezip.net", NULL, "\\.googlezip" TLD, "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE }, { "dns.google", NULL, "dns\\.google" TLD, "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, - // { "mozilla.cloudflare-dns.com", NULL, "mozilla\\.cloudflare-dns\\.com" TLD, "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, /* Firefox */ + { "mozilla.cloudflare-dns.com", NULL, "mozilla\\.cloudflare-dns\\.com" TLD, "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, /* Firefox */ { "cloudflare-dns.com", NULL, "cloudflare-dns\\.com" TLD, "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, { "commons.host", NULL, "commons\\.host" TLD, "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, { "doh.li", NULL, "doh\\.li" TLD, "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 84c6883a4..c5269171c 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -651,7 +651,6 @@ static int init_hyperscan(struct ndpi_detection_module_struct *ndpi_str) { ndpi_free(expressions[i]); ndpi_free(expressions), ndpi_free(ids); - ndpi_free(need_to_be_free); return(rc); @@ -3834,6 +3833,9 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str if(flow->http.content_type) ndpi_free(flow->http.content_type); if(flow->http.user_agent) ndpi_free(flow->http.user_agent); + if(flow->l4.tcp.tls.message.buffer) + ndpi_free(flow->l4.tcp.tls.message.buffer); + backup = flow->num_processed_pkts; backup1 = flow->guessed_protocol_id; backup2 = flow->guessed_host_protocol_id; 
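Review bot: The added `ndpi_free(flow->l4.tcp.tls.message.buffer)` in ndpi_init_packet_header() reads the TCP-specific part of `flow->l4` without checking the flow's transport, whereas ndpi_free_flow() in this same patch wraps its `l4.tcp.tls` access in `if(flow->l4_proto == IPPROTO_TCP)`. If `l4` is storage shared with UDP state (the declaration is not visible here), a non-TCP flow that reaches this reset path would hand unrelated bytes to ndpi_free(). Assuming `l4_proto` is already valid at this point, the guard could read `if((flow->l4_proto == IPPROTO_TCP) && flow->l4.tcp.tls.message.buffer)`. The enclosing function starts and ends outside the hunk.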
@@ -4216,13 +4218,13 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st || (flow->guessed_protocol_id == NDPI_PROTOCOL_MESSENGER) || (flow->guessed_protocol_id == NDPI_PROTOCOL_WHATSAPP_CALL)) ndpi_set_detected_protocol(ndpi_str, flow, flow->guessed_protocol_id, NDPI_PROTOCOL_UNKNOWN); - else if((flow->l4.tcp.tls_seen_client_cert == 1) + else if((flow->l4.tcp.tls.hello_processed == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) { ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN); } else { if((flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) && (flow->packet.l4_protocol == IPPROTO_TCP) - && (flow->l4.tcp.tls_stage > 1)) + && flow->l4.tcp.tls.hello_processed) flow->guessed_protocol_id = NDPI_PROTOCOL_TLS; guessed_protocol_id = flow->guessed_protocol_id, guessed_host_protocol_id = flow->guessed_host_protocol_id; @@ -4270,7 +4272,10 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st } } } else { - flow->detected_protocol_stack[1] = flow->guessed_protocol_id, + if(flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) + flow->detected_protocol_stack[1] = flow->guessed_protocol_id; + + if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) flow->detected_protocol_stack[0] = flow->guessed_host_protocol_id; if(flow->detected_protocol_stack[1] == flow->detected_protocol_stack[0]) @@ -4347,9 +4352,10 @@ void ndpi_process_extra_packet(struct ndpi_detection_module_struct *ndpi_str, if(flow->extra_packets_func) { if((flow->extra_packets_func(ndpi_str, flow)) == 0) flow->check_extra_packets = 0; - } - flow->num_extra_packets_checked++; + if(++flow->num_extra_packets_checked == flow->max_extra_packets_to_check) + flow->extra_packets_func = NULL; /* Enough packets detected */ + } } /* ********************************************************************************* */ 
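Review bot: In ndpi_process_extra_packet() the stop condition `++flow->num_extra_packets_checked == flow->max_extra_packets_to_check` fires only on exact equality. If a dissector leaves `max_extra_packets_to_check` lower than the current counter, or changes it after the counter has passed it, `extra_packets_func` is never cleared and the callback keeps running on every later packet of the flow. Unless 0 is meant as "no limit", `if(++flow->num_extra_packets_checked >= flow->max_extra_packets_to_check)` makes the bound hold in all cases. Whether the caller enforces the limit as well is not visible in this hunk.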
@@ -4614,7 +4620,7 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_str, } } - if((flow->l4.tcp.tls_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) { + if(flow->protos.stun_ssl.ssl.client_certificate[0] != '\0') { unsigned long id; int rc = ndpi_match_custom_category(ndpi_str, (char *)flow->protos.stun_ssl.ssl.client_certificate, @@ -6329,6 +6335,33 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_ return(rc); } +/* **************************************** */ + +int ndpi_match_hostname_protocol(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + u_int16_t master_protocol, + char *name, u_int name_len) { + ndpi_protocol_match_result ret_match; + u_int16_t subproto, what_len; + char *what; + + if((name_len > 2) && (name[0] == '*') && (name[1] == '.')) + what = &name[1], what_len = name_len - 1; + else + what = name, what_len = name_len; + + subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, + what, what_len, + &ret_match, master_protocol); + + if(subproto != NDPI_PROTOCOL_UNKNOWN) { + ndpi_set_detected_protocol(ndpi_struct, flow, subproto, master_protocol); + ndpi_int_change_category(ndpi_struct, flow, ret_match.protocol_category); + return(1); + } else + return(0); +} + /* ****************************************************** */ u_int16_t ndpi_match_content_subprotocol(struct ndpi_detection_module_struct *ndpi_str, 
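Review bot: Dropping the `tls_seen_client_cert` test in ndpi_fill_protocol_category() means `protos.stun_ssl.ssl.client_certificate` is now matched against the custom categories for every flow, with nothing in the visible condition tying it to TLS. If `protos` is storage shared between dissectors (its declaration is not visible here), a non-TLS flow could have another protocol's data interpreted as a host name and end up mis-categorised. I would keep a TLS-specific gate, for example `if(flow->l4.tcp.tls.hello_processed && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0'))`, which is the pair of conditions ndpi_detection_giveup() tests in this patch. The function body continues outside the hunk.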
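Review bot: ndpi_match_hostname_protocol() stores the length in `u_int16_t what_len` although `name_len` is a `u_int`, so a length above 65535 is silently truncated before it reaches the matcher. A NULL `name` with a short length is also forwarded unchecked. Since the name comes from parsed traffic, an early rejection keeps both cases out of the matcher: `if((name == NULL) || (name_len == 0) || (name_len > 0xFFFF)) return(0);`.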
@@ -6378,10 +6411,12 @@ void ndpi_free_flow(struct ndpi_flow_struct *flow) { if(flow->http.content_type) ndpi_free(flow->http.content_type); if(flow->http.user_agent) ndpi_free(flow->http.user_agent); if(flow->kerberos_buf.pktbuf) ndpi_free(flow->kerberos_buf.pktbuf); - + if(flow->protos.stun_ssl.ssl.server_names) + ndpi_free(flow->protos.stun_ssl.ssl.server_names); + if(flow->l4_proto == IPPROTO_TCP) { - if(flow->l4.tcp.tls_srv_cert_fingerprint_ctx) - ndpi_free(flow->l4.tcp.tls_srv_cert_fingerprint_ctx); + if(flow->l4.tcp.tls.srv_cert_fingerprint_ctx) + ndpi_free(flow->l4.tcp.tls.srv_cert_fingerprint_ctx); } ndpi_free(flow); @@ -6561,8 +6596,8 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp switch(proto) { case NDPI_PROTOCOL_TLS: - if(!flow->l4.tcp.tls_srv_cert_fingerprint_processed) - return(1); + if(!flow->l4.tcp.tls.certificate_processed) + return(1); /* TODO: add check for TLS 1.3 */ break; case NDPI_PROTOCOL_HTTP: diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index cc44df2e2..6979d099c 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -1044,7 +1044,8 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct, ndpi_serialize_start_of_block(serializer, "tls"); ndpi_serialize_string_string(serializer, "version", version); ndpi_serialize_string_string(serializer, "client_cert", flow->protos.stun_ssl.ssl.client_certificate); - ndpi_serialize_string_string(serializer, "server_cert", flow->protos.stun_ssl.ssl.server_certificate); + if(flow->protos.stun_ssl.ssl.server_names) + ndpi_serialize_string_string(serializer, "server_names", flow->protos.stun_ssl.ssl.server_names); ndpi_serialize_string_string(serializer, "issuer", flow->protos.stun_ssl.ssl.server_organization); if(before) { 
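Review bot: ndpi_free_flow() now frees `flow->protos.stun_ssl.ssl.server_names` for every flow regardless of protocol, while the reassembly buffer `flow->l4.tcp.tls.message.buffer` introduced by this patch is not released here. If `protos` is storage shared between dissectors (its declaration is not visible), a non-TLS flow may pass a pointer-sized slice of unrelated data to ndpi_free(); gating that free on the flow having been handled by the TLS dissector would avoid it. For the buffer, adding `if(flow->l4.tcp.tls.message.buffer) ndpi_free(flow->l4.tcp.tls.message.buffer);` inside the existing `l4_proto == IPPROTO_TCP` block would prevent a per-flow leak, unless tls.c already releases it on every path, which this hunk does not show.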
@@ -1061,10 +1062,10 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct, ndpi_serialize_string_uint32(serializer, "unsafe_cipher", flow->protos.stun_ssl.ssl.server_unsafe_cipher); ndpi_serialize_string_string(serializer, "cipher", ndpi_cipher2str(flow->protos.stun_ssl.ssl.server_cipher)); - if(flow->l4.tcp.tls_sha1_certificate_fingerprint[0] != '\0') { + if(flow->l4.tcp.tls.sha1_certificate_fingerprint[0] != '\0') { for(i=0, off=0; i<20; i++) { int rc = snprintf(&buf[off], sizeof(buf)-off,"%s%02X", (i > 0) ? ":" : "", - flow->l4.tcp.tls_sha1_certificate_fingerprint[i] & 0xFF); + flow->l4.tcp.tls.sha1_certificate_fingerprint[i] & 0xFF); if(rc <= 0) break; else off += rc; } diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index b599b82a9..0e995aa46 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -159,14 +159,12 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp struct ndpi_flow_struct *flow) { if((flow->l4.tcp.http_stage == 0) || (flow->http.url && flow->http_detected)) { char *double_col = strchr((char*)flow->host_server_name, ':'); - ndpi_protocol_match_result ret_match; if(double_col) double_col[0] = '\0'; - ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)flow->host_server_name, - strlen((const char *)flow->host_server_name), - &ret_match, - NDPI_PROTOCOL_HTTP); + ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, + (char *)flow->host_server_name, + strlen((const char *)flow->host_server_name)); } } diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 3fda1d22a..1130eb7fe 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c 
@@ -31,9 +31,17 @@ extern char *strptime(const char *s, const char *format, struct tm *tm); +extern int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow); + +#if 0 +#define DEBUG_TLS_MEMORY 1 +#define DEBUG_TLS 1 +#endif -/* #define DEBUG_TLS 1 */ +// #define DEBUG_CERTIFICATE_HASH + /* #define DEBUG_FINGERPRINT 1 */ /* @@ -60,8 +68,8 @@ extern u_int8_t is_skype_flow(struct ndpi_detection_module_struct *ndpi_struct, /* stun.c */ extern u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev); -extern int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow); +static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, u_int32_t protocol); /* **************************************** */ 
@@ -93,30 +101,61 @@ static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_st } } - return protocol; + return(protocol); } /* **************************************** */ -static void sslInitExtraPacketProcessing(struct ndpi_flow_struct *flow) { - flow->check_extra_packets = 1; +void ndpi_search_tls_tcp_memory(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; - /* At most 7 packets should almost always be enough to find the server certificate if it's there */ - flow->max_extra_packets_to_check = 7; - flow->extra_packets_func = sslTryAndRetrieveServerCertificate; -} + /* TCP */ +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Handling TCP/TLS flow [payload_len: %u][buffer_len: %u][direction: %u]\n", + packet->payload_packet_len, + flow->l4.tcp.tls.message.buffer_len, + packet->packet_direction); +#endif -/* **************************************** */ + if(flow->l4.tcp.tls.message.buffer == NULL) { + /* Allocate buffer */ + flow->l4.tcp.tls.message.buffer_len = 2048, flow->l4.tcp.tls.message.buffer_used = 0; + flow->l4.tcp.tls.message.buffer = (u_int8_t*)ndpi_malloc(flow->l4.tcp.tls.message.buffer_len); -static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, u_int32_t protocol) { - if(protocol != NDPI_PROTOCOL_TLS) - ; - else - protocol = ndpi_tls_refine_master_protocol(ndpi_struct, flow, protocol); + if(flow->l4.tcp.tls.message.buffer == NULL) + return; - ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_TLS); - sslInitExtraPacketProcessing(flow); +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Allocating %u buffer\n", flow->l4.tcp.tls.message.buffer_len); +#endif + } + + u_int avail_bytes = flow->l4.tcp.tls.message.buffer_len - flow->l4.tcp.tls.message.buffer_used; + if(avail_bytes < packet->payload_packet_len) { + u_int new_len = flow->l4.tcp.tls.message.buffer_len + 
packet->payload_packet_len; + void *newbuf = ndpi_realloc(flow->l4.tcp.tls.message.buffer, + flow->l4.tcp.tls.message.buffer_len, new_len); + if(!newbuf) return; + + flow->l4.tcp.tls.message.buffer = (u_int8_t*)newbuf, flow->l4.tcp.tls.message.buffer_len = new_len; + avail_bytes = flow->l4.tcp.tls.message.buffer_len - flow->l4.tcp.tls.message.buffer_used; + +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Enlarging %u -> %u buffer\n", flow->l4.tcp.tls.message.buffer_len, new_len); +#endif + } + + if(avail_bytes >= packet->payload_packet_len) { + memcpy(&flow->l4.tcp.tls.message.buffer[flow->l4.tcp.tls.message.buffer_used], + packet->payload, packet->payload_packet_len); + + flow->l4.tcp.tls.message.buffer_used += packet->payload_packet_len; +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Copied data to buffer [%u/%u bytes]\n", + flow->l4.tcp.tls.message.buffer_used, flow->l4.tcp.tls.message.buffer_len); +#endif + } } /* **************************************** */ @@ -134,9 +173,12 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp /* **************************************** */ -static void stripCertificateTrailer(char *buffer, int buffer_len) { - int i, is_puny; - +static void cleanupServerName(char *buffer, int buffer_len) { + u_int i; + +#if 0 + int is_puny; + // printf("->%s<-\n", buffer); for(i = 0; i < buffer_len; i++) { @@ -159,7 +201,6 @@ static void stripCertificateTrailer(char *buffer, int buffer_len) { // not a punycode string - need more checks if(is_puny == 0) { - if(i > 0) i--; while(i > 0) { 
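Review bot: `ndpi_search_tls_tcp_memory()` enlarges `flow->l4.tcp.tls.message.buffer` by `payload_packet_len` whenever a packet does not fit, and nothing in this hunk caps `new_len` or resets `buffer_used`, so a peer that keeps sending on such a flow can make the per-flow allocation grow without bound unless a caller outside the hunk trims it. An upper limit before the `ndpi_realloc()` call would bound that, e.g. `if(new_len > TLS_REASSEMBLY_MAX /* placeholder name and value */) return;`. The copy also ignores `packet->packet_direction` (it is only printed under `DEBUG_TLS_MEMORY`), so client and server bytes appear to land in the same buffer; a comment should say whether that is intended. The `ndpi_free_flow()` hunk in this patch releases `tls.srv_cert_fingerprint_ctx` but shows no matching free for `tls.message.buffer`, so please confirm it is released elsewhere.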
@@ -177,7 +218,8 @@ static void stripCertificateTrailer(char *buffer, int buffer_len) { buffer[i] = '\0', buffer_len = i; } } - +#endif + /* Now all lowecase */ for(i=0; ipacket; - struct ja3_info ja3; - u_int8_t invalid_ja3 = 0; - u_int16_t pkt_tls_version = (packet->payload[1] << 8) + packet->payload[2], ja3_str_len; - char ja3_str[JA3_STR_LEN]; - ndpi_MD5_CTX ctx; - u_char md5_hash[16]; - int i; - - if(packet->udp) { - /* Check if this is DTLS or return */ - if((packet->payload[1] != 0xfe) - || ((packet->payload[2] != 0xff) && (packet->payload[2] != 0xfd))) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return(0); - } - } - - flow->protos.stun_ssl.ssl.ssl_version = pkt_tls_version; - - memset(&ja3, 0, sizeof(ja3)); - -#ifdef DEBUG_TLS - { - u_int16_t tls_len = (packet->payload[3] << 8) + packet->payload[4]; - - printf("SSL Record [version: 0x%04X][len: %u]\n", pkt_tls_version, tls_len); - } -#endif - - /* - Nothing matched so far: let's decode the certificate with some heuristics - Patches courtesy of Denys Fedoryshchenko - */ - if(packet->payload[0] == 0x16 /* Handshake */) { - u_int16_t total_len; - u_int8_t handshake_protocol, header_len; - - if(packet->tcp) { - header_len = 5; /* SSL Header */ - handshake_protocol = packet->payload[5]; /* handshake protocol a bit misleading, it is message type according TLS specs */ - total_len = (packet->payload[3] << 8) + packet->payload[4]; - } else { - header_len = 13; /* DTLS header */ - handshake_protocol = packet->payload[13]; - total_len = ntohs(*((u_int16_t*)&packet->payload[11])); - } - - total_len += header_len; - memset(buffer, 0, buffer_len); - - /* Truncate total len, search at least in incomplete packet */ - if(total_len > packet->payload_packet_len) - total_len = packet->payload_packet_len; - - /* At least "magic" 3 bytes, null for string end, otherwise no need to waste cpu cycles */ - if(total_len > 4) { - u_int16_t base_offset = packet->tcp ? 
43 : 59; - -#ifdef DEBUG_TLS - printf("SSL [len: %u][handshake_protocol: %02X]\n", packet->payload_packet_len, handshake_protocol); -#endif - - if((handshake_protocol == 0x02) - || (handshake_protocol == 0x0b) /* Server Hello and Certificate message types are interesting for us */) { - u_int num_found = 0; - u_int16_t tls_version; - int i, rc; - - if(packet->tcp) - tls_version = ntohs(*((u_int16_t*)&packet->payload[header_len+4])); - else - tls_version = ntohs(*((u_int16_t*)&packet->payload[header_len+12])); - - ja3.tls_handshake_version = tls_version; - - if(handshake_protocol == 0x02) { - u_int16_t offset = base_offset, extension_len, j; - u_int8_t session_id_len = packet->payload[offset]; - -#ifdef DEBUG_TLS - printf("SSL Server Hello [version: 0x%04X]\n", tls_version); -#endif - - /* - The server hello decides about the SSL version of this flow - https://networkengineering.stackexchange.com/questions/55752/why-does-wireshark-show-version-tls-1-2-here-instead-of-tls-1-3 - */ - flow->protos.stun_ssl.ssl.ssl_version = tls_version; - - if(packet->udp) - offset += 1; - else { - if(tls_version < 0x7F15 /* TLS 1.3 lacks of session id */) - offset += session_id_len+1; - } - - ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset])); - flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0]); - flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0]; - -#ifdef DEBUG_TLS - printf("TLS [server][session_id_len: %u][cipher: %04X]\n", session_id_len, ja3.cipher[0]); -#endif - - offset += 2 + 1; - - if((offset + 1) < packet->payload_packet_len) /* +1 because we are goint to read 2 bytes */ - extension_len = ntohs(*((u_int16_t*)&packet->payload[offset])); - else - extension_len = 0; - -#ifdef DEBUG_TLS - printf("TLS [server][extension_len: %u]\n", extension_len); -#endif - offset += 2; - - for(i=0; i= (packet->payload_packet_len+4)) break; - - extension_id = ntohs(*((u_int16_t*)&packet->payload[offset])); - extension_len 
= ntohs(*((u_int16_t*)&packet->payload[offset+2])); - - if(ja3.num_tls_extension < MAX_NUM_JA3) - ja3.tls_extension[ja3.num_tls_extension++] = extension_id; - -#ifdef DEBUG_TLS - printf("TLS [server][extension_id: %u/0x%04X][len: %u]\n", - extension_id, extension_id, extension_len); -#endif - - if(extension_id == 43 /* supported versions */) { - if(extension_len >= 2) { - u_int16_t tls_version = ntohs(*((u_int16_t*)&packet->payload[offset+4])); - -#ifdef DEBUG_TLS - printf("TLS [server] [TLS version: 0x%04X]\n", tls_version); -#endif - - flow->protos.stun_ssl.ssl.ssl_version = tls_version; - } - } - - i += 4 + extension_len, offset += 4 + extension_len; - } - - ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version); - - for(i=0; i 0) ? "-" : "", ja3.cipher[i]); - - if(rc <= 0) break; else ja3_str_len += rc; - } - - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); - if(rc > 0) ja3_str_len += rc; - - /* ********** */ - - for(i=0; i 0) ? "-" : "", ja3.tls_extension[i]); - - if(rc <= 0) break; else ja3_str_len += rc; - } - -#ifdef DEBUG_TLS - printf("TLS [server] %s\n", ja3_str); -#endif - -#ifdef DEBUG_TLS - printf("[JA3] Server: %s \n", ja3_str); -#endif - - ndpi_MD5Init(&ctx); - ndpi_MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str)); - ndpi_MD5Final(md5_hash, &ctx); - - for(i=0, j=0; i<16; i++) { - int rc = snprintf(&flow->protos.stun_ssl.ssl.ja3_server[j], - sizeof(flow->protos.stun_ssl.ssl.ja3_server)-j, "%02x", md5_hash[i]); - if(rc <= 0) break; else j += rc; - } - -#ifdef DEBUG_TLS - printf("[JA3] Server: %s \n", flow->protos.stun_ssl.ssl.ja3_server); -#endif - - flow->l4.tcp.tls_seen_server_cert = 1; - } else - flow->l4.tcp.tls_seen_certificate = 1; - - /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */ - for(i = 9; i < packet->payload_packet_len-3; i++) { - if(((packet->payload[i] == 0x04) && (packet->payload[i+1] == 0x03) && (packet->payload[i+2] == 0x0c)) - || 
((packet->payload[i] == 0x04) && (packet->payload[i+1] == 0x03) && (packet->payload[i+2] == 0x13)) - || ((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x03))) { - u_int8_t server_len, off = 0; - - if(packet->payload[i] == 0x55) { - num_found++, off++; - - if(num_found != 2) continue; - } - - server_len = packet->payload[i+3+off]; - - if((server_len+i+3) < packet->payload_packet_len) { - char *server_name = (char*)&packet->payload[i+4+off]; - u_int8_t begin = 0, len, j, num_dots; - - while(begin < server_len) { - if(!ndpi_isprint(server_name[begin])) - begin++; - else - break; - } - - len = ndpi_min(server_len-begin, buffer_len-1); - // len = buffer_len-1; - - strncpy(buffer, &server_name[begin], len); - buffer[len] = '\0'; - - // if(len != (buffer_len-1)) printf("len=%u / buffer_len-1=%u\n", len, buffer_len-1); - - /* We now have to check if this looks like an IP address or host name */ - for(j=0, num_dots = 0; j=1) break; - } - } - - if(num_dots >= 1) { - ndpi_protocol_match_result ret_match; - u_int16_t subproto; - - stripCertificateTrailer(buffer, buffer_len); - snprintf(flow->protos.stun_ssl.ssl.server_certificate, - sizeof(flow->protos.stun_ssl.ssl.server_certificate), "%s", buffer); - -#ifdef DEBUG_TLS - printf("[server_certificate: %s]\n", flow->protos.stun_ssl.ssl.server_certificate); -#endif - - subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, - flow->protos.stun_ssl.ssl.server_certificate, - strlen(flow->protos.stun_ssl.ssl.server_certificate), - &ret_match, - NDPI_PROTOCOL_TLS); - - if(subproto != NDPI_PROTOCOL_UNKNOWN) - ndpi_set_detected_protocol(ndpi_struct, flow, subproto, NDPI_PROTOCOL_TLS); - return(1 /* Server Certificate */); - } - } - } - } - } else if(handshake_protocol == 0x01 /* Client Hello */) { - u_int offset; - -#ifdef DEBUG_TLS - printf("[base_offset: %u][payload_packet_len: %u]\n", base_offset, packet->payload_packet_len); -#endif - - if(base_offset + 2 <= packet->payload_packet_len) 
{ - u_int16_t session_id_len; - u_int16_t tls_version; - - if(packet->tcp) - tls_version = ntohs(*((u_int16_t*)&packet->payload[header_len+4])); - else - tls_version = ntohs(*((u_int16_t*)&packet->payload[header_len+12])); - - session_id_len = packet->payload[base_offset]; - - ja3.tls_handshake_version = tls_version; - - if((session_id_len+base_offset+2) <= total_len) { - u_int16_t cipher_len, cipher_offset; - - if(packet->tcp) { - cipher_len = packet->payload[session_id_len+base_offset+2] + (packet->payload[session_id_len+base_offset+1] << 8); - cipher_offset = base_offset + session_id_len + 3; - } else { - cipher_len = ntohs(*((u_int16_t*)&packet->payload[base_offset+2])); - cipher_offset = base_offset+4; - } - -#ifdef DEBUG_TLS - printf("Client SSL [client cipher_len: %u][tls_version: 0x%04X]\n", cipher_len, tls_version); -#endif - - if((cipher_offset+cipher_len) <= total_len) { - for(i=0; ipayload[cipher_offset+i]; - -#ifdef DEBUG_TLS - printf("Client SSL [cipher suite: %u/0x%04X] [%d/%u]\n", ntohs(*id), ntohs(*id), i, cipher_len); -#endif - if((*id == 0) || (packet->payload[cipher_offset+i] != packet->payload[cipher_offset+i+1])) { - /* - Skip GREASE [https://tools.ietf.org/id/draft-ietf-tls-grease-01.html] - https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 - */ - - if(ja3.num_cipher < MAX_NUM_JA3) - ja3.cipher[ja3.num_cipher++] = ntohs(*id); - else { - invalid_ja3 = 1; -#ifdef DEBUG_TLS - printf("Client SSL Invalid cipher %u\n", ja3.num_cipher); -#endif - } - } - - i += 2; - } - } else { - invalid_ja3 = 1; -#ifdef DEBUG_TLS - printf("Client SSL Invalid len %u vs %u\n", (cipher_offset+cipher_len), total_len); -#endif - } - - offset = base_offset + session_id_len + cipher_len + 2; - - flow->l4.tcp.tls_seen_client_cert = 1; - - if(offset < total_len) { - u_int16_t compression_len; - u_int16_t extensions_len; - - offset += packet->tcp ? 
1 : 2; - compression_len = packet->payload[offset]; - offset++; - -#ifdef DEBUG_TLS - printf("Client SSL [compression_len: %u]\n", compression_len); -#endif - - // offset += compression_len + 3; - offset += compression_len; - - if(offset < total_len) { - extensions_len = ntohs(*((u_int16_t*)&packet->payload[offset])); - offset += 2; - -#ifdef DEBUG_TLS - printf("Client SSL [extensions_len: %u]\n", extensions_len); -#endif - - if((extensions_len+offset) <= total_len) { - /* Move to the first extension - Type is u_int to avoid possible overflow on extension_len addition */ - u_int extension_offset = 0; - u_int32_t j; - - while(extension_offset < extensions_len) { - u_int16_t extension_id, extension_len, extn_off = offset+extension_offset; - - extension_id = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset])); - extension_offset += 2; - - extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset])); - extension_offset += 2; - -#ifdef DEBUG_TLS - printf("Client SSL [extension_id: %u][extension_len: %u]\n", extension_id, extension_len); -#endif - - if((extension_id == 0) || (packet->payload[extn_off] != packet->payload[extn_off+1])) { - /* Skip GREASE */ - - if(ja3.num_tls_extension < MAX_NUM_JA3) - ja3.tls_extension[ja3.num_tls_extension++] = extension_id; - else { - invalid_ja3 = 1; -#ifdef DEBUG_TLS - printf("Client SSL Invalid extensions %u\n", ja3.num_tls_extension); -#endif - } - } - - if(extension_id == 0 /* server name */) { - u_int16_t len; - - len = (packet->payload[offset+extension_offset+3] << 8) + packet->payload[offset+extension_offset+4]; - len = (u_int)ndpi_min(len, buffer_len-1); - - if((offset+extension_offset+5+len) < packet->payload_packet_len) { - strncpy(buffer, (char*)&packet->payload[offset+extension_offset+5], len); - buffer[len] = '\0'; - - stripCertificateTrailer(buffer, buffer_len); - - snprintf(flow->protos.stun_ssl.ssl.client_certificate, - sizeof(flow->protos.stun_ssl.ssl.client_certificate), - "%s", buffer); 
- } - } else if(extension_id == 10 /* supported groups */) { - u_int16_t s_offset = offset+extension_offset + 2; - -#ifdef DEBUG_TLS - printf("Client SSL [EllipticCurveGroups: len=%u]\n", extension_len); -#endif - - if((s_offset+extension_len-2) <= total_len) { - for(i=0; ipayload[s_offset+i])); - -#ifdef DEBUG_TLS - printf("Client SSL [EllipticCurve: %u/0x%04X]\n", s_group, s_group); -#endif - if((s_group == 0) || (packet->payload[s_offset+i] != packet->payload[s_offset+i+1])) { - /* Skip GREASE */ - if(ja3.num_elliptic_curve < MAX_NUM_JA3) - ja3.elliptic_curve[ja3.num_elliptic_curve++] = s_group; - else { - invalid_ja3 = 1; -#ifdef DEBUG_TLS - printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve); -#endif - } - } - - i += 2; - } - } else { - invalid_ja3 = 1; -#ifdef DEBUG_TLS - printf("Client SSL Invalid len %u vs %u\n", (s_offset+extension_len-1), total_len); -#endif - } - } else if(extension_id == 11 /* ec_point_formats groups */) { - u_int16_t s_offset = offset+extension_offset + 1; - -#ifdef DEBUG_TLS - printf("Client SSL [EllipticCurveFormat: len=%u]\n", extension_len); -#endif - if((s_offset+extension_len) < total_len) { - for(i=0; ipayload[s_offset+i]; - -#ifdef DEBUG_TLS - printf("Client SSL [EllipticCurveFormat: %u]\n", s_group); -#endif - - if(ja3.num_elliptic_curve_point_format < MAX_NUM_JA3) - ja3.elliptic_curve_point_format[ja3.num_elliptic_curve_point_format++] = s_group; - else { - invalid_ja3 = 1; -#ifdef DEBUG_TLS - printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve_point_format); -#endif - } - } - } else { - invalid_ja3 = 1; -#ifdef DEBUG_TLS - printf("Client SSL Invalid len %u vs %u\n", s_offset+extension_len, total_len); -#endif - } - } else if(extension_id == 43 /* supported versions */) { - u_int8_t version_len = packet->payload[offset+4]; - - if(version_len == (extension_len-1)) { -#ifdef DEBUG_TLS - u_int8_t j; - - for(j=0; jpayload[offset+5+j])); - - printf("Client SSL [TLS version: 0x%04X]\n", 
tls_version); - } -#endif - } - } - - extension_offset += extension_len; - -#ifdef DEBUG_TLS - printf("Client SSL [extension_offset/len: %u/%u]\n", extension_offset, extension_len); -#endif - } /* while */ - - if(!invalid_ja3) { - int rc; - - compute_ja3c: - ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version); - - for(i=0; i 0) ? "-" : "", ja3.cipher[i]); - if(rc > 0) ja3_str_len += rc; else break; - } - - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); - if(rc > 0) ja3_str_len += rc; - - /* ********** */ - - for(i=0; i 0) ? "-" : "", ja3.tls_extension[i]); - if(rc > 0) ja3_str_len += rc; else break; - } - - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); - if(rc > 0) ja3_str_len += rc; - - /* ********** */ - - for(i=0; i 0) ? "-" : "", ja3.elliptic_curve[i]); - if(rc > 0) ja3_str_len += rc; else break; - } - - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); - if(rc > 0) ja3_str_len += rc; - - for(i=0; i 0) ? 
"-" : "", ja3.elliptic_curve_point_format[i]); - if(rc > 0) ja3_str_len += rc; else break; - } - -#ifdef DEBUG_TLS - printf("[JA3] Client: %s \n", ja3_str); -#endif - - ndpi_MD5Init(&ctx); - ndpi_MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str)); - ndpi_MD5Final(md5_hash, &ctx); - - for(i=0, j=0; i<16; i++) { - rc = snprintf(&flow->protos.stun_ssl.ssl.ja3_client[j], - sizeof(flow->protos.stun_ssl.ssl.ja3_client)-j, "%02x", - md5_hash[i]); - if(rc > 0) j += rc; else break; - } -#ifdef DEBUG_TLS - printf("[JA3] Client: %s \n", flow->protos.stun_ssl.ssl.ja3_client); -#endif - } - - return(2 /* Client Certificate */); - } - } else if(offset == total_len) { - /* SSL does not have extensions etc */ - goto compute_ja3c; - } - } - } - } - } - } - } - - return(0); /* Not found */ -} - -/* **************************************** */ - /* See https://blog.catchpoint.com/2017/05/12/dissecting-tls-using-wireshark/ */ -int getSSCertificateFingerprint(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { +static void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + u_int16_t offset, u_int16_t certificate_len) { struct ndpi_packet_struct *packet = &flow->packet; - u_int8_t multiple_messages; - - if(flow->l4.tcp.tls_srv_cert_fingerprint_processed) - return(0); /* We're good */ + u_int num_found = 0, i, j; + char buffer[64] = { '\0' }; #ifdef DEBUG_TLS - printf("=>> [TLS] %s() [tls_record_offset=%d][payload_packet_len=%u][direction: %u][%02X %02X %02X...]\n", - __FUNCTION__, flow->l4.tcp.tls_record_offset, packet->payload_packet_len, - packet->packet_direction, - packet->payload[0], packet->payload[1], packet->payload[2]); + printf("[TLS] %s() [offset: %u][certificate_len: %u]\n", __FUNCTION__, offset, certificate_len); #endif - - if((packet->packet_direction == 0) /* Client -> Server */ - || (packet->payload_packet_len == 0)) - return(1); /* More packets please */ - else 
if(flow->l4.tcp.tls_srv_cert_fingerprint_processed) - return(0); /* We're good */ - - if(packet->payload_packet_len <= flow->l4.tcp.tls_record_offset) { - /* Avoid invalid memory accesses */ - return(1); - } - - if(flow->l4.tcp.tls_fingerprint_len > 0) { - unsigned int avail = packet->payload_packet_len - flow->l4.tcp.tls_record_offset; - - if(avail > flow->l4.tcp.tls_fingerprint_len) - avail = flow->l4.tcp.tls_fingerprint_len; - -#ifdef DEBUG_TLS - printf("=>> [TLS] Certificate record [%02X %02X %02X...][missing: %u][offset: %u][avail: %u] (B)\n", - packet->payload[flow->l4.tcp.tls_record_offset], - packet->payload[flow->l4.tcp.tls_record_offset+1], - packet->payload[flow->l4.tcp.tls_record_offset+2], - flow->l4.tcp.tls_fingerprint_len, flow->l4.tcp.tls_record_offset, avail - ); -#endif - -#ifdef DEBUG_CERTIFICATE_HASH - for(i=0;ipayload[flow->l4.tcp.tls_record_offset+i]); - printf("\n"); -#endif - - SHA1Update(flow->l4.tcp.tls_srv_cert_fingerprint_ctx, - &packet->payload[flow->l4.tcp.tls_record_offset], - avail); - - flow->l4.tcp.tls_fingerprint_len -= avail; - - if(flow->l4.tcp.tls_fingerprint_len == 0) { - SHA1Final(flow->l4.tcp.tls_sha1_certificate_fingerprint, flow->l4.tcp.tls_srv_cert_fingerprint_ctx); - -#ifdef DEBUG_TLS - { - int i; - - printf("=>> [TLS] SHA-1: "); - for(i=0;i<20;i++) - printf("%s%02X", (i > 0) ? 
":" : "", flow->l4.tcp.tls_sha1_certificate_fingerprint[i]); - printf("\n"); - } -#endif - - flow->l4.tcp.tls_srv_cert_fingerprint_processed = 1; - return(0); /* We're good */ - } else { - flow->l4.tcp.tls_record_offset = 0; -#ifdef DEBUG_TLS - printf("=>> [TLS] Certificate record: still missing %u bytes\n", flow->l4.tcp.tls_fingerprint_len); -#endif - return(1); /* More packets please */ - } - } - - if(packet->payload[flow->l4.tcp.tls_record_offset] == 0x15 /* Alert */) { - u_int len = ntohs(*(u_int16_t*)&packet->payload[flow->l4.tcp.tls_record_offset+3]) + 5 /* SSL header len */; - - if(len < 10 /* Sanity check */) { - if((flow->l4.tcp.tls_record_offset+len) < packet->payload_packet_len) - flow->l4.tcp.tls_record_offset += len; - } else - goto invalid_len; - } - - multiple_messages = (packet->payload[flow->l4.tcp.tls_record_offset] == 0x16 /* Handshake */) ? 0 : 1; - -#ifdef DEBUG_TLS - printf("=>> [TLS] [multiple_messages: %d]\n", multiple_messages); -#endif - - if((!multiple_messages) && (packet->payload[flow->l4.tcp.tls_record_offset] != 0x16 /* Handshake */)) - return(1); - else if(((!multiple_messages) && (packet->payload[flow->l4.tcp.tls_record_offset+5] == 0xb) /* Certificate */) - || (packet->payload[flow->l4.tcp.tls_record_offset] == 0xb) /* Certificate */) { - /* TODO: Do not take into account all certificates but only the first one */ -#ifdef DEBUG_TLS - printf("=>> [TLS] Certificate found\n"); -#endif - - if(flow->l4.tcp.tls_srv_cert_fingerprint_ctx == NULL) - flow->l4.tcp.tls_srv_cert_fingerprint_ctx = (void*)ndpi_malloc(sizeof(SHA1_CTX)); - else { -#ifdef DEBUG_TLS - printf("[TLS] Internal error: double allocation\n:"); -#endif - } - - if(flow->l4.tcp.tls_srv_cert_fingerprint_ctx) { - SHA1Init(flow->l4.tcp.tls_srv_cert_fingerprint_ctx); - flow->l4.tcp.tls_srv_cert_fingerprint_found = 1; - flow->l4.tcp.tls_record_offset += (!multiple_messages) ? 
13 : 8; - flow->l4.tcp.tls_fingerprint_len = ntohs(*(u_int16_t*)&packet->payload[flow->l4.tcp.tls_record_offset]); - flow->l4.tcp.tls_record_offset = flow->l4.tcp.tls_record_offset+2; -#ifdef DEBUG_TLS - printf("=>> [TLS] Certificate [total certificate len: %u][certificate initial offset: %u]\n", - flow->l4.tcp.tls_fingerprint_len, flow->l4.tcp.tls_record_offset); -#endif - return(getSSCertificateFingerprint(ndpi_struct, flow)); - } else - return(0); /* That's all */ - } else if(flow->l4.tcp.tls_seen_certificate) - return(0); /* That's all */ - else if(packet->payload_packet_len > flow->l4.tcp.tls_record_offset+7+1/* +1 because we are going to read 2 bytes */) { - /* This is a handshake but not a certificate record */ - u_int16_t len = ntohs(*(u_int16_t*)&packet->payload[flow->l4.tcp.tls_record_offset+7]); - -#ifdef DEBUG_TLS - printf("=>> [TLS] Found record %02X [len: %u]\n", - packet->payload[flow->l4.tcp.tls_record_offset+5], len); -#endif - - if(len > 4096) { - invalid_len: - /* This looks an invalid len: we giveup */ - flow->l4.tcp.tls_record_offset = 0, flow->l4.tcp.tls_srv_cert_fingerprint_processed = 1; -#ifdef DEBUG_TLS - printf("=>> [TLS] Invalid fingerprint processing %u <-> %u\n", - ntohs(packet->tcp->source), ntohs(packet->tcp->dest)); -#endif - return(0); - } else { - flow->l4.tcp.tls_record_offset += len + 9; - - if(flow->l4.tcp.tls_record_offset < packet->payload_packet_len) - return(getSSCertificateFingerprint(ndpi_struct, flow)); - else { - flow->l4.tcp.tls_record_offset -= packet->payload_packet_len; - } - } - } - - flow->extra_packets_func = NULL; /* We're good now */ - return(1); -} - -/* **************************************** */ - -/* See https://blog.catchpoint.com/2017/05/12/dissecting-tls-using-wireshark/ */ -void getSSLorganization(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - char *buffer, int buffer_len) { - struct ndpi_packet_struct *packet = &flow->packet; - u_int16_t total_len; - u_int8_t 
handshake_protocol; - - if(packet->payload[0] != 0x16 /* Handshake */) - return; - - total_len = (packet->payload[3] << 8) + packet->payload[4] + 5 /* SSL Header */; - handshake_protocol = packet->payload[5]; /* handshake protocol a bit misleading, it is message type according TLS specs */ - - if((handshake_protocol != 0x02) - && (handshake_protocol != 0xb) /* Server Hello and Certificate message types are interesting for us */) - return; - -#ifdef DEBUG_TLS - printf("=>> [TLS] Certificate [total_len: %u/%u]\n", ntohs(*(u_int16_t*)&packet->payload[3]), total_len); -#endif - - /* Truncate total len, search at least in incomplete packet */ - if(total_len > packet->payload_packet_len) - total_len = packet->payload_packet_len; - - memset(buffer, 0, buffer_len); /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */ - u_int num_found = 0, i, j; - - for(i = 9; i < packet->payload_packet_len-4; i++) { + for(i = offset; i < certificate_len; i++) { /* Organization OID: 2.5.4.10 */ if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x0a)) { u_int8_t server_len = packet->payload[i+4]; @@ -983,13 +256,13 @@ void getSSLorganization(struct ndpi_detection_module_struct *ndpi_struct, char *server_org = (char*)&packet->payload[i+5]; - u_int len = (u_int)ndpi_min(server_len, buffer_len-1); + u_int len = (u_int)ndpi_min(server_len, sizeof(buffer)-1); strncpy(buffer, server_org, len); buffer[len] = '\0'; // check if organization string are all printable u_int8_t is_printable = 1; - for (j = 0; j < len; j++) { + for(j = 0; j < len; j++) { if(!ndpi_isprint(buffer[j])) { is_printable = 0; break; @@ -1004,6 +277,7 @@ void getSSLorganization(struct ndpi_detection_module_struct *ndpi_struct, #endif } } else if((packet->payload[i] == 0x30) && (packet->payload[i+1] == 0x1e) && (packet->payload[i+2] == 0x17)) { + /* Certificate Validity */ u_int8_t len = packet->payload[i+3]; u_int offset = i+4; 
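Review bot: The rewritten scan loop in `processCertificateElements()`, `for(i = offset; i < certificate_len; i++)`, no longer leaves headroom for the look-ahead reads in its body. The old bound was `packet->payload_packet_len-4`, and the body still reads `packet->payload[i+1]`, `[i+2]` and `[i+4]`, so with `i` allowed to reach `certificate_len-1` those reads go up to four bytes past `certificate_len`. Nothing visible here compares `certificate_len` with `packet->payload_packet_len`, so if that length comes from the record on the wire it could drive reads outside the payload unless the caller validates it first. I would tighten the bound to `for(i = offset; (i+4) < certificate_len; i++)` and document on the function that `certificate_len` must not exceed `packet->payload_packet_len`. The function body continues beyond this hunk.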
@@ -1066,518 +340,853 @@ void getSSLorganization(struct ndpi_detection_module_struct *ndpi_struct, } } } - } - } -} + } else if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x1d) && (packet->payload[i+2] == 0x11)) { + /* Organization OID: 2.5.29.17 (subjectAltName) */ + u_int16_t servernames_len = 0; + char servernames[2048]; -/* **************************************** */ - -int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; - int rc = 1; - - if(packet->tcp) { - if(!flow->l4.tcp.tls_srv_cert_fingerprint_processed) - getSSCertificateFingerprint(ndpi_struct, flow); - } - - /* consider only specific SSL packets (handshake) */ - if((packet->payload_packet_len > 9) && (packet->payload[0] == 0x16)) { - char certificate[64]; - int rc; - - certificate[0] = '\0'; - rc = getTLScertificate(ndpi_struct, flow, certificate, sizeof(certificate)); - packet->tls_certificate_num_checks++; - - if(rc > 0) { - char organization[64]; - - // try fetch server organization once server certificate is found - organization[0] = '\0'; - getSSLorganization(ndpi_struct, flow, organization, sizeof(organization)); - - packet->tls_certificate_detected++; - } - - if(flow->l4.tcp.tls_record_offset == 0) { - /* Client hello, Server Hello, and certificate packets probably all checked in this case */ - if(((packet->tls_certificate_num_checks >= 3) - && (flow->l4.tcp.seen_syn) - && (flow->l4.tcp.seen_syn_ack) - && (flow->l4.tcp.seen_ack) /* We have seen the 3-way handshake */ - && flow->l4.tcp.tls_srv_cert_fingerprint_processed) - /* || (flow->protos.stun_ssl.ssl.ja3_server[0] != '\0') */ - ) { - /* We're done processing extra packets since we've probably checked all possible cert packets */ - return(rc); - } - } - } - - /* 1 means keep looking for more packets */ - if(!flow->l4.tcp.tls_srv_cert_fingerprint_processed) rc = 1; - return(rc); -} - -/* 
**************************************** */ - -int tlsDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int8_t skip_cert_processing) { - struct ndpi_packet_struct *packet = &flow->packet; - - if((!skip_cert_processing) && packet->tcp) { - if(!flow->l4.tcp.tls_srv_cert_fingerprint_processed) - getSSCertificateFingerprint(ndpi_struct, flow); - } - - if((packet->payload_packet_len > 9) - && (packet->payload[0] == 0x16 /* consider only specific SSL packets (handshake) */)) { - if((packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) - || (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS)) { - char certificate[64]; - int rc; - - certificate[0] = '\0'; - rc = getTLScertificate(ndpi_struct, flow, certificate, sizeof(certificate)); - packet->tls_certificate_num_checks++; - - if(rc > 0) { - packet->tls_certificate_detected++; #ifdef DEBUG_TLS - NDPI_LOG_DBG2(ndpi_struct, "***** [SSL] %s\n", certificate); + printf("******* [TLS] Found subjectAltName\n"); #endif - ndpi_protocol_match_result ret_match; - u_int16_t subproto; - if(certificate[0] == '\0') - subproto = NDPI_PROTOCOL_UNKNOWN; - else - subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate, - strlen(certificate), - &ret_match, - NDPI_PROTOCOL_TLS); - - if(subproto != NDPI_PROTOCOL_UNKNOWN) { - /* If we've detected the subprotocol from client certificate but haven't had a chance - * to see the server certificate yet, set up extra packet processing to wait - * a few more packets. */ - if(((flow->l4.tcp.tls_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) - && ((flow->l4.tcp.tls_seen_server_cert != 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] == '\0'))) { - sslInitExtraPacketProcessing(flow); + i += 3 /* skip the initial patten 55 1D 11 */; + i++; /* skip the first type, 0x04 == BIT STRING, and jump to it's length */ + i += packet->payload[i] & 0x80 ? 
packet->payload[i] & 0x7F : 0; /* skip BIT STRING length */ + i += 2; /* skip the second type, 0x30 == SEQUENCE, and jump to it's length */ + i += packet->payload[i] & 0x80 ? packet->payload[i] & 0x7F : 0; /* skip SEQUENCE length */ + i++; + + while(i < packet->payload_packet_len) { + if(packet->payload[i] == 0x82) { + if((i < (packet->payload_packet_len - 1)) + && ((i + packet->payload[i + 1] + 2) < packet->payload_packet_len)) { + u_int8_t len = packet->payload[i + 1]; + char dNSName[256]; + int rc; + + i += 2; + + strncpy(dNSName, (const char*)&packet->payload[i], len); + dNSName[len] = '\0'; + + cleanupServerName(dNSName, len); + + rc = snprintf(&servernames[servernames_len], sizeof(servernames)-servernames_len, "%s%s", + (servernames_len == 0) ? "" : ",", dNSName); + + if(rc > 0) + servernames_len += rc; + +#if DEBUG_TLS + printf("[TLS] dNSName %s [%s]\n", dNSName, servernames); +#endif + + if(flow->protos.stun_ssl.ssl.server_names == NULL) + flow->protos.stun_ssl.ssl.server_names = ndpi_strdup(dNSName), flow->protos.stun_ssl.ssl.server_names_len = strlen(dNSName); + else { + u_int16_t dNSName_len = strlen(dNSName); + u_int16_t newstr_len = flow->protos.stun_ssl.ssl.server_names_len + dNSName_len + 1; + char *newstr = (char*)ndpi_realloc(flow->protos.stun_ssl.ssl.server_names, flow->protos.stun_ssl.ssl.server_names_len+1, newstr_len+1); + + if(newstr) { + flow->protos.stun_ssl.ssl.server_names = newstr; + flow->protos.stun_ssl.ssl.server_names[flow->protos.stun_ssl.ssl.server_names_len] = ','; + strncpy(&flow->protos.stun_ssl.ssl.server_names[flow->protos.stun_ssl.ssl.server_names_len+1], + dNSName, dNSName_len); + flow->protos.stun_ssl.ssl.server_names[newstr_len] = '\0'; + flow->protos.stun_ssl.ssl.server_names_len = newstr_len; + } + } + + if(!flow->l4.tcp.tls.subprotocol_detected) + if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, dNSName, len)) + flow->l4.tcp.tls.subprotocol_detected = 1; + + i += len; + } else { +#if DEBUG_TLS + 
printf("[TLS] Leftover %u bytes", packet->payload_packet_len - i); +#endif + break; } - - ndpi_set_detected_protocol(ndpi_struct, flow, subproto, - ndpi_tls_refine_master_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS)); - return(rc); + } else { + break; } - - if(ndpi_is_tls_tor(ndpi_struct, flow, certificate) != 0) - return(rc); - } - -#ifdef DEBUG_TLS - printf("[TLS] %s() [tls_certificate_num_checks: %u][tls_srv_cert_fingerprint_processed: %u][tls_certificate_detected: %u][%u/%u]", - __FUNCTION__, packet->tls_certificate_num_checks, flow->l4.tcp.tls_srv_cert_fingerprint_processed, - packet->tls_certificate_detected, - flow->l4.tcp.tls_seen_client_cert, - flow->l4.tcp.tls_seen_server_cert - ); -#endif - - - if(((packet->tls_certificate_num_checks >= 1) -#if 0 - && (flow->l4.tcp.seen_syn /* User || to be tolerant */ - || flow->l4.tcp.seen_syn_ack - || flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */) -#endif - && (flow->l4.tcp.tls_srv_cert_fingerprint_processed - || flow->l4.tcp.tls_seen_client_cert - || flow->l4.tcp.tls_seen_server_cert - || packet->tls_certificate_detected) - ) - /* - || ((flow->l4.tcp.tls_seen_certificate == 1) - && (flow->l4.tcp.tls_seen_server_cert == 1) - && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0')) - */ - /* || ((flow->l4.tcp.tls_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) */ - ) { - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); - } + } /* while */ } } +} + +/* **************************************** */ + +/* See https://blog.catchpoint.com/2017/05/12/dissecting-tls-using-wireshark/ */ +int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + u_int32_t certificates_length, length = (packet->payload[1] << 16) + (packet->payload[2] << 8) + packet->payload[3]; + u_int16_t certificates_offset = 7; + u_int8_t num_certificates_found = 0; +#ifdef 
DEBUG_TLS + printf("[TLS] %s() [payload_packet_len=%u][direction: %u][%02X %02X %02X %02X %02X %02X...]\n", + __FUNCTION__, packet->payload_packet_len, + packet->packet_direction, + packet->payload[0], packet->payload[1], packet->payload[2], + packet->payload[3], packet->payload[4], packet->payload[5]); +#endif + + if(packet->payload_packet_len != (length + 4)) + return(-1); /* Invalid length */ + + certificates_length = (packet->payload[4] << 16) + (packet->payload[5] << 8) + packet->payload[6]; + + if((certificates_length+3) != length) + return(-2); /* Invalid length */ + + if((flow->l4.tcp.tls.srv_cert_fingerprint_ctx = (void*)ndpi_malloc(sizeof(SHA1_CTX))) == NULL) + return(-3); /* Not enough memory */ + + /* Now let's process each individual certificates */ + while(certificates_offset < certificates_length) { + u_int16_t certificate_len = (packet->payload[certificates_offset] << 16) + (packet->payload[certificates_offset+1] << 8) + packet->payload[certificates_offset+2]; + + certificates_offset += 3; +#ifdef DEBUG_TLS + printf("[TLS] Processing %u bytes certificate [%02X %02X %02X]\n", + certificate_len, + packet->payload[certificates_offset], + packet->payload[certificates_offset+1], + packet->payload[certificates_offset+2]); +#endif + + if(num_certificates_found++ == 0) /* Dissect only the first certificate that is the one we care */ { + /* For SHA-1 we take into account only the first certificate and not all of them */ + + SHA1Init(flow->l4.tcp.tls.srv_cert_fingerprint_ctx); + +#ifdef DEBUG_CERTIFICATE_HASH + { + int i; + + for(i=0;ipayload[certificates_offset+i]); + + printf("\n"); + } +#endif + + SHA1Update(flow->l4.tcp.tls.srv_cert_fingerprint_ctx, + &packet->payload[certificates_offset], + certificate_len); + + SHA1Final(flow->l4.tcp.tls.sha1_certificate_fingerprint, flow->l4.tcp.tls.srv_cert_fingerprint_ctx); + +#ifdef DEBUG_TLS + { + int i; + + printf("[TLS] SHA-1: "); + for(i=0;i<20;i++) + printf("%s%02X", (i > 0) ? 
":" : "", flow->l4.tcp.tls.sha1_certificate_fingerprint[i]); + printf("\n"); + } +#endif + + processCertificateElements(ndpi_struct, flow, certificates_offset, certificate_len); + } + + certificates_offset += certificate_len; + } + + flow->extra_packets_func = NULL; /* We're good now */ + return(1); +} + +/* **************************************** */ + +static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + + switch(packet->payload[0] /* block type */) { + case 0x01: /* Client Hello */ + case 0x02: /* Server Hello */ + processClientServerHello(ndpi_struct, flow); + flow->l4.tcp.tls.hello_processed = 1; + ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); + break; + + case 0x0b: /* Certificate */ + processCertificate(ndpi_struct, flow); + flow->l4.tcp.tls.certificate_processed = 1; + break; + + default: + return(-1); + } + return(0); } /* **************************************** */ -static void tls_mark_and_payload_search(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow, - u_int8_t skip_cert_processing) { +static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - u_int32_t a; - u_int32_t end; + int rc = 1; +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] ndpi_search_tls_tcp() [payload_packet_len: %u]\n", + packet->payload_packet_len); +#endif + + if(packet->payload_packet_len == 0) + return(1); /* Keep working */ + + ndpi_search_tls_tcp_memory(ndpi_struct, flow); + + while(1) { + u_int16_t len, p_len; + const u_int8_t *p; + + if(flow->l4.tcp.tls.message.buffer_used < 5) + return(1); /* Keep working */ + + len = (flow->l4.tcp.tls.message.buffer[3] << 8) + flow->l4.tcp.tls.message.buffer[4] + 5; + + if(len > flow->l4.tcp.tls.message.buffer_used) { +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Not enough 
TLS data [%u < %u][%02X %02X %02X %02X %02X]\n", + len, flow->l4.tcp.tls.message.buffer_used, + flow->l4.tcp.tls.message.buffer[0], + flow->l4.tcp.tls.message.buffer[1], + flow->l4.tcp.tls.message.buffer[2], + flow->l4.tcp.tls.message.buffer[3], + flow->l4.tcp.tls.message.buffer[4]); +#endif + break; + } + +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Processing %u bytes message\n", len); +#endif + + /* Overwriting packet payload */ + p = packet->payload, p_len = packet->payload_packet_len; /* Backup */ + + /* Split the element in blocks */ + u_int16_t processed = 5; + + while(processed < len) { + const u_int8_t *block = (const u_int8_t *)&flow->l4.tcp.tls.message.buffer[processed]; + u_int16_t block_len = (block[1] << 16) + (block[2] << 8) + block[3]; + + packet->payload = block, packet->payload_packet_len = block_len+4; + + if((processed+packet->payload_packet_len) > len) + break; + +#ifdef DEBUG_TLS_MEMORY + printf("*** [TLS Mem] Processing %u bytes block [%02X %02X %02X %02X %02X]\n", + packet->payload_packet_len, + packet->payload[0], packet->payload[1], packet->payload[2], packet->payload[3], packet->payload[4]); +#endif + + + processTLSBlock(ndpi_struct, flow); + processed += packet->payload_packet_len; + } + + packet->payload = p, packet->payload_packet_len = p_len; /* Restore */ + flow->l4.tcp.tls.message.buffer_used -= len; + + memmove(flow->l4.tcp.tls.message.buffer, + &flow->l4.tcp.tls.message.buffer[len], + flow->l4.tcp.tls.message.buffer_used); + +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Left memory buffer %u bytes\n", flow->l4.tcp.tls.message.buffer_used); +#endif + } + +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Returning %u\n", rc); +#endif + + return(rc); +} + +/* **************************************** */ + +static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + u_int8_t handshake_type; + u_int32_t handshake_len; + u_int16_t 
p_len; + const u_int8_t *p; + #ifdef DEBUG_TLS printf("[TLS] %s()\n", __FUNCTION__); #endif - if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_UNENCRYPTED_JABBER) != 0) - goto check_for_tls_payload; - - if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_OSCAR) != 0) - goto check_for_tls_payload; - else - goto no_check_for_tls_payload; - - check_for_tls_payload: - end = packet->payload_packet_len - 20; - for (a = 5; a < end; a++) { - - if(packet->payload[a] == 't') { - if(memcmp(&packet->payload[a], "talk.google.com", 15) == 0) { - if(NDPI_COMPARE_PROTOCOL_TO_BITMASK - (ndpi_struct->detection_bitmask, NDPI_PROTOCOL_UNENCRYPTED_JABBER) != 0) { - NDPI_LOG_INFO(ndpi_struct, "found ssl jabber unencrypted\n"); - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNENCRYPTED_JABBER); - return; - } - } - } - - if(packet->payload[a] == 'A' || packet->payload[a] == 'k' || packet->payload[a] == 'c' - || packet->payload[a] == 'h') { - if(((a + 19) < packet->payload_packet_len && memcmp(&packet->payload[a], "America Online Inc.", 19) == 0) - // || (end - c > 3 memcmp (&packet->payload[c],"AOL", 3) == 0 ) - // || (end - c > 7 && memcmp (&packet->payload[c], "AOL LLC", 7) == 0) - || ((a + 15) < packet->payload_packet_len && memcmp(&packet->payload[a], "kdc.uas.aol.com", 15) == 0) - || ((a + 14) < packet->payload_packet_len && memcmp(&packet->payload[a], "corehc@aol.net", 14) == 0) - || ((a + 41) < packet->payload_packet_len - && memcmp(&packet->payload[a], "http://crl.aol.com/AOLMSPKI/aolServerCert", 41) == 0) - || ((a + 28) < packet->payload_packet_len - && memcmp(&packet->payload[a], "http://ocsp.web.aol.com/ocsp", 28) == 0) - || ((a + 32) < packet->payload_packet_len - && memcmp(&packet->payload[a], "http://pki-info.aol.com/AOLMSPKI", 32) == 0)) { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR SERVER SSL DETECTED\n"); - - if(flow->dst != NULL && packet->payload_packet_len > 75) { - 
memcpy(flow->dst->oscar_ssl_session_id, &packet->payload[44], 32); - flow->dst->oscar_ssl_session_id[32] = '\0'; - flow->dst->oscar_last_safe_access_time = packet->tick_timestamp; - } - - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR); - return; - } - } - - if(packet->payload[a] == 'm' || packet->payload[a] == 's') { - if((a + 21) < packet->payload_packet_len && - (memcmp(&packet->payload[a], "my.screenname.aol.com", 21) == 0 - || memcmp(&packet->payload[a], "sns-static.aolcdn.com", 21) == 0)) { - NDPI_LOG_DBG(ndpi_struct, "found OSCAR SERVER SSL DETECTED\n"); - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR); - return; - } - } + /* Consider only specific SSL packets (handshake) */ + if((packet->payload_packet_len < 17) + || (packet->payload[0] != 0x16) + || (packet->payload[1] != 0xfe) /* We ignore old DTLS versions */ + || ((packet->payload[2] != 0xff) && (packet->payload[2] != 0xfd)) + || ((ntohs(*((u_int16_t*)&packet->payload[11]))+13) != packet->payload_packet_len) + ) { + no_dtls: + +#ifdef DEBUG_TLS + printf("[TLS] No DTLS found\n"); +#endif + + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return(0); /* Giveup */ } - no_check_for_tls_payload: - if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { - NDPI_LOG_DBG(ndpi_struct, "found ssl connection\n"); - tlsDetectProtocolFromCertificate(ndpi_struct, flow, skip_cert_processing); + handshake_type = packet->payload[13]; + handshake_len = (packet->payload[14] << 16) + (packet->payload[15] << 8) + packet->payload[16]; -#ifdef DEBUG_TLS - printf("[TLS] %s() [tls_seen_client_cert: %u][tls_seen_server_cert: %u]\n", __FUNCTION__, - flow->l4.tcp.tls_seen_client_cert, flow->l4.tcp.tls_seen_server_cert); + if((handshake_len+25) != packet->payload_packet_len) + goto no_dtls; + + /* Overwriting packet payload */ + p = packet->payload, p_len = packet->payload_packet_len; /* Backup */ + packet->payload = &packet->payload[13], packet->payload_packet_len -= 13; + + 
processTLSBlock(ndpi_struct, flow); + + packet->payload = p, packet->payload_packet_len = p_len; /* Restore */ + + ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); + return(1); /* Keep working */ +} + +/* **************************************** */ + +static void tlsInitExtraPacketProcessing(struct ndpi_flow_struct *flow) { + flow->check_extra_packets = 1; + + /* At most 12 packets should almost always be enough to find the server certificate if it's there */ + flow->max_extra_packets_to_check = 12; + flow->extra_packets_func = (flow->packet.udp != NULL) ? ndpi_search_tls_udp : ndpi_search_tls_tcp; +} + +/* **************************************** */ + +static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, u_int32_t protocol) { +#if DEBUG_TLS + printf("[TLS] %s()\n", __FUNCTION__); #endif - if(!packet->tls_certificate_detected - && (!(flow->l4.tcp.tls_seen_client_cert && flow->l4.tcp.tls_seen_server_cert))) { - /* SSL without certificate (Skype, Ultrasurf?) 
*/ - NDPI_LOG_INFO(ndpi_struct, "found ssl NO_CERT\n"); - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); - } else if((packet->tls_certificate_num_checks >= 3) - && flow->l4.tcp.tls_srv_cert_fingerprint_processed) { - NDPI_LOG_INFO(ndpi_struct, "found ssl\n"); - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); - } + if((flow->detected_protocol_stack[0] == protocol) + || (flow->detected_protocol_stack[1] == protocol)) { + if(!flow->check_extra_packets) + tlsInitExtraPacketProcessing(flow); + return; } + + if(protocol != NDPI_PROTOCOL_TLS) + ; + else + protocol = ndpi_tls_refine_master_protocol(ndpi_struct, flow, protocol); + + ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_TLS); + tlsInitExtraPacketProcessing(flow); } /* **************************************** */ -static u_int8_t ndpi_search_tlsv3_direction1(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; +/* https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 */ - if((packet->payload_packet_len >= 5) - && ((packet->payload[0] == 0x16) || packet->payload[0] == 0x17) - && (packet->payload[1] == 0x03) - && ((packet->payload[2] == 0x00) || (packet->payload[2] == 0x01) || - (packet->payload[2] == 0x02) || (packet->payload[2] == 0x03))) { - u_int32_t temp; - NDPI_LOG_DBG2(ndpi_struct, "search sslv3\n"); - // SSLv3 Record - if(packet->payload_packet_len >= 1300) { - return 1; - } - temp = ntohs(get_u_int16_t(packet->payload, 3)) + 5; - NDPI_LOG_DBG2(ndpi_struct, "temp = %u\n", temp); - if(packet->payload_packet_len == temp - || (temp < packet->payload_packet_len && packet->payload_packet_len > 500)) { - return 1; - } +#define JA3_STR_LEN 1024 +#define MAX_NUM_JA3 128 - if(packet->payload_packet_len < temp && temp < 5000 && packet->payload_packet_len > 9) { - /* the server hello may be split into small packets */ - u_int32_t cert_start; - - 
NDPI_LOG_DBG2(ndpi_struct, - "maybe SSLv3 server hello split into smaller packets\n"); - - /* lets hope at least the server hello and the start of the certificate block are in the first packet */ - cert_start = ntohs(get_u_int16_t(packet->payload, 7)) + 5 + 4; - NDPI_LOG_DBG2(ndpi_struct, "suspected start of certificate: %u\n", - cert_start); - - if(cert_start < packet->payload_packet_len && packet->payload[cert_start] == 0x0b) { - NDPI_LOG_DBG2(ndpi_struct, - "found 0x0b at suspected start of certificate block\n"); - return 2; - } - } - - if((packet->payload_packet_len > temp) && (packet->payload_packet_len > 100)) { - /* the server hello may be split into small packets and the certificate has its own SSL Record - * so temp contains only the length for the first ServerHello block */ - u_int32_t cert_start; - - NDPI_LOG_DBG2(ndpi_struct, - "maybe SSLv3 server hello split into smaller packets but with seperate record for the certificate\n"); - - /* lets hope at least the server hello record and the start of the certificate record are in the first packet */ - cert_start = ntohs(get_u_int16_t(packet->payload, 7)) + 5 + 5 + 4; - NDPI_LOG_DBG2(ndpi_struct, "suspected start of certificate: %u\n", - cert_start); - - if(cert_start < packet->payload_packet_len && packet->payload[cert_start] == 0x0b) { - NDPI_LOG_DBG2(ndpi_struct, - "found 0x0b at suspected start of certificate block\n"); - return 2; - } - } - - - if(packet->payload_packet_len >= temp + 5 && (packet->payload[temp] == 0x14 || packet->payload[temp] == 0x16) - && packet->payload[temp + 1] == 0x03) { - u_int32_t temp2 = ntohs(get_u_int16_t(packet->payload, temp + 3)) + 5; - if(temp + temp2 > NDPI_MAX_TLS_REQUEST_SIZE) { - return 1; - } - temp += temp2; - NDPI_LOG_DBG2(ndpi_struct, "temp = %u\n", temp); - if(packet->payload_packet_len == temp) { - return 1; - } - if(packet->payload_packet_len >= temp + 5 && - packet->payload[temp] == 0x16 && packet->payload[temp + 1] == 0x03) { - temp2 = 
ntohs(get_u_int16_t(packet->payload, temp + 3)) + 5; - if(temp + temp2 > NDPI_MAX_TLS_REQUEST_SIZE) { - return 1; - } - temp += temp2; - NDPI_LOG_DBG2(ndpi_struct, "temp = %u\n", temp); - if(packet->payload_packet_len == temp) { - return 1; - } - if(packet->payload_packet_len >= temp + 5 && - packet->payload[temp] == 0x16 && packet->payload[temp + 1] == 0x03) { - temp2 = ntohs(get_u_int16_t(packet->payload, temp + 3)) + 5; - if(temp + temp2 > NDPI_MAX_TLS_REQUEST_SIZE) { - return 1; - } - temp += temp2; - NDPI_LOG_DBG2(ndpi_struct, "temp = %u\n", temp); - if(temp == packet->payload_packet_len) { - return 1; - } - } - } - } - } - - return 0; -} +struct ja3_info { + u_int16_t tls_handshake_version; + u_int16_t num_cipher, cipher[MAX_NUM_JA3]; + u_int16_t num_tls_extension, tls_extension[MAX_NUM_JA3]; + u_int16_t num_elliptic_curve, elliptic_curve[MAX_NUM_JA3]; + u_int8_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3]; +}; /* **************************************** */ -void ndpi_search_tls_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, +int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - u_int8_t ret, skip_cert_processing = 0; + struct ja3_info ja3; + u_int8_t invalid_ja3 = 0; + u_int16_t tls_version, ja3_str_len; + char ja3_str[JA3_STR_LEN]; + ndpi_MD5_CTX ctx; + u_char md5_hash[16]; + int i; + u_int16_t total_len; + u_int8_t handshake_type; + char buffer[64] = { '\0' }; + +#ifdef DEBUG_TLS + printf("SSL %s() called\n", __FUNCTION__); +#endif + + memset(&ja3, 0, sizeof(ja3)); + + handshake_type = packet->payload[0]; + total_len = (packet->payload[1] << 16) + (packet->payload[2] << 8) + packet->payload[3]; + + if(total_len > packet->payload_packet_len) + return(0); /* Not found */ + + total_len = packet->payload_packet_len; + + /* At least "magic" 3 bytes, null for string end, otherwise no need to waste cpu cycles */ + 
if(total_len > 4) { + u_int16_t base_offset = packet->tcp ? 38 : 46; + u_int16_t version_offset = packet->tcp ? 4 : 12; + u_int16_t offset = 38, extension_len, j; + u_int8_t session_id_len = packet->tcp ? packet->payload[offset] : packet->payload[46]; + +#ifdef DEBUG_TLS + printf("SSL [len: %u][handshake_type: %02X]\n", packet->payload_packet_len, handshake_type); +#endif + + tls_version = ntohs(*((u_int16_t*)&packet->payload[version_offset])); + flow->protos.stun_ssl.ssl.ssl_version = ja3.tls_handshake_version = tls_version; + + if(handshake_type == 0x02 /* Server Hello */) { + int i, rc; + +#ifdef DEBUG_TLS + printf("SSL Server Hello [version: 0x%04X]\n", tls_version); +#endif + + /* + The server hello decides about the SSL version of this flow + https://networkengineering.stackexchange.com/questions/55752/why-does-wireshark-show-version-tls-1-2-here-instead-of-tls-1-3 + */ + if(packet->udp) + offset += 1; + else { + if(tls_version < 0x7F15 /* TLS 1.3 lacks of session id */) + offset += session_id_len+1; + } + + ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset])); + flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0]); + flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0]; #ifdef DEBUG_TLS - printf("==>> %u [len: %u][version: %u]\n", + printf("TLS [server][session_id_len: %u][cipher: %04X]\n", session_id_len, ja3.cipher[0]); +#endif + + offset += 2 + 1; + + if((offset + 1) < packet->payload_packet_len) /* +1 because we are goint to read 2 bytes */ + extension_len = ntohs(*((u_int16_t*)&packet->payload[offset])); + else + extension_len = 0; + +#ifdef DEBUG_TLS + printf("TLS [server][extension_len: %u]\n", extension_len); +#endif + offset += 2; + + for(i=0; i= (packet->payload_packet_len+4)) break; + + extension_id = ntohs(*((u_int16_t*)&packet->payload[offset])); + extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+2])); + + if(ja3.num_tls_extension < MAX_NUM_JA3) + 
ja3.tls_extension[ja3.num_tls_extension++] = extension_id; + +#ifdef DEBUG_TLS + printf("TLS [server][extension_id: %u/0x%04X][len: %u]\n", + extension_id, extension_id, extension_len); +#endif + + if(extension_id == 43 /* supported versions */) { + if(extension_len >= 2) { + u_int16_t tls_version = ntohs(*((u_int16_t*)&packet->payload[offset+4])); + +#ifdef DEBUG_TLS + printf("TLS [server] [TLS version: 0x%04X]\n", tls_version); +#endif + + flow->protos.stun_ssl.ssl.ssl_version = tls_version; + } + } + + i += 4 + extension_len, offset += 4 + extension_len; + } + + ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version); + + for(i=0; i 0) ? "-" : "", ja3.cipher[i]); + + if(rc <= 0) break; else ja3_str_len += rc; + } + + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); + if(rc > 0) ja3_str_len += rc; + + /* ********** */ + + for(i=0; i 0) ? "-" : "", ja3.tls_extension[i]); + + if(rc <= 0) break; else ja3_str_len += rc; + } + +#ifdef DEBUG_TLS + printf("TLS [server] %s\n", ja3_str); +#endif + +#ifdef DEBUG_TLS + printf("[JA3] Server: %s \n", ja3_str); +#endif + + ndpi_MD5Init(&ctx); + ndpi_MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str)); + ndpi_MD5Final(md5_hash, &ctx); + + for(i=0, j=0; i<16; i++) { + int rc = snprintf(&flow->protos.stun_ssl.ssl.ja3_server[j], + sizeof(flow->protos.stun_ssl.ssl.ja3_server)-j, "%02x", md5_hash[i]); + if(rc <= 0) break; else j += rc; + } + +#ifdef DEBUG_TLS + printf("[JA3] Server: %s \n", flow->protos.stun_ssl.ssl.ja3_server); +#endif + } else if(handshake_type == 0x01 /* Client Hello */) { + u_int16_t cipher_len, cipher_offset; + + if(packet->tcp) { + cipher_len = packet->payload[session_id_len+base_offset+2] + (packet->payload[session_id_len+base_offset+1] << 8); + cipher_offset = base_offset + session_id_len + 3; + } else { + cipher_len = ntohs(*((u_int16_t*)&packet->payload[base_offset+2])); + cipher_offset = base_offset+4; + } + +#ifdef DEBUG_TLS + printf("Client 
SSL [client cipher_len: %u][tls_version: 0x%04X]\n", cipher_len, tls_version); +#endif + + if((cipher_offset+cipher_len) <= total_len) { + for(i=0; ipayload[cipher_offset+i]; + +#ifdef DEBUG_TLS + printf("Client SSL [cipher suite: %u/0x%04X] [%d/%u]\n", ntohs(*id), ntohs(*id), i, cipher_len); +#endif + if((*id == 0) || (packet->payload[cipher_offset+i] != packet->payload[cipher_offset+i+1])) { + /* + Skip GREASE [https://tools.ietf.org/id/draft-ietf-tls-grease-01.html] + https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 + */ + + if(ja3.num_cipher < MAX_NUM_JA3) + ja3.cipher[ja3.num_cipher++] = ntohs(*id); + else { + invalid_ja3 = 1; +#ifdef DEBUG_TLS + printf("Client SSL Invalid cipher %u\n", ja3.num_cipher); +#endif + } + } + + i += 2; + } + } else { + invalid_ja3 = 1; +#ifdef DEBUG_TLS + printf("Client SSL Invalid len %u vs %u\n", (cipher_offset+cipher_len), total_len); +#endif + } + + offset = base_offset + session_id_len + cipher_len + 2; + + if(offset < total_len) { + u_int16_t compression_len; + u_int16_t extensions_len; + + offset += packet->tcp ? 
1 : 2; + compression_len = packet->payload[offset]; + offset++; + +#ifdef DEBUG_TLS + printf("Client SSL [compression_len: %u]\n", compression_len); +#endif + + // offset += compression_len + 3; + offset += compression_len; + + if(offset < total_len) { + extensions_len = ntohs(*((u_int16_t*)&packet->payload[offset])); + offset += 2; + +#ifdef DEBUG_TLS + printf("Client SSL [extensions_len: %u]\n", extensions_len); +#endif + + if((extensions_len+offset) <= total_len) { + /* Move to the first extension + Type is u_int to avoid possible overflow on extension_len addition */ + u_int extension_offset = 0; + u_int32_t j; + + while(extension_offset < extensions_len) { + u_int16_t extension_id, extension_len, extn_off = offset+extension_offset; + + extension_id = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset])); + extension_offset += 2; + + extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset])); + extension_offset += 2; + +#ifdef DEBUG_TLS + printf("Client SSL [extension_id: %u][extension_len: %u]\n", extension_id, extension_len); +#endif + + if((extension_id == 0) || (packet->payload[extn_off] != packet->payload[extn_off+1])) { + /* Skip GREASE */ + + if(ja3.num_tls_extension < MAX_NUM_JA3) + ja3.tls_extension[ja3.num_tls_extension++] = extension_id; + else { + invalid_ja3 = 1; +#ifdef DEBUG_TLS + printf("Client SSL Invalid extensions %u\n", ja3.num_tls_extension); +#endif + } + } + + if(extension_id == 0 /* server name */) { + u_int16_t len; + +#ifdef DEBUG_TLS + printf("[TLS] Extensions: found server name\n"); +#endif + + len = (packet->payload[offset+extension_offset+3] << 8) + packet->payload[offset+extension_offset+4]; + len = (u_int)ndpi_min(len, sizeof(buffer)-1); + + if((offset+extension_offset+5+len) < packet->payload_packet_len) { + strncpy(buffer, (char*)&packet->payload[offset+extension_offset+5], len); + buffer[len] = '\0'; + + cleanupServerName(buffer, sizeof(buffer)); + + 
snprintf(flow->protos.stun_ssl.ssl.client_certificate, + sizeof(flow->protos.stun_ssl.ssl.client_certificate), "%s", buffer); + + if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, buffer, strlen(buffer))) + flow->l4.tcp.tls.subprotocol_detected = 1; + } else { +#ifdef DEBUG_TLS + printf("[TLS] Extensions server len too short: %u vs %u\n", + offset+extension_offset+5+len, + packet->payload_packet_len); +#endif + } + } else if(extension_id == 10 /* supported groups */) { + u_int16_t s_offset = offset+extension_offset + 2; + +#ifdef DEBUG_TLS + printf("Client SSL [EllipticCurveGroups: len=%u]\n", extension_len); +#endif + + if((s_offset+extension_len-2) <= total_len) { + for(i=0; ipayload[s_offset+i])); + +#ifdef DEBUG_TLS + printf("Client SSL [EllipticCurve: %u/0x%04X]\n", s_group, s_group); +#endif + if((s_group == 0) || (packet->payload[s_offset+i] != packet->payload[s_offset+i+1])) { + /* Skip GREASE */ + if(ja3.num_elliptic_curve < MAX_NUM_JA3) + ja3.elliptic_curve[ja3.num_elliptic_curve++] = s_group; + else { + invalid_ja3 = 1; +#ifdef DEBUG_TLS + printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve); +#endif + } + } + + i += 2; + } + } else { + invalid_ja3 = 1; +#ifdef DEBUG_TLS + printf("Client SSL Invalid len %u vs %u\n", (s_offset+extension_len-1), total_len); +#endif + } + } else if(extension_id == 11 /* ec_point_formats groups */) { + u_int16_t s_offset = offset+extension_offset + 1; + +#ifdef DEBUG_TLS + printf("Client SSL [EllipticCurveFormat: len=%u]\n", extension_len); +#endif + if((s_offset+extension_len) < total_len) { + for(i=0; ipayload[s_offset+i]; + +#ifdef DEBUG_TLS + printf("Client SSL [EllipticCurveFormat: %u]\n", s_group); +#endif + + if(ja3.num_elliptic_curve_point_format < MAX_NUM_JA3) + ja3.elliptic_curve_point_format[ja3.num_elliptic_curve_point_format++] = s_group; + else { + invalid_ja3 = 1; +#ifdef DEBUG_TLS + printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve_point_format); 
+#endif + } + } + } else { + invalid_ja3 = 1; +#ifdef DEBUG_TLS + printf("Client SSL Invalid len %u vs %u\n", s_offset+extension_len, total_len); +#endif + } + } else if(extension_id == 43 /* supported versions */) { + u_int8_t version_len = packet->payload[offset+4]; + + if(version_len == (extension_len-1)) { +#ifdef DEBUG_TLS + u_int8_t j; + + for(j=0; jpayload[offset+5+j])); + + printf("Client SSL [TLS version: 0x%04X]\n", tls_version); + } +#endif + } + } + + extension_offset += extension_len; + +#ifdef DEBUG_TLS + printf("Client SSL [extension_offset/len: %u/%u]\n", extension_offset, extension_len); +#endif + } /* while */ + + if(!invalid_ja3) { + int rc; + + compute_ja3c: + ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version); + + for(i=0; i 0) ? "-" : "", ja3.cipher[i]); + if(rc > 0) ja3_str_len += rc; else break; + } + + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); + if(rc > 0) ja3_str_len += rc; + + /* ********** */ + + for(i=0; i 0) ? "-" : "", ja3.tls_extension[i]); + if(rc > 0) ja3_str_len += rc; else break; + } + + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); + if(rc > 0) ja3_str_len += rc; + + /* ********** */ + + for(i=0; i 0) ? "-" : "", ja3.elliptic_curve[i]); + if(rc > 0) ja3_str_len += rc; else break; + } + + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); + if(rc > 0) ja3_str_len += rc; + + for(i=0; i 0) ? 
"-" : "", ja3.elliptic_curve_point_format[i]); + if(rc > 0) ja3_str_len += rc; else break; + } + +#ifdef DEBUG_TLS + printf("[JA3] Client: %s \n", ja3_str); +#endif + + ndpi_MD5Init(&ctx); + ndpi_MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str)); + ndpi_MD5Final(md5_hash, &ctx); + + for(i=0, j=0; i<16; i++) { + rc = snprintf(&flow->protos.stun_ssl.ssl.ja3_client[j], + sizeof(flow->protos.stun_ssl.ssl.ja3_client)-j, "%02x", + md5_hash[i]); + if(rc > 0) j += rc; else break; + } +#ifdef DEBUG_TLS + printf("[JA3] Client: %s \n", flow->protos.stun_ssl.ssl.ja3_client); +#endif + } + + return(2 /* Client Certificate */); + } else { +#ifdef DEBUG_TLS + printf("[TLS] Client: too short [%u vs %u]\n", + (extensions_len+offset), total_len); +#endif + } + } else if(offset == total_len) { + /* SSL does not have extensions etc */ + goto compute_ja3c; + } + } else { +#ifdef DEBUG_TLS + printf("[JA3] Client: invalid length detected\n"); +#endif + } + } + } + + return(0); /* Not found */ +} + +/* **************************************** */ + +static void ndpi_search_tls_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + +#ifdef DEBUG_TLS + printf("==>> %s() %u [len: %u][version: %u]\n", + __FUNCTION__, flow->guessed_host_protocol_id, packet->payload_packet_len, flow->protos.stun_ssl.ssl.ssl_version); #endif - - if(packet->udp != NULL) { - /* DTLS dissector */ - int rc = sslTryAndRetrieveServerCertificate(ndpi_struct, flow); - - if((rc == 0) && (flow->protos.stun_ssl.ssl.ssl_version != 0)) { - flow->guessed_protocol_id = NDPI_PROTOCOL_TLS; - if(flow->protos.stun_ssl.stun.num_udp_pkts > 0) { - if(ndpi_struct->stun_cache == NULL) - ndpi_struct->stun_cache = ndpi_lru_cache_init(1024); - - if(ndpi_struct->stun_cache) { -#ifdef DEBUG_TLS - printf("[LRU] Adding Signal cached keys\n"); -#endif - - ndpi_lru_add_to_cache(ndpi_struct->stun_cache, get_stun_lru_key(flow, 0), 
NDPI_PROTOCOL_SIGNAL); - ndpi_lru_add_to_cache(ndpi_struct->stun_cache, get_stun_lru_key(flow, 1), NDPI_PROTOCOL_SIGNAL); - } - - /* In Signal protocol STUN turns into DTLS... */ - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SIGNAL); - } else if(flow->protos.stun_ssl.ssl.ja3_server[0] != '\0') { - /* Wait the server certificate the bless this flow as TLS */ - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); - } - } - - return; - } - - if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS) { - if(flow->l4.tcp.tls_stage == 3 && packet->payload_packet_len > 20 && flow->packet_counter < 5) { - /* this should only happen, when we detected SSL with a packet that had parts of the certificate in subsequent packets - * so go on checking for certificate patterns for a couple more packets - */ - NDPI_LOG_DBG2(ndpi_struct, - "ssl flow but check another packet for patterns\n"); - tls_mark_and_payload_search(ndpi_struct, flow, skip_cert_processing); - - if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS) { - /* still ssl so check another packet */ - return; - } else { - /* protocol has changed so we are done */ - return; - } - } - - return; - } - - NDPI_LOG_DBG(ndpi_struct, "search ssl\n"); - - /* Check if this is whatsapp first (this proto runs over port 443) */ - if((packet->payload_packet_len > 5) - && ((packet->payload[0] == 'W') - && (packet->payload[1] == 'A') - && (packet->payload[4] == 0) - && (packet->payload[2] <= 9) - && (packet->payload[3] <= 9))) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN); - return; - } else if((packet->payload_packet_len == 4) - && (packet->payload[0] == 'W') - && (packet->payload[1] == 'A')) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN); - return; - } else { - /* No whatsapp, let's try SSL */ - if(tlsDetectProtocolFromCertificate(ndpi_struct, flow, skip_cert_processing) > 0) - return; - else - 
skip_cert_processing = 1; - } - - if(packet->payload_packet_len > 40 && flow->l4.tcp.tls_stage == 0) { - NDPI_LOG_DBG2(ndpi_struct, "first ssl packet\n"); - // SSLv2 Record - if(packet->payload[2] == 0x01 && packet->payload[3] == 0x03 - && (packet->payload[4] == 0x00 || packet->payload[4] == 0x01 || packet->payload[4] == 0x02) - && (packet->payload_packet_len - packet->payload[1] == 2)) { - NDPI_LOG_DBG2(ndpi_struct, "sslv2 len match\n"); - flow->l4.tcp.tls_stage = 1 + packet->packet_direction; - return; - } - - if(packet->payload[0] == 0x16 && packet->payload[1] == 0x03 - && (packet->payload[2] == 0x00 || packet->payload[2] == 0x01 || packet->payload[2] == 0x02) - && (packet->payload_packet_len - ntohs(get_u_int16_t(packet->payload, 3)) == 5)) { - // SSLv3 Record - NDPI_LOG_DBG2(ndpi_struct, "sslv3 len match\n"); - flow->l4.tcp.tls_stage = 1 + packet->packet_direction; - return; - } - - // Application Data pkt - if(packet->payload[0] == 0x17 && packet->payload[1] == 0x03 - && (packet->payload[2] == 0x00 || packet->payload[2] == 0x01 || - packet->payload[2] == 0x02 || packet->payload[2] == 0x03)) { - if(packet->payload_packet_len - ntohs(get_u_int16_t(packet->payload, 3)) == 5) { - NDPI_LOG_DBG2(ndpi_struct, "TLS len match\n"); - flow->l4.tcp.tls_stage = 1 + packet->packet_direction; - return; - } - } - } - - if(packet->payload_packet_len > 40 && - flow->l4.tcp.tls_stage == 1 + packet->packet_direction - && flow->packet_direction_counter[packet->packet_direction] < 5) { - return; - } - - if(packet->payload_packet_len > 40 && flow->l4.tcp.tls_stage == 2 - packet->packet_direction) { - NDPI_LOG_DBG2(ndpi_struct, "second ssl packet\n"); - // SSLv2 Record - if(packet->payload[2] == 0x01 && packet->payload[3] == 0x03 - && (packet->payload[4] == 0x00 || packet->payload[4] == 0x01 || packet->payload[4] == 0x02) - && (packet->payload_packet_len - 2) >= packet->payload[1]) { - NDPI_LOG_DBG2(ndpi_struct, "sslv2 server len match\n"); - tls_mark_and_payload_search(ndpi_struct, 
flow, skip_cert_processing); - return; - } - - ret = ndpi_search_tlsv3_direction1(ndpi_struct, flow); - if(ret == 1) { - NDPI_LOG_DBG2(ndpi_struct, "sslv3 server len match\n"); - tls_mark_and_payload_search(ndpi_struct, flow, skip_cert_processing); - return; - } else if(ret == 2) { - NDPI_LOG_DBG2(ndpi_struct, - "sslv3 server len match with split packet -> check some more packets for SSL patterns\n"); - tls_mark_and_payload_search(ndpi_struct, flow, skip_cert_processing); - - if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS) - flow->l4.tcp.tls_stage = 3; - return; - } - - if(packet->payload_packet_len > 40 && flow->packet_direction_counter[packet->packet_direction] < 5) { - NDPI_LOG_DBG2(ndpi_struct, "need next packet\n"); - return; - } - } - - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - - return; + if(packet->udp != NULL) + ndpi_search_tls_udp(ndpi_struct, flow); + else + ndpi_search_tls_tcp(ndpi_struct, flow); } /* **************************************** */ diff --git a/tests/pcap/dtls.pcap b/tests/pcap/dtls.pcap new file mode 100644 index 0000000000000000000000000000000000000000..2c2def22839322a7812a08782b4ad7cb448c1429 GIT binary patch literal 450 zcmca|c+)~A1{MYcU}0bcavE49V_IhOG8_f6K{#R~KY#m&maUGtGcq_BTp1X)i(PPF za1d-4Jg|cIG!R?PSH5$YVX<|$*uVd9!}@?mH9>hz|NfrakgLUVT1!;?(4(}sx!We^ zU9R$iTo<(Ft9Pm0<}pD HOHTm+;s$TV literal 0 HcmV?d00001 diff --git a/tests/result/1kxun.pcap.out b/tests/result/1kxun.pcap.out index 7cede1bfa..cdfe2b1f6 100644 --- a/tests/result/1kxun.pcap.out +++ b/tests/result/1kxun.pcap.out 
@@ -36,11 +36,11 @@ JA3 Host Stats: 15 TCP 192.168.115.8:49608 <-> 203.205.151.234:80 [proto: 7.48/HTTP.QQ][cat: Chat/9][18 pkts/3550 bytes <-> 7 pkts/1400 bytes][Goodput ratio: 71.2/71.7][1.09 sec][Host: vv.video.qq.com][bytes ratio: 0.434 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 70.1/191.0 476/506 135.7/201.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 197.2/200.0 499/372 175.9/149.1][URL: vv.video.qq.com/getvinfo][StatusCode: 100][ContentType: ][UserAgent: Mozilla/5.0][PLAIN TEXT (POST /getvinfo HTTP/1.1)] 16 UDP 192.168.119.1:67 -> 255.255.255.255:68 [proto: 18/DHCP][cat: Network/14][14 pkts/4788 bytes -> 0 pkts/0 bytes][Goodput ratio: 87.7/0.0][43.01 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 412/0 3105.8/0.0 12289/0 3176.4/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 342/0 342.0/0.0 342/0 0.0/0.0] 17 TCP 192.168.5.16:53580 <-> 31.13.87.36:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][4 pkts/2050 bytes <-> 5 pkts/2297 bytes][Goodput ratio: 87.1/85.6][0.18 sec][bytes ratio: -0.057 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 4/0 60.0/44.0 176/133 82.0/54.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 512.5/459.4 1159/1464 468.4/535.8] - 18 TCP 192.168.5.16:53623 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][11 pkts/1959 bytes <-> 8 pkts/1683 bytes][Goodput ratio: 66.6/72.1][20.95 sec][bytes ratio: 0.076 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 2322.6/4176.2 15252/15254 4895.4/5951.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 178.1/210.4 1067/1055 287.5/323.1][TLSv1.2][Client: 1][JA3C: 799135475da362592a4be9199d258726][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] - 19 TCP 192.168.5.16:53625 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][11 pkts/1955 bytes <-> 8 pkts/1683 bytes][Goodput ratio: 66.5/72.1][6.76 sec][bytes ratio: 0.075 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 746.1/1336.2 5987/5987 1865.2/2340.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 177.7/210.4 1067/1055 
287.4/323.1][TLSv1.2][Client: 1][JA3C: 618ee2509ef52bf0b8216e1564eea909][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] - 20 TCP 192.168.5.16:53629 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][10 pkts/1895 bytes <-> 7 pkts/1623 bytes][Goodput ratio: 68.6/74.8][6.08 sec][bytes ratio: 0.077 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 753.4/1500.5 5998/5998 1982.3/2596.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 189.5/231.9 1067/1055 298.9/340.1][TLSv1.2][Client: 1][JA3C: 618ee2509ef52bf0b8216e1564eea909][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] + 18 TCP 192.168.5.16:53623 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][11 pkts/1959 bytes <-> 8 pkts/1683 bytes][Goodput ratio: 66.6/72.1][20.95 sec][bytes ratio: 0.076 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 2322.6/4176.2 15252/15254 4895.4/5951.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 178.1/210.4 1067/1055 287.5/323.1][TLSv1.2][Client: 192.168.115.75][JA3C: 799135475da362592a4be9199d258726][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] + 19 TCP 192.168.5.16:53625 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][11 pkts/1955 bytes <-> 8 pkts/1683 bytes][Goodput ratio: 66.5/72.1][6.76 sec][bytes ratio: 0.075 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 746.1/1336.2 5987/5987 1865.2/2340.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 177.7/210.4 1067/1055 287.4/323.1][TLSv1.2][Client: 192.168.115.75][JA3C: 618ee2509ef52bf0b8216e1564eea909][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] + 20 TCP 192.168.5.16:53629 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][10 pkts/1895 bytes <-> 7 pkts/1623 bytes][Goodput ratio: 68.6/74.8][6.08 sec][bytes ratio: 0.077 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 753.4/1500.5 5998/5998 1982.3/2596.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 189.5/231.9 1067/1055 298.9/340.1][TLSv1.2][Client: 
192.168.115.75][JA3C: 618ee2509ef52bf0b8216e1564eea909][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] 21 TCP 192.168.115.8:49605 <-> 106.185.35.110:80 [proto: 7/HTTP][cat: Streaming/17][8 pkts/1128 bytes <-> 5 pkts/2282 bytes][Goodput ratio: 59.5/87.3][0.09 sec][Host: jp.kankan.1kxun.mobi][bytes ratio: -0.338 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 6.2/16.0 36/43 13.3/19.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 141.0/456.4 390/1314 143.8/511.5][URL: jp.kankan.1kxun.mobi/api/videos/10410.json][StatusCode: 200][ContentType: application/json][UserAgent: ][PLAIN TEXT (GET /api/videos/10410.j)] - 22 TCP 192.168.5.16:53626 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][11 pkts/1943 bytes <-> 8 pkts/1267 bytes][Goodput ratio: 66.3/63.0][8.90 sec][bytes ratio: 0.211 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 981.8/1763.2 6000/6000 1977.8/2381.5][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 176.6/158.4 1051/639 283.0/188.4][TLSv1.2][Client: 1][JA3C: 799135475da362592a4be9199d258726][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] + 22 TCP 192.168.5.16:53626 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][11 pkts/1943 bytes <-> 8 pkts/1267 bytes][Goodput ratio: 66.3/63.0][8.90 sec][bytes ratio: 0.211 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 981.8/1763.2 6000/6000 1977.8/2381.5][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 176.6/158.4 1051/639 283.0/188.4][TLSv1.2][Client: 192.168.115.75][JA3C: 799135475da362592a4be9199d258726][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] 23 TCP 192.168.115.8:49597 <-> 106.185.35.110:80 [proto: 7/HTTP][cat: Streaming/17][10 pkts/1394 bytes <-> 4 pkts/1464 bytes][Goodput ratio: 59.5/83.1][45.16 sec][Host: jp.kankan.1kxun.mobi][bytes ratio: -0.024 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/4 5638.9/28.5 44799/53 14801.4/24.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 139.4/366.0 468/1272 164.4/523.1][URL: 
jp.kankan.1kxun.mobi/api/videos/10410.json?callback=jQuery18306855657112319022_1470103242123&_=1470104377698][StatusCode: 200][ContentType: application/x-javascript][UserAgent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22][PLAIN TEXT (GET /api/videos/10410.j)] 24 TCP 31.13.87.1:443 <-> 192.168.5.16:53578 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][5 pkts/1006 bytes <-> 5 pkts/1487 bytes][Goodput ratio: 67.1/77.8][0.26 sec][bytes ratio: -0.193 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 63.5/63.5 205/212 84.1/87.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 201.2/297.4 471/1223 139.5/462.8] 25 UDP 192.168.5.57:55809 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][14 pkts/2450 bytes -> 0 pkts/0 bytes][Goodput ratio: 76.0/0.0][56.94 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2968/0 4488.2/0.0 17921/0 4136.4/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 175/0 175.0/0.0 175/0 0.0/0.0][PLAIN TEXT (SEARCH )] diff --git a/tests/result/6in4tunnel.pcap.out b/tests/result/6in4tunnel.pcap.out index 8682fab94..bf068cc80 100644 --- a/tests/result/6in4tunnel.pcap.out +++ b/tests/result/6in4tunnel.pcap.out 
@@ -9,8 +9,8 @@ JA3 Host Stats: 1 2001:470:1f17:13f:3e97:eff:fe73:4dec 2 - 1 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:60205 <-> [2604:a880:1:20::224:b001]:443 [proto: 91/TLS][cat: Web/5][14 pkts/2312 bytes <-> 14 pkts/13085 bytes][Goodput ratio: 35.5/88.6][0.60 sec][bytes ratio: -0.700 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 52.8/36.3 142/142 56.7/54.5][Pkt Len c2s/s2c min/avg/max/stddev: 106/106 165.1/934.6 629/1847 138.8/679.8][TLSv1.2][Client: mail.tomasu.net][JA3C: 812d8bce0f85487ba7834d36568ed586][Server: mail.tomasu.net][JA3S: 389ed42c02ebecc32e73aa31def07e14][Certificate SHA-1: 9C:00:A2:31:8F:66:C6:E2:D8:E8:1E:6F:52:49:AD:15:0A:8B:7C:68][Validity: 2014-01-29 00:00:00 - 2019-01-28 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 2 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:53234 <-> [2a03:2880:1010:6f03:face:b00c::2]:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][18 pkts/6894 bytes <-> 15 pkts/7032 bytes][Goodput ratio: 72.2/76.8][0.53 sec][bytes ratio: -0.010 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 20.1/23.5 98/97 33.1/35.6][Pkt Len c2s/s2c min/avg/max/stddev: 106/106 383.0/468.8 1504/1911 467.5/575.9][TLSv1.2][Client: www.facebook.com][JA3C: eb7cdd4e7dea7a11b3016c3c9acbd2a3][Server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate SHA-1: 93:C6:FD:1A:84:90:BB:F1:B2:3B:49:A0:9B:1F:6F:0B:46:7A:31:41][Validity: 2014-08-28 00:00:00 - 2015-12-31 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] + 1 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:60205 <-> [2604:a880:1:20::224:b001]:443 [proto: 91/TLS][cat: Web/5][14 pkts/2312 bytes <-> 14 pkts/13085 bytes][Goodput ratio: 35.5/88.6][0.60 sec][bytes ratio: -0.700 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 52.8/36.3 142/142 56.7/54.5][Pkt Len c2s/s2c min/avg/max/stddev: 106/106 165.1/934.6 629/1847 138.8/679.8][TLSv1.2][Client: mail.tomasu.net][JA3C: 812d8bce0f85487ba7834d36568ed586][ServerNames: 
mail.tomasu.net,www.mail.tomasu.net][JA3S: 389ed42c02ebecc32e73aa31def07e14][Certificate SHA-1: 9C:00:A2:31:8F:66:C6:E2:D8:E8:1E:6F:52:49:AD:15:0A:8B:7C:68][Validity: 2014-01-29 00:00:00 - 2019-01-28 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 2 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:53234 <-> [2a03:2880:1010:6f03:face:b00c::2]:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][18 pkts/6894 bytes <-> 15 pkts/7032 bytes][Goodput ratio: 72.2/76.8][0.53 sec][bytes ratio: -0.010 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 20.1/23.5 98/97 33.1/35.6][Pkt Len c2s/s2c min/avg/max/stddev: 106/106 383.0/468.8 1504/1911 467.5/575.9][TLSv1.2][Client: www.facebook.com][JA3C: eb7cdd4e7dea7a11b3016c3c9acbd2a3][ServerNames: *.facebook.com,facebook.com,*.xz.fbcdn.net,messenger.com,fb.com,*.m.facebook.com,*.fbsbx.com,*.xy.fbcdn.net,*.messenger.com,*.fb.com,*.fbcdn.net,*.xx.fbcdn.net,*.facebook.net][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate SHA-1: 93:C6:FD:1A:84:90:BB:F1:B2:3B:49:A0:9B:1F:6F:0B:46:7A:31:41][Validity: 2014-08-28 00:00:00 - 2015-12-31 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] 3 ICMPV6 [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 <-> [2604:a880:1:20::224:b001]:0 [proto: 102/ICMPV6][cat: Network/14][23 pkts/3174 bytes <-> 23 pkts/3174 bytes][Goodput ratio: 40.6/40.6][22.14 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1000/992 1000.8/1000.8 1001/1012 0.4/4.2][Pkt Len c2s/s2c min/avg/max/stddev: 138/138 138.0/138.0 138/138 0.0/0.0] 4 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:41538 <-> [2604:a880:1:20::224:b001]:80 [proto: 7/HTTP][cat: Web/5][6 pkts/786 bytes <-> 4 pkts/1006 bytes][Goodput ratio: 18.0/57.0][0.82 sec][Host: mail.tomasu.net][bytes ratio: -0.123 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/2 163.8/56.0 495/110 170.8/54.0][Pkt Len c2s/s2c min/avg/max/stddev: 106/106 131.0/251.5 248/680 52.4/247.4][URL: mail.tomasu.net/][StatusCode: 301][ContentType: 
text/html][UserAgent: Wget/1.16.3 (linux-gnu)][PLAIN TEXT (GET / HTTP/1.1)] 5 ICMPV6 [2a03:2880:1010:6f03:face:b00c::2]:0 -> [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 [proto: 102/ICMPV6][cat: Network/14][1 pkts/1314 bytes -> 0 pkts/0 bytes][Goodput ratio: 93.7/0.0][< 1 sec][PLAIN TEXT (ds 0/u6)] diff --git a/tests/result/KakaoTalk_chat.pcap.out b/tests/result/KakaoTalk_chat.pcap.out index 56040e1be..2909a3160 100644 --- a/tests/result/KakaoTalk_chat.pcap.out +++ b/tests/result/KakaoTalk_chat.pcap.out 
@@ -13,16 +13,16 @@ JA3 Host Stats: 1 10.24.82.188 3 - 1 TCP 10.24.82.188:43581 <-> 31.13.68.70:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][17 pkts/3461 bytes <-> 17 pkts/6194 bytes][Goodput ratio: 71.9/84.5][0.98 sec][bytes ratio: -0.283 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 33.1/57.0 123/297 41.2/77.4][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 203.6/364.4 1053/1336 304.3/448.8][TLSv1.2][Client: graph.facebook.com][JA3C: 051d20e8adbe8dac78945de300764d5e][Server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] - 2 TCP 10.24.82.188:45211 <-> 31.13.68.84:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][14 pkts/2575 bytes <-> 15 pkts/6502 bytes][Goodput ratio: 68.8/86.9][0.55 sec][bytes ratio: -0.433 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 31.2/34.8 106/208 36.5/55.7][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 183.9/433.5 1257/1336 331.5/513.1][TLSv1.2][Client: developers.facebook.com][JA3C: 051d20e8adbe8dac78945de300764d5e][Server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] - 3 TCP 10.24.82.188:45209 <-> 31.13.68.84:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][10 pkts/2584 bytes <-> 9 pkts/5123 bytes][Goodput ratio: 73.3/87.9][0.77 sec][bytes ratio: -0.329 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 95.6/75.0 312/350 98.3/119.1][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 258.4/569.2 1401/1456 416.1/539.9][TLSv1.2][Client: api.facebook.com][JA3C: 051d20e8adbe8dac78945de300764d5e][Server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate 
SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] - 4 TCP 10.24.82.188:35503 <-> 173.252.97.2:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][20 pkts/2849 bytes <-> 18 pkts/4742 bytes][Goodput ratio: 59.3/78.5][10.77 sec][bytes ratio: -0.249 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/4 410.8/374.9 2329/2320 582.3/599.4][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 142.4/263.4 710/1336 154.7/439.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][Server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] - 5 TCP 10.24.82.188:45213 <-> 31.13.68.84:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][15 pkts/2508 bytes <-> 13 pkts/5053 bytes][Goodput ratio: 65.7/85.4][0.86 sec][bytes ratio: -0.337 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 71.3/71.2 489/365 131.0/103.2][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 167.2/388.7 899/1336 222.0/490.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][Server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] - 6 TCP 10.24.82.188:35511 <-> 173.252.97.2:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][18 pkts/2390 bytes <-> 18 pkts/4762 bytes][Goodput ratio: 57.0/78.6][28.98 sec][bytes ratio: -0.332 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2049.7/118.1 26937/448 6904.3/126.7][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 132.8/264.6 578/1336 133.6/439.4][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][Server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Organization: 
Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] - 7 TCP 10.24.82.188:37821 <-> 210.103.240.15:443 [proto: 91.193/TLS.KakaoTalk][cat: Web/5][13 pkts/2036 bytes <-> 14 pkts/5090 bytes][Goodput ratio: 63.2/84.4][11.34 sec][bytes ratio: -0.429 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1113.6/74.5 10357/172 3082.4/61.9][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 156.6/363.6 429/1336 151.9/450.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][Server: *.kakao.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)][Organization: Kakao Corp.][Certificate SHA-1: 0D:14:6D:8D:5E:EB:F5:F5:42:87:CD:AB:AE:A1:DC:AA:5A:76:6F:E4][Validity: 2014-04-18 00:00:00 - 2016-04-17 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] + 1 TCP 10.24.82.188:43581 <-> 31.13.68.70:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][17 pkts/3461 bytes <-> 17 pkts/6194 bytes][Goodput ratio: 71.9/84.5][0.98 sec][bytes ratio: -0.283 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 33.1/57.0 123/297 41.2/77.4][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 203.6/364.4 1053/1336 304.3/448.8][TLSv1.2][Client: graph.facebook.com][JA3C: 051d20e8adbe8dac78945de300764d5e][ServerNames: *.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 
00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] + 2 TCP 10.24.82.188:45211 <-> 31.13.68.84:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][14 pkts/2575 bytes <-> 15 pkts/6502 bytes][Goodput ratio: 68.8/86.9][0.55 sec][bytes ratio: -0.433 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 31.2/34.8 106/208 36.5/55.7][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 183.9/433.5 1257/1336 331.5/513.1][TLSv1.2][Client: developers.facebook.com][JA3C: 051d20e8adbe8dac78945de300764d5e][ServerNames: *.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] + 3 TCP 10.24.82.188:45209 <-> 31.13.68.84:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][10 pkts/2584 bytes <-> 9 pkts/5123 bytes][Goodput ratio: 73.3/87.9][0.77 sec][bytes ratio: -0.329 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 95.6/75.0 312/350 98.3/119.1][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 258.4/569.2 1401/1456 416.1/539.9][TLSv1.2][Client: api.facebook.com][JA3C: 051d20e8adbe8dac78945de300764d5e][ServerNames: 
*.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] + 4 TCP 10.24.82.188:35503 <-> 173.252.97.2:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][20 pkts/2849 bytes <-> 18 pkts/4742 bytes][Goodput ratio: 59.3/78.5][10.77 sec][bytes ratio: -0.249 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/4 410.8/374.9 2329/2320 582.3/599.4][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 142.4/263.4 710/1336 154.7/439.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][ServerNames: *.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] + 5 TCP 
10.24.82.188:45213 <-> 31.13.68.84:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][15 pkts/2508 bytes <-> 13 pkts/5053 bytes][Goodput ratio: 65.7/85.4][0.86 sec][bytes ratio: -0.337 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 71.3/71.2 489/365 131.0/103.2][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 167.2/388.7 899/1336 222.0/490.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][ServerNames: *.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] + 6 TCP 10.24.82.188:35511 <-> 173.252.97.2:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][18 pkts/2390 bytes <-> 18 pkts/4762 bytes][Goodput ratio: 57.0/78.6][28.98 sec][bytes ratio: -0.332 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2049.7/118.1 26937/448 6904.3/126.7][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 132.8/264.6 578/1336 133.6/439.4][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][ServerNames: 
*.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] + 7 TCP 10.24.82.188:37821 <-> 210.103.240.15:443 [proto: 91.193/TLS.KakaoTalk][cat: Chat/9][13 pkts/2036 bytes <-> 14 pkts/5090 bytes][Goodput ratio: 63.2/84.4][11.34 sec][bytes ratio: -0.429 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1113.6/74.5 10357/172 3082.4/61.9][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 156.6/363.6 429/1336 151.9/450.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][ServerNames: *.kakao.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)][Organization: Kakao Corp.][Certificate SHA-1: 0D:14:6D:8D:5E:EB:F5:F5:42:87:CD:AB:AE:A1:DC:AA:5A:76:6F:E4][Validity: 2014-04-18 00:00:00 - 2016-04-17 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] 8 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][cat: Web/5][17 pkts/2231 bytes <-> 9 pkts/1695 bytes][Goodput ratio: 47.8/63.4][46.77 sec][bytes ratio: 0.137 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 50/36 2833.0/4340.0 12590/13131 4126.4/4406.8][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 131.2/188.3 657/274 136.4/75.5] 9 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/TLS][cat: Web/5][9 pkts/1737 bytes <-> 9 pkts/672 bytes][Goodput ratio: 70.9/25.0][24.52 sec][bytes ratio: 0.442 (Upload)][IAT c2s/s2c 
min/avg/max/stddev: 40/104 3455.9/3426.0 12765/12806 4427.1/4479.6][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 193.0/74.7 303/98 122.5/20.9] - 10 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91.178/TLS.Amazon][cat: Web/5][3 pkts/290 bytes <-> 3 pkts/1600 bytes][Goodput ratio: 26.8/86.7][0.31 sec][bytes ratio: -0.693 (Download)][IAT c2s/s2c min/avg/max/stddev: 15/5 107.0/56.5 199/108 92.0/51.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 96.7/533.3 146/1456 35.0/652.4][TLSv1][JA3C: d9ce50c62ab1fd5932da3c6b6d406c65][Server: *.push.samsungosp.com][JA3S: 986d18bb49fadf70a73a06ead3780d55 (INSECURE)][Organization: SAMSUNG ELECTRONICS CO., LTD][Certificate SHA-1: CE:C6:14:8F:23:A0:C2:C9:C5:9A:B0:BB:EC:1D:4A:7E:33:2A:43:12][Validity: 1999-12-31 15:02:10 - 2049-12-18 15:02:10][Cipher: TLS_RSA_WITH_RC4_128_MD5] + 10 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91.178/TLS.Amazon][cat: Web/5][3 pkts/290 bytes <-> 3 pkts/1600 bytes][Goodput ratio: 26.8/86.7][0.31 sec][bytes ratio: -0.693 (Download)][IAT c2s/s2c min/avg/max/stddev: 15/5 107.0/56.5 199/108 92.0/51.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 96.7/533.3 146/1456 35.0/652.4][TLSv1][JA3C: d9ce50c62ab1fd5932da3c6b6d406c65] 11 TCP 10.24.82.188:37557 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][5 pkts/487 bytes <-> 6 pkts/627 bytes][Goodput ratio: 38.3/45.1][21.97 sec][Host: www.facebook.com][bytes ratio: -0.126 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 40/40 114.7/101.7 264/210 105.6/76.8][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 97.4/104.5 243/339 73.2/104.9][URL: www.facebook.com/mobile/status.php][StatusCode: 204][ContentType: ][UserAgent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI/V6.4.3.0.KXDMICB)][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)] 12 TCP 10.24.82.188:37553 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][5 pkts/487 bytes <-> 5 pkts/571 bytes][Goodput ratio: 38.3/49.5][21.81 sec][Host: www.facebook.com][bytes ratio: -0.079 
(Mixed)][IAT c2s/s2c min/avg/max/stddev: 43/38 5451.5/101.3 21457/215 9241.2/80.5][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 97.4/114.2 243/339 73.2/112.4][URL: www.facebook.com/mobile/status.php][StatusCode: 204][ContentType: ][UserAgent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI/V6.4.3.0.KXDMICB)][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)] 13 TCP 216.58.221.10:80 <-> 10.24.82.188:35922 [proto: 7.126/HTTP.Google][cat: Web/5][7 pkts/392 bytes <-> 7 pkts/392 bytes][Goodput ratio: 0.0/0.0][25.75 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 136/98 3845.2/3844.4 13075/13111 4718.5/4734.8][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 56.0/56.0 56/56 0.0/0.0] diff --git a/tests/result/KakaoTalk_talk.pcap.out b/tests/result/KakaoTalk_talk.pcap.out index 6efaf36b6..748a1b62a 100644 --- a/tests/result/KakaoTalk_talk.pcap.out +++ b/tests/result/KakaoTalk_talk.pcap.out 
@@ -15,8 +15,8 @@ JA3 Host Stats: 1 UDP 10.24.82.188:11320 <-> 1.201.1.174:23044 [proto: 87/RTP][cat: Media/1][757 pkts/106335 bytes <-> 746 pkts/93906 bytes][Goodput ratio: 68.7/65.0][45.42 sec][bytes ratio: 0.062 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 56.7/47.6 202/340 48.7/48.1][Pkt Len c2s/s2c min/avg/max/stddev: 99/99 140.5/125.9 234/236 43.2/33.1][PLAIN TEXT (46yOXQ)] 2 UDP 10.24.82.188:10268 <-> 1.201.1.174:23046 [proto: 87/RTP][cat: Media/1][746 pkts/93906 bytes <-> 742 pkts/104604 bytes][Goodput ratio: 65.0/68.8][45.02 sec][bytes ratio: -0.054 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 5/0 58.3/49.1 112/476 22.7/54.4][Pkt Len c2s/s2c min/avg/max/stddev: 99/99 125.9/141.0 236/234 33.1/43.4][PLAIN TEXT (46yOXQ)] - 3 TCP 10.24.82.188:58857 <-> 110.76.143.50:9001 [proto: 91/TLS][cat: Web/5][22 pkts/5326 bytes <-> 18 pkts/5212 bytes][Goodput ratio: 71.7/75.9][51.59 sec][bytes ratio: 0.011 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 14/0 2358.4/3527.6 20472/21237 5097.7/5912.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 242.1/289.6 878/920 253.9/276.1][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][Server: kakao.com][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][Organization: Kakao][Certificate SHA-1: 65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9][Validity: 2011-12-05 09:19:25 - 2021-12-02 09:19:25][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] - 4 TCP 10.24.82.188:32968 <-> 110.76.143.50:8080 [proto: 91/TLS][cat: Web/5][23 pkts/4380 bytes <-> 22 pkts/5728 bytes][Goodput ratio: 64.1/73.3][52.84 sec][bytes ratio: -0.133 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/0 691.3/1317.3 6069/10226 1399.3/2632.2][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 190.4/260.4 814/920 164.3/240.9][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][Server: kakao.com][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][Organization: Kakao][Certificate SHA-1: 65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9][Validity: 2011-12-05 09:19:25 - 2021-12-02 09:19:25][Cipher: 
TLS_RSA_WITH_AES_128_CBC_SHA] + 3 TCP 10.24.82.188:58857 <-> 110.76.143.50:9001 [proto: 91/TLS][cat: Web/5][22 pkts/5326 bytes <-> 18 pkts/5212 bytes][Goodput ratio: 71.7/75.9][51.59 sec][bytes ratio: 0.011 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 14/0 2358.4/3527.6 20472/21237 5097.7/5912.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 242.1/289.6 878/920 253.9/276.1][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][Organization: Kakao][Certificate SHA-1: 65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9][Validity: 2011-12-05 09:19:25 - 2021-12-02 09:19:25][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] + 4 TCP 10.24.82.188:32968 <-> 110.76.143.50:8080 [proto: 91/TLS][cat: Web/5][23 pkts/4380 bytes <-> 22 pkts/5728 bytes][Goodput ratio: 64.1/73.3][52.84 sec][bytes ratio: -0.133 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/0 691.3/1317.3 6069/10226 1399.3/2632.2][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 190.4/260.4 814/920 164.3/240.9][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][Organization: Kakao][Certificate SHA-1: 65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9][Validity: 2011-12-05 09:19:25 - 2021-12-02 09:19:25][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] 5 TCP 10.24.82.188:59954 <-> 173.252.88.128:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][15 pkts/2932 bytes <-> 14 pkts/1092 bytes][Goodput ratio: 70.6/27.4][1.96 sec][bytes ratio: 0.457 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 140.8/117.3 494/295 163.1/91.9][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 195.5/78.0 735/189 228.1/34.6][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 07dddc59e60135c7b479d39c3ae686af][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] 6 UDP 10.24.82.188:10269 <-> 1.201.1.174:23047 [proto: 194/KakaoTalk_Voice][cat: VoIP/10][12 pkts/1692 bytes <-> 10 pkts/1420 bytes][Goodput ratio: 68.8/69.0][45.10 sec][bytes ratio: 0.087 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1062/3176 
4202.8/4246.6 4716/5160 1130.8/719.3][Pkt Len c2s/s2c min/avg/max/stddev: 122/142 141.0/142.0 150/142 6.1/0.0] 7 UDP 10.24.82.188:11321 <-> 1.201.1.174:23045 [proto: 194/KakaoTalk_Voice][cat: VoIP/10][11 pkts/1542 bytes <-> 11 pkts/1542 bytes][Goodput ratio: 68.6/68.6][43.84 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1105/1052 4266.5/3766.4 4903/4991 1244.7/1143.7][Pkt Len c2s/s2c min/avg/max/stddev: 122/122 140.2/140.2 142/142 5.7/5.7] diff --git a/tests/result/anyconnect-vpn.pcap.out b/tests/result/anyconnect-vpn.pcap.out index e4841247f..5e3702ed3 100644 --- a/tests/result/anyconnect-vpn.pcap.out +++ b/tests/result/anyconnect-vpn.pcap.out 
@@ -21,10 +21,10 @@ JA3 Host Stats: 1 10.0.0.227 4 - 1 TCP 10.0.0.227:56929 <-> 8.37.102.91:443 [proto: 91/TLS][cat: Web/5][48 pkts/9073 bytes <-> 44 pkts/18703 bytes][Goodput ratio: 64.9/84.4][21.89 sec][bytes ratio: -0.347 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10.8/10.8 97/138 21.4/26.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 189.0/425.1 1514/1514 245.6/579.0][TLSv1.2][JA3C: c9f0b47c9805f516e6d3900cb51f7841][Server: *.pandion.viasat.com][JA3S: 01cbbd332fc4ce7d5925ebd825882842 (WEAK)][Organization: Viasat Inc.][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 2 TCP 10.0.0.227:56919 <-> 8.37.102.91:443 [proto: 91/TLS][cat: Web/5][28 pkts/9088 bytes <-> 26 pkts/16944 bytes][Goodput ratio: 79.5/89.8][23.14 sec][bytes ratio: -0.302 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1047.6/486.8 11570/9008 2986.7/2008.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 324.6/651.7 1514/1514 493.8/646.0][TLSv1.2][JA3C: 9f1a41f932f274fe47a992310a26a23a][Server: *.pandion.viasat.com][JA3S: 01cbbd332fc4ce7d5925ebd825882842 (WEAK)][Organization: Viasat Inc.][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 3 TCP 10.0.0.227:56921 <-> 8.37.96.194:4287 [proto: 91/TLS][cat: Web/5][29 pkts/5373 bytes <-> 28 pkts/7580 bytes][Goodput ratio: 64.1/75.5][2.30 sec][bytes ratio: -0.170 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 90.8/63.5 593/619 144.9/135.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 185.3/270.7 1261/1434 259.0/387.4][TLSv1.2][JA3C: e3adec914f3893f18136762f1c0d7d81][JA3S: e54965894d6b45ecb4323c7ea3d6c115][Certificate SHA-1: 86:2A:47:EF:00:68:79:60:7F:94:E2:91:6F:E0:38:82:37:8A:8E:2E][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] - 4 TCP 10.0.0.227:56918 <-> 8.37.102.91:443 [proto: 91/TLS][cat: Web/5][16 pkts/2739 bytes 
<-> 14 pkts/7315 bytes][Goodput ratio: 61.0/87.3][0.35 sec][bytes ratio: -0.455 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 22.8/26.1 48/88 21.3/28.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 171.2/522.5 1175/1514 273.9/624.5][TLSv1.2][JA3C: 9f1a41f932f274fe47a992310a26a23a][Server: *.pandion.viasat.com][JA3S: 01cbbd332fc4ce7d5925ebd825882842 (WEAK)][Organization: Viasat Inc.][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 1 TCP 10.0.0.227:56929 <-> 8.37.102.91:443 [proto: 91/TLS][cat: Web/5][48 pkts/9073 bytes <-> 44 pkts/18703 bytes][Goodput ratio: 64.9/84.4][21.89 sec][bytes ratio: -0.347 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10.8/10.8 97/138 21.4/26.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 189.0/425.1 1514/1514 245.6/579.0][TLSv1.2][JA3C: c9f0b47c9805f516e6d3900cb51f7841][ServerNames: *.pandion.viasat.com,pandion.viasat.com][JA3S: 82f0d8a75fa483d1cfe4b7085b784d7e (WEAK)][Organization: Viasat Inc.][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 2 TCP 10.0.0.227:56919 <-> 8.37.102.91:443 [proto: 91/TLS][cat: Web/5][28 pkts/9088 bytes <-> 26 pkts/16944 bytes][Goodput ratio: 79.5/89.8][23.14 sec][bytes ratio: -0.302 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1047.6/486.8 11570/9008 2986.7/2008.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 324.6/651.7 1514/1514 493.8/646.0][TLSv1.2][JA3C: 9f1a41f932f274fe47a992310a26a23a][ServerNames: *.pandion.viasat.com,pandion.viasat.com][JA3S: 82f0d8a75fa483d1cfe4b7085b784d7e (WEAK)][Organization: Viasat Inc.][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 3 TCP 10.0.0.227:56921 <-> 8.37.96.194:4287 [proto: 91/TLS][cat: Web/5][29 
pkts/5373 bytes <-> 28 pkts/7580 bytes][Goodput ratio: 64.1/75.5][2.30 sec][bytes ratio: -0.170 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 90.8/63.5 593/619 144.9/135.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 185.3/270.7 1261/1434 259.0/387.4][TLSv1.2][JA3C: e3adec914f3893f18136762f1c0d7d81][JA3S: e54965894d6b45ecb4323c7ea3d6c115][Organization: Code42][Certificate SHA-1: 86:2A:47:EF:00:68:79:60:7F:94:E2:91:6F:E0:38:82:37:8A:8E:2E][Validity: 2019-08-29 00:12:40 - 2019-10-08 00:12:40][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] + 4 TCP 10.0.0.227:56918 <-> 8.37.102.91:443 [proto: 91/TLS][cat: Web/5][16 pkts/2739 bytes <-> 14 pkts/7315 bytes][Goodput ratio: 61.0/87.3][0.35 sec][bytes ratio: -0.455 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 22.8/26.1 48/88 21.3/28.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 171.2/522.5 1175/1514 273.9/624.5][TLSv1.2][JA3C: 9f1a41f932f274fe47a992310a26a23a][ServerNames: *.pandion.viasat.com,pandion.viasat.com][JA3S: 82f0d8a75fa483d1cfe4b7085b784d7e (WEAK)][Organization: Viasat Inc.][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] 5 TCP 10.0.0.227:56920 <-> 99.86.34.156:443 [proto: 91.118/TLS.Slack][cat: Collaborative/15][16 pkts/2949 bytes <-> 11 pkts/1876 bytes][Goodput ratio: 63.8/60.8][11.47 sec][bytes ratio: 0.222 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 866.5/28.1 11074/80 2946.8/34.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 184.3/170.5 853/487 228.0/155.1][TLSv1.2][Client: slack.com][JA3C: d8dc5f8940df366b3a58b935569143e8][JA3S: 7bee5c1d424b7e5f943b06983bb11422][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 6 TCP 10.0.0.227:56884 <-> 184.25.56.77:80 [proto: 7/HTTP][cat: Web/5][12 pkts/2303 bytes <-> 7 pkts/2382 bytes][Goodput ratio: 66.6/80.6][18.51 sec][Host: detectportal.firefox.com][bytes ratio: -0.017 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 7/31 1824.1/3641.6 10081/10083 
3592.5/4384.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 191.9/340.3 373/450 153.1/173.5][URL: detectportal.firefox.com/success.txt?ipv4][StatusCode: 200][ContentType: ][UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0][PLAIN TEXT (GET /success.txt)] 7 TCP 10.0.0.227:56320 <-> 10.0.0.149:8009 [proto: 161/CiscoVPN][cat: VPN/2][20 pkts/2420 bytes <-> 10 pkts/1760 bytes][Goodput ratio: 45.4/62.5][45.04 sec][bytes ratio: 0.158 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/5003 2648.5/5003.6 5001/5006 2494.5/1.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/176 121.0/176.0 176/176 55.0/0.0] diff --git a/tests/result/dns_dot.pcap.out b/tests/result/dns_dot.pcap.out index f555047b0..0fdb72f4b 100644 --- a/tests/result/dns_dot.pcap.out +++ b/tests/result/dns_dot.pcap.out 
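Review bot: The expected JA3S for flows 1, 2 and 4 in anyconnect-vpn.pcap.out changes from `01cbbd332fc4ce7d5925ebd825882842` to `82f0d8a75fa483d1cfe4b7085b784d7e`, although JA3C, TLS version and cipher on those lines are unchanged, and nothing in this hunk says which value is correct. JA3S is used as a matching key, so a change in how it is derived would make fingerprints previously recorded for the same server stop matching. Before accepting the baseline, check the new hash against an independent JA3S calculation on this capture and record the cause in the commit description, for example `JA3S for 8.37.102.91 changes because <reason>`.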
@@ -5,4 +5,4 @@ JA3 Host Stats: 1 192.168.1.185 1 - 1 TCP 192.168.1.185:58290 <-> 8.8.8.8:853 [proto: 91.196/TLS.DoH_DoT][cat: Web/5][14 pkts/1480 bytes <-> 10 pkts/4389 bytes][Goodput ratio: 37.0/84.8][3.01 sec][bytes ratio: -0.496 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 269.6/181.6 1596/1192 531.3/412.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 105.7/438.9 264/3135 52.7/903.0][TLSv1.2][JA3C: 4fe4099926d0acdc9b2fe4b02013659f][Server: dns.google][JA3S: 2b341b88c742e940cfb485ce7d93dde7][Organization: Google LLC][Certificate SHA-1: BE:73:46:2A:2E:FB:A9:E9:42:D0:71:10:1B:8C:BF:44:6A:5D:AD:53][Validity: 2017-06-15 00:00:42 - 2021-12-15 00:00:42][Cipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256] + 1 TCP 192.168.1.185:58290 <-> 8.8.8.8:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][14 pkts/1480 bytes <-> 10 pkts/4389 bytes][Goodput ratio: 37.0/84.8][3.01 sec][bytes ratio: -0.496 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 269.6/181.6 1596/1192 531.3/412.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 105.7/438.9 264/3135 52.7/903.0][TLSv1.2][JA3C: 4fe4099926d0acdc9b2fe4b02013659f][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: 2b341b88c742e940cfb485ce7d93dde7][Organization: Google LLC][Certificate SHA-1: BE:73:46:2A:2E:FB:A9:E9:42:D0:71:10:1B:8C:BF:44:6A:5D:AD:53][Validity: 2019-10-10 20:58:42 - 2020-01-02 20:58:42][Cipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256] diff --git a/tests/result/dnscrypt.pcap.out b/tests/result/dnscrypt.pcap.out index 1d51685ac..6877ec9e9 100644 --- a/tests/result/dnscrypt.pcap.out +++ b/tests/result/dnscrypt.pcap.out 
@@ -5,7 +5,7 @@ JA3 Host Stats: 1 192.168.43.167 2 - 1 TCP 192.168.43.167:50233 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][18 pkts/1788 bytes <-> 21 pkts/14580 bytes][Goodput ratio: 44.9/92.1][0.71 sec][bytes ratio: -0.782 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 36.3/19.9 114/119 43.4/33.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 99.3/694.3 272/1364 67.6/593.9][TLSv1.2][Client: simplednscrypt.org][JA3C: b8f81673c0e1d29908346f3bab892b9b][Server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 2 TCP 192.168.43.167:50259 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][18 pkts/1988 bytes <-> 18 pkts/9290 bytes][Goodput ratio: 50.5/89.4][0.52 sec][bytes ratio: -0.647 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 24.9/24.9 105/106 34.0/34.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 110.4/516.1 334/1364 76.2/542.4][TLSv1.2][Client: simplednscrypt.org][JA3C: 83e04bc58d402f9633983cbf22724b02][Server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 3 TCP 192.168.43.167:50253 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][Goodput ratio: 43.0/92.9][0.44 sec][bytes ratio: -0.817 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 72.5/31.5 188/124 74.3/50.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 97.5/773.5 264/1364 75.0/597.4][TLSv1.2][Client: simplednscrypt.org][JA3C: 83e04bc58d402f9633983cbf22724b02][Server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: 
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 4 TCP 192.168.43.167:50258 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][Goodput ratio: 43.0/92.9][0.36 sec][bytes ratio: -0.817 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 59.5/32.5 136/140 58.9/52.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 97.5/773.5 264/1364 75.0/597.4][TLSv1.2][Client: simplednscrypt.org][JA3C: 83e04bc58d402f9633983cbf22724b02][Server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 1 TCP 192.168.43.167:50233 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][18 pkts/1788 bytes <-> 21 pkts/14580 bytes][Goodput ratio: 44.9/92.1][0.71 sec][bytes ratio: -0.782 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 36.3/19.9 114/119 43.4/33.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 99.3/694.3 272/1364 67.6/593.9][TLSv1.2][Client: simplednscrypt.org][JA3C: b8f81673c0e1d29908346f3bab892b9b][ServerNames: simplednscrypt.org,www.simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 2 TCP 192.168.43.167:50259 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][18 pkts/1988 bytes <-> 18 pkts/9290 bytes][Goodput ratio: 50.5/89.4][0.52 sec][bytes ratio: -0.647 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 24.9/24.9 105/106 34.0/34.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 110.4/516.1 334/1364 76.2/542.4][TLSv1.2][Client: simplednscrypt.org][JA3C: 83e04bc58d402f9633983cbf22724b02][ServerNames: simplednscrypt.org,www.simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 
23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 3 TCP 192.168.43.167:50253 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][Goodput ratio: 43.0/92.9][0.44 sec][bytes ratio: -0.817 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 72.5/31.5 188/124 74.3/50.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 97.5/773.5 264/1364 75.0/597.4][TLSv1.2][Client: simplednscrypt.org][JA3C: 83e04bc58d402f9633983cbf22724b02][ServerNames: simplednscrypt.org,www.simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 4 TCP 192.168.43.167:50258 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][Goodput ratio: 43.0/92.9][0.36 sec][bytes ratio: -0.817 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 59.5/32.5 136/140 58.9/52.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 97.5/773.5 264/1364 75.0/597.4][TLSv1.2][Client: simplednscrypt.org][JA3C: 83e04bc58d402f9633983cbf22724b02][ServerNames: simplednscrypt.org,www.simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] diff --git a/tests/result/dtls.pcap.out b/tests/result/dtls.pcap.out new file mode 100644 index 000000000..16c4cf556 --- /dev/null +++ b/tests/result/dtls.pcap.out @@ -0,0 +1,8 @@ +TLS 2 394 1 + +JA3 Host Stats: + IP Address # JA3C + 1 192.168.13.203 1 + + + 1 UDP 192.168.13.203:40739 -> 192.168.13.57:56515 [proto: 91/TLS][cat: Web/5][2 pkts/394 bytes -> 0 pkts/0 bytes][Goodput ratio: 78.5/0.0][< 1 sec][DTLSv1.2][JA3C: bd743610892cec1efed851b2b5efd4f5] diff --git a/tests/result/facebook.pcap.out b/tests/result/facebook.pcap.out index 043e9d33e..357bb7a09 100644 
--- a/tests/result/facebook.pcap.out +++ b/tests/result/facebook.pcap.out 
@@ -6,4 +6,4 @@ JA3 Host Stats: 1 TCP 192.168.43.18:44614 <-> 31.13.86.36:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][19 pkts/2664 bytes <-> 22 pkts/22102 bytes][Goodput ratio: 52.6/93.4][0.68 sec][bytes ratio: -0.785 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 35.1/30.5 154/154 52.5/52.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 140.2/1004.6 583/1454 137.4/604.5][TLSv1.2][Client: www.facebook.com][JA3C: 5c60e71f1b8cd40e4d40ed5b6d666e3f][JA3S: 96681175a9547081bf3d417f1a572091][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] - 2 TCP 192.168.43.18:52066 <-> 66.220.156.68:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][9 pkts/1345 bytes <-> 10 pkts/4400 bytes][Goodput ratio: 55.2/84.8][1.30 sec][bytes ratio: -0.532 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 148.4/73.2 414/313 171.7/127.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 149.4/440.0 449/1454 124.6/521.5][TLSv1.2][Client: facebook.com][JA3C: bfcc1a3891601edb4f137ab7ab25b840][Server: *.facebook.com][JA3S: 2d1eb5817ece335c24904f516ad5da12][Organization: Facebook, Inc.][Certificate SHA-1: A0:4E:AF:B3:48:C2:6B:15:A8:C1:AA:87:A3:33:CA:A3:CD:EE:C9:C9][Validity: 2014-08-28 00:00:00 - 2016-12-30 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] + 2 TCP 192.168.43.18:52066 <-> 66.220.156.68:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][9 pkts/1345 bytes <-> 10 pkts/4400 bytes][Goodput ratio: 55.2/84.8][1.30 sec][bytes ratio: -0.532 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 148.4/73.2 414/313 171.7/127.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 149.4/440.0 449/1454 124.6/521.5][TLSv1.2][Client: facebook.com][JA3C: bfcc1a3891601edb4f137ab7ab25b840][ServerNames: *.facebook.com,*.facebook.net,*.fb.com,*.fbcdn.net,*.fbsbx.com,*.m.facebook.com,*.messenger.com,*.xx.fbcdn.net,*.xy.fbcdn.net,*.xz.fbcdn.net,facebook.com,fb.com,messenger.com][JA3S: 2d1eb5817ece335c24904f516ad5da12][Organization: Facebook, Inc.][Certificate SHA-1: 
A0:4E:AF:B3:48:C2:6B:15:A8:C1:AA:87:A3:33:CA:A3:CD:EE:C9:C9][Validity: 2014-08-28 00:00:00 - 2016-12-30 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] diff --git a/tests/result/google_ssl.pcap.out b/tests/result/google_ssl.pcap.out index 4a2aa2c90..271f80d35 100644 --- a/tests/result/google_ssl.pcap.out +++ b/tests/result/google_ssl.pcap.out @@ -1,7 +1,3 @@ Google 28 9108 1 -JA3 Host Stats: - IP Address # JA3C - - - 1 TCP 172.31.3.224:42835 <-> 216.58.212.100:443 [proto: 91.126/TLS.Google][cat: Web/5][16 pkts/1512 bytes <-> 12 pkts/7596 bytes][Goodput ratio: 42.6/91.1][6.67 sec][bytes ratio: -0.668 (Download)][IAT c2s/s2c min/avg/max/stddev: 76/66 422.0/543.8 1185/1213 375.8/401.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 94.5/633.0 368/1484 86.7/622.2][TLSv1][Server: www.google.com][JA3S: 7252ecc446aba4a3e474793ae320609a (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_SHA] + 1 TCP 172.31.3.224:42835 <-> 216.58.212.100:443 [proto: 91.126/TLS.Google][cat: Web/5][16 pkts/1512 bytes <-> 12 pkts/7596 bytes][Goodput ratio: 42.6/91.1][6.67 sec][bytes ratio: -0.668 (Download)][IAT c2s/s2c min/avg/max/stddev: 76/66 422.0/543.8 1185/1213 375.8/401.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 94.5/633.0 368/1484 86.7/622.2][PLAIN TEXT (@zgsiP)] diff --git a/tests/result/http_ipv6.pcap.out b/tests/result/http_ipv6.pcap.out index 21606f75a..48a0e99da 100644 --- a/tests/result/http_ipv6.pcap.out +++ b/tests/result/http_ipv6.pcap.out 
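Review bot: The new baseline for google_ssl.pcap.out drops every TLS field from flow 1 (`[TLSv1]`, `[Server: www.google.com]`, `[JA3S: 7252ecc446aba4a3e474793ae320609a (INSECURE)]`, `[Cipher: TLS_RSA_WITH_RC4_128_SHA]`) while the flow is still classified as `91.126/TLS.Google`, so the test now passes with the RC4 finding missing. The old line had no JA3C, which suggests the capture has no ClientHello and the dissector now extracts nothing in that case; this is an inference and should be checked. Flow 10 in KakaoTalk_chat.pcap.out loses its `(INSECURE)` JA3S and its `TLS_RSA_WITH_RC4_128_MD5` cipher in the same way. I would keep the old expected line here until server-side-only handshakes are parsed again, or state in the commit description that the loss is intended.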
@@ -10,12 +10,12 @@ JA3 Host Stats: 1 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:45931 <-> [2a00:1450:4001:803::1017]:443 [proto: 188.126/QUIC.Google][cat: Web/5][33 pkts/7741 bytes <-> 29 pkts/8236 bytes][Goodput ratio: 73.6/78.2][11.12 sec][Host: www.google.it][bytes ratio: -0.031 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 11/2 411.9/168.2 6008/1778 1177.1/366.5][Pkt Len c2s/s2c min/avg/max/stddev: 99/91 234.6/284.0 1412/1412 285.7/300.8][PLAIN TEXT (www.google.it)] - 2 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37506 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][cat: Network/14][14 pkts/3969 bytes <-> 12 pkts/11648 bytes][Goodput ratio: 69.4/91.1][0.43 sec][bytes ratio: -0.492 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 36.6/44.3 229/290 62.1/87.8][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 283.5/970.7 919/1514 323.7/538.6][TLSv1][Client: www.ntop.org][JA3C: d3e627f423a33ea41841c19b8af79293][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34] - 3 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37486 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][cat: Network/14][11 pkts/1292 bytes <-> 8 pkts/5722 bytes][Goodput ratio: 26.1/87.8][0.17 sec][bytes ratio: -0.632 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 18.4/10.8 64/27 19.3/12.4][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 117.5/715.2 298/1514 67.4/607.6][TLSv1][Client: www.ntop.org][JA3C: d3e627f423a33ea41841c19b8af79293][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34] - 4 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37494 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][cat: Network/14][10 pkts/1206 bytes <-> 8 pkts/5722 bytes][Goodput ratio: 28.0/87.8][0.12 sec][bytes ratio: -0.652 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 14.8/9.0 50/23 16.2/10.3][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 120.6/715.2 298/1514 69.9/607.6][TLSv1][Client: www.ntop.org][JA3C: d3e627f423a33ea41841c19b8af79293][Certificate SHA-1: 
FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34] - 5 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37488 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][cat: Network/14][10 pkts/1206 bytes <-> 7 pkts/5636 bytes][Goodput ratio: 28.0/89.2][0.17 sec][bytes ratio: -0.647 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 19.8/8.8 63/25 19.7/10.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 120.6/805.1 298/2754 69.9/929.1][TLSv1][Client: www.ntop.org][JA3C: d3e627f423a33ea41841c19b8af79293][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34] - 6 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53132 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][7 pkts/960 bytes <-> 5 pkts/4227 bytes][Goodput ratio: 36.4/89.6][0.06 sec][bytes ratio: -0.630 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3.4/2.7 8/7 3.4/3.1][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 137.1/845.4 310/2942 82.6/1077.9][TLSv1.2][Client: s-static.ak.facebook.com][JA3C: d3e627f423a33ea41841c19b8af79293][Server: *.ak.fbcdn.net][JA3S: b898351eb5e266aefd3723d466935494][Organization: Facebook, Inc.][Certificate SHA-1: E7:62:76:74:8D:09:F7:E9:69:05:B8:1A:37:A1:30:2D:FF:3B:BC:0A][Validity: 2008-04-02 12:00:00 - 2022-04-03 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 7 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53134 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][6 pkts/874 bytes <-> 4 pkts/4141 bytes][Goodput ratio: 40.0/91.5][0.06 sec][bytes ratio: -0.651 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 11.8/5.3 43/8 15.9/3.1][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 145.7/1035.2 310/3633 86.4/1503.0][TLSv1.2][Client: s-static.ak.facebook.com][JA3C: d3e627f423a33ea41841c19b8af79293][Server: *.ak.fbcdn.net][JA3S: b898351eb5e266aefd3723d466935494][Organization: Facebook, Inc.][Certificate SHA-1: E7:62:76:74:8D:09:F7:E9:69:05:B8:1A:37:A1:30:2D:FF:3B:BC:0A][Validity: 2008-04-02 12:00:00 - 2022-04-03 
00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 2 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37506 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][cat: Network/14][14 pkts/3969 bytes <-> 12 pkts/11648 bytes][Goodput ratio: 69.4/91.1][0.43 sec][bytes ratio: -0.492 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 36.6/44.3 229/290 62.1/87.8][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 283.5/970.7 919/1514 323.7/538.6][TLSv1.2][Client: www.ntop.org][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: shop.ntop.org,www.shop.ntop.org][JA3S: 389ed42c02ebecc32e73aa31def07e14][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34][Validity: 2015-11-15 00:00:00 - 2018-11-14 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 3 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37486 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][cat: Network/14][11 pkts/1292 bytes <-> 8 pkts/5722 bytes][Goodput ratio: 26.1/87.8][0.17 sec][bytes ratio: -0.632 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 18.4/10.8 64/27 19.3/12.4][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 117.5/715.2 298/1514 67.4/607.6][TLSv1.2][Client: www.ntop.org][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: shop.ntop.org,www.shop.ntop.org][JA3S: 389ed42c02ebecc32e73aa31def07e14][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34][Validity: 2015-11-15 00:00:00 - 2018-11-14 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 4 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37494 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][cat: Network/14][10 pkts/1206 bytes <-> 8 pkts/5722 bytes][Goodput ratio: 28.0/87.8][0.12 sec][bytes ratio: -0.652 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 14.8/9.0 50/23 16.2/10.3][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 120.6/715.2 298/1514 69.9/607.6][TLSv1.2][Client: www.ntop.org][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: shop.ntop.org,www.shop.ntop.org][JA3S: 
389ed42c02ebecc32e73aa31def07e14][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34][Validity: 2015-11-15 00:00:00 - 2018-11-14 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 5 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37488 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][cat: Network/14][10 pkts/1206 bytes <-> 7 pkts/5636 bytes][Goodput ratio: 28.0/89.2][0.17 sec][bytes ratio: -0.647 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 19.8/8.8 63/25 19.7/10.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 120.6/805.1 298/2754 69.9/929.1][TLSv1.2][Client: www.ntop.org][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: shop.ntop.org,www.shop.ntop.org][JA3S: 389ed42c02ebecc32e73aa31def07e14][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34][Validity: 2015-11-15 00:00:00 - 2018-11-14 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 6 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53132 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][7 pkts/960 bytes <-> 5 pkts/4227 bytes][Goodput ratio: 36.4/89.6][0.06 sec][bytes ratio: -0.630 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3.4/2.7 8/7 3.4/3.1][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 137.1/845.4 310/2942 82.6/1077.9][TLSv1.2][Client: s-static.ak.facebook.com][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: *.ak.fbcdn.net,s-static.ak.fbcdn.net,igsonar.com,*.igsonar.com,ak.facebook.com,*.ak.facebook.com,*.s-static.ak.facebook.com,connect.facebook.net,s-static.ak.facebook.com][JA3S: b898351eb5e266aefd3723d466935494][Organization: Facebook, Inc.][Certificate SHA-1: E7:62:76:74:8D:09:F7:E9:69:05:B8:1A:37:A1:30:2D:FF:3B:BC:0A][Validity: 2015-08-12 00:00:00 - 2015-12-31 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 7 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53134 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][6 pkts/874 bytes <-> 4 pkts/4141 bytes][Goodput ratio: 
40.0/91.5][0.06 sec][bytes ratio: -0.651 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 11.8/5.3 43/8 15.9/3.1][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 145.7/1035.2 310/3633 86.4/1503.0][TLSv1.2][Client: s-static.ak.facebook.com][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: *.ak.fbcdn.net,s-static.ak.fbcdn.net,igsonar.com,*.igsonar.com,ak.facebook.com,*.ak.facebook.com,*.s-static.ak.facebook.com,connect.facebook.net,s-static.ak.facebook.com][JA3S: b898351eb5e266aefd3723d466935494][Organization: Facebook, Inc.][Certificate SHA-1: E7:62:76:74:8D:09:F7:E9:69:05:B8:1A:37:A1:30:2D:FF:3B:BC:0A][Validity: 2015-08-12 00:00:00 - 2015-12-31 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 8 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:41776 <-> [2a00:1450:4001:803::1017]:443 [proto: 91/TLS][cat: Web/5][7 pkts/860 bytes <-> 7 pkts/1353 bytes][Goodput ratio: 30.0/55.5][0.12 sec][bytes ratio: -0.223 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10.8/6.0 30/30 13.4/12.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 122.9/193.3 268/592 61.5/171.9] 9 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:55145 <-> [2a00:1450:400b:c02::5f]:443 [proto: 188/QUIC][cat: Web/5][2 pkts/359 bytes <-> 1 pkts/143 bytes][Goodput ratio: 65.3/56.2][0.07 sec] 10 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:33062 <-> [2a00:1450:400b:c02::9a]:443 [proto: 91/TLS][cat: Web/5][1 pkts/86 bytes <-> 1 pkts/86 bytes][Goodput ratio: 0.0/0.0][0.04 sec] diff --git a/tests/result/instagram.pcap.out b/tests/result/instagram.pcap.out index c038f30fc..64f0d32f0 100644 --- a/tests/result/instagram.pcap.out +++ b/tests/result/instagram.pcap.out 
@@ -14,18 +14,18 @@ JA3 Host Stats: 1 TCP 31.13.86.52:80 <-> 192.168.0.103:58216 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][103 pkts/150456 bytes <-> 47 pkts/3102 bytes][Goodput ratio: 95.5/0.0][1.71 sec][bytes ratio: 0.960 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 18.6/40.9 1246/1247 136.9/216.6][Pkt Len c2s/s2c min/avg/max/stddev: 1128/66 1460.7/66.0 1464/66 32.9/0.0][PLAIN TEXT (dnlN/L)] 2 TCP 192.168.0.103:38816 <-> 46.33.70.160:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][13 pkts/1118 bytes <-> 39 pkts/57876 bytes][Goodput ratio: 23.2/95.6][0.07 sec][Host: photos-h.ak.instagram.com][bytes ratio: -0.962 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5.6/0.3 33/2 11.2/0.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/1484 86.0/1484.0 326/1484 69.3/0.0][URL: photos-h.ak.instagram.com/hphotos-ak-xap1/t51.2885-15/e35/10859994_1009433792434447_1627646062_n.jpg?se=7][StatusCode: 200][ContentType: ][UserAgent: Instagram 7.1.1 Android (19/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)][PLAIN TEXT (GET /hphotos)] 3 TCP 192.168.0.103:58052 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][37 pkts/2702 bytes <-> 38 pkts/54537 bytes][Goodput ratio: 9.6/95.4][0.09 sec][Host: photos-g.ak.instagram.com][bytes ratio: -0.906 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2.4/0.5 62/2 11.3/0.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/396 73.0/1435.2 326/1484 42.2/209.5][URL: photos-g.ak.instagram.com/hphotos-ak-xaf1/t51.2885-15/e35/11417349_1610424452559638_1559096152_n.jpg?se=7][StatusCode: 200][ContentType: ][UserAgent: Instagram 7.1.1 Android (19/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)][PLAIN TEXT (GET /hphotos)] - 4 TCP 192.168.0.103:44379 <-> 82.85.26.186:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][41 pkts/3392 bytes <-> 40 pkts/50024 bytes][Goodput ratio: 15.3/94.7][7.88 sec][Host: photos-e.ak.instagram.com][bytes ratio: -0.873 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 
244.3/12.2 7254/372 1260.5/65.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 82.7/1250.6 325/1484 55.7/506.8][URL: photos-e.ak.instagram.com/hphotos-ak-xaf1/t51.2885-15/e35/11379148_1449120228745316_607477962_n.jpg?se=7][StatusCode: 200][ContentType: ][UserAgent: Instagram 7.1.1 Android (19/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)][PLAIN TEXT (GET /hphotos)] + 4 TCP 192.168.0.103:44379 <-> 82.85.26.186:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][41 pkts/3392 bytes <-> 40 pkts/50024 bytes][Goodput ratio: 15.3/94.7][7.88 sec][Host: photos-e.ak.instagram.com][bytes ratio: -0.873 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 244.3/12.2 7254/372 1260.5/65.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 82.7/1250.6 325/1484 55.7/506.8][URL: photos-e.ak.instagram.com/hphotos-ak-xaf1/t51.2885-15/e35/11379148_1449120228745316_607477962_n.jpg?se=7][StatusCode: 0][ContentType: ][UserAgent: Instagram 7.1.1 Android (19/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)][PLAIN TEXT (GET /hphotos)] 5 TCP 192.168.0.103:57936 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][24 pkts/1837 bytes <-> 34 pkts/48383 bytes][Goodput ratio: 13.8/95.4][0.51 sec][Host: photos-g.ak.instagram.com][bytes ratio: -0.927 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27.5/0.3 321/2 76.4/0.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/186 76.5/1423.0 319/1484 50.6/248.6][URL: photos-g.ak.instagram.com/hphotos-ak-xaf1/t51.2885-15/e15/11386524_110257619317430_379513654_n.jpg][StatusCode: 200][ContentType: ][UserAgent: Instagram 7.1.1 Android (19/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)][PLAIN TEXT (GET /hphotos)] - 6 TCP 192.168.0.103:33936 <-> 31.13.93.52:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][34 pkts/5555 bytes <-> 34 pkts/40133 bytes][Goodput ratio: 59.6/94.4][10.06 sec][bytes ratio: -0.757 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 364.1/362.3 7669/7709 1462.3/1471.7][Pkt Len c2s/s2c 
min/avg/max/stddev: 66/66 163.4/1180.4 1431/1464 317.9/494.8] + 6 TCP 192.168.0.103:33936 <-> 31.13.93.52:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][34 pkts/5555 bytes <-> 34 pkts/40133 bytes][Goodput ratio: 59.6/94.4][10.06 sec][bytes ratio: -0.757 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 364.1/362.3 7669/7709 1462.3/1471.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 163.4/1180.4 1431/1464 317.9/494.8][PLAIN TEXT (ny.iaXs)] 7 TCP 2.22.236.51:80 <-> 192.168.0.103:44151 [proto: 7/HTTP][cat: Web/5][25 pkts/37100 bytes <-> 24 pkts/1584 bytes][Goodput ratio: 95.5/0.0][0.04 sec][bytes ratio: 0.918 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1.2/1.3 7/7 1.7/1.7][Pkt Len c2s/s2c min/avg/max/stddev: 1484/66 1484.0/66.0 1484/66 0.0/0.0][PLAIN TEXT (inOCIM)] 8 TCP 192.168.0.103:33976 <-> 77.67.29.17:80 [proto: 7/HTTP][cat: Web/5][14 pkts/924 bytes <-> 20 pkts/28115 bytes][Goodput ratio: 0.0/95.3][7.36 sec][bytes ratio: -0.936 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 735.4/0.5 7321/3 2195.2/1.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 66.0/1405.8 66/1484 0.0/309.0][PLAIN TEXT (dGQaNFV)] 9 TCP 92.122.48.138:80 <-> 192.168.0.103:41562 [proto: 7/HTTP][cat: Web/5][16 pkts/22931 bytes <-> 9 pkts/594 bytes][Goodput ratio: 95.4/0.0][0.02 sec][bytes ratio: 0.950 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 0.8/1.3 5/4 1.3/1.4][Pkt Len c2s/s2c min/avg/max/stddev: 671/66 1433.2/66.0 1484/66 196.8/0.0][PLAIN TEXT (DD.DOo)] - 10 TCP 192.168.0.103:60908 <-> 46.33.70.136:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][10 pkts/1369 bytes <-> 9 pkts/7971 bytes][Goodput ratio: 51.2/92.4][0.19 sec][bytes ratio: -0.707 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 18.6/23.0 56/88 18.1/30.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 136.9/885.7 375/1484 113.9/639.8][TLSv1][Client: igcdn-photos-g-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][Server: a248.e.akamai.net][JA3S: 34d6f0ad0a79e4cfdf145e640cc93f78][Organization: Akamai Technologies 
Inc.][Certificate SHA-1: EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23][Validity: 2015-06-19 16:52:07 - 2016-06-19 16:52:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] - 11 TCP 192.168.0.103:44558 <-> 46.33.70.174:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][10 pkts/1545 bytes <-> 7 pkts/4824 bytes][Goodput ratio: 56.7/90.2][0.17 sec][bytes ratio: -0.515 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21.1/29.2 79/103 25.5/38.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 154.5/689.1 516/1484 151.0/647.4][TLSv1][Client: igcdn-photos-h-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][Server: a248.e.akamai.net][JA3S: 7df57c06f869fc3ce509521cae2f75ce][Organization: Akamai Technologies Inc.][Certificate SHA-1: EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23][Validity: 2015-06-19 16:52:07 - 2016-06-19 16:52:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] + 10 TCP 192.168.0.103:60908 <-> 46.33.70.136:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][10 pkts/1369 bytes <-> 9 pkts/7971 bytes][Goodput ratio: 51.2/92.4][0.19 sec][bytes ratio: -0.707 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 18.6/23.0 56/88 18.1/30.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 136.9/885.7 375/1484 113.9/639.8][TLSv1][Client: igcdn-photos-g-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][ServerNames: a248.e.akamai.net,*.akamaihd.net,*.akamaihd-staging.net,*.akamaized.net,*.akamaized-staging.net][JA3S: 34d6f0ad0a79e4cfdf145e640cc93f78][Organization: Akamai Technologies Inc.][Certificate SHA-1: EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23][Validity: 2015-06-19 16:52:07 - 2016-06-19 16:52:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] + 11 TCP 192.168.0.103:44558 <-> 46.33.70.174:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][10 pkts/1545 bytes <-> 7 pkts/4824 bytes][Goodput ratio: 56.7/90.2][0.17 sec][bytes ratio: -0.515 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21.1/29.2 79/103 25.5/38.4][Pkt Len 
c2s/s2c min/avg/max/stddev: 66/66 154.5/689.1 516/1484 151.0/647.4][TLSv1][Client: igcdn-photos-h-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][ServerNames: a248.e.akamai.net,*.akamaihd.net,*.akamaihd-staging.net,*.akamaized.net,*.akamaized-staging.net][JA3S: 7df57c06f869fc3ce509521cae2f75ce][Organization: Akamai Technologies Inc.][Certificate SHA-1: EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23][Validity: 2015-06-19 16:52:07 - 2016-06-19 16:52:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] 12 TCP 31.13.93.52:443 <-> 192.168.0.103:33934 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][6 pkts/4699 bytes <-> 6 pkts/1345 bytes][Goodput ratio: 91.6/70.5][2.36 sec][bytes ratio: 0.555 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 589.8/589.8 2180/2130 921.0/894.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 783.2/224.2 1464/1015 545.1/353.7] - 13 TCP 192.168.0.103:41181 <-> 82.85.26.154:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][8 pkts/896 bytes <-> 6 pkts/4671 bytes][Goodput ratio: 40.1/91.3][0.16 sec][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 25.3/11.0 70/40 26.9/16.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 112.0/778.5 292/1484 80.8/657.3][TLSv1][Client: igcdn-photos-a-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][Server: a248.e.akamai.net][JA3S: 34d6f0ad0a79e4cfdf145e640cc93f78][Organization: Akamai Technologies Inc.][Certificate SHA-1: EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23][Validity: 2015-06-19 16:52:07 - 2016-06-19 16:52:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] - 14 TCP 192.168.0.103:41182 <-> 82.85.26.154:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][8 pkts/896 bytes <-> 6 pkts/4671 bytes][Goodput ratio: 40.1/91.3][0.16 sec][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 25.8/12.0 71/47 27.1/20.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 112.0/778.5 292/1484 80.8/657.3][TLSv1][Client: igcdn-photos-a-a.akamaihd.net][JA3C: 
54ae5fcb0159e2ddf6a50e149221c7c7][Server: a248.e.akamai.net][JA3S: 34d6f0ad0a79e4cfdf145e640cc93f78][Organization: Akamai Technologies Inc.][Certificate SHA-1: EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23][Validity: 2015-06-19 16:52:07 - 2016-06-19 16:52:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] - 15 TCP 192.168.0.103:33763 <-> 31.13.93.52:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][5 pkts/1279 bytes <-> 6 pkts/4118 bytes][Goodput ratio: 74.1/90.4][2.48 sec][bytes ratio: -0.526 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 64.0/51.0 254/202 109.7/87.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 255.8/686.3 1015/1464 379.6/610.1] + 13 TCP 192.168.0.103:41181 <-> 82.85.26.154:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][8 pkts/896 bytes <-> 6 pkts/4671 bytes][Goodput ratio: 40.1/91.3][0.16 sec][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 25.3/11.0 70/40 26.9/16.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 112.0/778.5 292/1484 80.8/657.3][TLSv1][Client: igcdn-photos-a-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][ServerNames: a248.e.akamai.net,*.akamaihd.net,*.akamaihd-staging.net,*.akamaized.net,*.akamaized-staging.net][JA3S: 34d6f0ad0a79e4cfdf145e640cc93f78][Organization: Akamai Technologies Inc.][Certificate SHA-1: EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23][Validity: 2015-06-19 16:52:07 - 2016-06-19 16:52:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] + 14 TCP 192.168.0.103:41182 <-> 82.85.26.154:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][8 pkts/896 bytes <-> 6 pkts/4671 bytes][Goodput ratio: 40.1/91.3][0.16 sec][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 25.8/12.0 71/47 27.1/20.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 112.0/778.5 292/1484 80.8/657.3][TLSv1][Client: igcdn-photos-a-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][ServerNames: 
a248.e.akamai.net,*.akamaihd.net,*.akamaihd-staging.net,*.akamaized.net,*.akamaized-staging.net][JA3S: 34d6f0ad0a79e4cfdf145e640cc93f78][Organization: Akamai Technologies Inc.][Certificate SHA-1: EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23][Validity: 2015-06-19 16:52:07 - 2016-06-19 16:52:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] + 15 TCP 192.168.0.103:33763 <-> 31.13.93.52:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][5 pkts/1279 bytes <-> 6 pkts/4118 bytes][Goodput ratio: 74.1/90.4][2.48 sec][bytes ratio: -0.526 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 64.0/51.0 254/202 109.7/87.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 255.8/686.3 1015/1464 379.6/610.1][PLAIN TEXT (kpaeC.)] 16 TCP 192.168.0.103:33935 <-> 31.13.93.52:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][5 pkts/1279 bytes <-> 5 pkts/4020 bytes][Goodput ratio: 74.1/91.8][0.22 sec][bytes ratio: -0.517 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 53.8/43.0 215/172 93.1/74.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 255.8/804.0 1015/1464 379.6/595.0] 17 TCP 192.168.0.103:57965 <-> 82.85.26.185:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][4 pkts/559 bytes <-> 3 pkts/3456 bytes][Goodput ratio: 46.3/94.2][0.18 sec][Host: photos-f.ak.instagram.com][bytes ratio: -0.722 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 61.3/0.5 184/1 86.7/0.5][Pkt Len c2s/s2c min/avg/max/stddev: 78/488 139.8/1152.0 325/1484 107.0/469.5][URL: photos-f.ak.instagram.com/hphotos-ak-xfa1/t51.2885-15/e35/11424623_1608163109450421_663315883_n.jpg?se=7][StatusCode: 0][ContentType: ][UserAgent: Instagram 7.1.1 Android (19/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)][PLAIN TEXT (GET /hphotos)] 18 TCP 192.168.0.103:56382 <-> 173.252.107.4:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][9 pkts/1583 bytes <-> 8 pkts/1064 bytes][Goodput ratio: 61.9/49.6][0.80 sec][bytes ratio: 0.196 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 93.7/79.8 183/182 
81.8/80.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 175.9/133.0 530/231 154.8/70.1][TLSv1][Client: telegraph-ash.instagram.com][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][JA3S: acb741bcdffb787c5a52654c78645bdf][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] diff --git a/tests/result/malware.pcap.out b/tests/result/malware.pcap.out index dd536f2bc..75e07b530 100644 --- a/tests/result/malware.pcap.out +++ b/tests/result/malware.pcap.out 
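Review bot: Flow 4 of the regenerated baseline (192.168.0.103:44379 <-> 82.85.26.186:80) now expects `[StatusCode: 0]` where the previous baseline had `[StatusCode: 200]`, so the test accepts a loss of HTTP response metadata instead of catching it. Nothing else on that line changed, which suggests the response is no longer parsed for this flow; that is inferred, because the dissector code is not part of this hunk. The same drop appears in the netflix.pcap.out hunk further down, where flow 18 goes from `[StatusCode: 200][ContentType: application/x-msl+json]` to `[StatusCode: 0][ContentType: ]`. Status code and content type are fields that detection and triage rules rely on, so I would keep `[StatusCode: 200]` as the expected value and fix the dissector, or state in the commit message why the value is no longer available.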
@@ -8,7 +8,7 @@ JA3 Host Stats: 1 192.168.7.7 1 - 1 TCP 192.168.7.7:35236 <-> 67.215.92.210:443 [proto: 91.225/TLS.OpenDNS][cat: Malware/100][11 pkts/1280 bytes <-> 9 pkts/5860 bytes][Goodput ratio: 52.6/91.2][0.64 sec][bytes ratio: -0.641 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 71.1/74.8 240/249 99.0/103.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 116.4/651.1 571/1514 148.2/644.4][TLSv1.2][Client: www.internetbadguys.com][JA3C: f6ce47303dce394049af395fc6d0bc20][Server: api.opendns.com][JA3S: 0c0aff9ccea5e7e1de5c3a0069d103f3][Organization: OpenDNS, Inc.][Certificate SHA-1: 21:B4:CF:84:13:3A:21:A4:B0:02:63:76:39:84:EA:ED:27:EE:51:7C][Validity: 2018-04-26 00:00:00 - 2020-07-29 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 1 TCP 192.168.7.7:35236 <-> 67.215.92.210:443 [proto: 91.225/TLS.OpenDNS][cat: Malware/100][11 pkts/1280 bytes <-> 9 pkts/5860 bytes][Goodput ratio: 52.6/91.2][0.64 sec][bytes ratio: -0.641 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 71.1/74.8 240/249 99.0/103.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 116.4/651.1 571/1514 148.2/644.4][TLSv1.2][Client: www.internetbadguys.com][JA3C: f6ce47303dce394049af395fc6d0bc20][ServerNames: 
api.opendns.com,branded-login.opendns.com,cachecheck.opendns.com,community.opendns.com,dashboard2.opendns.com,dashboard.opendns.com,dashboard-ipv4.opendns.com,msp-login.opendns.com,api-ipv4.opendns.com,api-ipv6.opendns.com,authz.api.opendns.com,domain.opendns.com,help.vpn.opendns.com,ideabank.opendns.com,login.opendns.com,netgear.opendns.com,reseller-login.opendns.com,images.opendns.com,images-using.opendns.com,store.opendns.com,signup.opendns.com,twilio.opendns.com,updates.opendns.com,shared.opendns.com,tools.opendns.com,cache.opendns.com,api.umbrella.com,branded-login.umbrella.com,cachecheck.umbrella.com,community.umbrella.com,dashboard2.umbrella.com,dashboard.umbrella.com,dashboard-ipv4.umbrella.com,msp-login.umbrella.com,api-ipv4.umbrella.com,api-ipv6.umbrella.com,authz.api.umbrella.com,domain.umbrella.com,help.vpn.umbrella.com,ideabank.umbrella.com,login.umbrella.com,netgear.umbrella.com,reseller-login.umbrella.com,images.umbrella.com,images-using.umbrella.com,store.umbrella.com,signup.umbrella.com,twilio.umbrella.com,updates.umbrella.com,shared.umbrella.com,tools.umbrella.com,cache.umbrella.com][JA3S: 0c0aff9ccea5e7e1de5c3a0069d103f3][Organization: OpenDNS, Inc.][Certificate SHA-1: 21:B4:CF:84:13:3A:21:A4:B0:02:63:76:39:84:EA:ED:27:EE:51:7C][Validity: 2018-04-26 00:00:00 - 2020-07-29 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 2 TCP 192.168.7.7:48394 <-> 67.215.92.210:80 [proto: 7.225/HTTP.OpenDNS][cat: Malware/100][1 pkts/383 bytes <-> 1 pkts/98 bytes][Goodput ratio: 85.7/44.4][0.21 sec][Host: www.internetbadguys.com][URL: www.internetbadguys.com/][StatusCode: 0][ContentType: ][UserAgent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0][PLAIN TEXT (GET / HTTP/1.1)] 3 UDP 192.168.7.7:42370 <-> 1.1.1.1:53 [proto: 5/DNS][cat: Malware/100][1 pkts/106 bytes <-> 1 pkts/110 bytes][Goodput ratio: 59.8/61.3][0.02 sec][Host: www.internetbadguys.com][PLAIN TEXT (internetbadguys)] 4 ICMP 192.168.7.7:0 -> 144.139.247.220:0 [proto: 
81/ICMP][cat: Malware/100][1 pkts/98 bytes -> 0 pkts/0 bytes][Goodput ratio: 56.6/0.0][< 1 sec] diff --git a/tests/result/netflix.pcap.out b/tests/result/netflix.pcap.out index f36cefc2a..9cbfbe81b 100644 --- a/tests/result/netflix.pcap.out +++ b/tests/result/netflix.pcap.out 
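Review bot: The expected line for flow 1 now pins a `ServerNames:` field holding several dozen host names where the old baseline had a single `Server:` name, but nothing in this hunk exercises a list that does not fit. These names appear to come from the server certificate, which the remote peer supplies, so the length and content of the field are untrusted input. How the list is stored and capped is not visible here and should be confirmed in the TLS dissector. I would add a capture whose certificate carries an oversized name list and record the truncated output, and put a comment at the storage site such as `/* names come from the peer certificate: length-checked, truncated when full */`.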
@@ -13,46 +13,46 @@ JA3 Host Stats: 2 TCP 192.168.1.7:53183 <-> 23.246.3.140:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][502 pkts/40335 bytes <-> 805 pkts/1202445 bytes][Goodput ratio: 16.5/95.6][53.10 sec][Host: 23.246.3.140][bytes ratio: -0.935 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 117.0/55.1 5026/5044 455.1/247.7][Pkt Len c2s/s2c min/avg/max/stddev: 60/74 80.3/1493.7 581/1514 81.4/139.9][URL: 23.246.3.140/?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=-8u4vlcPuFqcOLnLyb9DDtK-bB4][StatusCode: 206][ContentType: ][UserAgent: AppleCoreMedia/1.0.0.14C92 (iPhone; U; CPU OS 10_2 like Mac OS X; en_us)][PLAIN TEXT (oMrLRiWL)] 3 TCP 192.168.1.7:53210 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][293 pkts/23170 bytes <-> 495 pkts/736113 bytes][Goodput ratio: 15.6/95.6][46.97 sec][Host: 23.246.11.133][bytes ratio: -0.939 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 193.6/107.2 26359/26393 1829.1/1320.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 79.1/1487.1 582/1514 78.6/167.2][URL: 23.246.11.133/?o=AQEfKq2oMrLRiWL1ouVaJpeQLBWjGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_7lHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=JfEef80K02ynIjLLoi-HZB1uQ10][StatusCode: 206][ContentType: ][UserAgent: AppleCoreMedia/1.0.0.14C92 (iPhone; U; CPU OS 10_2 like Mac OS X; en_us)][PLAIN TEXT (oMrLRiWL1)] 4 TCP 192.168.1.7:53153 <-> 184.25.204.24:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][147 pkts/11558 bytes <-> 490 pkts/734346 bytes][Goodput ratio: 1.9/95.6][59.61 sec][Host: tp.akam.nflximg.com][bytes ratio: -0.969 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 418.0/45.1 30607/2159 2956.1/164.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 78.6/1498.7 282/1514 20.9/140.2][URL: tp.akam.nflximg.com/tpa3/616/2041779616.bif][StatusCode: 200][ContentType: 
text/plain][UserAgent: Argo/900 CFNetwork/808.2.16 Darwin/16.3.0][PLAIN TEXT (GET /tpa3/616/2041779616.bif HT)] - 5 TCP 192.168.1.7:53141 <-> 104.86.97.179:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][83 pkts/7225 bytes <-> 147 pkts/202723 bytes][Goodput ratio: 19.7/95.2][73.78 sec][bytes ratio: -0.931 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1183.5/604.0 69170/69192 8779.7/6263.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 87.0/1379.1 293/1514 38.8/401.2][TLSv1.2][Client: art-s.nflximg.net][JA3C: c07cb55f88702033a8f52c046d23e0b2][Server: secure.cdn.nflximg.net][JA3S: ef6b224ce027c8e21e5a25d8a58255a3][Organization: Netflix, Inc.][Certificate SHA-1: 0D:EF:D1:E6:29:11:1A:A5:88:B3:2F:04:65:D6:D7:AD:84:A2:52:26][Validity: 2016-04-06 00:00:00 - 2017-04-05 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] + 5 TCP 192.168.1.7:53141 <-> 104.86.97.179:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][83 pkts/7225 bytes <-> 147 pkts/202723 bytes][Goodput ratio: 19.7/95.2][73.78 sec][bytes ratio: -0.931 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1183.5/604.0 69170/69192 8779.7/6263.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 87.0/1379.1 293/1514 38.8/401.2][TLSv1.2][Client: art-s.nflximg.net][JA3C: c07cb55f88702033a8f52c046d23e0b2][ServerNames: secure.cdn.nflximg.net,*.nflxext.com,*.nflxvideo.net,*.nflxsearch.net,*.nrd.nflximg.net,*.nflximg.net][JA3S: ef6b224ce027c8e21e5a25d8a58255a3][Organization: Netflix, Inc.][Certificate SHA-1: 0D:EF:D1:E6:29:11:1A:A5:88:B3:2F:04:65:D6:D7:AD:84:A2:52:26][Validity: 2016-04-06 00:00:00 - 2017-04-05 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] 6 TCP 192.168.1.7:53184 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][75 pkts/6610 bytes <-> 103 pkts/150772 bytes][Goodput ratio: 23.3/95.5][6.10 sec][Host: 23.246.11.141][bytes ratio: -0.916 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/5 89.7/58.1 504/714 130.2/108.5][Pkt Len c2s/s2c min/avg/max/stddev: 60/74 88.1/1463.8 582/1514 100.4/228.0][URL: 
23.246.11.141/?o=AQEfKq2oMrLRiWL2puNQJJqTIRqhGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_vlHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=TnP59JB1wb5UTOCr0m-KQU2kGPo][StatusCode: 206][ContentType: ][UserAgent: AppleCoreMedia/1.0.0.14C92 (iPhone; U; CPU OS 10_2 like Mac OS X; en_us)][PLAIN TEXT (oMrLRiWL2)] 7 TCP 192.168.1.7:53149 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][40 pkts/3413 bytes <-> 86 pkts/125190 bytes][Goodput ratio: 7.2/95.5][34.92 sec][Host: art-2.nflximg.net][bytes ratio: -0.947 (Download)][IAT c2s/s2c min/avg/max/stddev: 6/12 1100.9/41.1 30978/402 5646.5/66.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 85.3/1455.7 311/1514 38.3/273.5][URL: art-2.nflximg.net/5758c/bb636e44b87ef854c331ed7b7b6e157e4945758c.jpg][StatusCode: 200][ContentType: image/jpeg][UserAgent: Argo/9.1.0 (iPhone; iOS 10.2; Scale/2.00)][PLAIN TEXT (GET /5758)] - 8 TCP 192.168.1.7:53116 <-> 52.32.196.36:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][75 pkts/31024 bytes <-> 73 pkts/42930 bytes][Goodput ratio: 84.0/88.8][47.10 sec][bytes ratio: -0.161 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 743.5/738.5 30450/30505 3962.3/4074.8][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 413.7/588.1 1514/1514 553.3/593.8][TLSv1.2][Client: api-global.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][Server: api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 9 TCP 192.168.1.7:53193 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][46 pkts/50218 bytes <-> 25 pkts/7943 bytes][Goodput ratio: 93.9/78.5][53.21 sec][bytes ratio: 0.727 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1378.0/2893.2 51181/51242 8187.7/11726.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 1091.7/317.7 1514/1514 
614.5/491.5][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][Server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-01 12:30:00 - 2029-01-01 12:30:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 8 TCP 192.168.1.7:53116 <-> 52.32.196.36:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][75 pkts/31024 bytes <-> 73 pkts/42930 bytes][Goodput ratio: 84.0/88.8][47.10 sec][bytes ratio: -0.161 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 743.5/738.5 30450/30505 3962.3/4074.8][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 413.7/588.1 1514/1514 553.3/593.8][TLSv1.2][Client: api-global.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][ServerNames: api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 9 TCP 192.168.1.7:53193 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][46 pkts/50218 bytes <-> 25 pkts/7943 bytes][Goodput ratio: 93.9/78.5][53.21 sec][bytes ratio: 0.727 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1378.0/2893.2 51181/51242 8187.7/11726.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 1091.7/317.7 1514/1514 614.5/491.5][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][ServerNames: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-17 20:32:09 - 2018-03-24 20:32:09][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 10 TCP 192.168.1.7:53164 <-> 23.246.10.139:80 [proto: 
7.133/HTTP.NetFlix][cat: Video/26][24 pkts/2040 bytes <-> 34 pkts/45136 bytes][Goodput ratio: 17.4/95.0][1.88 sec][bytes ratio: -0.914 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 76.6/61.8 638/579 155.4/121.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 85.0/1327.5 422/1514 70.8/457.1][URL: 23.246.10.139/range/0-65535?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=-djGXIcbFBNzyfugqEWcrgtCpyY&random=34073607][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] 11 TCP 192.168.1.7:53171 <-> 23.246.3.140:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][21 pkts/1868 bytes <-> 34 pkts/45139 bytes][Goodput ratio: 18.9/95.0][2.09 sec][bytes ratio: -0.921 (Download)][IAT c2s/s2c min/avg/max/stddev: 5/2 70.5/47.3 708/633 170.8/120.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 89.0/1327.6 420/1514 74.7/456.9][URL: 23.246.3.140/range/0-65535?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=-8u4vlcPuFqcOLnLyb9DDtK-bB4&random=357509657][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] 12 TCP 192.168.1.7:53148 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][31 pkts/2893 bytes <-> 32 pkts/44112 bytes][Goodput ratio: 17.0/95.2][42.46 sec][Host: art-2.nflximg.net][bytes ratio: -0.877 (Download)][IAT c2s/s2c min/avg/max/stddev: 11/0 424.7/42.9 3643/161 850.2/34.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 93.3/1378.5 312/1514 58.6/421.3][URL: art-2.nflximg.net/af7a5/362643424e775d0393ddb46e145c2375367af7a5.webp][StatusCode: 200][ContentType: image/webp][UserAgent: Argo/9.1.0 (iPhone; iOS 10.2; Scale/2.00)][PLAIN TEXT (GET /af)] 13 TCP 192.168.1.7:53163 <-> 23.246.11.145:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][21 pkts/1826 bytes <-> 32 pkts/43179 
bytes][Goodput ratio: 19.5/95.1][1.58 sec][bytes ratio: -0.919 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/4 52.7/51.8 354/582 86.6/111.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 87.0/1349.3 422/1514 75.3/442.6][URL: 23.246.11.145/range/0-65535?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=5xfYVtna3GdYXL71uNs6DZ-X84Y&random=39307082][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] - 14 TCP 192.168.1.7:53133 <-> 52.89.39.139:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][30 pkts/6328 bytes <-> 39 pkts/37610 bytes][Goodput ratio: 68.7/93.1][38.50 sec][bytes ratio: -0.712 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1640.5/1231.6 30390/30443 6288.1/5475.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 210.9/964.4 1514/1514 376.2/637.4][TLSv1.2][Client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][Server: api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 14 TCP 192.168.1.7:53133 <-> 52.89.39.139:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][30 pkts/6328 bytes <-> 39 pkts/37610 bytes][Goodput ratio: 68.7/93.1][38.50 sec][bytes ratio: -0.712 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1640.5/1231.6 30390/30443 6288.1/5475.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 210.9/964.4 1514/1514 376.2/637.4][TLSv1.2][Client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][ServerNames: api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 
FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 15 TCP 192.168.1.7:53252 <-> 184.25.204.10:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][12 pkts/1221 bytes <-> 29 pkts/41018 bytes][Goodput ratio: 20.0/95.3][1.39 sec][Host: art-1.nflximg.net][bytes ratio: -0.942 (Download)][IAT c2s/s2c min/avg/max/stddev: 11/0 27.5/35.1 45/81 10.3/18.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 101.8/1414.4 311/1514 64.1/365.9][URL: art-1.nflximg.net/8b1fa/eaa1b78cd72ca4dbdcab527691d2fcab37c8b1fa.jpg][StatusCode: 200][ContentType: image/jpeg][UserAgent: Argo/9.1.0 (iPhone; iOS 10.2; Scale/2.00)][PLAIN TEXT (GET /8b)] 16 TCP 192.168.1.7:53179 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][31 pkts/2596 bytes <-> 29 pkts/37544 bytes][Goodput ratio: 13.8/94.9][7.33 sec][bytes ratio: -0.871 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 267.2/77.0 1392/465 371.7/115.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 83.7/1294.6 424/1514 62.8/489.1][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJJiXLBugGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpPflHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=JqTg0NiANIn4-aRwn3uKtWdoQ7M&random=114897][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (czGET /range/0)] 17 TCP 192.168.1.7:53251 <-> 184.25.204.10:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][16 pkts/1558 bytes <-> 25 pkts/33413 bytes][Goodput ratio: 31.4/95.0][2.07 sec][Host: art-1.nflximg.net][bytes ratio: -0.911 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 166.5/93.7 1389/1416 393.8/299.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 97.4/1336.5 311/1514 80.8/428.1][URL: art-1.nflximg.net/4e36d/6289889020d6cc6dfb3038c35564a41e1ca4e36d.jpg][StatusCode: 200][ContentType: image/jpeg][UserAgent: Argo/9.1.0 (iPhone; iOS 10.2; Scale/2.00)][PLAIN TEXT (GET /4e)] - 18 TCP 192.168.1.7:53151 <-> 
54.201.191.132:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][15 pkts/3626 bytes <-> 26 pkts/29544 bytes][Goodput ratio: 72.0/94.2][31.31 sec][Host: appboot.netflix.com][bytes ratio: -0.781 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3092.2/20.9 30728/135 9212.0/28.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 241.7/1136.3 1514/1514 404.6/584.3][URL: appboot.netflix.com/appboot/NFAPPL-02-][StatusCode: 200][ContentType: application/x-msl+json][UserAgent: Argo/900 CFNetwork/808.2.16 Darwin/16.3.0][PLAIN TEXT (POST /appboot/NFAPPL)] + 18 TCP 192.168.1.7:53151 <-> 54.201.191.132:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][15 pkts/3626 bytes <-> 26 pkts/29544 bytes][Goodput ratio: 72.0/94.2][31.31 sec][Host: appboot.netflix.com][bytes ratio: -0.781 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3092.2/20.9 30728/135 9212.0/28.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 241.7/1136.3 1514/1514 404.6/584.3][URL: appboot.netflix.com/appboot/NFAPPL-02-][StatusCode: 0][ContentType: ][UserAgent: Argo/900 CFNetwork/808.2.16 Darwin/16.3.0][PLAIN TEXT (POST /appboot/NFAPPL)] 19 TCP 192.168.1.7:53182 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][33 pkts/2732 bytes <-> 25 pkts/30064 bytes][Goodput ratio: 13.1/94.5][7.16 sec][bytes ratio: -0.833 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 253.5/199.3 1162/1131 295.3/282.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 82.8/1202.6 424/1514 61.0/563.7][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJZ2VKhqgGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzTho_flHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=LQ7LyXSnZaXKEHAHaRRHk-S7dKE&random=420981][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] 20 TCP 192.168.1.7:53173 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][24 pkts/2041 bytes <-> 25 pkts/30064 bytes][Goodput ratio: 17.5/94.5][5.93 sec][bytes ratio: -0.873 (Download)][IAT c2s/s2c min/avg/max/stddev: 
4/4 245.2/164.8 985/775 248.3/180.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 85.0/1202.6 423/1514 71.0/563.7][URL: 23.246.11.133/range/0-65535?o=AQEfKq2oMrLRiWL1ouVaJZ2bLBChGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_ngHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=SixKQmLLJNvShj-pfML-2h4QaqQ&random=727666][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] 21 TCP 192.168.1.7:53175 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][31 pkts/2571 bytes <-> 22 pkts/28042 bytes][Goodput ratio: 13.9/94.8][7.15 sec][bytes ratio: -0.832 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/4 264.6/325.6 1355/1382 336.5/386.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 82.9/1274.6 423/1514 62.5/516.6][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJJ2TLhuiGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpP7lHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=Dh278u2UpApOCGUj5RxV8azNWX8&random=323765][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] - 22 TCP 192.168.1.7:53239 <-> 52.41.30.5:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][22 pkts/6384 bytes <-> 26 pkts/23277 bytes][Goodput ratio: 76.7/92.6][1.73 sec][bytes ratio: -0.570 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 48.2/42.4 437/291 100.9/61.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 290.2/895.3 1514/1514 441.6/626.2][TLSv1.2][Client: api-global.netflix.com][JA3C: d8bfad189bd26664e04570c104ee8418][Server: api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 22 TCP 192.168.1.7:53239 <-> 52.41.30.5:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][22 pkts/6384 bytes <-> 26 pkts/23277 bytes][Goodput ratio: 76.7/92.6][1.73 
sec][bytes ratio: -0.570 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 48.2/42.4 437/291 100.9/61.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 290.2/895.3 1514/1514 441.6/626.2][TLSv1.2][Client: api-global.netflix.com][JA3C: d8bfad189bd26664e04570c104ee8418][ServerNames: api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 23 TCP 192.168.1.7:53177 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][32 pkts/2572 bytes <-> 23 pkts/26661 bytes][Goodput ratio: 14.0/94.3][7.05 sec][bytes ratio: -0.824 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 247.8/270.5 635/1046 213.2/317.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 80.4/1159.2 426/1514 62.4/602.9][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQIpyTIBGjGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_biCFrUjHWqh5ipQCtzf4OVWQ&v=3&e=1484347850&t=8Z78vL2i9OzihCA3M1LinMYcMY4&random=2386][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (fGET /range/0)] 24 TCP 192.168.1.7:53176 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][36 pkts/3030 bytes <-> 21 pkts/25455 bytes][Goodput ratio: 11.8/94.5][8.05 sec][bytes ratio: -0.787 (Download)][IAT c2s/s2c min/avg/max/stddev: 5/4 258.1/237.1 1250/1203 330.7/380.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 84.2/1212.1 424/1514 58.1/550.7][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJJqTIRqhGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_vlHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=TnP59JB1wb5UTOCr0m-KQU2kGPo&random=413473][StatusCode: 
200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] 25 TCP 192.168.1.7:53180 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][34 pkts/2864 bytes <-> 21 pkts/25456 bytes][Goodput ratio: 12.6/94.5][5.76 sec][bytes ratio: -0.798 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 168.5/222.6 1162/1317 246.3/336.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 84.2/1212.2 426/1514 60.5/550.7][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJ5yTLBCkGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_3mCFrUjHWqh5ipQCtzf4OVWQ&v=3&e=1484347850&t=r5jtnnEcR8hDCkPImfEiWqWAjKk&random=1846][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] 26 TCP 192.168.1.7:53178 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][30 pkts/2553 bytes <-> 22 pkts/25510 bytes][Goodput ratio: 14.0/94.3][7.56 sec][bytes ratio: -0.818 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/4 297.7/146.2 1317/530 354.0/131.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 85.1/1159.5 423/1514 63.5/589.6][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJJmULRajGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpfblHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=zezrDJDQvgO2TiYC1dT3imH4QC8&random=169467][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] - 27 TCP 192.168.1.7:53203 <-> 52.37.36.252:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][28 pkts/22704 bytes <-> 17 pkts/5248 bytes][Goodput ratio: 91.9/78.0][32.21 sec][bytes ratio: 0.624 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 47.7/84.3 332/331 94.1/94.8][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 810.9/308.7 1514/1514 699.9/492.9][TLSv1.2][Client: ichnaea.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][Server: customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 
50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 27 TCP 192.168.1.7:53203 <-> 52.37.36.252:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][28 pkts/22704 bytes <-> 17 pkts/5248 bytes][Goodput ratio: 91.9/78.0][32.21 sec][bytes ratio: 0.624 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 47.7/84.3 332/331 94.1/94.8][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 810.9/308.7 1514/1514 699.9/492.9][TLSv1.2][Client: ichnaea.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][ServerNames: ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 28 TCP 192.168.1.7:53249 <-> 52.41.30.5:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][25 pkts/5934 bytes <-> 27 pkts/19952 bytes][Goodput ratio: 72.0/91.0][0.86 sec][bytes ratio: -0.542 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 30.9/32.9 266/316 64.3/69.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 237.4/739.0 1514/1514 406.7/541.9][TLSv1.2][Client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][JA3S: 303951d4c50efb2e991652225a6f02b1][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 29 TCP 192.168.1.7:53174 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][35 pkts/2920 bytes <-> 19 pkts/22428 bytes][Goodput ratio: 12.3/94.4][7.38 sec][bytes ratio: -0.770 (Download)][IAT c2s/s2c min/avg/max/stddev: 5/0 222.2/250.0 636/1132 227.5/336.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 83.4/1180.4 424/1514 58.9/569.7][URL: 
23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJpmQIRekGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThrvnlHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=mQfOf90-RY2Gd2ii20KJpCcYQVk&random=134564][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] 30 TCP 192.168.1.7:53181 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][34 pkts/2879 bytes <-> 20 pkts/22373 bytes][Goodput ratio: 12.5/94.1][8.26 sec][bytes ratio: -0.772 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 238.4/289.2 1152/1208 301.3/406.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 84.7/1118.7 425/1514 60.1/613.7][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQLJ2TIBepGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpPbiCFrUjHWqh5ipQCtzf4OVWQ&v=3&e=1484347850&t=tTXu3c6FnJtfi6z0IJp3hw8eDv8&random=1294][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] 31 TCP 192.168.1.7:53172 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][30 pkts/2610 bytes <-> 20 pkts/22422 bytes][Goodput ratio: 13.7/94.1][7.09 sec][bytes ratio: -0.791 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 254.8/290.4 811/1178 266.6/325.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 87.0/1121.1 424/1514 63.5/610.6][URL: 23.246.11.133/range/0-65535?o=AQEfKq2oMrLRiWL1ouVaJpeQLBWjGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_7lHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=JfEef80K02ynIjLLoi-HZB1uQ10&random=247333][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] - 32 TCP 192.168.1.7:53202 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][22 pkts/10686 bytes <-> 16 pkts/7850 bytes][Goodput ratio: 86.5/86.4][0.92 sec][bytes ratio: 0.153 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 46.4/54.5 282/127 72.4/34.7][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 
485.7/490.6 1514/1514 602.5/610.3][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][Server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-01 12:30:00 - 2029-01-01 12:30:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 33 TCP 192.168.1.7:53152 <-> 52.89.39.139:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][14 pkts/10001 bytes <-> 13 pkts/6504 bytes][Goodput ratio: 90.6/86.7][31.72 sec][Host: api-global.netflix.com][bytes ratio: 0.212 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/5 2877.0/42.1 31088/123 8921.3/32.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 714.4/500.3 1514/1514 676.3/651.2][URL: api-global.netflix.com/msl/nrdjs/2.1.2][StatusCode: 200][ContentType: application/x-msl+json][UserAgent: Argo/900 CFNetwork/808.2.16 Darwin/16.3.0][PLAIN TEXT (POST /msl/nrdjs/2.1.2 HTTP/1.1)] - 34 TCP 192.168.1.7:53162 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][18 pkts/5661 bytes <-> 13 pkts/9059 bytes][Goodput ratio: 79.0/90.4][1.01 sec][bytes ratio: -0.231 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 64.7/96.0 322/423 89.1/120.8][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 314.5/696.8 1514/1514 477.1/667.4][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][Server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-01 12:30:00 - 2029-01-01 12:30:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 35 TCP 192.168.1.7:53132 <-> 52.89.39.139:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][22 pkts/6028 bytes <-> 18 pkts/7459 bytes][Goodput ratio: 75.9/84.0][38.49 sec][bytes ratio: -0.106 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2129.1/2946.1 30585/30636 7105.0/8237.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 274.0/414.4 
1514/1514 437.3/546.1][TLSv1.2][Client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][Server: api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 32 TCP 192.168.1.7:53202 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][22 pkts/10686 bytes <-> 16 pkts/7850 bytes][Goodput ratio: 86.5/86.4][0.92 sec][bytes ratio: 0.153 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 46.4/54.5 282/127 72.4/34.7][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 485.7/490.6 1514/1514 602.5/610.3][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][ServerNames: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-17 20:32:09 - 2018-03-24 20:32:09][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 33 TCP 192.168.1.7:53152 <-> 52.89.39.139:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][14 pkts/10001 bytes <-> 13 pkts/6504 bytes][Goodput ratio: 90.6/86.7][31.72 sec][Host: api-global.netflix.com][bytes ratio: 0.212 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/5 2877.0/42.1 31088/123 8921.3/32.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 714.4/500.3 1514/1514 676.3/651.2][URL: api-global.netflix.com/msl/nrdjs/2.1.2][StatusCode: 0][ContentType: ][UserAgent: Argo/900 CFNetwork/808.2.16 Darwin/16.3.0][PLAIN TEXT (POST /msl/nrdjs/2.1.2 HTTP/1.1)] + 34 TCP 192.168.1.7:53162 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][18 pkts/5661 bytes <-> 13 pkts/9059 bytes][Goodput ratio: 79.0/90.4][1.01 sec][bytes ratio: -0.231 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 64.7/96.0 322/423 89.1/120.8][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 314.5/696.8 1514/1514 477.1/667.4][TLSv1.2][Client: 
ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][ServerNames: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-17 20:32:09 - 2018-03-24 20:32:09][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 35 TCP 192.168.1.7:53132 <-> 52.89.39.139:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][22 pkts/6028 bytes <-> 18 pkts/7459 bytes][Goodput ratio: 75.9/84.0][38.49 sec][bytes ratio: -0.106 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2129.1/2946.1 30585/30636 7105.0/8237.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 274.0/414.4 1514/1514 437.3/546.1][TLSv1.2][Client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][ServerNames: api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 36 TCP 192.168.1.7:53150 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][10 pkts/941 bytes <-> 11 pkts/12318 bytes][Goodput ratio: 26.0/94.0][32.06 sec][Host: art-2.nflximg.net][bytes ratio: -0.858 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 4565.4/33.9 30963/63 10780.3/17.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 94.1/1119.8 311/1514 72.5/643.7][URL: art-2.nflximg.net/87b33/bed1223a0040fdc97bac4e906332e462c6e87b33.jpg][StatusCode: 200][ContentType: image/jpeg][UserAgent: Argo/9.1.0 (iPhone; iOS 10.2; Scale/2.00)][PLAIN TEXT (GET /87)] - 37 TCP 192.168.1.7:53119 <-> 54.69.204.241:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][20 pkts/7639 bytes <-> 16 pkts/5235 bytes][Goodput ratio: 82.7/79.7][30.85 sec][bytes ratio: 0.187 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 
0/0 1923.1/15.8 30431/72 7360.8/24.2][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 382.0/327.2 1514/1514 559.0/501.4][TLSv1.2][Client: ichnaea.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][Server: customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 38 TCP 192.168.1.7:53118 <-> 54.69.204.241:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][19 pkts/7588 bytes <-> 15 pkts/5140 bytes][Goodput ratio: 83.5/80.6][30.38 sec][bytes ratio: 0.192 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2017.3/13.7 30033/55 7487.5/20.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 399.4/342.7 1514/1514 568.6/514.1][TLSv1.2][Client: ichnaea.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][Server: customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 39 TCP 192.168.1.7:53238 <-> 52.32.22.214:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][17 pkts/5528 bytes <-> 14 pkts/5406 bytes][Goodput ratio: 79.7/82.7][3.15 sec][bytes ratio: 0.011 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 217.9/303.2 2449/2522 644.8/743.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 325.2/386.1 1514/1514 478.5/534.2][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][Server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-01 12:30:00 - 2029-01-01 12:30:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 40 TCP 192.168.1.7:53248 <-> 52.32.22.214:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][12 pkts/5165 bytes 
<-> 10 pkts/5074 bytes][Goodput ratio: 84.4/86.8][0.34 sec][bytes ratio: 0.009 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 31.1/31.0 85/65 31.5/27.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430.4/507.4 1514/1514 532.6/591.2][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][Server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-01 12:30:00 - 2029-01-01 12:30:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 41 TCP 192.168.1.7:53105 <-> 54.69.204.241:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][21 pkts/3051 bytes <-> 16 pkts/6234 bytes][Goodput ratio: 54.6/82.9][31.02 sec][bytes ratio: -0.343 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1820.1/45.2 30348/363 7132.3/102.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 145.3/389.6 422/1514 131.7/519.8][TLSv1.2][Client: ichnaea.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][Server: customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 42 TCP 192.168.1.7:53114 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][14 pkts/3109 bytes <-> 11 pkts/5119 bytes][Goodput ratio: 70.3/85.6][0.32 sec][bytes ratio: -0.244 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 24.0/21.7 72/63 26.2/24.8][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 222.1/465.4 1514/1514 382.1/579.1][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][Server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-01 12:30:00 - 2029-01-01 12:30:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 
37 TCP 192.168.1.7:53119 <-> 54.69.204.241:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][20 pkts/7639 bytes <-> 16 pkts/5235 bytes][Goodput ratio: 82.7/79.7][30.85 sec][bytes ratio: 0.187 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1923.1/15.8 30431/72 7360.8/24.2][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 382.0/327.2 1514/1514 559.0/501.4][TLSv1.2][Client: ichnaea.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][ServerNames: ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 38 TCP 192.168.1.7:53118 <-> 54.69.204.241:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][19 pkts/7588 bytes <-> 15 pkts/5140 bytes][Goodput ratio: 83.5/80.6][30.38 sec][bytes ratio: 0.192 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2017.3/13.7 30033/55 7487.5/20.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 399.4/342.7 1514/1514 568.6/514.1][TLSv1.2][Client: ichnaea.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][ServerNames: ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 39 TCP 192.168.1.7:53238 <-> 52.32.22.214:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][17 pkts/5528 bytes <-> 14 pkts/5406 bytes][Goodput ratio: 79.7/82.7][3.15 sec][bytes ratio: 0.011 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 217.9/303.2 2449/2522 644.8/743.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 325.2/386.1 1514/1514 478.5/534.2][TLSv1.2][Client: 
ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][ServerNames: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-17 20:32:09 - 2018-03-24 20:32:09][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 40 TCP 192.168.1.7:53248 <-> 52.32.22.214:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][12 pkts/5165 bytes <-> 10 pkts/5074 bytes][Goodput ratio: 84.4/86.8][0.34 sec][bytes ratio: 0.009 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 31.1/31.0 85/65 31.5/27.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430.4/507.4 1514/1514 532.6/591.2][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][ServerNames: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-17 20:32:09 - 2018-03-24 20:32:09][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 41 TCP 192.168.1.7:53105 <-> 54.69.204.241:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][21 pkts/3051 bytes <-> 16 pkts/6234 bytes][Goodput ratio: 54.6/82.9][31.02 sec][bytes ratio: -0.343 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1820.1/45.2 30348/363 7132.3/102.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 145.3/389.6 422/1514 131.7/519.8][TLSv1.2][Client: ichnaea.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][ServerNames: ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 42 TCP 192.168.1.7:53114 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][14 pkts/3109 bytes <-> 11 pkts/5119 bytes][Goodput 
ratio: 70.3/85.6][0.32 sec][bytes ratio: -0.244 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 24.0/21.7 72/63 26.2/24.8][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 222.1/465.4 1514/1514 382.1/579.1][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][ServerNames: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-17 20:32:09 - 2018-03-24 20:32:09][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 43 TCP 192.168.1.7:53134 <-> 52.89.39.139:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][14 pkts/3548 bytes <-> 11 pkts/4653 bytes][Goodput ratio: 73.9/84.2][30.77 sec][bytes ratio: -0.135 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 28.6/22.0 143/79 42.9/28.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 253.4/423.0 1514/1514 421.8/511.9][TLSv1.2][Client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][JA3S: 303951d4c50efb2e991652225a6f02b1][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 44 TCP 192.168.1.7:53115 <-> 52.32.196.36:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][16 pkts/1657 bytes <-> 12 pkts/5005 bytes][Goodput ratio: 36.2/84.0][30.93 sec][bytes ratio: -0.503 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2373.2/20.4 30602/58 8149.0/25.9][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 103.6/417.1 309/1514 78.3/548.0][TLSv1.2][Client: api-global.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][Server: api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 44 TCP 192.168.1.7:53115 <-> 52.32.196.36:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][16 pkts/1657 bytes <-> 12 pkts/5005 bytes][Goodput ratio: 36.2/84.0][30.93 sec][bytes ratio: -0.503 (Download)][IAT c2s/s2c 
min/avg/max/stddev: 0/0 2373.2/20.4 30602/58 8149.0/25.9][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 103.6/417.1 309/1514 78.3/548.0][TLSv1.2][Client: api-global.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][ServerNames: api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 45 TCP 192.168.1.7:53250 <-> 52.41.30.5:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][10 pkts/2830 bytes <-> 7 pkts/2484 bytes][Goodput ratio: 76.2/81.0][0.21 sec][bytes ratio: 0.065 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 26.1/20.2 92/54 34.4/21.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 283.0/354.9 1450/1066 419.0/412.7][TLSv1.2][Client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][JA3S: 303951d4c50efb2e991652225a6f02b1][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 46 TCP 192.168.1.7:53117 <-> 52.32.196.36:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][12 pkts/1294 bytes <-> 8 pkts/1723 bytes][Goodput ratio: 38.8/68.9][30.71 sec][bytes ratio: -0.142 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 3064.5/6120.4 30486/30536 9140.5/12207.8][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 107.8/215.4 309/989 83.5/296.5][TLSv1.2][Client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][JA3S: 303951d4c50efb2e991652225a6f02b1][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 47 UDP 192.168.1.7:53776 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][16 pkts/2648 bytes -> 0 pkts/0 bytes][Goodput ratio: 74.6/0.0][79.13 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 105/0 4588.2/0.0 14907/0 6546.6/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 164/0 165.5/0.0 167/0 1.5/0.0][PLAIN TEXT (SEARCH )] 
diff --git a/tests/result/nintendo.pcap.out b/tests/result/nintendo.pcap.out index 34143be84..c1751d1a2 100644 --- a/tests/result/nintendo.pcap.out +++ b/tests/result/nintendo.pcap.out 
@@ -11,8 +11,8 @@ JA3 Host Stats: 2 UDP 192.168.12.114:55915 <-> 93.237.131.235:56066 [proto: 173/Nintendo][cat: Game/8][122 pkts/48332 bytes <-> 35 pkts/5026 bytes][Goodput ratio: 89.4/70.7][5.68 sec][bytes ratio: 0.812 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 45.1/77.1 607/506 66.0/116.9][Pkt Len c2s/s2c min/avg/max/stddev: 102/102 396.2/143.6 1254/886 210.0/128.5] 3 UDP 192.168.12.114:55915 <-> 81.61.158.138:51769 [proto: 173/Nintendo][cat: Game/8][122 pkts/46476 bytes <-> 38 pkts/5268 bytes][Goodput ratio: 89.0/69.7][5.49 sec][bytes ratio: 0.796 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 40.3/75.5 313/318 40.4/84.4][Pkt Len c2s/s2c min/avg/max/stddev: 102/102 381.0/138.6 886/886 192.7/123.7][PLAIN TEXT (FutwCa)] 4 TCP 54.187.10.185:443 <-> 192.168.12.114:48328 [proto: 91.178/TLS.Amazon][cat: Web/5][34 pkts/4466 bytes <-> 20 pkts/4021 bytes][Goodput ratio: 49.7/67.2][21.54 sec][bytes ratio: 0.052 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/4 728.2/1409.1 14019/13944 2635.6/3582.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 131.4/201.1 400/983 85.6/219.4] - 5 TCP 192.168.12.114:41517 <-> 54.192.27.217:443 [proto: 91.173/TLS.Nintendo][cat: Game/8][11 pkts/2898 bytes <-> 10 pkts/4865 bytes][Goodput ratio: 74.6/86.3][0.56 sec][bytes ratio: -0.253 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 65.1/53.9 287/250 89.4/81.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 263.5/486.5 1414/1414 387.3/570.3][TLSv1.2][Client: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com][JA3C: 200a99534ce50d35cf40cc3cce4c69b5][Server: *.baas.nintendo.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Nintendo Co., Ltd.][Certificate SHA-1: 8A:0A:1D:D3:A8:96:7A:55:C5:75:B2:2B:3E:45:15:54:0A:B0:FC:94][Validity: 2015-08-12 00:00:00 - 2018-08-15 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 6 TCP 192.168.12.114:31329 <-> 54.192.27.8:443 [proto: 91.173/TLS.Nintendo][cat: Game/8][10 pkts/2833 bytes <-> 10 pkts/4866 bytes][Goodput ratio: 76.4/86.3][0.51 sec][bytes 
ratio: -0.264 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 57.4/47.4 243/198 75.9/64.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 283.3/486.6 1414/1414 400.9/570.5][TLSv1.2][Client: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com][JA3C: 200a99534ce50d35cf40cc3cce4c69b5][Server: *.baas.nintendo.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Nintendo Co., Ltd.][Certificate SHA-1: 8A:0A:1D:D3:A8:96:7A:55:C5:75:B2:2B:3E:45:15:54:0A:B0:FC:94][Validity: 2015-08-12 00:00:00 - 2018-08-15 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 5 TCP 192.168.12.114:41517 <-> 54.192.27.217:443 [proto: 91.173/TLS.Nintendo][cat: Game/8][11 pkts/2898 bytes <-> 10 pkts/4865 bytes][Goodput ratio: 74.6/86.3][0.56 sec][bytes ratio: -0.253 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 65.1/53.9 287/250 89.4/81.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 263.5/486.5 1414/1414 387.3/570.3][TLSv1.2][Client: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com][JA3C: 200a99534ce50d35cf40cc3cce4c69b5][ServerNames: *.baas.nintendo.com,baas.nintendo.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Nintendo Co., Ltd.][Certificate SHA-1: 8A:0A:1D:D3:A8:96:7A:55:C5:75:B2:2B:3E:45:15:54:0A:B0:FC:94][Validity: 2015-08-12 00:00:00 - 2018-08-15 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 6 TCP 192.168.12.114:31329 <-> 54.192.27.8:443 [proto: 91.173/TLS.Nintendo][cat: Game/8][10 pkts/2833 bytes <-> 10 pkts/4866 bytes][Goodput ratio: 76.4/86.3][0.51 sec][bytes ratio: -0.264 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 57.4/47.4 243/198 75.9/64.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 283.3/486.6 1414/1414 400.9/570.5][TLSv1.2][Client: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com][JA3C: 200a99534ce50d35cf40cc3cce4c69b5][ServerNames: *.baas.nintendo.com,baas.nintendo.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Nintendo Co., Ltd.][Certificate SHA-1: 8A:0A:1D:D3:A8:96:7A:55:C5:75:B2:2B:3E:45:15:54:0A:B0:FC:94][Validity: 
2015-08-12 00:00:00 - 2018-08-15 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 7 UDP 192.168.12.114:52119 <-> 91.8.243.35:49432 [proto: 173/Nintendo][cat: Game/8][23 pkts/2682 bytes <-> 16 pkts/3408 bytes][Goodput ratio: 64.0/80.3][4.86 sec][bytes ratio: -0.119 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 231.7/88.7 514/507 225.4/142.2][Pkt Len c2s/s2c min/avg/max/stddev: 102/102 116.6/213.0 230/854 27.1/243.3] 8 UDP 192.168.12.114:52119 <-> 109.21.255.11:50251 [proto: 173/Nintendo][cat: Game/8][8 pkts/1024 bytes <-> 8 pkts/1024 bytes][Goodput ratio: 67.1/67.1][1.28 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 39/58 118.7/111.0 274/242 88.6/65.3][Pkt Len c2s/s2c min/avg/max/stddev: 102/102 128.0/128.0 198/198 40.7/40.7] 9 UDP 192.168.12.114:52119 <-> 134.3.248.25:56955 [proto: 173/Nintendo][cat: Game/8][8 pkts/1040 bytes <-> 7 pkts/922 bytes][Goodput ratio: 67.6/68.0][1.15 sec][bytes ratio: 0.060 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 9/17 107.5/127.0 288/286 108.6/89.8][Pkt Len c2s/s2c min/avg/max/stddev: 102/102 130.0/131.7 198/198 39.8/42.3] diff --git a/tests/result/pps.pcap.out b/tests/result/pps.pcap.out index 935d5e29e..b217994f0 100644 --- a/tests/result/pps.pcap.out +++ b/tests/result/pps.pcap.out 
@@ -7,7 +7,7 @@ Google 2 1093 1 2 TCP 192.168.115.8:50778 <-> 223.26.106.20:80 [proto: 7/HTTP][cat: Streaming/17][1 pkts/303 bytes <-> 528 pkts/692658 bytes][Goodput ratio: 81.9/95.9][0.82 sec][Host: preimage1.qiyipic.com][bytes ratio: -0.999 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0.0/1.4 0/51 0.0/6.5][Pkt Len c2s/s2c min/avg/max/stddev: 303/180 303.0/1311.9 303/1314 0.0/49.3][URL: preimage1.qiyipic.com/preimage/20160506/f0/1f/v_110359998_m_611_160_90_1.jpg?no=1][StatusCode: 200][ContentType: ][UserAgent: Qiyi List Client PC 5.2.15.2240][PLAIN TEXT (GET /preimage/20160506/f0/1)] 3 TCP 192.168.115.8:50505 <-> 223.26.106.19:80 [proto: 7/HTTP][cat: Streaming/17][2 pkts/400 bytes <-> 244 pkts/319633 bytes][Goodput ratio: 72.8/95.9][0.11 sec][Host: static.qiyi.com][bytes ratio: -0.998 (Download)][IAT c2s/s2c min/avg/max/stddev: 35/0 35.0/0.4 35/35 0.0/2.5][Pkt Len c2s/s2c min/avg/max/stddev: 198/566 200.0/1310.0 202/1314 2.0/50.0][URL: static.qiyi.com/ext/common/qisu2/downloader.ini][StatusCode: 200][ContentType: ][UserAgent: Downloader][PLAIN TEXT (GET /ext/common/qisu2/downloade)] 4 TCP 192.168.115.8:50491 <-> 223.26.106.66:80 [proto: 7/HTTP][cat: Web/5][1 pkts/426 bytes <-> 26 pkts/33872 bytes][Goodput ratio: 87.1/95.9][0.02 sec][Host: 223.26.106.66][bytes ratio: -0.975 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0.0/0.3 0/3 0.0/0.8][Pkt Len c2s/s2c min/avg/max/stddev: 426/1022 426.0/1302.8 426/1314 0.0/56.2][URL: 223.26.106.66/videos/v0/20160625/a5/bf/8de9bb946972a88589d1667862292130.f4v?key=07eef1821e2379d3136ffe16082185ba2&src=iqiyi.com&&tn=137719&uuid=76a3085a-57760844-de][StatusCode: 0][ContentType: ][UserAgent: QY-Player-Windows/2.0.102][PLAIN TEXT (GET /videos/v)] - 5 TCP 192.168.115.8:50486 <-> 77.234.40.96:80 [proto: 7/HTTP][cat: Web/5][11 pkts/11023 bytes <-> 12 pkts/14869 bytes][Goodput ratio: 94.6/95.6][13.04 sec][Host: bcu.ff.avast.com][bytes ratio: -0.149 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 68.1/0.0 307/0 127.4/0.0][Pkt Len c2s/s2c 
min/avg/max/stddev: 231/536 1002.1/1239.1 1314/1314 433.8/214.6][URL: bcu.ff.avast.com/bc2][StatusCode: 200][ContentType: application/x-enc][UserAgent: {D699054D-1699-47D2-9B2B-E96F438C1160}][PLAIN TEXT (POST /bc2 HTTP/1.1)] + 5 TCP 192.168.115.8:50486 <-> 77.234.40.96:80 [proto: 7/HTTP][cat: Web/5][11 pkts/11023 bytes <-> 12 pkts/14869 bytes][Goodput ratio: 94.6/95.6][13.04 sec][Host: bcu.ff.avast.com][bytes ratio: -0.149 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 68.1/0.0 307/0 127.4/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 231/536 1002.1/1239.1 1314/1314 433.8/214.6][URL: bcu.ff.avast.com/bc2][StatusCode: 0][ContentType: application/x-enc][UserAgent: {D699054D-1699-47D2-9B2B-E96F438C1160}][PLAIN TEXT (POST /bc2 HTTP/1.1)] 6 UDP 192.168.5.38:1900 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][18 pkts/9327 bytes -> 0 pkts/0 bytes][Goodput ratio: 91.9/0.0][6.36 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 46/0 392.9/0.0 2654/0 854.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 473/0 518.2/0.0 553/0 30.0/0.0][PLAIN TEXT (NOTIFY )] 7 TCP 192.168.115.8:50476 <-> 101.227.32.39:80 [proto: 7/HTTP][cat: Streaming/17][1 pkts/656 bytes <-> 4 pkts/3897 bytes][Goodput ratio: 91.6/94.4][0.04 sec][Host: cache.video.iqiyi.com][URL: cache.video.iqiyi.com/vi/500494600/562e26caed5695900212eb3259070f8a/?src=1_11_114][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /vi/500494600/562)] 8 TCP 192.168.115.8:50495 <-> 202.108.14.236:80 [proto: 7/HTTP][cat: Streaming/17][3 pkts/2844 bytes <-> 3 pkts/597 bytes][Goodput ratio: 94.3/72.7][0.55 sec][Host: msg.71.am][bytes ratio: 0.653 (Upload)][IAT c2s/s2c min/avg/max/stddev: 117/118 216.0/217.0 315/316 99.0/99.0][Pkt Len c2s/s2c min/avg/max/stddev: 946/199 948.0/199.0 952/199 2.8/0.0][URL: 
msg.71.am/cp2.gif?a=4e3ae415a584748ac9aa31628f39d1e8&ai=&as=1:23:23|45&av=4.10.004&b=180932301&c=31&ct=5000000927558&d=2175&di=&dp=71000001&e=c4889e64ad9d9eeb9ff438910850c442&ec=&em=&fi=&g=0&l=MTE4LjE2My44Ljkw&mk=&nw=&od=5000000858874&oi=&p=a&pp=&rc=&rd=&][StatusCode: 200][ContentType: ][UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR ][PLAIN TEXT (GET /cp)] diff --git a/tests/result/signal.pcap.out b/tests/result/signal.pcap.out index 61bfa0487..a6a86150a 100644 --- a/tests/result/signal.pcap.out +++ b/tests/result/signal.pcap.out 
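Review bot: Flow 5 (192.168.115.8:50486 to bcu.ff.avast.com) now expects `[StatusCode: 0]` where the baseline had `[StatusCode: 200]`, and nothing else on the line changes, so the update records a lost HTTP response code rather than a new result. Packet and byte counts are identical and the server side still shows 12 packets, so this looks like a parsing regression being accepted into the expected output. That is inferred, since the dissector change is not in this hunk. I would keep `[StatusCode: 200]` in the baseline and fix the parser, or state in the commit message why the code is no longer extracted for this flow.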
@@ -11,18 +11,18 @@ JA3 Host Stats: 1 192.168.2.17 3 - 1 TCP 192.168.2.17:57027 <-> 13.35.253.42:443 [proto: 91.39/TLS.Signal][cat: Chat/9][170 pkts/206962 bytes <-> 95 pkts/9293 bytes][Goodput ratio: 94.6/32.3][0.48 sec][bytes ratio: 0.914 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1.8/3.4 39/47 6.0/9.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 1217.4/97.8 1506/1506 547.8/174.6][TLSv1.2][Client: cdn.signal.org][JA3C: 6725ca90906e1036febcbfd464e2e326][Server: cdn.signal.org][JA3S: c4b2785a87896e19d37eee932070cb22][Organization: Open Whisper Systems][Certificate SHA-1: 81:3D:8A:2E:EE:B2:E1:F4:1C:2B:6D:20:16:54:B2:C1:87:D0:1E:12][Validity: 2013-03-25 22:18:35 - 2023-03-23 22:18:35][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 2 TCP 192.168.2.17:57026 <-> 35.169.3.40:443 [proto: 91.39/TLS.Signal][cat: Chat/9][22 pkts/13757 bytes <-> 16 pkts/6493 bytes][Goodput ratio: 89.4/83.6][0.57 sec][bytes ratio: 0.359 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 12.7/19.6 112/114 34.8/41.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 625.3/405.8 1506/1506 628.8/565.5][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][Server: textsecure-service.whispersystems.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2013-03-25 22:18:35 - 2023-03-23 22:18:35][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 1 TCP 192.168.2.17:57027 <-> 13.35.253.42:443 [proto: 91.39/TLS.Signal][cat: Chat/9][170 pkts/206962 bytes <-> 95 pkts/9293 bytes][Goodput ratio: 94.6/32.3][0.48 sec][bytes ratio: 0.914 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1.8/3.4 39/47 6.0/9.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 1217.4/97.8 1506/1506 547.8/174.6][TLSv1.2][Client: cdn.signal.org][JA3C: 6725ca90906e1036febcbfd464e2e326][ServerNames: cdn.signal.org][JA3S: c4b2785a87896e19d37eee932070cb22][Organization: Open Whisper Systems][Certificate 
SHA-1: 81:3D:8A:2E:EE:B2:E1:F4:1C:2B:6D:20:16:54:B2:C1:87:D0:1E:12][Validity: 2019-02-15 17:38:17 - 2029-03-12 18:19:50][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 2 TCP 192.168.2.17:57026 <-> 35.169.3.40:443 [proto: 91.39/TLS.Signal][cat: Chat/9][22 pkts/13757 bytes <-> 16 pkts/6493 bytes][Goodput ratio: 89.4/83.6][0.57 sec][bytes ratio: 0.359 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 12.7/19.6 112/114 34.8/41.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 625.3/405.8 1506/1506 628.8/565.5][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][ServerNames: textsecure-service.whispersystems.org,service.signal.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2019-02-15 17:38:17 - 2029-03-12 18:20:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 3 TCP 192.168.2.17:57022 <-> 23.57.24.16:443 [proto: 91.145/TLS.AppleiTunes][cat: Streaming/17][24 pkts/2540 bytes <-> 21 pkts/12673 bytes][Goodput ratio: 37.6/89.0][0.40 sec][bytes ratio: -0.666 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16.9/14.0 124/83 34.8/27.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 105.8/603.5 583/1506 104.9/573.8][TLSv1.3][Client: itunes.apple.com][JA3C: 17305a56a62a10f6b0ee8edcc3b1769c][JA3S: 15af977ce25de452b96affa2addb1036][Cipher: TLS_AES_256_GCM_SHA384] 4 TCP 192.168.2.17:57018 <-> 23.57.24.16:443 [proto: 91.145/TLS.AppleiTunes][cat: Streaming/17][25 pkts/2582 bytes <-> 20 pkts/12000 bytes][Goodput ratio: 37.0/88.9][0.24 sec][bytes ratio: -0.646 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7.4/9.7 47/52 16.2/19.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 103.3/600.0 583/1506 103.5/587.8][TLSv1.3][Client: itunes.apple.com][JA3C: 17305a56a62a10f6b0ee8edcc3b1769c][JA3S: 15af977ce25de452b96affa2addb1036][Cipher: TLS_AES_256_GCM_SHA384] - 5 TCP 192.168.2.17:49227 <-> 35.169.3.40:443 [proto: 91.39/TLS.Signal][cat: 
Chat/9][13 pkts/1808 bytes <-> 12 pkts/4355 bytes][Goodput ratio: 51.9/81.6][3.03 sec][bytes ratio: -0.413 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 62.1/293.1 115/2199 52.5/677.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 139.1/362.9 502/1506 119.5/470.7][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][Server: textsecure-service.whispersystems.org][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2013-03-25 22:18:35 - 2023-03-23 22:18:35][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 6 TCP 192.168.2.17:57024 <-> 35.169.3.40:443 [proto: 91.39/TLS.Signal][cat: Chat/9][15 pkts/2054 bytes <-> 11 pkts/3775 bytes][Goodput ratio: 51.2/80.5][0.59 sec][bytes ratio: -0.295 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 29.9/59.0 167/186 54.6/77.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 136.9/343.2 583/1506 133.5/472.0][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][Server: textsecure-service.whispersystems.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2013-03-25 22:18:35 - 2023-03-23 22:18:35][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 7 TCP 192.168.2.17:57021 <-> 34.225.240.173:443 [proto: 91.39/TLS.Signal][cat: Chat/9][16 pkts/2108 bytes <-> 10 pkts/3709 bytes][Goodput ratio: 49.9/82.0][13.48 sec][bytes ratio: -0.275 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1019.6/49.6 13018/120 3463.9/56.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 131.8/370.9 583/1506 130.8/486.5][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][Server: textsecure-service.whispersystems.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 
5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2013-03-25 22:18:35 - 2023-03-23 22:18:35][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 8 TCP 192.168.2.17:57020 <-> 34.225.240.173:443 [proto: 91.39/TLS.Signal][cat: Chat/9][16 pkts/2103 bytes <-> 11 pkts/3562 bytes][Goodput ratio: 49.8/79.4][13.49 sec][bytes ratio: -0.258 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1019.4/44.5 13011/122 3461.9/56.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 131.4/323.8 583/1506 130.5/472.3][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][Server: textsecure-service.whispersystems.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2013-03-25 22:18:35 - 2023-03-23 22:18:35][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 9 TCP 192.168.2.17:57019 <-> 34.225.240.173:443 [proto: 91.39/TLS.Signal][cat: Chat/9][16 pkts/2095 bytes <-> 11 pkts/3527 bytes][Goodput ratio: 49.6/79.2][13.49 sec][bytes ratio: -0.255 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1020.2/43.2 13026/120 3466.0/54.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 130.9/320.6 583/1506 129.9/473.1][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][Server: textsecure-service.whispersystems.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2013-03-25 22:18:35 - 2023-03-23 22:18:35][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 10 TCP 192.168.2.17:57023 <-> 35.169.3.40:443 [proto: 91.39/TLS.Signal][cat: Chat/9][15 pkts/2049 bytes <-> 11 pkts/3562 bytes][Goodput ratio: 51.1/79.4][0.58 sec][bytes ratio: -0.270 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 30.0/58.0 168/181 54.2/76.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 136.6/323.8 583/1506 
133.1/472.3][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][Server: textsecure-service.whispersystems.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2013-03-25 22:18:35 - 2023-03-23 22:18:35][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 11 TCP 192.168.2.17:57025 <-> 35.169.3.40:443 [proto: 91.39/TLS.Signal][cat: Chat/9][15 pkts/2041 bytes <-> 11 pkts/3527 bytes][Goodput ratio: 50.9/79.2][0.58 sec][bytes ratio: -0.267 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 29.8/58.4 166/184 54.4/76.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 136.1/320.6 583/1506 132.6/473.1][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][Server: textsecure-service.whispersystems.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2013-03-25 22:18:35 - 2023-03-23 22:18:35][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 12 TCP 192.168.2.17:49226 <-> 34.225.240.173:443 [proto: 91.39/TLS.Signal][cat: Chat/9][13 pkts/1688 bytes <-> 11 pkts/3569 bytes][Goodput ratio: 48.4/79.4][9.90 sec][bytes ratio: -0.358 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 58.4/57.4 113/154 53.2/65.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 129.8/324.5 502/1506 120.2/473.3][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][Server: textsecure-service.whispersystems.org][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2013-03-25 22:18:35 - 2023-03-23 22:18:35][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 5 TCP 192.168.2.17:49227 <-> 35.169.3.40:443 [proto: 91.39/TLS.Signal][cat: Chat/9][13 pkts/1808 bytes <-> 
12 pkts/4355 bytes][Goodput ratio: 51.9/81.6][3.03 sec][bytes ratio: -0.413 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 62.1/293.1 115/2199 52.5/677.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 139.1/362.9 502/1506 119.5/470.7][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][ServerNames: textsecure-service.whispersystems.org,service.signal.org][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2019-02-15 17:38:17 - 2029-03-12 18:20:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 6 TCP 192.168.2.17:57024 <-> 35.169.3.40:443 [proto: 91.39/TLS.Signal][cat: Chat/9][15 pkts/2054 bytes <-> 11 pkts/3775 bytes][Goodput ratio: 51.2/80.5][0.59 sec][bytes ratio: -0.295 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 29.9/59.0 167/186 54.6/77.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 136.9/343.2 583/1506 133.5/472.0][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][ServerNames: textsecure-service.whispersystems.org,service.signal.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2019-02-15 17:38:17 - 2029-03-12 18:20:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 7 TCP 192.168.2.17:57021 <-> 34.225.240.173:443 [proto: 91.39/TLS.Signal][cat: Chat/9][16 pkts/2108 bytes <-> 10 pkts/3709 bytes][Goodput ratio: 49.9/82.0][13.48 sec][bytes ratio: -0.275 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1019.6/49.6 13018/120 3463.9/56.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 131.8/370.9 583/1506 130.8/486.5][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][ServerNames: textsecure-service.whispersystems.org,service.signal.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper 
Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2019-02-15 17:38:17 - 2029-03-12 18:20:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 8 TCP 192.168.2.17:57020 <-> 34.225.240.173:443 [proto: 91.39/TLS.Signal][cat: Chat/9][16 pkts/2103 bytes <-> 11 pkts/3562 bytes][Goodput ratio: 49.8/79.4][13.49 sec][bytes ratio: -0.258 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1019.4/44.5 13011/122 3461.9/56.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 131.4/323.8 583/1506 130.5/472.3][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][ServerNames: textsecure-service.whispersystems.org,service.signal.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2019-02-15 17:38:17 - 2029-03-12 18:20:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 9 TCP 192.168.2.17:57019 <-> 34.225.240.173:443 [proto: 91.39/TLS.Signal][cat: Chat/9][16 pkts/2095 bytes <-> 11 pkts/3527 bytes][Goodput ratio: 49.6/79.2][13.49 sec][bytes ratio: -0.255 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1020.2/43.2 13026/120 3466.0/54.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 130.9/320.6 583/1506 129.9/473.1][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][ServerNames: textsecure-service.whispersystems.org,service.signal.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2019-02-15 17:38:17 - 2029-03-12 18:20:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 10 TCP 192.168.2.17:57023 <-> 35.169.3.40:443 [proto: 91.39/TLS.Signal][cat: Chat/9][15 pkts/2049 bytes <-> 11 pkts/3562 bytes][Goodput ratio: 51.1/79.4][0.58 sec][bytes ratio: -0.270 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 30.0/58.0 168/181 54.2/76.1][Pkt 
Len c2s/s2c min/avg/max/stddev: 66/66 136.6/323.8 583/1506 133.1/472.3][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][ServerNames: textsecure-service.whispersystems.org,service.signal.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2019-02-15 17:38:17 - 2029-03-12 18:20:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 11 TCP 192.168.2.17:57025 <-> 35.169.3.40:443 [proto: 91.39/TLS.Signal][cat: Chat/9][15 pkts/2041 bytes <-> 11 pkts/3527 bytes][Goodput ratio: 50.9/79.2][0.58 sec][bytes ratio: -0.267 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 29.8/58.4 166/184 54.4/76.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 136.1/320.6 583/1506 132.6/473.1][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][ServerNames: textsecure-service.whispersystems.org,service.signal.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2019-02-15 17:38:17 - 2029-03-12 18:20:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 12 TCP 192.168.2.17:49226 <-> 34.225.240.173:443 [proto: 91.39/TLS.Signal][cat: Chat/9][13 pkts/1688 bytes <-> 11 pkts/3569 bytes][Goodput ratio: 48.4/79.4][9.90 sec][bytes ratio: -0.358 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 58.4/57.4 113/154 53.2/65.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 129.8/324.5 502/1506 120.2/473.3][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][ServerNames: textsecure-service.whispersystems.org,service.signal.org][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2019-02-15 17:38:17 - 2029-03-12 18:20:20][Cipher: 
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 13 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][4 pkts/1368 bytes -> 0 pkts/0 bytes][Goodput ratio: 87.7/0.0][15.76 sec][Host: lucas-imac][DHCP Fingerprint: 1,121,3,6,15,119,252,95,44,46] 14 TCP 23.57.24.16:443 <-> 192.168.2.17:57016 [proto: 91/TLS][cat: Web/5][6 pkts/408 bytes <-> 6 pkts/471 bytes][Goodput ratio: 11.7/13.3][0.65 sec][bytes ratio: -0.072 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 7/16 158.5/4.0 347/16 156.8/6.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 68.0/78.5 90/105 16.1/14.7] 15 TCP 192.168.2.17:56996 <-> 17.248.146.144:443 [proto: 91.140/TLS.Apple][cat: Web/5][4 pkts/341 bytes <-> 4 pkts/264 bytes][Goodput ratio: 22.5/0.0][0.03 sec][bytes ratio: 0.127 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 25/0 8.3/0.0 25/0 11.8/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 85.2/66.0 112/66 20.0/0.0] diff --git a/tests/result/skype.pcap.out b/tests/result/skype.pcap.out index db6d78183..b3cf38b53 100644 --- a/tests/result/skype.pcap.out +++ b/tests/result/skype.pcap.out @@ -5,9 +5,9 @@ SSDP 101 38156 6 SkypeCall 152 10704 144 ICMP 8 656 1 IGMP 5 258 4 -TLS 96 8876 7 +TLS 483 206966 8 Dropbox 38 17948 5 -Skype 1796 451121 80 +Skype 1409 253031 79 Apple 17 2225 3 AppleiCloud 88 20520 2 Spotify 5 430 1 
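Review bot: The `Validity` field changes on every Signal flow in this hunk (flow 1 goes from `2013-03-25 22:18:35 - 2023-03-23 22:18:35` to `2019-02-15 17:38:17 - 2029-03-12 18:19:50`) while `Certificate SHA-1` stays the same, so either the old value was wrong or the two fields are not read from the same certificate. The old validity was identical for the two distinct fingerprints starting 81:3D and 5E:9E, which suggests it came from a shared certificate in the chain and the new value is the per-server one; this is inferred from the output only. Please confirm that the fingerprint, `ServerNames` and `Validity` all describe the same certificate, because a mismatch makes expiry or pinning checks built on this output unreliable. The `Server:` to `ServerNames:` rename also needs a changelog entry, since anything matching on `[Server: ` stops working.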
@@ -17,15 +17,15 @@ JA3 Host Stats: 1 192.168.1.34 2 - 1 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91.125/TLS.Skype][cat: Web/5][187 pkts/42539 bytes <-> 200 pkts/155551 bytes][Goodput ratio: 71.0/91.5][166.18 sec][bytes ratio: -0.571 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1002.2/607.6 30166/30261 4602.0/3438.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 227.5/777.8 1506/1506 423.1/552.7][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][Server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][Certificate SHA-1: 95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51][Validity: 2014-10-27 22:51:07 - 2016-10-26 22:51:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] + 1 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91/TLS][cat: Web/5][187 pkts/42539 bytes <-> 200 pkts/155551 bytes][Goodput ratio: 71.0/91.5][166.18 sec][bytes ratio: -0.571 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1002.2/607.6 30166/30261 4602.0/3438.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 227.5/777.8 1506/1506 423.1/552.7][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][ServerNames: *.gateway.messenger.live.com,*.beta.gateway.edge.messenger.live.com,*.by2.gateway.edge.messenger.live.com,*.sn1.gateway.edge.messenger.live.com][JA3S: 5e4e5596180ebd0ac0317125ee490707][Certificate SHA-1: 95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51][Validity: 2014-10-27 22:51:07 - 2016-10-26 22:51:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] 2 TCP 192.168.1.34:50108 <-> 157.56.52.28:40009 [proto: 125/Skype][cat: VoIP/10][231 pkts/60232 bytes <-> 241 pkts/104395 bytes][Goodput ratio: 74.7/84.8][96.43 sec][bytes ratio: -0.268 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 448.5/356.9 8300/8646 1135.8/1099.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 260.7/433.2 1506/1506 342.9/569.4][PLAIN TEXT ( 0sKWL)] 3 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][79 pkts/29479 bytes -> 0 pkts/0 bytes][Goodput ratio: 
88.7/0.0][160.13 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1135.8/0.0 19950/0 4578.7/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 327/0 373.2/0.0 405/0 28.8/0.0][PLAIN TEXT (NOTIFY )] 4 TCP 192.168.1.34:50128 <-> 17.172.100.36:443 [proto: 91.143/TLS.AppleiCloud][cat: Web/5][43 pkts/9635 bytes <-> 43 pkts/10651 bytes][Goodput ratio: 75.6/77.3][46.31 sec][bytes ratio: -0.050 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 114.6/85.0 899/1012 249.9/251.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 224.1/247.7 680/1494 261.3/323.6][TLSv1.2][Client: p05-keyvalueservice.icloud.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5] 5 UDP 192.168.1.92:50084 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][14 pkts/7281 bytes -> 0 pkts/0 bytes][Goodput ratio: 91.9/0.0][6.11 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 508.0/0.0 3090/0 1136.1/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 475/0 520.1/0.0 555/0 30.8/0.0][PLAIN TEXT (NOTIFY )] 6 TCP 108.160.170.46:443 <-> 192.168.1.34:49445 [proto: 91.121/TLS.Dropbox][cat: Cloud/13][8 pkts/1636 bytes <-> 8 pkts/4344 bytes][Goodput ratio: 67.7/87.8][141.04 sec][bytes ratio: -0.453 (Download)][IAT c2s/s2c min/avg/max/stddev: 141/2 23483.2/23483.3 53811/53950 23772.7/23909.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 204.5/543.0 343/1020 138.5/477.0] 7 TCP 192.168.1.34:50126 <-> 91.190.216.23:12350 [proto: 125/Skype][cat: VoIP/10][16 pkts/4788 bytes <-> 4 pkts/372 bytes][Goodput ratio: 77.7/28.4][32.96 sec][bytes ratio: 0.856 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 2304.5/21.5 5155/43 2241.1/21.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 299.2/93.0 398/172 147.0/45.9] - 8 TCP 192.168.1.34:50027 <-> 23.223.73.34:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][17 pkts/3605 bytes <-> 1 pkts/74 bytes][Goodput ratio: 68.9/0.0][69.74 sec][bytes ratio: 0.960 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 4362.3/0.0 
8437/0 3866.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/74 212.1/74.0 257/74 81.1/0.0][TLSv1][Client: apps.skypeassets.com][JA3C: 799135475da362592a4be9199d258726] - 9 TCP 192.168.1.34:50029 <-> 23.206.33.166:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][16 pkts/3461 bytes <-> 1 pkts/74 bytes][Goodput ratio: 69.5/0.0][55.58 sec][bytes ratio: 0.958 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 3492.5/0.0 6700/0 2904.1/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/74 216.3/74.0 251/74 72.3/0.0][TLSv1][Client: apps.skype.com][JA3C: 799135475da362592a4be9199d258726] + 8 TCP 192.168.1.34:50027 <-> 23.223.73.34:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][17 pkts/3605 bytes <-> 1 pkts/74 bytes][Goodput ratio: 68.9/0.0][69.74 sec][bytes ratio: 0.960 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 4362.3/0.0 8437/0 3866.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/74 212.1/74.0 257/74 81.1/0.0][TLSv1.2][Client: apps.skypeassets.com][JA3C: 799135475da362592a4be9199d258726] + 9 TCP 192.168.1.34:50029 <-> 23.206.33.166:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][16 pkts/3461 bytes <-> 1 pkts/74 bytes][Goodput ratio: 69.5/0.0][55.58 sec][bytes ratio: 0.958 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 3492.5/0.0 6700/0 2904.1/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/74 216.3/74.0 251/74 72.3/0.0][TLSv1.2][Client: apps.skype.com][JA3C: 799135475da362592a4be9199d258726] 10 UDP 192.168.1.34:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][6 pkts/3264 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.3/0.0][150.37 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 30053/0 30073.4/0.0 30087/0 11.8/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 544/0 544.0/0.0 544/0 0.0/0.0][PLAIN TEXT ( 1573195445)] 11 UDP 192.168.1.34:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][cat: Cloud/13][6 pkts/3264 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.3/0.0][150.37 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 30053/0 30073.8/0.0 30087/0 12.0/0.0][Pkt Len 
c2s/s2c min/avg/max/stddev: 544/0 544.0/0.0 544/0 0.0/0.0][PLAIN TEXT ( 1573195445)] 12 UDP 192.168.1.92:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][5 pkts/2720 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][120.16 sec][PLAIN TEXT ( 3375359593)] diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out index 01e22efd3..098a745a9 100644 --- a/tests/result/skype_no_unknown.pcap.out +++ b/tests/result/skype_no_unknown.pcap.out @@ -6,9 +6,9 @@ SSDP 40 14100 3 SkypeCall 154 10918 146 ICMP 4 328 1 IGMP 4 226 4 -TLS 79 7742 6 +TLS 427 189429 7 Dropbox 16 7342 5 -Skype 1185 331827 60 +Skype 837 150140 59 Apple 84 20699 2 JA3 Host Stats: 
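Review bot: Flow 1 (192.168.1.34:50028 to 157.56.126.211:443) drops from `[proto: 91.125/TLS.Skype]` to `[proto: 91/TLS]` although the new line still lists `*.gateway.messenger.live.com` first in `ServerNames`, so the baseline is accepting a lost application match. The summary hunk of this file (`Skype 1796 451121 80` to `Skype 1409 253031 79`), both skype_no_unknown.pcap.out hunks and the tor.pcap.out summary (`Tor 3638 3001842 6` to `Tor 3431 2911731 3`) show the same shift towards plain TLS. Presumably the certificate names are no longer matched against the protocol host list once several names are reported; that is a guess from the output alone. The expected line should keep `[proto: 91.125/TLS.Skype]`, with each certificate name checked on its own. The `JA3S` for this flow also changes from `d9699a2032a6c5371343b7f7dfd94abe` to `5e4e5596180ebd0ac0317125ee490707`, which breaks comparison with fingerprints recorded by earlier builds and deserves a changelog entry.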
@@ -16,13 +16,13 @@ JA3 Host Stats: 1 192.168.1.34 2 - 1 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.125/TLS.Skype][cat: Web/5][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][Goodput ratio: 71.9/91.6][51.22 sec][bytes ratio: -0.570 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 369.6/331.3 45360/45460 3946.4/3735.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 235.2/783.8 1506/1506 432.7/564.7][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][Server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][Certificate SHA-1: 95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51][Validity: 2014-10-27 22:51:07 - 2016-10-26 22:51:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] + 1 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91/TLS][cat: Web/5][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][Goodput ratio: 71.9/91.6][51.22 sec][bytes ratio: -0.570 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 369.6/331.3 45360/45460 3946.4/3735.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 235.2/783.8 1506/1506 432.7/564.7][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][ServerNames: *.gateway.messenger.live.com,*.beta.gateway.edge.messenger.live.com,*.by2.gateway.edge.messenger.live.com,*.sn1.gateway.edge.messenger.live.com][JA3S: 5e4e5596180ebd0ac0317125ee490707][Certificate SHA-1: 95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51][Validity: 2014-10-27 22:51:07 - 2016-10-26 22:51:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] 2 TCP 192.168.1.34:51279 <-> 111.221.74.48:40008 [proto: 125/Skype][cat: VoIP/10][101 pkts/30681 bytes <-> 98 pkts/59934 bytes][Goodput ratio: 77.8/89.2][22.75 sec][bytes ratio: -0.323 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 238.2/214.7 3095/3095 411.2/400.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 303.8/611.6 1506/1506 405.8/625.9][PLAIN TEXT (nZREBS)] - 3 TCP 192.168.1.34:51227 <-> 17.172.100.36:443 [proto: 91.140/TLS.Apple][cat: Web/5][38 pkts/9082 bytes <-> 38 pkts/10499 bytes][Goodput ratio: 
77.4/79.7][68.36 sec][bytes ratio: -0.072 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2272.9/322.9 55625/8255 10013.7/1510.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 239.0/276.3 680/1494 273.4/358.4] + 3 TCP 192.168.1.34:51227 <-> 17.172.100.36:443 [proto: 91.140/TLS.Apple][cat: Web/5][38 pkts/9082 bytes <-> 38 pkts/10499 bytes][Goodput ratio: 77.4/79.7][68.36 sec][bytes ratio: -0.072 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2272.9/322.9 55625/8255 10013.7/1510.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 239.0/276.3 680/1494 273.4/358.4][PLAIN TEXT (/tBGEll)] 4 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][36 pkts/13402 bytes -> 0 pkts/0 bytes][Goodput ratio: 88.7/0.0][60.04 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1254.2/0.0 19850/0 4801.4/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 327/0 372.3/0.0 405/0 28.7/0.0][PLAIN TEXT (NOTIFY )] - 5 TCP 192.168.1.34:51231 <-> 23.206.33.166:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][16 pkts/3461 bytes <-> 1 pkts/74 bytes][Goodput ratio: 69.5/0.0][54.57 sec][bytes ratio: 0.958 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 3429.1/0.0 6616/0 2850.8/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/74 216.3/74.0 251/74 72.3/0.0][TLSv1][Client: apps.skype.com][JA3C: 799135475da362592a4be9199d258726] + 5 TCP 192.168.1.34:51231 <-> 23.206.33.166:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][16 pkts/3461 bytes <-> 1 pkts/74 bytes][Goodput ratio: 69.5/0.0][54.57 sec][bytes ratio: 0.958 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 3429.1/0.0 6616/0 2850.8/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/74 216.3/74.0 251/74 72.3/0.0][TLSv1.2][Client: apps.skype.com][JA3C: 799135475da362592a4be9199d258726] 6 TCP 192.168.1.34:51297 <-> 91.190.216.24:12350 [proto: 125/Skype][cat: VoIP/10][12 pkts/3242 bytes <-> 3 pkts/290 bytes][Goodput ratio: 75.2/28.9][14.87 sec][bytes ratio: 0.836 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1411.2/27.5 6276/55 1938.6/27.5][Pkt Len c2s/s2c 
min/avg/max/stddev: 66/66 270.2/96.7 401/150 156.2/37.9] - 7 TCP 108.160.163.108:443 <-> 192.168.1.34:51222 [proto: 91.121/TLS.Dropbox][cat: Cloud/13][4 pkts/818 bytes <-> 4 pkts/2172 bytes][Goodput ratio: 67.6/87.8][30.64 sec][bytes ratio: -0.453 (Download)][IAT c2s/s2c min/avg/max/stddev: 222/2 10212.3/10139.0 30193/30413 14128.5/14335.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 204.5/543.0 343/1020 138.5/477.0] + 7 TCP 108.160.163.108:443 <-> 192.168.1.34:51222 [proto: 91.121/TLS.Dropbox][cat: Cloud/13][4 pkts/818 bytes <-> 4 pkts/2172 bytes][Goodput ratio: 67.6/87.8][30.64 sec][bytes ratio: -0.453 (Download)][IAT c2s/s2c min/avg/max/stddev: 222/2 10212.3/10139.0 30193/30413 14128.5/14335.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 204.5/543.0 343/1020 138.5/477.0][PLAIN TEXT (ZeNjsq)] 8 TCP 192.168.1.34:51295 <-> 23.206.33.166:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][11 pkts/2074 bytes <-> 1 pkts/74 bytes][Goodput ratio: 64.4/0.0][14.82 sec][bytes ratio: 0.931 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1393.0/0.0 6406/0 1894.0/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 188.5/74.0 233/74 72.7/0.0][TLSv1][Client: apps.skype.com] 9 TCP 192.168.1.34:51238 <-> 157.55.235.147:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][13 pkts/1446 bytes <-> 4 pkts/266 bytes][Goodput ratio: 39.8/0.0][28.33 sec][bytes ratio: 0.689 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/63 2320.6/63.0 11234/63 3205.7/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 111.2/66.5 138/74 23.1/5.0] 10 TCP 192.168.1.34:51262 <-> 213.199.179.176:443 [proto: 91/TLS][cat: Web/5][13 pkts/1437 bytes <-> 3 pkts/200 bytes][Goodput ratio: 39.4/0.0][24.81 sec][bytes ratio: 0.756 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/59 2001.1/59.0 7498/59 2282.6/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 110.5/66.7 138/74 22.8/5.7] diff --git a/tests/result/tor.pcap.out b/tests/result/tor.pcap.out index 8875e4f7c..e2503d3c7 100644 --- a/tests/result/tor.pcap.out +++ b/tests/result/tor.pcap.out 
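Review bot: Flows 3 and 7 gain `[PLAIN TEXT (/tBGEll)]` and `[PLAIN TEXT (ZeNjsq)]` although both stay classified as TLS (`91.140/TLS.Apple` and `91.121/TLS.Dropbox`), so the expected output now labels bytes of an encrypted session as plain text. The strings look like a printable run found in ciphertext, and someone triaging flows could read the tag as evidence of cleartext content; that is inferred, as the code that emits the tag is outside this hunk. I would leave both lines as they were and skip the printable-string scan when the master protocol is TLS. Flow 1 in this hunk is also reclassified from `91.125/TLS.Skype` to `91/TLS`.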
@@ -1,21 +1,21 @@ NetBIOS 1 252 1 -TLS 39 12580 2 +TLS 246 102691 5 DHCPV6 6 906 1 Dropbox 10 1860 1 -Tor 3638 3001842 6 +Tor 3431 2911731 3 JA3 Host Stats: IP Address # JA3C 1 192.168.1.252 1 - 1 TCP 192.168.1.252:51176 <-> 38.229.70.53:443 [proto: 91.163/TLS.Tor][cat: VPN/2][693 pkts/181364 bytes <-> 1133 pkts/1331914 bytes][Goodput ratio: 77.7/95.4][134.33 sec][bytes ratio: -0.760 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 212.9/86.0 33482/11394 1581.9/404.0][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 261.7/1175.6 1514/1514 348.8/544.1][TLSv1][Client: www.jmts2id.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][Server: www.gg562izcxdvqdk.com][JA3S: e1691a31bfe345d2692da75636ddfb00][Certificate SHA-1: C1:93:18:2C:A3:1D:AC:5F:C7:DE:17:8A:4E:B1:E8:13:BB:08:73:3A][Validity: 2013-09-15 00:00:00 - 2014-02-21 23:59:59][Cipher: TLS_DHE_RSA_WITH_AES_256_CBC_SHA] - 2 TCP 192.168.1.252:51112 <-> 38.229.70.53:443 [proto: 163/Tor][cat: VPN/2][580 pkts/145960 bytes <-> 996 pkts/1242832 bytes][Goodput ratio: 76.8/95.7][106.13 sec][bytes ratio: -0.790 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 202.5/109.1 30770/31166 1830.3/1316.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 251.7/1247.8 1514/1514 354.5/507.1][TLSv1][Client: www.q4cyamnc6mtokjurvdclt.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][PLAIN TEXT (cyamnc6)] - 3 TCP 192.168.1.252:51110 <-> 91.143.93.242:443 [proto: 163/Tor][cat: VPN/2][62 pkts/22715 bytes <-> 79 pkts/45823 bytes][Goodput ratio: 84.4/90.7][109.04 sec][bytes ratio: -0.337 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2212.0/966.0 44777/37995 8343.4/4770.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 366.4/580.0 1514/1514 349.5/568.1][TLSv1][Client: www.ct7ctrgb6cr7.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][PLAIN TEXT (www.ct7)] - 4 TCP 192.168.1.252:51175 <-> 91.143.93.242:443 [proto: 91/TLS][cat: Web/5][17 pkts/5489 bytes <-> 21 pkts/7031 bytes][Goodput ratio: 82.4/83.7][135.32 sec][bytes ratio: -0.123 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 
10377.8/8441.0 132386/132736 35221.5/32093.7][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 322.9/334.8 640/1514 270.5/384.8][TLSv1][Client: www.gfu7hbxpfp.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][Server: www.xkgk7fdx362yyyxib.com][JA3S: 184d532a16876b78846ae6a03f654890][Certificate SHA-1: 94:F9:FF:E2:7F:DB:1F:B8:19:65:20:6F:F6:DE:B6:A5:D5:AF:14:C7][Validity: 2013-10-03 00:00:00 - 2013-11-18 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] - 5 TCP 192.168.1.252:51111 <-> 46.59.52.31:443 [proto: 163/Tor][cat: VPN/2][16 pkts/4858 bytes <-> 18 pkts/6284 bytes][Goodput ratio: 81.2/84.3][108.05 sec][bytes ratio: -0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/3 6124.3/2564.1 71328/34353 19660.8/8817.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 303.6/349.1 640/1514 266.5/398.3][TLSv1][Client: www.e6r5p57kbafwrxj3plz.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][PLAIN TEXT (57kbafwrx)] - 6 TCP 192.168.1.252:51174 <-> 212.83.155.250:443 [proto: 163/Tor][cat: VPN/2][16 pkts/3691 bytes <-> 16 pkts/6740 bytes][Goodput ratio: 74.8/87.0][135.27 sec][bytes ratio: -0.292 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/2 11234.2/11260.6 72591/72890 25060.3/25130.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 230.7/421.2 640/1514 242.6/402.9][TLSv1][Client: www.t3i3ru.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][PLAIN TEXT (ru.com)] - 7 TCP 192.168.1.252:51185 <-> 62.210.137.230:443 [proto: 163/Tor][cat: VPN/2][15 pkts/3634 bytes <-> 14 pkts/6027 bytes][Goodput ratio: 76.2/87.2][74.24 sec][bytes ratio: -0.248 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/15 6155.3/6464.2 63835/63837 17571.0/19124.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 242.3/430.5 640/1514 246.7/415.8][TLSv1][Client: www.6gyip7tqim7sieb.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][PLAIN TEXT (sieb.com)] + 1 TCP 192.168.1.252:51176 <-> 38.229.70.53:443 [proto: 91.163/TLS.Tor][cat: VPN/2][693 pkts/181364 bytes <-> 1133 pkts/1331914 bytes][Goodput ratio: 77.7/95.4][134.33 sec][bytes ratio: -0.760 
(Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 212.9/86.0 33482/11394 1581.9/404.0][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 261.7/1175.6 1514/1514 348.8/544.1][TLSv1][Client: www.jmts2id.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: e1691a31bfe345d2692da75636ddfb00][Certificate SHA-1: C1:93:18:2C:A3:1D:AC:5F:C7:DE:17:8A:4E:B1:E8:13:BB:08:73:3A][Validity: 2013-09-15 00:00:00 - 2014-02-21 23:59:59][Cipher: TLS_DHE_RSA_WITH_AES_256_CBC_SHA] + 2 TCP 192.168.1.252:51112 <-> 38.229.70.53:443 [proto: 91.163/TLS.Tor][cat: VPN/2][580 pkts/145960 bytes <-> 996 pkts/1242832 bytes][Goodput ratio: 76.8/95.7][106.13 sec][bytes ratio: -0.790 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 202.5/109.1 30770/31166 1830.3/1316.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 251.7/1247.8 1514/1514 354.5/507.1][TLSv1][Client: www.q4cyamnc6mtokjurvdclt.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: e1691a31bfe345d2692da75636ddfb00][Certificate SHA-1: C1:93:18:2C:A3:1D:AC:5F:C7:DE:17:8A:4E:B1:E8:13:BB:08:73:3A][Validity: 2013-09-15 00:00:00 - 2014-02-21 23:59:59][Cipher: TLS_DHE_RSA_WITH_AES_256_CBC_SHA] + 3 TCP 192.168.1.252:51110 <-> 91.143.93.242:443 [proto: 91/TLS][cat: Web/5][62 pkts/22715 bytes <-> 79 pkts/45823 bytes][Goodput ratio: 84.4/90.7][109.04 sec][bytes ratio: -0.337 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2212.0/966.0 44777/37995 8343.4/4770.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 366.4/580.0 1514/1514 349.5/568.1][TLSv1][Client: www.ct7ctrgb6cr7.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: 184d532a16876b78846ae6a03f654890][Certificate SHA-1: 94:F9:FF:E2:7F:DB:1F:B8:19:65:20:6F:F6:DE:B6:A5:D5:AF:14:C7][Validity: 2013-10-03 00:00:00 - 2013-11-18 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 4 TCP 192.168.1.252:51175 <-> 91.143.93.242:443 [proto: 91/TLS][cat: Web/5][17 pkts/5489 bytes <-> 21 pkts/7031 bytes][Goodput ratio: 82.4/83.7][135.32 sec][bytes ratio: -0.123 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 10377.8/8441.0 
132386/132736 35221.5/32093.7][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 322.9/334.8 640/1514 270.5/384.8][TLSv1][Client: www.gfu7hbxpfp.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: 184d532a16876b78846ae6a03f654890][Certificate SHA-1: 94:F9:FF:E2:7F:DB:1F:B8:19:65:20:6F:F6:DE:B6:A5:D5:AF:14:C7][Validity: 2013-10-03 00:00:00 - 2013-11-18 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 5 TCP 192.168.1.252:51111 <-> 46.59.52.31:443 [proto: 91/TLS][cat: Web/5][16 pkts/4858 bytes <-> 18 pkts/6284 bytes][Goodput ratio: 81.2/84.3][108.05 sec][bytes ratio: -0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/3 6124.3/2564.1 71328/34353 19660.8/8817.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 303.6/349.1 640/1514 266.5/398.3][TLSv1][Client: www.e6r5p57kbafwrxj3plz.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: 184d532a16876b78846ae6a03f654890][Certificate SHA-1: 3A:B1:8A:6F:C3:F6:41:ED:77:D5:40:C3:85:79:8B:62:46:BC:65:9C][Validity: 2013-06-07 00:00:00 - 2014-02-07 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 6 TCP 192.168.1.252:51174 <-> 212.83.155.250:443 [proto: 91/TLS][cat: Web/5][16 pkts/3691 bytes <-> 16 pkts/6740 bytes][Goodput ratio: 74.8/87.0][135.27 sec][bytes ratio: -0.292 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/2 11234.2/11260.6 72591/72890 25060.3/25130.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 230.7/421.2 640/1514 242.6/402.9][TLSv1][Client: www.t3i3ru.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: 184d532a16876b78846ae6a03f654890][Certificate SHA-1: F9:1D:5F:89:8F:D8:58:1E:45:E7:9B:A6:FD:90:95:77:FF:DD:E8:1B][Validity: 2013-09-11 00:00:00 - 2013-11-24 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 7 TCP 192.168.1.252:51185 <-> 62.210.137.230:443 [proto: 91.163/TLS.Tor][cat: VPN/2][15 pkts/3634 bytes <-> 14 pkts/6027 bytes][Goodput ratio: 76.2/87.2][74.24 sec][bytes ratio: -0.248 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/15 6155.3/6464.2 63835/63837 17571.0/19124.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 
242.3/430.5 640/1514 246.7/415.8][TLSv1][Client: www.6gyip7tqim7sieb.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: 184d532a16876b78846ae6a03f654890][Certificate SHA-1: EE:86:E7:21:36:93:23:30:DB:A0:09:48:55:16:CB:A8:E9:DA:01:D0][Validity: 2013-11-02 00:00:00 - 2014-02-17 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] 8 UDP 192.168.1.1:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][10 pkts/1860 bytes -> 0 pkts/0 bytes][Goodput ratio: 77.4/0.0][600.89 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 30033/0 66765.1/0.0 360548/0 103867.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 186/0 186.0/0.0 186/0 0.0/0.0][PLAIN TEXT ( 676879976)] 9 UDP [fe80::c583:1972:5728:7323]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][cat: Network/14][6 pkts/906 bytes -> 0 pkts/0 bytes][Goodput ratio: 58.9/0.0][31.41 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1227/0 6282.2/0.0 16006/0 5399.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 151/0 151.0/0.0 151/0 0.0/0.0][PLAIN TEXT (Endian)] 10 UDP 192.168.1.252:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][cat: System/18][1 pkts/252 bytes -> 0 pkts/0 bytes][Goodput ratio: 83.0/0.0][< 1 sec][Host: endian-pc][PLAIN TEXT ( EFEOEEEJEBEOCNFAEDCACACACACACA)] diff --git a/tests/result/viber.pcap.out b/tests/result/viber.pcap.out index b55e4bf8e..6040afee9 100644 --- a/tests/result/viber.pcap.out +++ b/tests/result/viber.pcap.out 
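Review bot: The new expected output for tor.pcap bakes in a drop in Tor detection that nothing visible in this part of the patch explains: the summary goes from `Tor 3638 3001842 6` to `Tor 3431 2911731 3`, and flows 3, 5 and 6 move from `[proto: 163/Tor][cat: VPN/2]` to `[proto: 91/TLS][cat: Web/5]`. Flow 7 keeps `91.163/TLS.Tor` although it shows the same JA3C and JA3S values as the reclassified flows, which suggests the difference is a side effect rather than a decision; the cause would be in the TLS dissector changes outside this hunk and should be confirmed there. Flow 1 also loses `[Server: www.gg562izcxdvqdk.com]` with no `[ServerNames: …]` field in its place, unlike the records in the viber.pcap.out hunk. Anything that keys policy or alerting on the Tor/VPN category would miss these flows, so I would keep the fixture at `Tor 3638 3001842 6` until the dissector classifies them again, or state the accepted loss in the commit description.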
@@ -13,14 +13,14 @@ JA3 Host Stats: 1 192.168.0.17 2 - 1 TCP 192.168.0.17:53934 <-> 54.230.93.53:443 [proto: 91.144/TLS.Viber][cat: Chat/9][43 pkts/4571 bytes <-> 46 pkts/60087 bytes][Goodput ratio: 37.7/94.9][5.64 sec][bytes ratio: -0.859 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 162.3/2.3 5370/40 906.6/7.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 106.3/1306.2 774/1514 151.1/466.3][TLSv1.2][Client: dl-media.viber.com][JA3C: d8c87b9bfde38897979e41242626c2f3][Server: *.viber.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Organization: Viber Media Sarl][Certificate SHA-1: E1:11:26:E6:14:A5:E6:F7:F1:CB:68:D1:A6:95:A1:5E:11:48:72:2A][Validity: 2016-06-26 00:00:00 - 2018-06-26 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 2 TCP 192.168.0.17:57520 <-> 54.230.93.96:443 [proto: 91.144/TLS.Viber][cat: Chat/9][12 pkts/1848 bytes <-> 12 pkts/9317 bytes][Goodput ratio: 56.7/91.4][5.69 sec][bytes ratio: -0.669 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 622.1/10.0 5492/35 1721.8/14.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 154.0/776.4 435/1514 138.2/635.3][TLSv1.2][Client: media.cdn.viber.com][JA3C: d8c87b9bfde38897979e41242626c2f3][Server: *.cdn.viber.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Organization: Viber Media Sarl][Certificate SHA-1: B6:30:6F:02:75:A8:08:0A:AE:AA:9C:6C:9F:B5:8E:4C:82:02:3D:39][Validity: 2016-07-03 00:00:00 - 2018-07-03 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 3 TCP 192.168.0.17:49048 <-> 54.187.91.182:443 [proto: 91.178/TLS.Amazon][cat: Web/5][13 pkts/2823 bytes <-> 14 pkts/6552 bytes][Goodput ratio: 69.3/85.8][1.00 sec][bytes ratio: -0.398 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 58.4/59.8 176/183 76.2/72.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 217.2/468.0 1514/1514 380.1/569.8][TLSv1.2][Client: brahe.apptimize.com][JA3C: d8c87b9bfde38897979e41242626c2f3][Server: *.apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039][Organization: Apptimize, Inc][Certificate SHA-1: 
BC:4C:8F:EC:8B:7B:85:BD:54:61:8B:C0:7B:E7:A2:69:0B:F2:49:E5][Validity: 2016-02-11 00:00:00 - 2019-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 1 TCP 192.168.0.17:53934 <-> 54.230.93.53:443 [proto: 91.144/TLS.Viber][cat: Chat/9][43 pkts/4571 bytes <-> 46 pkts/60087 bytes][Goodput ratio: 37.7/94.9][5.64 sec][bytes ratio: -0.859 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 162.3/2.3 5370/40 906.6/7.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 106.3/1306.2 774/1514 151.1/466.3][TLSv1.2][Client: dl-media.viber.com][JA3C: d8c87b9bfde38897979e41242626c2f3][ServerNames: *.viber.com,viber.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Organization: Viber Media Sarl][Certificate SHA-1: E1:11:26:E6:14:A5:E6:F7:F1:CB:68:D1:A6:95:A1:5E:11:48:72:2A][Validity: 2016-06-26 00:00:00 - 2018-06-26 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 2 TCP 192.168.0.17:57520 <-> 54.230.93.96:443 [proto: 91.144/TLS.Viber][cat: Chat/9][12 pkts/1848 bytes <-> 12 pkts/9317 bytes][Goodput ratio: 56.7/91.4][5.69 sec][bytes ratio: -0.669 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 622.1/10.0 5492/35 1721.8/14.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 154.0/776.4 435/1514 138.2/635.3][TLSv1.2][Client: media.cdn.viber.com][JA3C: d8c87b9bfde38897979e41242626c2f3][ServerNames: *.cdn.viber.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Organization: Viber Media Sarl][Certificate SHA-1: B6:30:6F:02:75:A8:08:0A:AE:AA:9C:6C:9F:B5:8E:4C:82:02:3D:39][Validity: 2016-07-03 00:00:00 - 2018-07-03 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 3 TCP 192.168.0.17:49048 <-> 54.187.91.182:443 [proto: 91.178/TLS.Amazon][cat: Web/5][13 pkts/2823 bytes <-> 14 pkts/6552 bytes][Goodput ratio: 69.3/85.8][1.00 sec][bytes ratio: -0.398 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 58.4/59.8 176/183 76.2/72.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 217.2/468.0 1514/1514 380.1/569.8][TLSv1.2][Client: brahe.apptimize.com][JA3C: 
d8c87b9bfde38897979e41242626c2f3][ServerNames: *.apptimize.com,apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039][Organization: Apptimize, Inc][Certificate SHA-1: BC:4C:8F:EC:8B:7B:85:BD:54:61:8B:C0:7B:E7:A2:69:0B:F2:49:E5][Validity: 2016-02-11 00:00:00 - 2019-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 4 TCP 192.168.0.17:33208 <-> 52.0.253.101:4244 [proto: 144/Viber][cat: VoIP/10][32 pkts/6563 bytes <-> 26 pkts/2782 bytes][Goodput ratio: 67.8/38.3][46.77 sec][bytes ratio: 0.405 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1220.3/1488.8 7187/7333 2089.5/2187.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 205.1/107.0 657/176 184.2/42.7] 5 TCP 192.168.0.17:43702 <-> 172.217.23.78:443 [proto: 91.126/TLS.Google][cat: Web/5][15 pkts/5339 bytes <-> 12 pkts/3436 bytes][Goodput ratio: 81.3/76.7][33.94 sec][bytes ratio: 0.217 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 2820.8/2646.3 23555/23575 6837.7/7399.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 355.9/286.3 1038/884 369.7/257.9][TLSv1.2][Client: app-measurement.com][JA3C: 3967ff2d2c9c4d144e7e30f24f4e9761][JA3S: 67619a80665d7ab92d1041b1d11f9164][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 6 TCP 192.168.0.17:36986 <-> 54.69.166.226:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/1437 bytes <-> 11 pkts/6412 bytes][Goodput ratio: 48.9/88.7][1.01 sec][bytes ratio: -0.634 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 104.0/50.9 273/178 102.4/80.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 130.6/582.9 432/1514 111.7/601.3][TLSv1.2][Client: mapi.apptimize.com][JA3C: d8c87b9bfde38897979e41242626c2f3][Server: *.apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039][Organization: Apptimize, Inc][Certificate SHA-1: BC:4C:8F:EC:8B:7B:85:BD:54:61:8B:C0:7B:E7:A2:69:0B:F2:49:E5][Validity: 2016-02-11 00:00:00 - 2019-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 7 TCP 192.168.0.17:55746 <-> 151.101.1.130:443 [proto: 91/TLS][cat: Web/5][10 pkts/1534 bytes <-> 9 pkts/6239 bytes][Goodput 
ratio: 54.9/90.3][0.23 sec][bytes ratio: -0.605 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 29.0/18.6 152/60 47.4/24.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 153.4/693.2 631/1514 169.0/615.5][TLSv1][Client: venetia.iad.appboy.com][JA3C: d8c87b9bfde38897979e41242626c2f3] - 8 TCP 192.168.0.17:36988 <-> 54.69.166.226:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/1462 bytes <-> 11 pkts/6163 bytes][Goodput ratio: 48.1/88.3][0.92 sec][bytes ratio: -0.617 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 93.0/53.0 185/189 87.4/83.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 132.9/560.3 433/1514 110.8/605.1][TLSv1][Client: mapi.apptimize.com][JA3C: d8c87b9bfde38897979e41242626c2f3] + 6 TCP 192.168.0.17:36986 <-> 54.69.166.226:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/1437 bytes <-> 11 pkts/6412 bytes][Goodput ratio: 48.9/88.7][1.01 sec][bytes ratio: -0.634 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 104.0/50.9 273/178 102.4/80.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 130.6/582.9 432/1514 111.7/601.3][TLSv1.2][Client: mapi.apptimize.com][JA3C: d8c87b9bfde38897979e41242626c2f3][ServerNames: *.apptimize.com,apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039][Organization: Apptimize, Inc][Certificate SHA-1: BC:4C:8F:EC:8B:7B:85:BD:54:61:8B:C0:7B:E7:A2:69:0B:F2:49:E5][Validity: 2016-02-11 00:00:00 - 2019-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 7 TCP 192.168.0.17:55746 <-> 151.101.1.130:443 [proto: 91/TLS][cat: Web/5][10 pkts/1534 bytes <-> 9 pkts/6239 bytes][Goodput ratio: 54.9/90.3][0.23 sec][bytes ratio: -0.605 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 29.0/18.6 152/60 47.4/24.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 153.4/693.2 631/1514 169.0/615.5][TLSv1.2][Client: venetia.iad.appboy.com][JA3C: d8c87b9bfde38897979e41242626c2f3] + 8 TCP 192.168.0.17:36988 <-> 54.69.166.226:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/1462 bytes <-> 11 pkts/6163 bytes][Goodput ratio: 48.1/88.3][0.92 sec][bytes ratio: 
-0.617 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 93.0/53.0 185/189 87.4/83.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 132.9/560.3 433/1514 110.8/605.1][TLSv1.2][Client: mapi.apptimize.com][JA3C: d8c87b9bfde38897979e41242626c2f3] 9 UDP 192.168.0.17:47171 <-> 18.201.4.32:7985 [proto: 144/Viber][cat: VoIP/10][24 pkts/5035 bytes <-> 22 pkts/2302 bytes][Goodput ratio: 80.0/59.8][7.22 sec][bytes ratio: 0.372 (Upload)][IAT c2s/s2c min/avg/max/stddev: 15/15 303.7/333.6 529/529 208.6/187.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/76 209.8/104.6 299/118 115.2/19.6][PLAIN TEXT (Android)] 10 UDP 192.168.0.17:38190 <-> 18.201.4.3:7985 [proto: 144/Viber][cat: VoIP/10][25 pkts/4344 bytes <-> 18 pkts/1872 bytes][Goodput ratio: 75.8/59.6][5.68 sec][bytes ratio: 0.398 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 203.1/278.8 513/531 232.5/235.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/76 173.8/104.0 299/118 120.4/19.8][PLAIN TEXT (Android)] 11 ICMP 192.168.0.17:0 <-> 192.168.0.15:0 [proto: 81/ICMP][cat: Network/14][1 pkts/1514 bytes <-> 1 pkts/1514 bytes][Goodput ratio: 97.2/97.2][< 1 sec][PLAIN TEXT (1234567890ABCDEFGHIJKLMNOPQ)] diff --git a/tests/result/waze.pcap.out b/tests/result/waze.pcap.out index 749669238..7e5690145 100644 --- a/tests/result/waze.pcap.out +++ b/tests/result/waze.pcap.out 
@@ -11,23 +11,23 @@ JA3 Host Stats: 1 10.8.0.1 2 - 1 TCP 10.8.0.1:36100 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][52 pkts/10860 bytes <-> 55 pkts/74852 bytes][Goodput ratio: 74.0/96.0][19.68 sec][bytes ratio: -0.747 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 287.7/329.3 3806/5018 686.4/819.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 208.8/1360.9 590/17258 183.0/3378.1][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2002-05-21 04:00:00 - 2018-08-21 04:00:00][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 1 TCP 10.8.0.1:36100 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][52 pkts/10860 bytes <-> 55 pkts/74852 bytes][Goodput ratio: 74.0/96.0][19.68 sec][bytes ratio: -0.747 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 287.7/329.3 3806/5018 686.4/819.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 208.8/1360.9 590/17258 183.0/3378.1][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] 2 TCP 10.8.0.1:54915 <-> 65.39.128.135:80 [proto: 7/HTTP][cat: Web/5][19 pkts/1309 bytes <-> 18 pkts/61896 bytes][Goodput ratio: 20.1/98.4][5.27 sec][Host: xtra1.gpsonextra.net][bytes ratio: -0.959 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 320.7/372.6 3680/3677 903.4/959.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 68.9/3438.7 317/11833 58.6/3467.6][URL: xtra1.gpsonextra.net/xtra2.bin][StatusCode: 200][ContentType: application/octet-stream][UserAgent: Android][PLAIN TEXT (GET /xtra)] - 3 TCP 10.8.0.1:39021 <-> 52.17.114.219:443 [proto: 91.135/TLS.Waze][cat: Web/5][17 pkts/1962 bytes <-> 16 pkts/56934 
bytes][Goodput ratio: 52.2/98.5][2.64 sec][bytes ratio: -0.933 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 155.3/188.5 387/415 136.9/130.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 115.4/3558.4 590/21942 132.3/6124.9][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2013-04-05 15:15:55 - 2016-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] - 4 TCP 10.8.0.1:36312 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][cat: Web/5][17 pkts/2176 bytes <-> 15 pkts/42443 bytes][Goodput ratio: 56.9/98.1][3.70 sec][bytes ratio: -0.902 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 217.8/125.8 1449/293 382.9/116.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 128.0/2829.5 590/11186 147.3/3901.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] - 5 TCP 10.8.0.1:36316 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][cat: Web/5][15 pkts/1540 bytes <-> 13 pkts/26346 bytes][Goodput ratio: 46.1/97.3][3.22 sec][bytes ratio: -0.890 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 237.2/155.3 1289/609 358.5/182.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 102.7/2026.6 411/8150 98.2/2611.7][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2002-05-21 04:00:00 - 2018-08-21 04:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] - 6 TCP 10.8.0.1:36102 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][19 pkts/2646 bytes <-> 18 pkts/9338 bytes][Goodput ratio: 
60.4/89.6][15.91 sec][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 578.4/1210.2 5838/5890 1444.5/1891.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 139.3/518.8 555/3660 140.6/938.6][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 7 TCP 10.8.0.1:39010 <-> 52.17.114.219:443 [proto: 91.135/TLS.Waze][cat: Web/5][8 pkts/1034 bytes <-> 8 pkts/8151 bytes][Goodput ratio: 56.2/94.7][1.29 sec][bytes ratio: -0.775 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/1 162.5/196.0 343/348 153.1/132.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 129.2/1018.9 283/4048 86.6/1610.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2002-05-21 04:00:00 - 2018-08-21 04:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] - 8 TCP 10.8.0.1:51049 <-> 176.34.103.105:443 [proto: 91.135/TLS.Waze][cat: Web/5][12 pkts/1282 bytes <-> 11 pkts/6541 bytes][Goodput ratio: 47.9/90.9][3.03 sec][bytes ratio: -0.672 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/5 298.1/360.9 1175/1175 372.1/354.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 106.8/594.6 315/1422 85.4/584.3][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57][Validity: 2013-04-05 15:15:55 - 2016-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] - 9 TCP 10.8.0.1:51051 <-> 176.34.103.105:443 [proto: 91.135/TLS.Waze][cat: Web/5][11 pkts/1228 bytes <-> 10 pkts/6487 bytes][Goodput ratio: 50.0/91.7][2.56 sec][bytes ratio: 
-0.682 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 283.4/305.9 1174/1173 370.4/349.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 111.6/648.7 315/2165 87.6/739.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57][Validity: 2013-04-05 15:15:55 - 2016-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] - 10 TCP 10.8.0.1:36134 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][12 pkts/1650 bytes <-> 12 pkts/4935 bytes][Goodput ratio: 59.5/86.9][6.85 sec][bytes ratio: -0.499 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 728.7/962.9 4966/4966 1533.8/1663.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 137.5/411.2 380/3201 123.8/874.8][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2002-05-21 04:00:00 - 2018-08-21 04:00:00][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 11 TCP 10.8.0.1:36137 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][12 pkts/1522 bytes <-> 11 pkts/4220 bytes][Goodput ratio: 56.1/85.9][2.36 sec][bytes ratio: -0.470 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 195.8/194.7 883/537 285.6/190.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 126.8/383.6 380/2189 106.9/639.7][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 12 TCP 10.8.0.1:36314 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][cat: Web/5][11 pkts/1260 bytes <-> 9 pkts/4413 bytes][Goodput ratio: 51.2/89.0][3.32 sec][bytes ratio: -0.556 (Download)][IAT c2s/s2c 
min/avg/max/stddev: 0/0 335.4/261.1 1332/645 428.4/235.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 114.5/490.3 347/2533 94.6/785.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] - 13 TCP 10.8.0.1:51050 <-> 176.34.103.105:443 [proto: 91.135/TLS.Waze][cat: Web/5][9 pkts/1184 bytes <-> 9 pkts/4369 bytes][Goodput ratio: 57.2/88.9][2.45 sec][bytes ratio: -0.574 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 300.3/341.3 1397/1346 459.1/420.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 131.6/485.4 379/2165 107.7/725.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57][Validity: 2013-04-05 15:15:55 - 2016-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 3 TCP 10.8.0.1:39021 <-> 52.17.114.219:443 [proto: 91.135/TLS.Waze][cat: Web/5][17 pkts/1962 bytes <-> 16 pkts/56934 bytes][Goodput ratio: 52.2/98.5][2.64 sec][bytes ratio: -0.933 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 155.3/188.5 387/415 136.9/130.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 115.4/3558.4 590/21942 132.3/6124.9][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 4 TCP 10.8.0.1:36312 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][cat: Web/5][17 pkts/2176 bytes <-> 15 pkts/42443 bytes][Goodput ratio: 56.9/98.1][3.70 sec][bytes ratio: -0.902 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 
217.8/125.8 1449/293 382.9/116.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 128.0/2829.5 590/11186 147.3/3901.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 5 TCP 10.8.0.1:36316 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][cat: Web/5][15 pkts/1540 bytes <-> 13 pkts/26346 bytes][Goodput ratio: 46.1/97.3][3.22 sec][bytes ratio: -0.890 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 237.2/155.3 1289/609 358.5/182.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 102.7/2026.6 411/8150 98.2/2611.7][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 6 TCP 10.8.0.1:36102 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][19 pkts/2646 bytes <-> 18 pkts/9338 bytes][Goodput ratio: 60.4/89.6][15.91 sec][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 578.4/1210.2 5838/5890 1444.5/1891.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 139.3/518.8 555/3660 140.6/938.6][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 7 TCP 10.8.0.1:39010 <-> 52.17.114.219:443 [proto: 91.135/TLS.Waze][cat: Web/5][8 pkts/1034 bytes <-> 8 pkts/8151 bytes][Goodput ratio: 56.2/94.7][1.29 sec][bytes ratio: -0.775 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/1 
162.5/196.0 343/348 153.1/132.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 129.2/1018.9 283/4048 86.6/1610.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 8 TCP 10.8.0.1:51049 <-> 176.34.103.105:443 [proto: 91.135/TLS.Waze][cat: Web/5][12 pkts/1282 bytes <-> 11 pkts/6541 bytes][Goodput ratio: 47.9/90.9][3.03 sec][bytes ratio: -0.672 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/5 298.1/360.9 1175/1175 372.1/354.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 106.8/594.6 315/1422 85.4/584.3][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57][Validity: 2015-01-12 13:36:11 - 2015-12-31 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 9 TCP 10.8.0.1:51051 <-> 176.34.103.105:443 [proto: 91.135/TLS.Waze][cat: Web/5][11 pkts/1228 bytes <-> 10 pkts/6487 bytes][Goodput ratio: 50.0/91.7][2.56 sec][bytes ratio: -0.682 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 283.4/305.9 1174/1173 370.4/349.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 111.6/648.7 315/2165 87.6/739.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57][Validity: 2015-01-12 13:36:11 - 2015-12-31 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 10 TCP 10.8.0.1:36134 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][12 pkts/1650 bytes <-> 12 pkts/4935 bytes][Goodput ratio: 59.5/86.9][6.85 sec][bytes ratio: -0.499 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 728.7/962.9 4966/4966 
1533.8/1663.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 137.5/411.2 380/3201 123.8/874.8][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 11 TCP 10.8.0.1:36137 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][12 pkts/1522 bytes <-> 11 pkts/4220 bytes][Goodput ratio: 56.1/85.9][2.36 sec][bytes ratio: -0.470 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 195.8/194.7 883/537 285.6/190.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 126.8/383.6 380/2189 106.9/639.7][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 12 TCP 10.8.0.1:36314 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][cat: Web/5][11 pkts/1260 bytes <-> 9 pkts/4413 bytes][Goodput ratio: 51.2/89.0][3.32 sec][bytes ratio: -0.556 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 335.4/261.1 1332/645 428.4/235.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 114.5/490.3 347/2533 94.6/785.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 13 TCP 10.8.0.1:51050 <-> 176.34.103.105:443 [proto: 91.135/TLS.Waze][cat: Web/5][9 pkts/1184 bytes <-> 9 pkts/4369 bytes][Goodput ratio: 57.2/88.9][2.45 sec][bytes ratio: -0.574 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 300.3/341.3 1397/1346 
459.1/420.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 131.6/485.4 379/2165 107.7/725.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57][Validity: 2015-01-12 13:36:11 - 2015-12-31 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] 14 TCP 10.8.0.1:45529 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][cat: Web/5][9 pkts/591 bytes <-> 8 pkts/3424 bytes][Goodput ratio: 14.4/87.4][0.53 sec][Host: roadshields.waze.com][bytes ratio: -0.706 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/3 75.0/104.8 261/274 88.5/91.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 65.7/428.0 137/1678 26.0/650.9][URL: roadshields.waze.com/images/HD/CH2.png][StatusCode: 200][ContentType: image/png][UserAgent: /3.9.4.0][PLAIN TEXT (GET /images/HD/CH)] 15 TCP 10.8.0.1:36585 <-> 173.194.118.48:443 [proto: 91.126/TLS.Google][cat: Web/5][7 pkts/1137 bytes <-> 6 pkts/1005 bytes][Goodput ratio: 64.9/67.7][0.40 sec][bytes ratio: 0.062 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/2 32.2/74.5 53/188 24.3/68.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 162.4/167.5 572/602 176.8/200.3][TLSv1][JA3C: f8f5b71e02603b283e55b50d17ede861][JA3S: 23f1f6e2f0015c166df49fdab4280370 (INSECURE)][Cipher: TLS_ECDHE_RSA_WITH_RC4_128_SHA] 16 TCP 10.8.0.1:45536 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][cat: Web/5][8 pkts/594 bytes <-> 7 pkts/771 bytes][Goodput ratio: 23.9/50.9][0.14 sec][Host: cres.waze.com][bytes ratio: -0.130 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 22.7/28.7 134/84 49.8/39.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 74.2/110.1 194/447 45.7/137.5][URL: cres.waze.com/lang_asr/lang.portuguese_br_asr][StatusCode: 304][ContentType: ][UserAgent: /3.9.4.0][PLAIN TEXT (GET /lang)] - 17 TCP 10.8.0.1:50828 <-> 108.168.176.228:443 [proto: 142/WhatsApp][cat: Chat/9][8 pkts/673 bytes <-> 7 pkts/668 bytes][Goodput ratio: 32.8/43.3][0.55 
sec][bytes ratio: 0.004 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/9 80.5/98.2 289/238 105.9/82.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 84.1/95.4 222/245 53.4/66.5][PLAIN TEXT (Android)] + 17 TCP 10.8.0.1:50828 <-> 108.168.176.228:443 [proto: 91.142/TLS.WhatsApp][cat: Chat/9][8 pkts/673 bytes <-> 7 pkts/668 bytes][Goodput ratio: 32.8/43.3][0.55 sec][bytes ratio: 0.004 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/9 80.5/98.2 289/238 105.9/82.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 84.1/95.4 222/245 53.4/66.5][PLAIN TEXT (Android)] 18 TCP 10.8.0.1:45546 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][cat: Web/5][7 pkts/557 bytes <-> 7 pkts/771 bytes][Goodput ratio: 28.5/50.9][0.54 sec][Host: cres.waze.com][bytes ratio: -0.161 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 105.4/174.3 394/397 152.4/165.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 79.6/110.1 211/447 54.1/137.5][URL: cres.waze.com/newVconfig/1.0/3/prompts_conf.buf?rtserver-id=15][StatusCode: 304][ContentType: ][UserAgent: /3.9.4.0][PLAIN TEXT (GET /newV)] 19 TCP 10.8.0.1:45538 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][cat: Web/5][7 pkts/555 bytes <-> 7 pkts/771 bytes][Goodput ratio: 28.2/50.9][0.29 sec][Host: cres.waze.com][bytes ratio: -0.163 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 42.2/69.7 177/177 68.5/77.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 79.3/110.1 209/447 53.4/137.5][URL: cres.waze.com/lang_tts/lang.portuguese_br_tts?rtserver-id=15][StatusCode: 304][ContentType: ][UserAgent: /3.9.4.0][PLAIN TEXT (GET /lang)] 20 TCP 10.8.0.1:45552 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][cat: Web/5][7 pkts/552 bytes <-> 7 pkts/771 bytes][Goodput ratio: 27.8/50.9][0.23 sec][Host: cres.waze.com][bytes ratio: -0.166 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 34.4/56.3 169/168 67.3/79.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 78.9/110.1 206/447 52.3/137.5][URL: cres.waze.com/langs/1.0/lang.portuguese_br?rtserver-id=15][StatusCode: 304][ContentType: ][UserAgent: /3.9.4.0][PLAIN TEXT 
(GET /langs/1.0/lang.portuguese)]
diff --git a/tests/result/webex.pcap.out b/tests/result/webex.pcap.out
index dd4e89f65..3efbecbdd 100644
--- a/tests/result/webex.pcap.out
+++ b/tests/result/webex.pcap.out
@@ -10,36 +10,36 @@ JA3 Host Stats: 1 10.8.0.1 6 - 1 TCP 10.8.0.1:51155 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][256 pkts/14707 bytes <-> 257 pkts/329379 bytes][Goodput ratio: 5.9/95.8][62.34 sec][bytes ratio: -0.915 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 135.3/140.2 2165/2214 262.0/271.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 57.4/1281.6 528/29696 36.0/3034.6][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 1 TCP 10.8.0.1:51155 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][256 pkts/14707 bytes <-> 257 pkts/329379 bytes][Goodput ratio: 5.9/95.8][62.34 sec][bytes ratio: -0.915 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 135.3/140.2 2165/2214 262.0/271.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 57.4/1281.6 528/29696 36.0/3034.6][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] 2 TCP 10.8.0.1:41348 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][28 pkts/4815 bytes <-> 28 pkts/104881 bytes][Goodput ratio: 68.2/98.6][2.76 sec][bytes ratio: -0.912 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 112.2/100.6 455/404 117.1/99.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 172.0/3745.8 590/18020 205.7/4699.9][TLSv1.2][Client: radcom.webex.com][JA3C: f9010d8c34749bdf7659b52227e6f91b][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5] - 3 TCP 10.8.0.1:41346 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][48 pkts/11540 
bytes <-> 47 pkts/80696 bytes][Goodput ratio: 77.4/96.9][5.52 sec][bytes ratio: -0.750 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 103.7/138.1 1189/1223 219.9/217.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 240.4/1716.9 590/17734 233.4/3587.1][TLSv1.2][Client: radcom.webex.com][JA3C: f9010d8c34749bdf7659b52227e6f91b][Server: *.webex.com][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2013-10-31 00:00:00 - 2023-10-30 23:59:59][Cipher: TLS_RSA_WITH_RC4_128_MD5] - 4 TCP 10.8.0.1:41358 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][19 pkts/2005 bytes <-> 19 pkts/40477 bytes][Goodput ratio: 47.8/97.5][2.62 sec][bytes ratio: -0.906 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 143.9/154.3 1031/979 260.1/240.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 105.5/2130.4 590/8901 135.5/2681.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 5 TCP 10.8.0.1:51194 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][12 pkts/1531 bytes <-> 12 pkts/34357 bytes][Goodput ratio: 56.3/98.1][3.76 sec][bytes ratio: -0.915 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/5 382.9/399.3 1876/1875 577.4/571.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 127.6/2863.1 528/14373 150.1/4303.6][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 6 TCP 10.8.0.1:41354 <-> 64.68.105.103:443 [proto: 
91.141/TLS.Webex][cat: VoIP/10][13 pkts/2145 bytes <-> 13 pkts/24239 bytes][Goodput ratio: 66.3/97.1][1.48 sec][bytes ratio: -0.837 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 108.1/138.8 519/469 176.0/157.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 165.0/1864.5 590/8448 193.3/2710.5][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 7 TCP 10.8.0.1:51154 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][55 pkts/12583 bytes <-> 50 pkts/6703 bytes][Goodput ratio: 76.2/59.7][68.57 sec][bytes ratio: 0.305 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1424.5/790.5 16039/7189 2910.5/1472.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 228.8/134.1 590/3961 153.6/546.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 3 TCP 10.8.0.1:41346 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][48 pkts/11540 bytes <-> 47 pkts/80696 bytes][Goodput ratio: 77.4/96.9][5.52 sec][bytes ratio: -0.750 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 103.7/138.1 1189/1223 219.9/217.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 240.4/1716.9 590/17734 233.4/3587.1][TLSv1.2][Client: radcom.webex.com][JA3C: f9010d8c34749bdf7659b52227e6f91b][ServerNames: *.webex.com][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_RC4_128_MD5] + 4 TCP 
10.8.0.1:41358 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][19 pkts/2005 bytes <-> 19 pkts/40477 bytes][Goodput ratio: 47.8/97.5][2.62 sec][bytes ratio: -0.906 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 143.9/154.3 1031/979 260.1/240.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 105.5/2130.4 590/8901 135.5/2681.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 5 TCP 10.8.0.1:51194 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][12 pkts/1531 bytes <-> 12 pkts/34357 bytes][Goodput ratio: 56.3/98.1][3.76 sec][bytes ratio: -0.915 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/5 382.9/399.3 1876/1875 577.4/571.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 127.6/2863.1 528/14373 150.1/4303.6][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 6 TCP 10.8.0.1:41354 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][13 pkts/2145 bytes <-> 13 pkts/24239 bytes][Goodput ratio: 66.3/97.1][1.48 sec][bytes ratio: -0.837 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 108.1/138.8 519/469 176.0/157.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 165.0/1864.5 590/8448 193.3/2710.5][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: 
TLS_RSA_WITH_AES_256_CBC_SHA] + 7 TCP 10.8.0.1:51154 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][55 pkts/12583 bytes <-> 50 pkts/6703 bytes][Goodput ratio: 76.2/59.7][68.57 sec][bytes ratio: 0.305 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1424.5/790.5 16039/7189 2910.5/1472.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 228.8/134.1 590/3961 153.6/546.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] 8 UDP 10.8.0.1:64538 -> 172.16.1.75:5060 [proto: 100/SIP][cat: VoIP/10][22 pkts/15356 bytes -> 0 pkts/0 bytes][Goodput ratio: 94.0/0.0][95.92 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1008/0 4782.7/0.0 32494/0 6932.3/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 698/0 698.0/0.0 698/0 0.0/0.0][PLAIN TEXT (REGISTER sip)] - 9 TCP 10.8.0.1:51857 <-> 62.109.229.158:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][29 pkts/4559 bytes <-> 21 pkts/5801 bytes][Goodput ratio: 65.2/80.4][21.38 sec][bytes ratio: -0.120 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 795.8/451.5 6005/3010 1690.7/777.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 157.2/276.2 432/3961 108.2/830.4][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][Server: *.webex.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] - 10 TCP 10.8.0.1:46211 <-> 54.241.32.14:443 [proto: 91.178/TLS.Amazon][cat: Web/5][16 pkts/1984 bytes <-> 14 pkts/7584 bytes][Goodput ratio: 55.4/90.0][41.17 sec][bytes ratio: -0.585 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3166.5/655.0 34507/5259 9150.7/1545.8][Pkt Len c2s/s2c 
min/avg/max/stddev: 54/54 124.0/541.7 590/1502 148.6/614.4][TLSv1][Client: api.crittercism.com][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][Server: *.crittercism.com][JA3S: c800cea031c10ffe47e1d72c9264577a (INSECURE)][Certificate SHA-1: 68:8B:FC:77:1E:CA:80:33:0C:A9:0E:29:A6:E4:0D:FC:3A:AE:43:18][Validity: 2015-01-14 00:00:00 - 2020-01-13 23:59:59][Cipher: TLS_RSA_WITH_RC4_128_MD5] - 11 TCP 10.8.0.1:41386 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/1417 bytes <-> 8 pkts/6984 bytes][Goodput ratio: 64.2/93.8][3.96 sec][bytes ratio: -0.663 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/2 523.4/352.4 2070/1020 729.8/365.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 157.4/873.0 576/3993 178.5/1443.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 12 TCP 10.8.0.1:41419 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/1309 bytes <-> 7 pkts/6930 bytes][Goodput ratio: 69.5/94.5][1.07 sec][bytes ratio: -0.682 (Download)][IAT c2s/s2c min/avg/max/stddev: 4/51 159.6/194.8 357/356 154.1/125.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 187.0/990.0 576/3993 192.5/1507.6][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 13 TCP 10.8.0.1:52730 <-> 173.243.4.76:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6621 bytes][Goodput ratio: 63.0/93.5][3.00 sec][bytes ratio: -0.657 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 385.3/312.0 2171/1116 743.4/395.9][Pkt Len c2s/s2c 
min/avg/max/stddev: 54/54 152.1/827.6 528/2974 166.2/1098.7][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 14 TCP 10.8.0.1:44492 <-> 64.68.104.140:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6600 bytes][Goodput ratio: 63.0/93.4][3.01 sec][bytes ratio: -0.656 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/16 385.9/312.5 2179/1125 745.9/385.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 152.1/825.0 528/2633 166.2/1028.2][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 15 TCP 10.8.0.1:45814 <-> 62.109.231.3:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/6653 bytes][Goodput ratio: 65.6/93.5][0.78 sec][bytes ratio: -0.670 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 96.8/110.0 277/276 117.0/105.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 164.4/831.6 528/2581 172.4/1033.3][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 16 TCP 10.8.0.1:47498 <-> 209.197.222.159:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][Goodput ratio: 68.4/94.2][3.10 sec][bytes ratio: -0.677 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 545.8/396.2 2119/1071 811.9/386.4][Pkt Len c2s/s2c 
min/avg/max/stddev: 54/54 180.1/933.6 528/3961 178.9/1446.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 17 TCP 10.8.0.1:57647 <-> 64.68.121.153:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][Goodput ratio: 68.4/94.2][3.09 sec][bytes ratio: -0.677 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/1 544.8/396.2 2066/1021 793.0/376.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 180.1/933.6 528/3961 178.9/1446.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 18 TCP 10.8.0.1:37129 <-> 64.68.105.98:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 9 pkts/5838 bytes][Goodput ratio: 63.0/91.7][4.04 sec][bytes ratio: -0.620 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 534.4/640.3 3074/2046 1047.8/713.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 152.1/648.7 528/3993 166.2/1254.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 19 TCP 10.8.0.1:51370 <-> 64.68.105.97:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/5784 bytes][Goodput ratio: 65.6/92.5][2.90 sec][bytes ratio: -0.630 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/5 433.0/304.0 2119/1065 771.8/366.4][Pkt Len c2s/s2c 
min/avg/max/stddev: 54/54 164.4/723.0 528/2633 172.4/919.0][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 20 TCP 10.8.0.1:55669 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][11 pkts/1830 bytes <-> 12 pkts/4811 bytes][Goodput ratio: 66.4/86.5][1.15 sec][bytes ratio: -0.449 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 112.6/139.1 555/553 188.7/186.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 166.4/400.9 590/2581 167.4/757.6][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 21 TCP 10.8.0.1:55665 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][Goodput ratio: 65.8/87.5][1.40 sec][bytes ratio: -0.451 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 126.6/190.1 512/509 170.3/159.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 163.5/432.5 590/3961 167.4/1117.3][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 22 TCP 10.8.0.1:55671 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][Goodput ratio: 65.8/87.5][1.32 sec][bytes ratio: -0.451 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 117.8/180.3 470/468 157.2/150.6][Pkt Len c2s/s2c 
min/avg/max/stddev: 54/54 163.5/432.5 590/3961 167.4/1117.3][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 23 TCP 10.8.0.1:55687 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][Goodput ratio: 65.8/87.5][4.59 sec][bytes ratio: -0.451 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 304.9/639.3 1712/1786 557.1/738.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 163.5/432.5 590/3961 167.4/1117.3][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 24 TCP 10.8.0.1:43433 <-> 216.58.208.40:443 [proto: 91.126/TLS.Google][cat: Web/5][9 pkts/1540 bytes <-> 8 pkts/4835 bytes][Goodput ratio: 67.1/91.0][3.85 sec][bytes ratio: -0.517 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/1 389.4/620.7 1225/1224 477.2/510.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 171.1/604.4 590/3751 167.6/1199.5][TLSv1.2][Client: ssl.google-analytics.com][JA3C: 75edb912bc6f0a222ae3e3e47f5c89b1][Server: *.google-analytics.com][JA3S: 389ed42c02ebecc32e73aa31def07e14][Organization: Google Inc][Certificate SHA-1: E0:F0:1E:71:F2:B5:D9:2D:F7:4E:8F:CB:10:37:17:7C:0C:C4:07:9D][Validity: 2002-05-21 04:00:00 - 2018-08-21 04:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 25 TCP 10.8.0.1:51646 <-> 114.29.204.49:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/895 bytes <-> 8 pkts/4398 bytes][Goodput ratio: 43.4/90.2][3.11 sec][bytes ratio: -0.662 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 263.0/413.2 
1025/1231 416.0/511.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 99.4/549.8 380/2581 101.1/889.3][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 26 TCP 10.8.0.1:52219 <-> 64.68.121.100:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][Goodput ratio: 46.2/91.3][4.09 sec][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/10 300.8/483.5 1105/1237 425.1/496.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 105.1/625.1 380/3993 105.9/1375.1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 27 TCP 10.8.0.1:55969 <-> 64.68.121.99:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][Goodput ratio: 46.2/91.3][4.08 sec][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/7 298.7/483.0 1096/1238 422.9/497.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 105.1/625.1 380/3993 105.9/1375.1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 28 TCP 10.8.0.1:49048 <-> 23.44.253.243:443 [proto: 91.141/TLS.Webex][cat: Web/5][7 pkts/1181 bytes <-> 7 pkts/4021 bytes][Goodput ratio: 66.2/90.6][0.77 sec][bytes ratio: -0.546 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/9 125.4/128.6 463/394 
174.1/138.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 168.7/574.4 448/2957 157.6/988.7][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: www.webex.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Cisco Systems][Certificate SHA-1: EE:CE:24:B7:67:4D:F0:3F:16:80:F8:DC:E3:53:45:5F:3E:41:25:CD][Validity: 2010-02-19 22:39:26 - 2020-02-18 22:39:26][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 29 TCP 10.8.0.1:47116 <-> 114.29.202.139:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/461 bytes <-> 6 pkts/4231 bytes][Goodput ratio: 13.6/92.3][4.09 sec][bytes ratio: -0.803 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/14 596.2/745.0 1927/1038 776.4/424.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 65.9/705.2 117/2896 22.0/1054.1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2023-10-30 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 30 TCP 10.8.0.1:47841 <-> 114.29.200.11:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][6 pkts/407 bytes <-> 5 pkts/4177 bytes][Goodput ratio: 15.4/93.5][4.08 sec][bytes ratio: -0.822 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 1018.2/992.3 2975/1922 1214.3/785.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 67.8/835.4 117/3961 23.2/1562.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 9 TCP 10.8.0.1:51857 <-> 62.109.229.158:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][29 pkts/4559 bytes <-> 21 pkts/5801 bytes][Goodput ratio: 65.2/80.4][21.38 sec][bytes ratio: -0.120 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 795.8/451.5 6005/3010 
1690.7/777.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 157.2/276.2 432/3961 108.2/830.4][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][ServerNames: *.webex.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] + 10 TCP 10.8.0.1:46211 <-> 54.241.32.14:443 [proto: 91.178/TLS.Amazon][cat: Web/5][16 pkts/1984 bytes <-> 14 pkts/7584 bytes][Goodput ratio: 55.4/90.0][41.17 sec][bytes ratio: -0.585 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3166.5/655.0 34507/5259 9150.7/1545.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 124.0/541.7 590/1502 148.6/614.4][TLSv1][Client: api.crittercism.com][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][ServerNames: *.crittercism.com,crittercism.com][JA3S: c800cea031c10ffe47e1d72c9264577a (INSECURE)][Certificate SHA-1: 68:8B:FC:77:1E:CA:80:33:0C:A9:0E:29:A6:E4:0D:FC:3A:AE:43:18][Validity: 2015-01-14 00:00:00 - 2020-01-13 23:59:59][Cipher: TLS_RSA_WITH_RC4_128_MD5] + 11 TCP 10.8.0.1:41386 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/1417 bytes <-> 8 pkts/6984 bytes][Goodput ratio: 64.2/93.8][3.96 sec][bytes ratio: -0.663 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/2 523.4/352.4 2070/1020 729.8/365.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 157.4/873.0 576/3993 178.5/1443.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 12 TCP 10.8.0.1:41419 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/1309 bytes <-> 7 pkts/6930 bytes][Goodput ratio: 69.5/94.5][1.07 sec][bytes ratio: -0.682 (Download)][IAT c2s/s2c 
min/avg/max/stddev: 4/51 159.6/194.8 357/356 154.1/125.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 187.0/990.0 576/3993 192.5/1507.6][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 13 TCP 10.8.0.1:52730 <-> 173.243.4.76:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6621 bytes][Goodput ratio: 63.0/93.5][3.00 sec][bytes ratio: -0.657 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 385.3/312.0 2171/1116 743.4/395.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 152.1/827.6 528/2974 166.2/1098.7][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 14 TCP 10.8.0.1:44492 <-> 64.68.104.140:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6600 bytes][Goodput ratio: 63.0/93.4][3.01 sec][bytes ratio: -0.656 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/16 385.9/312.5 2179/1125 745.9/385.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 152.1/825.0 528/2633 166.2/1028.2][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 15 TCP 10.8.0.1:45814 <-> 62.109.231.3:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/6653 bytes][Goodput ratio: 65.6/93.5][0.78 sec][bytes ratio: -0.670 (Download)][IAT 
c2s/s2c min/avg/max/stddev: 0/1 96.8/110.0 277/276 117.0/105.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 164.4/831.6 528/2581 172.4/1033.3][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 16 TCP 10.8.0.1:47498 <-> 209.197.222.159:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][Goodput ratio: 68.4/94.2][3.10 sec][bytes ratio: -0.677 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 545.8/396.2 2119/1071 811.9/386.4][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 180.1/933.6 528/3961 178.9/1446.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 17 TCP 10.8.0.1:57647 <-> 64.68.121.153:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][Goodput ratio: 68.4/94.2][3.09 sec][bytes ratio: -0.677 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/1 544.8/396.2 2066/1021 793.0/376.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 180.1/933.6 528/3961 178.9/1446.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 18 TCP 10.8.0.1:37129 <-> 64.68.105.98:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 9 pkts/5838 bytes][Goodput ratio: 63.0/91.7][4.04 sec][bytes ratio: -0.620 
(Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 534.4/640.3 3074/2046 1047.8/713.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 152.1/648.7 528/3993 166.2/1254.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 19 TCP 10.8.0.1:51370 <-> 64.68.105.97:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/5784 bytes][Goodput ratio: 65.6/92.5][2.90 sec][bytes ratio: -0.630 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/5 433.0/304.0 2119/1065 771.8/366.4][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 164.4/723.0 528/2633 172.4/919.0][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 20 TCP 10.8.0.1:55669 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][11 pkts/1830 bytes <-> 12 pkts/4811 bytes][Goodput ratio: 66.4/86.5][1.15 sec][bytes ratio: -0.449 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 112.6/139.1 555/553 188.7/186.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 166.4/400.9 590/2581 167.4/757.6][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 21 TCP 10.8.0.1:55665 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][Goodput ratio: 65.8/87.5][1.40 sec][bytes ratio: 
-0.451 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 126.6/190.1 512/509 170.3/159.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 163.5/432.5 590/3961 167.4/1117.3][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 22 TCP 10.8.0.1:55671 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][Goodput ratio: 65.8/87.5][1.32 sec][bytes ratio: -0.451 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 117.8/180.3 470/468 157.2/150.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 163.5/432.5 590/3961 167.4/1117.3][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 23 TCP 10.8.0.1:55687 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][Goodput ratio: 65.8/87.5][4.59 sec][bytes ratio: -0.451 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 304.9/639.3 1712/1786 557.1/738.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 163.5/432.5 590/3961 167.4/1117.3][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 24 TCP 10.8.0.1:43433 <-> 216.58.208.40:443 [proto: 91.126/TLS.Google][cat: Web/5][9 pkts/1540 bytes <-> 8 pkts/4835 bytes][Goodput ratio: 67.1/91.0][3.85 sec][bytes 
ratio: -0.517 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/1 389.4/620.7 1225/1224 477.2/510.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 171.1/604.4 590/3751 167.6/1199.5][TLSv1.2][Client: ssl.google-analytics.com][JA3C: 75edb912bc6f0a222ae3e3e47f5c89b1][ServerNames: *.google-analytics.com,app-measurement.com,google-analytics.com,googletagmanager.com,service.urchin.com,ssl.google-analytics.com,urchin.com,www.google-analytics.com,www.googletagmanager.com][JA3S: 389ed42c02ebecc32e73aa31def07e14][Organization: Google Inc][Certificate SHA-1: E0:F0:1E:71:F2:B5:D9:2D:F7:4E:8F:CB:10:37:17:7C:0C:C4:07:9D][Validity: 2015-09-29 19:00:07 - 2015-12-28 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 25 TCP 10.8.0.1:51646 <-> 114.29.204.49:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/895 bytes <-> 8 pkts/4398 bytes][Goodput ratio: 43.4/90.2][3.11 sec][bytes ratio: -0.662 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 263.0/413.2 1025/1231 416.0/511.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 99.4/549.8 380/2581 101.1/889.3][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 26 TCP 10.8.0.1:52219 <-> 64.68.121.100:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][Goodput ratio: 46.2/91.3][4.09 sec][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/10 300.8/483.5 1105/1237 425.1/496.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 105.1/625.1 380/3993 105.9/1375.1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 
23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 27 TCP 10.8.0.1:55969 <-> 64.68.121.99:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][Goodput ratio: 46.2/91.3][4.08 sec][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/7 298.7/483.0 1096/1238 422.9/497.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 105.1/625.1 380/3993 105.9/1375.1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 28 TCP 10.8.0.1:49048 <-> 23.44.253.243:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/1181 bytes <-> 7 pkts/4021 bytes][Goodput ratio: 66.2/90.6][0.77 sec][bytes ratio: -0.546 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/9 125.4/128.6 463/394 174.1/138.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 168.7/574.4 448/2957 157.6/988.7][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: www.webex.com.au,www.webex.ca,www.webex.de,www.webex.com.hk,www.webex.co.in,www.webex.co.it,www.webex.co.jp,www.webex.com.mx,www.webex.co.uk,m.webex.com,signup.webex.com,signup.webex.co.uk,signup.webex.de,mytrial.webex.com,mytrial.webex.com.mx,mytrial.webex.co.in,mytrial.webex.com.au,mytrial.webex.co.jp,support.webex.com,howdoi.webex.com,kb.webex.com,myresources.webex.com,invoices.webex.com,try.webex.com,buyonline.webex.com,buyonline.webex.de,buyonline.webex.co.uk,tempbol.webex.com,tempsupport.webex.com,www.webex.com,webex.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Cisco Systems][Certificate SHA-1: EE:CE:24:B7:67:4D:F0:3F:16:80:F8:DC:E3:53:45:5F:3E:41:25:CD][Validity: 2014-12-18 08:27:59 - 2016-02-19 21:32:06][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 29 TCP 10.8.0.1:47116 <-> 114.29.202.139:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/461 bytes 
<-> 6 pkts/4231 bytes][Goodput ratio: 13.6/92.3][4.09 sec][bytes ratio: -0.803 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/14 596.2/745.0 1927/1038 776.4/424.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 65.9/705.2 117/2896 22.0/1054.1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 30 TCP 10.8.0.1:47841 <-> 114.29.200.11:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][6 pkts/407 bytes <-> 5 pkts/4177 bytes][Goodput ratio: 15.4/93.5][4.08 sec][bytes ratio: -0.822 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 1018.2/992.3 2975/1922 1214.3/785.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 67.8/835.4 117/3961 23.2/1562.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] 31 TCP 10.8.0.1:33551 <-> 80.74.110.68:443 [proto: 91/TLS][cat: Web/5][10 pkts/1465 bytes <-> 11 pkts/1065 bytes][Goodput ratio: 61.7/44.2][0.54 sec][bytes ratio: 0.158 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 77.1/76.9 283/252 98.2/86.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 146.5/96.8 590/396 160.9/101.6][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5] 32 TCP 10.8.0.1:33553 <-> 80.74.110.68:443 [proto: 91/TLS][cat: Web/5][10 pkts/1388 bytes <-> 10 pkts/1087 bytes][Goodput ratio: 59.6/50.3][13.16 sec][bytes ratio: 0.122 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1644.0/1878.7 10453/11491 3421.2/3952.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 138.8/108.7 590/472 
162.8/127.1][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5] 33 TCP 10.8.0.1:33512 <-> 80.74.110.68:443 [proto: 91/TLS][cat: Web/5][9 pkts/1357 bytes <-> 9 pkts/615 bytes][Goodput ratio: 62.7/20.9][59.53 sec][bytes ratio: 0.376 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8503.6/9920.5 59268/59268 20724.6/22069.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 150.8/68.3 590/183 167.8/40.5][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5] diff --git a/tests/result/wechat.pcap.out b/tests/result/wechat.pcap.out index bd042a8e0..9f7801469 100644 --- a/tests/result/wechat.pcap.out +++ b/tests/result/wechat.pcap.out 
@@ -19,36 +19,36 @@ JA3 Host Stats: 1 TCP 203.205.151.162:443 <-> 192.168.1.103:54058 [proto: 91.197/TLS.WeChat][cat: Chat/9][88 pkts/15114 bytes <-> 91 pkts/61842 bytes][Goodput ratio: 61.6/90.3][553.47 sec][bytes ratio: -0.607 (Download)][IAT c2s/s2c min/avg/max/stddev: 5/11 6995.1/5836.8 150373/150695 18891.6/18424.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 171.8/679.6 264/1254 98.8/593.7] - 2 TCP 192.168.1.103:54101 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][46 pkts/12575 bytes <-> 40 pkts/53424 bytes][Goodput ratio: 75.8/95.0][15.73 sec][bytes ratio: -0.619 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 403.2/151.4 10035/951 1616.4/288.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 273.4/1335.6 1306/4350 407.2/922.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 3 TCP 192.168.1.103:54103 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][50 pkts/23958 bytes <-> 46 pkts/39684 bytes][Goodput ratio: 86.2/92.3][23.11 sec][bytes ratio: -0.247 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 537.5/311.6 9999/7018 1832.7/1162.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 479.2/862.7 1306/4059 492.4/921.8][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 4 TCP 192.168.1.103:54113 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][38 pkts/8933 bytes <-> 35 pkts/35112 bytes][Goodput ratio: 71.7/93.4][27.77 
sec][bytes ratio: -0.594 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 559.3/53.8 8107/380 1791.8/116.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 235.1/1003.2 1306/1494 368.4/649.4][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 5 TCP 192.168.1.103:54099 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][25 pkts/9013 bytes <-> 29 pkts/27440 bytes][Goodput ratio: 81.6/93.0][14.74 sec][bytes ratio: -0.506 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 168.3/172.3 1085/1495 276.4/328.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 360.5/946.2 1306/1754 450.4/673.4][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 6 TCP 192.168.1.103:54119 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][26 pkts/8129 bytes <-> 24 pkts/22836 bytes][Goodput ratio: 78.8/93.0][28.03 sec][bytes ratio: -0.475 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1291.5/951.0 9696/8423 2839.9/2427.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 312.7/951.5 1306/2922 423.4/963.9][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 7 TCP 192.168.1.103:58038 <-> 
203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][34 pkts/17556 bytes <-> 25 pkts/12172 bytes][Goodput ratio: 87.2/86.4][38.16 sec][bytes ratio: 0.181 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1114.3/1109.9 15327/15635 3311.0/3567.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 516.4/486.9 1306/1754 494.4/579.4][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 8 TCP 192.168.1.103:54089 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][21 pkts/7826 bytes <-> 20 pkts/18761 bytes][Goodput ratio: 82.2/92.9][13.58 sec][bytes ratio: -0.411 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 776.9/120.1 9999/394 2313.0/166.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 372.7/938.0 1306/5892 453.9/1304.2][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 9 TCP 192.168.1.103:54095 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][21 pkts/7825 bytes <-> 18 pkts/17898 bytes][Goodput ratio: 82.2/93.3][22.24 sec][bytes ratio: -0.392 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1173.5/415.8 10039/3644 2412.0/984.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 372.6/994.3 1306/8291 453.8/1870.8][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 
4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 10 TCP 192.168.1.103:58040 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][29 pkts/17545 bytes <-> 20 pkts/6923 bytes][Goodput ratio: 89.0/80.8][31.02 sec][bytes ratio: 0.434 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1264.8/1400.8 15319/15624 3541.0/3988.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 605.0/346.1 1494/1494 586.5/471.8][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 11 TCP 192.168.1.103:54097 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][25 pkts/12063 bytes <-> 19 pkts/7932 bytes][Goodput ratio: 86.2/84.1][47.29 sec][bytes ratio: 0.207 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1387.8/1930.0 15313/15715 3511.0/4240.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 482.5/417.5 1306/1754 480.2/530.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 12 TCP 192.168.1.103:54094 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][22 pkts/10193 bytes <-> 18 pkts/8262 bytes][Goodput ratio: 85.7/85.5][22.50 sec][bytes ratio: 0.105 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1165.0/785.7 10037/4544 2455.0/1496.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 463.3/459.0 1306/1754 478.0/578.6][TLSv1.2][Client: web.wechat.com][JA3C: 
e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 13 TCP 192.168.1.103:54102 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][13 pkts/2317 bytes <-> 15 pkts/15724 bytes][Goodput ratio: 62.6/93.6][13.04 sec][bytes ratio: -0.743 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1231.5/212.8 9996/1647 2943.7/472.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 178.2/1048.3 1153/3182 289.6/878.3][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2013-11-05 21:36:50 - 2022-05-20 21:36:50][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 14 TCP 192.168.1.103:54098 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][22 pkts/8507 bytes <-> 16 pkts/6575 bytes][Goodput ratio: 82.8/83.7][47.03 sec][bytes ratio: 0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/0 2592.2/2688.5 15693/16086 4162.8/4915.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 386.7/410.9 1306/1754 451.5/550.6][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 15 TCP 192.168.1.103:54117 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][20 pkts/8397 bytes <-> 16 pkts/6566 bytes][Goodput ratio: 84.2/83.8][25.19 sec][bytes ratio: 0.122 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1502.7/1316.1 
9999/7806 2987.1/2505.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 419.9/410.4 1306/1494 461.7/506.9][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 16 TCP 192.168.1.103:58036 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][15 pkts/6450 bytes <-> 11 pkts/5068 bytes][Goodput ratio: 84.5/85.5][11.52 sec][bytes ratio: 0.120 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 930.8/134.0 9811/287 2680.9/129.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430.0/460.7 1306/1494 463.0/553.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 17 TCP 192.168.1.103:54092 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][15 pkts/6438 bytes <-> 11 pkts/5068 bytes][Goodput ratio: 84.5/85.5][11.77 sec][bytes ratio: 0.119 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 946.7/155.4 9639/333 2625.9/153.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 429.2/460.7 1306/1494 462.8/553.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 18 TCP 192.168.1.103:54100 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][15 pkts/4627 bytes <-> 12 pkts/5905 
bytes][Goodput ratio: 78.4/86.3][14.48 sec][bytes ratio: -0.121 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 1139.8/318.4 10004/1570 2698.0/529.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 308.5/492.1 1306/1798 406.0/692.3][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 19 TCP 192.168.1.103:54111 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][14 pkts/4626 bytes <-> 12 pkts/5135 bytes][Goodput ratio: 79.8/84.4][22.95 sec][bytes ratio: -0.052 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2021.5/1535.6 10879/11228 3975.6/3666.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 330.4/427.9 1306/1494 415.8/540.7][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 20 TCP 192.168.1.103:58042 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][12 pkts/4516 bytes <-> 10 pkts/5004 bytes][Goodput ratio: 82.3/86.6][11.54 sec][bytes ratio: -0.051 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 140.3/135.6 356/292 157.1/129.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 376.3/500.4 1306/1754 434.4/627.5][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 
- 21 TCP 192.168.1.103:43850 <-> 203.205.158.34:443 [proto: 91.48/TLS.QQ][cat: Chat/9][12 pkts/2005 bytes <-> 12 pkts/6787 bytes][Goodput ratio: 66.7/90.0][72.13 sec][bytes ratio: -0.544 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7939.3/7944.1 44960/45306 14472.3/14556.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 167.1/565.6 571/3484 197.3/986.9][TLSv1.2][Client: res.wx.qq.com][JA3C: 550dce18de1bb143e69d6dd9413b8355][Server: wx.qq.com][JA3S: 290adf098a54ade688d1df074dbecbf2 (WEAK)][Organization: Shenzhen Tencent Computer Systems Company Limited][Certificate SHA-1: 67:53:57:7F:22:BB:D0:A6:D4:5F:A6:D4:B3:0A:13:73:29:23:D0:C9][Validity: 2016-05-10 00:00:00 - 2018-08-09 23:59:59][Cipher: TLS_RSA_WITH_AES_256_GCM_SHA384] - 22 TCP 192.168.1.103:38657 <-> 172.217.22.14:443 [proto: 91.126/TLS.Google][cat: Web/5][17 pkts/2413 bytes <-> 17 pkts/6268 bytes][Goodput ratio: 53.1/82.0][135.40 sec][bytes ratio: -0.444 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 6942.5/6941.6 45055/45055 16248.7/16249.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 141.9/368.7 895/1484 195.7/525.4][TLSv1.2][Client: safebrowsing.googleusercontent.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][Server: *.googleusercontent.com][JA3S: d655f7cd00e93ea8969c3c6e06f0156f][Organization: Google Inc][Certificate SHA-1: 8B:36:AF:31:A2:4C:EE:50:CC:6F:34:F7:2C:A3:C5:B6:4B:02:AC:53][Validity: 2017-04-05 17:14:46 - 2017-06-28 16:57:00][Cipher: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256] + 2 TCP 192.168.1.103:54101 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][46 pkts/12575 bytes <-> 40 pkts/53424 bytes][Goodput ratio: 75.8/95.0][15.73 sec][bytes ratio: -0.619 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 403.2/151.4 10035/951 1616.4/288.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 273.4/1335.6 1306/4350 407.2/922.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: 
webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 3 TCP 192.168.1.103:54103 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][50 pkts/23958 bytes <-> 46 pkts/39684 bytes][Goodput ratio: 86.2/92.3][23.11 sec][bytes ratio: -0.247 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 537.5/311.6 9999/7018 1832.7/1162.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 479.2/862.7 1306/4059 492.4/921.8][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 4 TCP 192.168.1.103:54113 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][38 pkts/8933 bytes <-> 35 pkts/35112 bytes][Goodput ratio: 71.7/93.4][27.77 sec][bytes ratio: -0.594 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 559.3/53.8 8107/380 1791.8/116.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 235.1/1003.2 1306/1494 368.4/649.4][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: 
webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 5 TCP 192.168.1.103:54099 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][25 pkts/9013 bytes <-> 29 pkts/27440 bytes][Goodput ratio: 81.6/93.0][14.74 sec][bytes ratio: -0.506 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 168.3/172.3 1085/1495 276.4/328.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 360.5/946.2 1306/1754 450.4/673.4][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 6 TCP 192.168.1.103:54119 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][26 pkts/8129 bytes <-> 24 pkts/22836 bytes][Goodput ratio: 78.8/93.0][28.03 sec][bytes ratio: -0.475 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1291.5/951.0 9696/8423 2839.9/2427.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 312.7/951.5 1306/2922 423.4/963.9][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: 
webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 7 TCP 192.168.1.103:58038 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][34 pkts/17556 bytes <-> 25 pkts/12172 bytes][Goodput ratio: 87.2/86.4][38.16 sec][bytes ratio: 0.181 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1114.3/1109.9 15327/15635 3311.0/3567.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 516.4/486.9 1306/1754 494.4/579.4][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 8 TCP 192.168.1.103:54089 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][21 pkts/7826 bytes <-> 20 pkts/18761 bytes][Goodput ratio: 82.2/92.9][13.58 sec][bytes ratio: -0.411 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 776.9/120.1 9999/394 2313.0/166.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 372.7/938.0 1306/5892 453.9/1304.2][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: 
webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 9 TCP 192.168.1.103:54095 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][21 pkts/7825 bytes <-> 18 pkts/17898 bytes][Goodput ratio: 82.2/93.3][22.24 sec][bytes ratio: -0.392 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1173.5/415.8 10039/3644 2412.0/984.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 372.6/994.3 1306/8291 453.8/1870.8][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 10 TCP 192.168.1.103:58040 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][29 pkts/17545 bytes <-> 20 pkts/6923 bytes][Goodput ratio: 89.0/80.8][31.02 sec][bytes ratio: 0.434 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1264.8/1400.8 15319/15624 3541.0/3988.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 605.0/346.1 1494/1494 586.5/471.8][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: 
webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 11 TCP 192.168.1.103:54097 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][25 pkts/12063 bytes <-> 19 pkts/7932 bytes][Goodput ratio: 86.2/84.1][47.29 sec][bytes ratio: 0.207 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1387.8/1930.0 15313/15715 3511.0/4240.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 482.5/417.5 1306/1754 480.2/530.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 12 TCP 192.168.1.103:54094 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][22 pkts/10193 bytes <-> 18 pkts/8262 bytes][Goodput ratio: 85.7/85.5][22.50 sec][bytes ratio: 0.105 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1165.0/785.7 10037/4544 2455.0/1496.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 463.3/459.0 1306/1754 478.0/578.6][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: 
webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 13 TCP 192.168.1.103:54102 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][13 pkts/2317 bytes <-> 15 pkts/15724 bytes][Goodput ratio: 62.6/93.6][13.04 sec][bytes ratio: -0.743 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1231.5/212.8 9996/1647 2943.7/472.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 178.2/1048.3 1153/3182 289.6/878.3][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 14 TCP 192.168.1.103:54098 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][22 pkts/8507 bytes <-> 16 pkts/6575 bytes][Goodput ratio: 82.8/83.7][47.03 sec][bytes ratio: 0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/0 2592.2/2688.5 15693/16086 4162.8/4915.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 386.7/410.9 1306/1754 451.5/550.6][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: 
webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 15 TCP 192.168.1.103:54117 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][20 pkts/8397 bytes <-> 16 pkts/6566 bytes][Goodput ratio: 84.2/83.8][25.19 sec][bytes ratio: 0.122 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1502.7/1316.1 9999/7806 2987.1/2505.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 419.9/410.4 1306/1494 461.7/506.9][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 16 TCP 192.168.1.103:58036 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][15 pkts/6450 bytes <-> 11 pkts/5068 bytes][Goodput ratio: 84.5/85.5][11.52 sec][bytes ratio: 0.120 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 930.8/134.0 9811/287 2680.9/129.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430.0/460.7 1306/1494 463.0/553.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: 
webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 17 TCP 192.168.1.103:54092 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][15 pkts/6438 bytes <-> 11 pkts/5068 bytes][Goodput ratio: 84.5/85.5][11.77 sec][bytes ratio: 0.119 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 946.7/155.4 9639/333 2625.9/153.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 429.2/460.7 1306/1494 462.8/553.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 18 TCP 192.168.1.103:54100 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][15 pkts/4627 bytes <-> 12 pkts/5905 bytes][Goodput ratio: 78.4/86.3][14.48 sec][bytes ratio: -0.121 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 1139.8/318.4 10004/1570 2698.0/529.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 308.5/492.1 1306/1798 406.0/692.3][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: 
webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 19 TCP 192.168.1.103:54111 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][14 pkts/4626 bytes <-> 12 pkts/5135 bytes][Goodput ratio: 79.8/84.4][22.95 sec][bytes ratio: -0.052 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2021.5/1535.6 10879/11228 3975.6/3666.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 330.4/427.9 1306/1494 415.8/540.7][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 20 TCP 192.168.1.103:58042 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][12 pkts/4516 bytes <-> 10 pkts/5004 bytes][Goodput ratio: 82.3/86.6][11.54 sec][bytes ratio: -0.051 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 140.3/135.6 356/292 157.1/129.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 376.3/500.4 1306/1754 434.4/627.5][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: 
webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 21 TCP 192.168.1.103:43850 <-> 203.205.158.34:443 [proto: 91.48/TLS.QQ][cat: Chat/9][12 pkts/2005 bytes <-> 12 pkts/6787 bytes][Goodput ratio: 66.7/90.0][72.13 sec][bytes ratio: -0.544 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7939.3/7944.1 44960/45306 14472.3/14556.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 167.1/565.6 571/3484 197.3/986.9][TLSv1.2][Client: res.wx.qq.com][JA3C: 550dce18de1bb143e69d6dd9413b8355][ServerNames: wx1.qq.com,webpush.wx.qq.com,webpush1.weixin.qq.com,loginpoll.weixin.qq.com,login.wx.qq.com,file.wx2.qq.com,wx2.qq.com,login.wx2.qq.com,wxitil.qq.com,file.wx.qq.com,login.weixin.qq.com,webpush2.weixin.qq.com,webpush.wx2.qq.com,webpush.weixin.qq.com,web.weixin.qq.com,res.wx.qq.com,wx.qq.com][JA3S: 290adf098a54ade688d1df074dbecbf2 (WEAK)][Organization: Shenzhen Tencent Computer Systems Company Limited][Certificate SHA-1: 67:53:57:7F:22:BB:D0:A6:D4:5F:A6:D4:B3:0A:13:73:29:23:D0:C9][Validity: 2016-05-10 00:00:00 - 2018-08-09 23:59:59][Cipher: TLS_RSA_WITH_AES_256_GCM_SHA384] + 22 TCP 192.168.1.103:38657 <-> 172.217.22.14:443 [proto: 91.126/TLS.Google][cat: Web/5][17 pkts/2413 bytes <-> 17 pkts/6268 bytes][Goodput ratio: 53.1/82.0][135.40 sec][bytes ratio: -0.444 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 6942.5/6941.6 45055/45055 16248.7/16249.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 141.9/368.7 895/1484 195.7/525.4][TLSv1.2][Client: safebrowsing.googleusercontent.com][JA3C: 
d551fafc4f40f1dec2bb45980bfa9492][ServerNames: *.googleusercontent.com,*.apps.googleusercontent.com,*.appspot.com.storage.googleapis.com,*.blogspot.com,*.bp.blogspot.com,*.commondatastorage.googleapis.com,*.content-storage-download.googleapis.com,*.content-storage-upload.googleapis.com,*.content-storage.googleapis.com,*.doubleclickusercontent.com,*.ggpht.com,*.googledrive.com,*.googlesyndication.com,*.googleweblight.com,*.safenup.googleusercontent.com,*.sandbox.googleusercontent.com,*.storage-download.googleapis.com,*.storage-upload.googleapis.com,*.storage.googleapis.com,*.storage.select.googleapis.com,blogspot.com,bp.blogspot.com,commondatastorage.googleapis.com,doubleclickusercontent.com,ggpht.com,googledrive.com,googleusercontent.com,googleweblight.com,static.panoramio.com.storage.googleapis.com,storage.googleapis.com,storage.select.googleapis.com,unfiltered.news][JA3S: d655f7cd00e93ea8969c3c6e06f0156f][Organization: Google Inc][Certificate SHA-1: 8B:36:AF:31:A2:4C:EE:50:CC:6F:34:F7:2C:A3:C5:B6:4B:02:AC:53][Validity: 2017-04-05 17:14:46 - 2017-06-28 16:57:00][Cipher: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256] 23 UDP 192.168.1.103:51507 <-> 172.217.23.67:443 [proto: 188.126/QUIC.Google][cat: Web/5][7 pkts/3507 bytes <-> 6 pkts/3329 bytes][Goodput ratio: 91.6/92.4][0.18 sec][Host: ssl.gstatic.com][bytes ratio: 0.026 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 3/0 26.8/2.0 76/4 27.2/1.4][Pkt Len c2s/s2c min/avg/max/stddev: 80/72 501.0/554.8 1392/1392 573.8/598.8][PLAIN TEXT (ssl.gstatic.com)] 24 UDP 192.168.1.103:57591 <-> 216.58.198.46:443 [proto: 188.241/QUIC.GoogleDocs][cat: Collaborative/15][6 pkts/2687 bytes <-> 7 pkts/2125 bytes][Goodput ratio: 90.6/86.1][1.33 sec][Host: docs.google.com][bytes ratio: 0.117 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 21.2/248.4 55/1178 23.0/465.4][Pkt Len c2s/s2c min/avg/max/stddev: 77/70 447.8/303.6 1392/1392 532.3/455.1][PLAIN TEXT (docs.google.comr)] - 25 TCP 192.168.1.103:54120 <-> 203.205.151.162:443 [proto: 
91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][Goodput ratio: 35.2/85.3][27.78 sec][bytes ratio: -0.565 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 3427.9/1426.0 19999/5411 6454.5/2303.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/463.9 304/1754 76.6/673.1][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 26 TCP 192.168.1.103:58041 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][Goodput ratio: 35.2/85.3][30.78 sec][bytes ratio: -0.565 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 3812.8/2235.0 20004/5405 6348.0/2330.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/463.9 304/1754 76.6/673.1][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 27 TCP 192.168.1.103:54118 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 8 pkts/3703 bytes][Goodput ratio: 35.2/85.5][24.98 sec][bytes ratio: -0.564 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3076.0/848.4 20000/3092 6447.6/1206.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/462.9 304/1494 76.6/600.9][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 
00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 28 TCP 192.168.1.103:54090 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][Goodput ratio: 35.2/87.1][13.33 sec][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1665.2/361.5 10763/1441 3452.6/623.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/519.6 304/1494 76.6/622.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 29 TCP 192.168.1.103:54096 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][Goodput ratio: 35.2/87.1][20.54 sec][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2567.1/79.5 19243/317 6304.7/137.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/519.6 304/1494 76.6/622.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 30 TCP 192.168.1.103:54104 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][Goodput ratio: 35.2/87.1][11.97 sec][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1495.8/89.5 10477/358 3399.0/155.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/519.6 304/1494 76.6/622.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: 
Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 31 TCP 192.168.1.103:54091 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][9 pkts/966 bytes <-> 6 pkts/3571 bytes][Goodput ratio: 37.6/88.7][11.54 sec][bytes ratio: -0.574 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1592.0/136.7 10023/410 3446.3/193.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 107.3/595.2 304/1754 79.7/731.6][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 25 TCP 192.168.1.103:54120 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][Goodput ratio: 35.2/85.3][27.78 sec][bytes ratio: -0.565 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 3427.9/1426.0 19999/5411 6454.5/2303.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/463.9 304/1754 76.6/673.1][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 26 TCP 192.168.1.103:58041 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: 
Chat/9][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][Goodput ratio: 35.2/85.3][30.78 sec][bytes ratio: -0.565 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 3812.8/2235.0 20004/5405 6348.0/2330.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/463.9 304/1754 76.6/673.1][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 27 TCP 192.168.1.103:54118 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 8 pkts/3703 bytes][Goodput ratio: 35.2/85.5][24.98 sec][bytes ratio: -0.564 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3076.0/848.4 20000/3092 6447.6/1206.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/462.9 304/1494 76.6/600.9][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 28 TCP 192.168.1.103:54090 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 
pkts/1032 bytes <-> 7 pkts/3637 bytes][Goodput ratio: 35.2/87.1][13.33 sec][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1665.2/361.5 10763/1441 3452.6/623.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/519.6 304/1494 76.6/622.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 29 TCP 192.168.1.103:54096 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][Goodput ratio: 35.2/87.1][20.54 sec][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2567.1/79.5 19243/317 6304.7/137.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/519.6 304/1494 76.6/622.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 30 TCP 192.168.1.103:54104 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 7 
pkts/3637 bytes][Goodput ratio: 35.2/87.1][11.97 sec][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1495.8/89.5 10477/358 3399.0/155.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/519.6 304/1494 76.6/622.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 31 TCP 192.168.1.103:54091 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][9 pkts/966 bytes <-> 6 pkts/3571 bytes][Goodput ratio: 37.6/88.7][11.54 sec][bytes ratio: -0.574 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1592.0/136.7 10023/410 3446.3/193.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 107.3/595.2 304/1754 79.7/731.6][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 32 UDP [fe80::7a92:9cff:fe0f:a88e]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][44 pkts/4488 bytes -> 0 pkts/0 bytes][Goodput 
ratio: 39.2/0.0][3914.88 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 6683.7/0.0 41917/0 11731.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 102/0 102.0/0.0 102/0 0.0/0.0][PLAIN TEXT (googlecast)] 33 UDP 192.168.1.103:35601 <-> 172.217.23.67:443 [proto: 188.126/QUIC.Google][cat: Web/5][5 pkts/2035 bytes <-> 5 pkts/1937 bytes][Goodput ratio: 89.6/89.1][0.12 sec][Host: ssl.gstatic.com][bytes ratio: 0.025 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/17 24.0/16.0 53/47 24.3/19.2][Pkt Len c2s/s2c min/avg/max/stddev: 80/72 407.0/387.4 1392/1392 507.8/512.0][PLAIN TEXT (ssl.gstatic.com)] 34 UDP 192.168.1.103:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][44 pkts/3608 bytes -> 0 pkts/0 bytes][Goodput ratio: 48.8/0.0][3914.88 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 6683.7/0.0 41917/0 11731.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 82.0/0.0 82/0 0.0/0.0][PLAIN TEXT (googlecast)] diff --git a/tests/result/weibo.pcap.out b/tests/result/weibo.pcap.out index 867dd4950..70899b950 100644 --- a/tests/result/weibo.pcap.out +++ b/tests/result/weibo.pcap.out 
@@ -12,7 +12,7 @@ JA3 Host Stats: 1 TCP 192.168.1.105:35803 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: SocialNetwork/6][52 pkts/5367 bytes <-> 54 pkts/71536 bytes][Goodput ratio: 32.8/95.0][1.44 sec][Host: img.t.sinajs.cn][bytes ratio: -0.860 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 29.0/29.3 400/372 66.4/64.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/1324.7 533/4374 116.5/822.8][URL: img.t.sinajs.cn/t6/style/css/module/base/frame.css?version=201605130537][StatusCode: 200][ContentType: text/css][UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36][PLAIN TEXT (GET /t6/style/css/module/base/f)] 2 TCP 192.168.1.105:35804 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: SocialNetwork/6][32 pkts/3624 bytes <-> 40 pkts/50657 bytes][Goodput ratio: 37.8/94.8][1.33 sec][Host: img.t.sinajs.cn][bytes ratio: -0.866 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 47.7/38.7 314/338 88.7/81.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 113.2/1266.4 549/2938 132.2/620.2][URL: img.t.sinajs.cn/t6/style/css/module/combination/comb_login.css?version=201605130537][StatusCode: 200][ContentType: text/css][UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36][PLAIN TEXT (GET /t6/style/css/module/combin)] - 3 TCP 192.168.1.105:51698 <-> 93.188.134.137:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: SocialNetwork/6][40 pkts/3462 bytes <-> 39 pkts/34030 bytes][Goodput ratio: 13.0/92.4][0.82 sec][Host: www.weibo.com][bytes ratio: -0.815 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 24.9/22.7 482/454 83.8/80.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 86.6/872.6 516/2938 69.2/915.2][URL: www.weibo.com/login.php?lang=en-us][StatusCode: 200][ContentType: text/html][UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36][PLAIN TEXT (GET /login.php)] + 3 TCP 
192.168.1.105:51698 <-> 93.188.134.137:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: SocialNetwork/6][40 pkts/3462 bytes <-> 39 pkts/34030 bytes][Goodput ratio: 13.0/92.4][0.82 sec][Host: www.weibo.com][bytes ratio: -0.815 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 24.9/22.7 482/454 83.8/80.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 86.6/872.6 516/2938 69.2/915.2][URL: www.weibo.com/login.php?lang=en-us][StatusCode: 0][ContentType: ][UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36][PLAIN TEXT (GET /login.php)] 4 TCP 192.168.1.105:35807 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: SocialNetwork/6][27 pkts/2298 bytes <-> 26 pkts/34170 bytes][Goodput ratio: 21.1/95.0][0.53 sec][Host: img.t.sinajs.cn][bytes ratio: -0.874 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 23.0/21.8 183/162 50.2/47.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 85.1/1314.2 550/1502 91.2/448.1][URL: img.t.sinajs.cn/t6/style/images/growth/login/sprite_login.png?13434210384389][StatusCode: 200][ContentType: image/png][UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36][PLAIN TEXT (GET /t6/style/images/growth/log)] 5 TCP 192.168.1.105:35805 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: SocialNetwork/6][21 pkts/2323 bytes <-> 20 pkts/20922 bytes][Goodput ratio: 37.4/93.6][1.37 sec][Host: img.t.sinajs.cn][bytes ratio: -0.800 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 71.8/74.7 375/438 115.7/123.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 110.6/1046.1 525/1502 126.8/556.9][URL: img.t.sinajs.cn/t6/skin/default/skin.css?version=201605130537][StatusCode: 200][ContentType: text/css][UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36][PLAIN TEXT (GET /t6/skin/default/skin.css)] 6 TCP 192.168.1.105:35809 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: 
SocialNetwork/6][18 pkts/1681 bytes <-> 17 pkts/20680 bytes][Goodput ratio: 28.1/94.5][0.56 sec][Host: img.t.sinajs.cn][bytes ratio: -0.850 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 32.1/37.9 252/181 64.0/50.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 93.4/1216.5 539/1502 108.1/525.5][URL: img.t.sinajs.cn/t6/style/images/common/font/wbficon.woff?id=201605111746][StatusCode: 200][ContentType: application/x-font-woff][UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36][PLAIN TEXT (GET /t6/style/images/common/fon)] 
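Review bot: Flow 3 of the weibo baseline (`192.168.1.105:51698 <-> 93.188.134.137:80`) now expects `[StatusCode: 0][ContentType: ]` where it had `[StatusCode: 200][ContentType: text/html]`, although its packet and byte counts (`39 pkts/34030 bytes` server-to-client) are unchanged. The response is still in the capture, so the HTTP response metadata is no longer being extracted for this flow, and updating the golden file makes that loss the passing state. If this follows from dissection deliberately stopping earlier, the commit message should say so. Otherwise the dissector should be fixed rather than the baseline, since anything downstream that keys on status code or content type will see empty values without any test failing.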
@@ -22,7 +22,7 @@ JA3 Host Stats: 10 TCP 192.168.1.105:59119 <-> 114.134.80.162:80 [proto: 7/HTTP][cat: Web/5][5 pkts/736 bytes <-> 4 pkts/863 bytes][Goodput ratio: 60.5/73.5][1.05 sec][Host: weibo.com][bytes ratio: -0.079 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/347 175.8/347.5 353/348 174.3/0.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 147.2/215.8 500/689 176.6/273.3][URL: weibo.com/login.php?lang=en-us][StatusCode: 301][ContentType: text/html][UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36][PLAIN TEXT (GET /login.php)] 11 TCP 192.168.1.105:35811 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: SocialNetwork/6][3 pkts/604 bytes <-> 2 pkts/140 bytes][Goodput ratio: 65.8/0.0][0.46 sec][Host: js.t.sinajs.cn][URL: js.t.sinajs.cn/t5/register/js/v6/pl/base.js?version=201605130537][StatusCode: 0][ContentType: ][UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36][PLAIN TEXT (KGET /t)] 12 TCP 192.168.1.105:42275 <-> 222.73.28.96:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: SocialNetwork/6][3 pkts/610 bytes <-> 1 pkts/66 bytes][Goodput ratio: 70.0/0.0][0.38 sec][Host: u1.img.mobile.sina.cn][URL: u1.img.mobile.sina.cn/public/files/image/620x300_img5653d57c6dab2.png][StatusCode: 0][ContentType: ][UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36][PLAIN TEXT (GET /public/files/image/620)] - 13 TCP 192.168.1.105:50827 <-> 47.89.65.229:443 [proto: 91/TLS][cat: Web/5][3 pkts/382 bytes <-> 1 pkts/66 bytes][Goodput ratio: 52.2/0.0][0.16 sec][TLSv1][Client: g.alicdn.com][JA3C: 58e7f64db6e4fe4941dd9691d421196c][PLAIN TEXT (g.alicdn.com)] + 13 TCP 192.168.1.105:50827 <-> 47.89.65.229:443 [proto: 91/TLS][cat: Web/5][3 pkts/382 bytes <-> 1 pkts/66 bytes][Goodput ratio: 52.2/0.0][0.16 sec][TLSv1.2][Client: g.alicdn.com][JA3C: 58e7f64db6e4fe4941dd9691d421196c][PLAIN TEXT 
(g.alicdn.com)] 14 UDP 192.168.1.105:53543 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][cat: SocialNetwork/6][1 pkts/75 bytes <-> 1 pkts/191 bytes][Goodput ratio: 43.4/77.6][0.11 sec][Host: img.t.sinajs.cn] 15 UDP 192.168.1.105:41352 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][cat: SocialNetwork/6][1 pkts/74 bytes <-> 1 pkts/190 bytes][Goodput ratio: 42.7/77.5][0.54 sec][Host: js.t.sinajs.cn] 16 UDP 192.168.1.105:51440 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/72 bytes <-> 1 pkts/171 bytes][Goodput ratio: 41.1/75.0][0.19 sec][Host: g.alicdn.com][PLAIN TEXT (alicdn)] diff --git a/tests/result/whatsapp_login_call.pcap.out b/tests/result/whatsapp_login_call.pcap.out index e3aceafa2..d16cec350 100644 --- a/tests/result/whatsapp_login_call.pcap.out +++ b/tests/result/whatsapp_login_call.pcap.out @@ -1,3 +1,4 @@ +Unknown 180 24874 1 HTTP 11 726 3 MDNS 8 952 4 DHCP 10 3420 1 @@ -6,7 +7,7 @@ ICMP 10 700 1 TLS 8 589 2 Dropbox 4 2176 1 Apple 212 56189 22 -WhatsApp 182 25154 2 +WhatsApp 2 280 1 Spotify 3 258 1 JA3 Host Stats: 
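Review bot: The summary hunks of whatsapp_login_call.pcap.out (`@@ -1,3 +1,4 @@` and `@@ -6,7 +7,7 @@`) add `Unknown 180 24874 1` and cut WhatsApp from `182 25154 2` to `2 280 1`, so the baseline now accepts that the TCP flow to port 5222 is unclassified. The following `@@ -16,58 +17,61 @@` hunk moves that flow under `Undetected flows:` as `0/Unknown`, and the whatsapp_login_chat.pcap.out hunk after it shows the same pattern (`Unknown 30 2963 1`). Recording a lost detection as the expected result means the regression suite can no longer catch it. If the WhatsApp TCP signature was dropped on purpose, the commit description should state that and why; if not, the dissector should be restored before these baselines are regenerated.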
@@ -16,58 +17,61 @@ JA3 Host Stats: 1 UDP 192.168.2.4:51518 <-> 91.253.176.65:9344 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][186 pkts/27025 bytes <-> 278 pkts/25895 bytes][Goodput ratio: 71.1/54.9][9.73 sec][bytes ratio: 0.021 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 40.5/33.0 198/347 51.1/47.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/64 145.3/93.1 525/488 100.0/64.5][PLAIN TEXT (zTdFPOk)] 2 UDP 192.168.2.4:52794 <-> 91.253.176.65:9665 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][141 pkts/17530 bytes <-> 57 pkts/12888 bytes][Goodput ratio: 66.2/81.4][7.74 sec][bytes ratio: 0.153 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 47.8/124.4 307/539 62.9/96.2][Pkt Len c2s/s2c min/avg/max/stddev: 65/68 124.3/226.1 484/552 75.0/128.5] - 3 TCP 192.168.2.4:49202 <-> 184.173.179.37:5222 [proto: 142/WhatsApp][cat: Chat/9][100 pkts/14711 bytes <-> 80 pkts/10163 bytes][Goodput ratio: 55.1/48.0][134.29 sec][bytes ratio: 0.183 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1384.9/1865.5 28162/28146 4416.3/5104.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 147.1/127.0 1506/754 238.5/99.0][PLAIN TEXT (iPhone)] - 4 TCP 192.168.2.4:49204 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][29 pkts/11770 bytes <-> 24 pkts/6612 bytes][Goodput ratio: 86.5/80.2][34.28 sec][bytes ratio: 0.281 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 121.7/107.9 1665/1391 339.6/319.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 405.9/275.5 1494/1002 488.5/347.9][TLSv1.2][Client: p53-buy.itunes.apple.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5] - 5 TCP 192.168.2.4:49201 <-> 17.178.104.12:443 [proto: 91.140/TLS.Apple][cat: Web/5][21 pkts/7644 bytes <-> 17 pkts/9576 bytes][Goodput ratio: 84.8/90.3][32.84 sec][bytes ratio: -0.112 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1908.9/36.8 30435/294 7133.2/81.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 364.0/563.3 1494/1494 552.5/634.4][TLSv1.2][Client: 
query.ess.apple.com][JA3C: 799135475da362592a4be9199d258726][Server: *.ess.apple.com][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Organization: Apple Inc.][Certificate SHA-1: BD:E0:62:C3:F2:9D:09:5D:52:D4:AA:60:11:1B:36:1B:03:24:F1:9B][Validity: 2014-03-08 01:53:04 - 2029-03-08 01:53:04][Cipher: TLS_RSA_WITH_RC4_128_MD5] - 6 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][17 pkts/6166 bytes <-> 15 pkts/3539 bytes][Goodput ratio: 84.7/76.8][0.94 sec][bytes ratio: 0.271 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 35.8/42.0 225/228 76.0/80.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 362.7/235.9 1494/1002 464.1/321.5][TLSv1.2][Client: p53-buy.itunes.apple.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5] - 7 TCP 192.168.2.4:49193 <-> 17.110.229.14:5223 [proto: 238.140/ApplePush.Apple][cat: Cloud/13][11 pkts/4732 bytes <-> 11 pkts/1194 bytes][Goodput ratio: 84.6/39.2][125.45 sec][bytes ratio: 0.597 (Upload)][IAT c2s/s2c min/avg/max/stddev: 53/0 12859.6/12856.5 101116/101113 33358.6/33358.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430.2/108.5 1506/300 466.8/82.6][PLAIN TEXT (yfV.nY)] - 8 UDP 192.168.2.4:51518 <-> 31.13.93.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][12 pkts/2341 bytes <-> 12 pkts/2484 bytes][Goodput ratio: 78.4/79.7][29.18 sec][bytes ratio: -0.030 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2192.2/2121.8 18656/18299 5822.2/5720.0][Pkt Len c2s/s2c min/avg/max/stddev: 64/68 195.1/207.0 331/358 97.6/107.5] - 9 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][10 pkts/3420 bytes -> 0 pkts/0 bytes][Goodput ratio: 87.7/0.0][59.94 sec][Host: lucas-imac][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1255/0 6659.6/0.0 9061/0 2879.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 342/0 342.0/0.0 342/0 0.0/0.0][DHCP Fingerprint: 1,3,6,15,119,95,252,44,46] - 10 UDP 192.168.2.4:52794 <-> 31.13.84.48:3478 
[proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][9 pkts/1842 bytes <-> 11 pkts/1151 bytes][Goodput ratio: 79.4/59.8][14.33 sec][bytes ratio: 0.231 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 1922.9/792.0 6986/6468 2906.0/2008.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/64 204.7/104.6 331/128 81.8/22.8] - 11 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][cat: Cloud/13][4 pkts/2176 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][90.14 sec][PLAIN TEXT ( 3375359593)] - 12 TCP 192.168.2.4:49199 <-> 17.172.100.70:993 [proto: 51.140/IMAPS.Apple][cat: Web/5][9 pkts/1130 bytes <-> 8 pkts/868 bytes][Goodput ratio: 47.4/39.1][0.94 sec][bytes ratio: 0.131 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 9/53 104.7/100.3 275/162 108.0/46.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 125.6/108.5 236/151 68.4/42.5] - 13 UDP 192.168.2.4:51518 -> 1.194.90.191:60312 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][15 pkts/1290 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.1/0.0][8.85 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 614/0 631.8/0.0 667/0 13.4/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86.0/0.0 86/0 0.0/0.0] - 14 UDP 192.168.2.4:52794 -> 1.194.90.191:51727 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][12 pkts/1032 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.1/0.0][6.95 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 625/0 631.1/0.0 644/0 5.8/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86.0/0.0 86/0 0.0/0.0] - 15 ICMP 192.168.2.4:0 -> 91.253.176.65:0 [proto: 81/ICMP][cat: Network/14][10 pkts/700 bytes -> 0 pkts/0 bytes][Goodput ratio: 39.9/0.0][43.15 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 4794.7/0.0 42598/0 13366.1/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 70/0 70.0/0.0 70/0 0.0/0.0] - 16 UDP 192.168.2.4:51518 <-> 31.13.64.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] - 17 UDP 192.168.2.4:51518 <-> 
31.13.70.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] - 18 UDP 192.168.2.4:51518 <-> 31.13.73.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] - 19 UDP 192.168.2.4:51518 <-> 31.13.79.192:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] - 20 UDP 192.168.2.4:51518 <-> 31.13.85.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] - 21 UDP 192.168.2.4:51518 <-> 31.13.91.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] - 22 UDP 192.168.2.4:51518 <-> 31.13.100.14:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] - 23 UDP 192.168.2.4:52794 <-> 31.13.73.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] - 24 UDP 192.168.2.4:52794 <-> 31.13.74.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] - 25 UDP 192.168.2.4:52794 <-> 31.13.79.192:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec][PLAIN TEXT (ay.OF@)] - 26 UDP 192.168.2.4:52794 <-> 31.13.90.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] - 27 UDP 192.168.2.4:52794 <-> 31.13.93.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] - 28 UDP 192.168.2.4:52794 <-> 173.252.114.1:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 
pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] - 29 UDP 192.168.2.4:52794 <-> 179.60.192.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] - 30 TCP 192.168.2.4:49172 <-> 23.50.148.228:443 [proto: 91/TLS][cat: Web/5][3 pkts/174 bytes <-> 2 pkts/217 bytes][Goodput ratio: 0.0/39.0][0.03 sec] - 31 TCP 192.168.2.4:49192 <-> 93.186.135.8:80 [proto: 7/HTTP][cat: Web/5][3 pkts/198 bytes <-> 2 pkts/132 bytes][Goodput ratio: 0.0/0.0][0.20 sec] - 32 UDP 192.168.2.4:51897 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][cat: Web/5][1 pkts/79 bytes <-> 1 pkts/251 bytes][Goodput ratio: 46.3/82.9][0.07 sec][Host: query.ess.apple.com][PLAIN TEXT (akadns)] - 33 UDP 192.168.2.4:52190 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][cat: Chat/9][1 pkts/76 bytes <-> 1 pkts/204 bytes][Goodput ratio: 44.2/79.0][0.03 sec][Host: e13.whatsapp.net][PLAIN TEXT (whatsapp)] - 34 UDP 192.168.2.1:57621 -> 192.168.2.255:57621 [proto: 156/Spotify][cat: Music/25][3 pkts/258 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.0/0.0][77.07 sec][PLAIN TEXT (SpotUdp)] - 35 UDP [fe80::c42c:3ff:fe60:6a64]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/258 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.7/0.0][0.24 sec] - 36 UDP [fe80::da30:62ff:fe56:1c]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/258 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.7/0.0][0.24 sec] - 37 UDP 169.254.166.207:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/218 bytes -> 0 pkts/0 bytes][Goodput ratio: 61.2/0.0][0.24 sec] - 38 UDP 192.168.2.1:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/218 bytes -> 0 pkts/0 bytes][Goodput ratio: 61.2/0.0][0.24 sec] - 39 TCP 192.168.2.4:49173 <-> 93.186.135.82:80 [proto: 7/HTTP][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0.0/0.0][0.03 sec] - 40 TCP 192.168.2.4:49174 <-> 5.178.42.26:80 [proto: 7/HTTP][cat: Web/5][2 pkts/132 bytes <-> 1 
pkts/66 bytes][Goodput ratio: 0.0/0.0][0.03 sec] - 41 TCP 192.168.2.4:49194 <-> 93.62.150.157:443 [proto: 91/TLS][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0.0/0.0][0.06 sec] - 42 TCP 192.168.2.4:49203 <-> 17.178.104.14:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0.0/0.0][0.28 sec] - 43 TCP 192.168.2.4:49163 <-> 17.154.66.111:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.30 sec] - 44 TCP 192.168.2.4:49164 <-> 17.167.142.31:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.17 sec] - 45 TCP 192.168.2.4:49165 <-> 17.172.100.55:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.21 sec] - 46 TCP 192.168.2.4:49166 <-> 17.154.66.121:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.30 sec] - 47 TCP 192.168.2.4:49167 <-> 17.172.100.8:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.16 sec] - 48 TCP 192.168.2.4:49169 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.21 sec] - 49 TCP 192.168.2.4:49175 <-> 17.172.100.53:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.22 sec] - 50 TCP 192.168.2.4:49176 <-> 17.130.137.77:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.05 sec] - 51 TCP 192.168.2.4:49180 <-> 17.172.100.59:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.28 sec] - 52 TCP 192.168.2.4:49181 <-> 17.172.100.37:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.28 sec] - 53 TCP 192.168.2.4:49182 <-> 17.172.100.52:443 
[proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.16 sec] - 54 TCP 192.168.2.4:49191 <-> 17.172.100.49:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.17 sec] - 55 TCP 192.168.2.4:49197 <-> 17.167.142.39:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.26 sec] - 56 TCP 192.168.2.4:49198 <-> 17.167.142.13:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.26 sec] - 57 TCP 192.168.2.4:49200 <-> 17.167.142.13:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.28 sec] + 3 TCP 192.168.2.4:49204 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][29 pkts/11770 bytes <-> 24 pkts/6612 bytes][Goodput ratio: 86.5/80.2][34.28 sec][bytes ratio: 0.281 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 121.7/107.9 1665/1391 339.6/319.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 405.9/275.5 1494/1002 488.5/347.9][TLSv1.2][Client: p53-buy.itunes.apple.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5] + 4 TCP 192.168.2.4:49201 <-> 17.178.104.12:443 [proto: 91.140/TLS.Apple][cat: Web/5][21 pkts/7644 bytes <-> 17 pkts/9576 bytes][Goodput ratio: 84.8/90.3][32.84 sec][bytes ratio: -0.112 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1908.9/36.8 30435/294 7133.2/81.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 364.0/563.3 1494/1494 552.5/634.4][TLSv1.2][Client: query.ess.apple.com][JA3C: 799135475da362592a4be9199d258726][ServerNames: *.ess.apple.com][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Organization: Apple Inc.][Certificate SHA-1: BD:E0:62:C3:F2:9D:09:5D:52:D4:AA:60:11:1B:36:1B:03:24:F1:9B][Validity: 2015-05-06 01:09:47 - 2016-06-04 01:09:47][Cipher: TLS_RSA_WITH_RC4_128_MD5] + 5 TCP 192.168.2.4:49205 <-> 
17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][17 pkts/6166 bytes <-> 15 pkts/3539 bytes][Goodput ratio: 84.7/76.8][0.94 sec][bytes ratio: 0.271 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 35.8/42.0 225/228 76.0/80.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 362.7/235.9 1494/1002 464.1/321.5][TLSv1.2][Client: p53-buy.itunes.apple.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5] + 6 TCP 192.168.2.4:49193 <-> 17.110.229.14:5223 [proto: 238.140/ApplePush.Apple][cat: Cloud/13][11 pkts/4732 bytes <-> 11 pkts/1194 bytes][Goodput ratio: 84.6/39.2][125.45 sec][bytes ratio: 0.597 (Upload)][IAT c2s/s2c min/avg/max/stddev: 53/0 12859.6/12856.5 101116/101113 33358.6/33358.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430.2/108.5 1506/300 466.8/82.6][PLAIN TEXT (yfV.nY)] + 7 UDP 192.168.2.4:51518 <-> 31.13.93.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][12 pkts/2341 bytes <-> 12 pkts/2484 bytes][Goodput ratio: 78.4/79.7][29.18 sec][bytes ratio: -0.030 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2192.2/2121.8 18656/18299 5822.2/5720.0][Pkt Len c2s/s2c min/avg/max/stddev: 64/68 195.1/207.0 331/358 97.6/107.5] + 8 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][10 pkts/3420 bytes -> 0 pkts/0 bytes][Goodput ratio: 87.7/0.0][59.94 sec][Host: lucas-imac][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1255/0 6659.6/0.0 9061/0 2879.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 342/0 342.0/0.0 342/0 0.0/0.0][DHCP Fingerprint: 1,3,6,15,119,95,252,44,46] + 9 UDP 192.168.2.4:52794 <-> 31.13.84.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][9 pkts/1842 bytes <-> 11 pkts/1151 bytes][Goodput ratio: 79.4/59.8][14.33 sec][bytes ratio: 0.231 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 1922.9/792.0 6986/6468 2906.0/2008.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/64 204.7/104.6 331/128 81.8/22.8] + 10 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 
121/Dropbox][cat: Cloud/13][4 pkts/2176 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][90.14 sec][PLAIN TEXT ( 3375359593)] + 11 TCP 192.168.2.4:49199 <-> 17.172.100.70:993 [proto: 51.140/IMAPS.Apple][cat: Web/5][9 pkts/1130 bytes <-> 8 pkts/868 bytes][Goodput ratio: 47.4/39.1][0.94 sec][bytes ratio: 0.131 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 9/53 104.7/100.3 275/162 108.0/46.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 125.6/108.5 236/151 68.4/42.5] + 12 UDP 192.168.2.4:51518 -> 1.194.90.191:60312 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][15 pkts/1290 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.1/0.0][8.85 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 614/0 631.8/0.0 667/0 13.4/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86.0/0.0 86/0 0.0/0.0] + 13 UDP 192.168.2.4:52794 -> 1.194.90.191:51727 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][12 pkts/1032 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.1/0.0][6.95 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 625/0 631.1/0.0 644/0 5.8/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86.0/0.0 86/0 0.0/0.0] + 14 ICMP 192.168.2.4:0 -> 91.253.176.65:0 [proto: 81/ICMP][cat: Network/14][10 pkts/700 bytes -> 0 pkts/0 bytes][Goodput ratio: 39.9/0.0][43.15 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 4794.7/0.0 42598/0 13366.1/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 70/0 70.0/0.0 70/0 0.0/0.0] + 15 UDP 192.168.2.4:51518 <-> 31.13.64.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] + 16 UDP 192.168.2.4:51518 <-> 31.13.70.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] + 17 UDP 192.168.2.4:51518 <-> 31.13.73.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] + 18 UDP 192.168.2.4:51518 <-> 31.13.79.192:3478 [proto: 
78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] + 19 UDP 192.168.2.4:51518 <-> 31.13.85.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] + 20 UDP 192.168.2.4:51518 <-> 31.13.91.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] + 21 UDP 192.168.2.4:51518 <-> 31.13.100.14:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] + 22 UDP 192.168.2.4:52794 <-> 31.13.73.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] + 23 UDP 192.168.2.4:52794 <-> 31.13.74.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] + 24 UDP 192.168.2.4:52794 <-> 31.13.79.192:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec][PLAIN TEXT (ay.OF@)] + 25 UDP 192.168.2.4:52794 <-> 31.13.90.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] + 26 UDP 192.168.2.4:52794 <-> 31.13.93.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] + 27 UDP 192.168.2.4:52794 <-> 173.252.114.1:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] + 28 UDP 192.168.2.4:52794 <-> 179.60.192.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] + 29 TCP 192.168.2.4:49172 <-> 23.50.148.228:443 [proto: 91/TLS][cat: Web/5][3 pkts/174 bytes <-> 2 pkts/217 bytes][Goodput ratio: 0.0/39.0][0.03 
sec] + 30 TCP 192.168.2.4:49192 <-> 93.186.135.8:80 [proto: 7/HTTP][cat: Web/5][3 pkts/198 bytes <-> 2 pkts/132 bytes][Goodput ratio: 0.0/0.0][0.20 sec] + 31 UDP 192.168.2.4:51897 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][cat: Web/5][1 pkts/79 bytes <-> 1 pkts/251 bytes][Goodput ratio: 46.3/82.9][0.07 sec][Host: query.ess.apple.com][PLAIN TEXT (akadns)] + 32 UDP 192.168.2.4:52190 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][cat: Chat/9][1 pkts/76 bytes <-> 1 pkts/204 bytes][Goodput ratio: 44.2/79.0][0.03 sec][Host: e13.whatsapp.net][PLAIN TEXT (whatsapp)] + 33 UDP 192.168.2.1:57621 -> 192.168.2.255:57621 [proto: 156/Spotify][cat: Music/25][3 pkts/258 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.0/0.0][77.07 sec][PLAIN TEXT (SpotUdp)] + 34 UDP [fe80::c42c:3ff:fe60:6a64]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/258 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.7/0.0][0.24 sec] + 35 UDP [fe80::da30:62ff:fe56:1c]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/258 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.7/0.0][0.24 sec] + 36 UDP 169.254.166.207:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/218 bytes -> 0 pkts/0 bytes][Goodput ratio: 61.2/0.0][0.24 sec] + 37 UDP 192.168.2.1:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/218 bytes -> 0 pkts/0 bytes][Goodput ratio: 61.2/0.0][0.24 sec] + 38 TCP 192.168.2.4:49173 <-> 93.186.135.82:80 [proto: 7/HTTP][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0.0/0.0][0.03 sec] + 39 TCP 192.168.2.4:49174 <-> 5.178.42.26:80 [proto: 7/HTTP][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0.0/0.0][0.03 sec] + 40 TCP 192.168.2.4:49194 <-> 93.62.150.157:443 [proto: 91/TLS][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0.0/0.0][0.06 sec] + 41 TCP 192.168.2.4:49203 <-> 17.178.104.14:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0.0/0.0][0.28 sec] + 42 TCP 
192.168.2.4:49163 <-> 17.154.66.111:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.30 sec] + 43 TCP 192.168.2.4:49164 <-> 17.167.142.31:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.17 sec] + 44 TCP 192.168.2.4:49165 <-> 17.172.100.55:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.21 sec] + 45 TCP 192.168.2.4:49166 <-> 17.154.66.121:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.30 sec] + 46 TCP 192.168.2.4:49167 <-> 17.172.100.8:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.16 sec] + 47 TCP 192.168.2.4:49169 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.21 sec] + 48 TCP 192.168.2.4:49175 <-> 17.172.100.53:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.22 sec] + 49 TCP 192.168.2.4:49176 <-> 17.130.137.77:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.05 sec] + 50 TCP 192.168.2.4:49180 <-> 17.172.100.59:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.28 sec] + 51 TCP 192.168.2.4:49181 <-> 17.172.100.37:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.28 sec] + 52 TCP 192.168.2.4:49182 <-> 17.172.100.52:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.16 sec] + 53 TCP 192.168.2.4:49191 <-> 17.172.100.49:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.17 sec] + 54 TCP 192.168.2.4:49197 <-> 17.167.142.39:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 
bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.26 sec] + 55 TCP 192.168.2.4:49198 <-> 17.167.142.13:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.26 sec] + 56 TCP 192.168.2.4:49200 <-> 17.167.142.13:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.28 sec] + + +Undetected flows: + 1 TCP 192.168.2.4:49202 <-> 184.173.179.37:5222 [proto: 0/Unknown][100 pkts/14711 bytes <-> 80 pkts/10163 bytes][Goodput ratio: 55.1/48.0][134.29 sec][bytes ratio: 0.183 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1384.9/1865.5 28162/28146 4416.3/5104.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 147.1/127.0 1506/754 238.5/99.0][PLAIN TEXT (iPhone)] diff --git a/tests/result/whatsapp_login_chat.pcap.out b/tests/result/whatsapp_login_chat.pcap.out index 59a9dce17..34936abdb 100644 --- a/tests/result/whatsapp_login_chat.pcap.out +++ b/tests/result/whatsapp_login_chat.pcap.out 
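Review bot: For the flow to `17.178.104.12:443`, the new expected line keeps `Certificate SHA-1: BD:E0:62:C3:...:F1:9B` but changes `Validity` from `2014-03-08 01:53:04 - 2029-03-08 01:53:04` to `2015-05-06 01:09:47 - 2016-06-04 01:09:47`. A fingerprint and a validity window that change independently cannot both describe the same certificate in both versions. Presumably one of the fields is, or was, taken from a different certificate in the chain. It is worth checking against the capture which certificate each field belongs to before accepting this baseline, because an expiry or pinning check built on these exported fields would otherwise mix data from two certificates.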
@@ -1,16 +1,20 @@ +Unknown 30 2963 1 MDNS 2 202 2 DHCP 6 2052 1 Dropbox 2 1088 1 Apple 50 23466 2 -WhatsApp 32 3243 2 +WhatsApp 2 280 1 Spotify 1 86 1 1 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][24 pkts/15117 bytes <-> 20 pkts/6254 bytes][Goodput ratio: 91.4/82.7][3.89 sec][bytes ratio: 0.415 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 179.5/27.0 2803/212 622.4/56.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 629.9/312.7 1494/1002 544.4/369.6][PLAIN TEXT (BjmkLnl)] - 2 TCP 192.168.2.4:49206 <-> 158.85.58.15:5222 [proto: 142/WhatsApp][cat: Chat/9][17 pkts/1794 bytes <-> 13 pkts/1169 bytes][Goodput ratio: 36.8/25.9][19.72 sec][bytes ratio: 0.211 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/10 1370.8/2065.9 10513/10479 2987.9/3556.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 105.5/89.9 267/144 67.5/22.2][PLAIN TEXT (iPhone)] - 3 TCP 17.110.229.14:5223 -> 192.168.2.4:49193 [proto: 238.140/ApplePush.Apple][cat: Cloud/13][6 pkts/2095 bytes -> 0 pkts/0 bytes][Goodput ratio: 81.1/0.0][20.00 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 659/0 4000.2/0.0 10199/0 3475.6/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 220/0 349.2/0.0 375/0 57.8/0.0] - 4 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][6 pkts/2052 bytes -> 0 pkts/0 bytes][Goodput ratio: 87.7/0.0][25.29 sec][Host: lucas-imac][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1983/0 5058.0/0.0 8569/0 2765.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 342/0 342.0/0.0 342/0 0.0/0.0][DHCP Fingerprint: 1,3,6,15,119,95,252,44,46] - 5 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][cat: Cloud/13][2 pkts/1088 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][30.04 sec][PLAIN TEXT ( 3375359593)] - 6 UDP 192.168.2.4:61697 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][cat: Chat/9][1 pkts/76 bytes <-> 1 pkts/204 bytes][Goodput ratio: 44.2/79.0][0.03 sec][Host: e12.whatsapp.net][PLAIN TEXT (whatsapp)] - 7 UDP 
[fe80::189c:c31b:1298:224]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/111 bytes -> 0 pkts/0 bytes][Goodput ratio: 43.8/0.0][< 1 sec][PLAIN TEXT (airplay)] - 8 UDP 192.168.2.4:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Goodput ratio: 53.3/0.0][< 1 sec][PLAIN TEXT (airplay)] - 9 UDP 192.168.2.1:57621 -> 192.168.2.255:57621 [proto: 156/Spotify][cat: Music/25][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 50.6/0.0][< 1 sec][PLAIN TEXT (SpotUdp)] + 2 TCP 17.110.229.14:5223 -> 192.168.2.4:49193 [proto: 238.140/ApplePush.Apple][cat: Cloud/13][6 pkts/2095 bytes -> 0 pkts/0 bytes][Goodput ratio: 81.1/0.0][20.00 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 659/0 4000.2/0.0 10199/0 3475.6/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 220/0 349.2/0.0 375/0 57.8/0.0] + 3 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][6 pkts/2052 bytes -> 0 pkts/0 bytes][Goodput ratio: 87.7/0.0][25.29 sec][Host: lucas-imac][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1983/0 5058.0/0.0 8569/0 2765.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 342/0 342.0/0.0 342/0 0.0/0.0][DHCP Fingerprint: 1,3,6,15,119,95,252,44,46] + 4 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][cat: Cloud/13][2 pkts/1088 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][30.04 sec][PLAIN TEXT ( 3375359593)] + 5 UDP 192.168.2.4:61697 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][cat: Chat/9][1 pkts/76 bytes <-> 1 pkts/204 bytes][Goodput ratio: 44.2/79.0][0.03 sec][Host: e12.whatsapp.net][PLAIN TEXT (whatsapp)] + 6 UDP [fe80::189c:c31b:1298:224]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/111 bytes -> 0 pkts/0 bytes][Goodput ratio: 43.8/0.0][< 1 sec][PLAIN TEXT (airplay)] + 7 UDP 192.168.2.4:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Goodput ratio: 53.3/0.0][< 1 sec][PLAIN TEXT (airplay)] + 8 UDP 
192.168.2.1:57621 -> 192.168.2.255:57621 [proto: 156/Spotify][cat: Music/25][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 50.6/0.0][< 1 sec][PLAIN TEXT (SpotUdp)] + + +Undetected flows: + 1 TCP 192.168.2.4:49206 <-> 158.85.58.15:5222 [proto: 0/Unknown][17 pkts/1794 bytes <-> 13 pkts/1169 bytes][Goodput ratio: 36.8/25.9][19.72 sec][bytes ratio: 0.211 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/10 1370.8/2065.9 10513/10479 2987.9/3556.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 105.5/89.9 267/144 67.5/22.2][PLAIN TEXT (iPhone)] diff --git a/tests/result/whatsapp_voice_and_message.pcap.out b/tests/result/whatsapp_voice_and_message.pcap.out index dfe3d9087..a8a374119 100644 --- a/tests/result/whatsapp_voice_and_message.pcap.out +++ b/tests/result/whatsapp_voice_and_message.pcap.out 
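Review bot: The new expectation in tests/result/whatsapp_login_chat.pcap.out records a lost classification, not a formatting change. Flow `192.168.2.4:49206 <-> 158.85.58.15:5222` moves from `[proto: 142/WhatsApp][cat: Chat/9]` to `[proto: 0/Unknown]` under "Undetected flows", and the summary goes from `WhatsApp 32 3243 2` to `WhatsApp 2 280 1` plus `Unknown 30 2963 1`. The whatsapp_voice_and_message.pcap.out hunk that follows shows a similar downgrade: `10.8.0.1:35480 <-> 184.173.179.46:443` drops from `142/WhatsApp` to plain `91/TLS` with `cat: Web/5`. The preceding file's hunk, which begins outside this view, also adds an Undetected entry for a `:5222` flow. The commit message for this patch is not visible here, so this may be intended; if so it should say so explicitly, and otherwise the old expected lines should stay until the dissector matches these flows again. Regenerating the golden file removes the only check that would catch chat traffic falling out of the WhatsApp category for anyone alerting or filtering on it.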
@@ -1,11 +1,12 @@ WhatsAppCall 44 5916 8 -WhatsApp 217 22139 5 +TLS 46 4990 1 +WhatsApp 171 17149 4 1 TCP 10.8.0.1:42241 <-> 173.192.222.189:5222 [proto: 142/WhatsApp][cat: Chat/9][30 pkts/2539 bytes <-> 32 pkts/3070 bytes][Goodput ratio: 35.4/43.7][47.83 sec][bytes ratio: -0.095 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1857.9/1709.0 28667/28718 5782.9/5581.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 84.6/95.9 299/559 55.4/94.3][PLAIN TEXT (Android)] - 2 TCP 10.8.0.1:35480 <-> 184.173.179.46:443 [proto: 142/WhatsApp][cat: Chat/9][24 pkts/3029 bytes <-> 22 pkts/1961 bytes][Goodput ratio: 56.5/39.4][13.49 sec][bytes ratio: 0.214 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 680.6/812.4 10696/10748 2366.1/2569.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 126.2/89.1 590/469 124.1/91.7][PLAIN TEXT (Android)] + 2 TCP 10.8.0.1:35480 <-> 184.173.179.46:443 [proto: 91/TLS][cat: Web/5][24 pkts/3029 bytes <-> 22 pkts/1961 bytes][Goodput ratio: 56.5/39.4][13.49 sec][bytes ratio: 0.214 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 680.6/812.4 10696/10748 2366.1/2569.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 126.2/89.1 590/469 124.1/91.7][PLAIN TEXT (Android)] 3 TCP 10.8.0.1:44819 <-> 158.85.58.42:5222 [proto: 142/WhatsApp][cat: Chat/9][15 pkts/2690 bytes <-> 15 pkts/2019 bytes][Goodput ratio: 69.1/59.9][8.61 sec][bytes ratio: 0.142 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 717.0/767.1 8044/4043 2210.4/1535.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 179.3/134.6 590/1022 202.7/240.7][PLAIN TEXT (Android)] 4 TCP 10.8.0.1:49721 <-> 158.85.58.109:5222 [proto: 142/WhatsApp][cat: Chat/9][26 pkts/2311 bytes <-> 26 pkts/2300 bytes][Goodput ratio: 38.4/38.9][10.07 sec][bytes ratio: 0.002 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 495.5/397.2 6149/6160 1350.6/1325.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 88.9/88.5 299/308 58.4/60.8][PLAIN TEXT (Android)] - 5 TCP 10.8.0.1:51570 <-> 158.85.5.199:443 [proto: 142/WhatsApp][cat: Chat/9][14 pkts/1123 bytes <-> 13 pkts/1097 
bytes][Goodput ratio: 30.9/36.0][1.34 sec][bytes ratio: 0.012 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 96.3/113.5 318/331 104.1/95.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 80.2/84.4 231/286 43.9/62.4][PLAIN TEXT (Android)] + 5 TCP 10.8.0.1:51570 <-> 158.85.5.199:443 [proto: 91.142/TLS.WhatsApp][cat: Chat/9][14 pkts/1123 bytes <-> 13 pkts/1097 bytes][Goodput ratio: 30.9/36.0][1.34 sec][bytes ratio: 0.012 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 96.3/113.5 318/331 104.1/95.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 80.2/84.4 231/286 43.9/62.4][PLAIN TEXT (Android)] 6 UDP 10.8.0.1:53620 <-> 31.13.73.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][5 pkts/840 bytes <-> 4 pkts/344 bytes][Goodput ratio: 74.9/51.0][60.68 sec][bytes ratio: 0.419 (Upload)][IAT c2s/s2c min/avg/max/stddev: 208/189 15170.2/209.7 60006/241 25885.9/22.5][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168.0/86.0 168/86 0.0/0.0] 7 UDP 10.8.0.1:53620 <-> 31.13.64.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][58.83 sec] 8 UDP 10.8.0.1:53620 <-> 31.13.74.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][58.25 sec] diff --git a/tests/result/whatsappfiles.pcap.out b/tests/result/whatsappfiles.pcap.out index 31562abea..6ea83f436 100644 --- a/tests/result/whatsappfiles.pcap.out +++ b/tests/result/whatsappfiles.pcap.out 
@@ -6,4 +6,4 @@ JA3 Host Stats: 1 TCP 192.168.2.29:49698 <-> 185.60.216.53:443 [proto: 91.242/TLS.WhatsAppFiles][cat: Download-FileTransfer-FileSharing/7][132 pkts/9906 bytes <-> 178 pkts/237405 bytes][Goodput ratio: 11.8/95.0][7.27 sec][bytes ratio: -0.920 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 61.6/47.4 5775/5834 571.5/481.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 75.0/1333.7 583/1464 51.0/391.7][TLSv1.2][Client: mmg-fna.whatsapp.net][JA3C: 4e1a414c4f4c99097edd2a9a98e336c8][JA3S: 96681175a9547081bf3d417f1a572091][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] - 2 TCP 192.168.2.29:49674 <-> 185.60.216.53:443 [proto: 91.242/TLS.WhatsAppFiles][cat: Download-FileTransfer-FileSharing/7][161 pkts/189194 bytes <-> 149 pkts/15728 bytes][Goodput ratio: 94.4/31.7][110.02 sec][bytes ratio: 0.846 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 322.0/659.4 24639/64743 2277.8/6018.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 1175.1/105.6 1464/1464 540.1/167.3][TLSv1.2][Client: mmg-fna.whatsapp.net][JA3C: 107144b88827da5da9ed42d8776ccdc5][Server: *.whatsapp.net][JA3S: 2d1eb5817ece335c24904f516ad5da12][Organization: Facebook, Inc.][Certificate SHA-1: 10:54:EB:4A:A2:2A:42:2F:A6:1C:E7:9C:F4:84:10:7E:30:2E:56:BB][Validity: 2017-04-26 00:00:00 - 2018-05-01 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] + 2 TCP 192.168.2.29:49674 <-> 185.60.216.53:443 [proto: 91.242/TLS.WhatsAppFiles][cat: Download-FileTransfer-FileSharing/7][161 pkts/189194 bytes <-> 149 pkts/15728 bytes][Goodput ratio: 94.4/31.7][110.02 sec][bytes ratio: 0.846 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 322.0/659.4 24639/64743 2277.8/6018.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 1175.1/105.6 1464/1464 540.1/167.3][TLSv1.2][Client: mmg-fna.whatsapp.net][JA3C: 107144b88827da5da9ed42d8776ccdc5][ServerNames: *.cdn.whatsapp.net,*.snr.whatsapp.net,*.whatsapp.com,*.whatsapp.net,whatsapp.com,whatsapp.net][JA3S: 2d1eb5817ece335c24904f516ad5da12][Organization: Facebook, Inc.][Certificate SHA-1: 
10:54:EB:4A:A2:2A:42:2F:A6:1C:E7:9C:F4:84:10:7E:30:2E:56:BB][Validity: 2017-04-26 00:00:00 - 2018-05-01 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] diff --git a/tests/result/youtubeupload.pcap.out b/tests/result/youtubeupload.pcap.out index ce4a75468..f6b1856e6 100644 --- a/tests/result/youtubeupload.pcap.out +++ b/tests/result/youtubeupload.pcap.out 
@@ -7,4 +7,4 @@ JA3 Host Stats: 1 UDP 192.168.2.27:51925 <-> 172.217.23.111:443 [proto: 188.136/QUIC.YouTubeUpload][cat: Media/1][80 pkts/100473 bytes <-> 20 pkts/6003 bytes][Goodput ratio: 96.7/86.0][3.49 sec][Host: upload.youtube.com][bytes ratio: 0.887 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 33.0/249.2 1825/1883 216.5/551.3][Pkt Len c2s/s2c min/avg/max/stddev: 77/58 1255.9/300.1 1392/1392 385.3/473.5][PLAIN TEXT (upload.youtube.comQ)] 2 UDP 192.168.2.27:62232 <-> 172.217.23.111:443 [proto: 188.136/QUIC.YouTubeUpload][cat: Media/1][13 pkts/8651 bytes <-> 11 pkts/6463 bytes][Goodput ratio: 93.7/92.8][16.89 sec][Host: upload.youtube.com][bytes ratio: 0.145 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1666.9/2090.5 14942/15097 4450.3/4940.9][Pkt Len c2s/s2c min/avg/max/stddev: 65/60 665.5/587.5 1392/1392 633.6/618.0][PLAIN TEXT (upload.youtube.comQ)] - 3 TCP 192.168.2.27:57452 <-> 172.217.23.111:443 [proto: 91.136/TLS.YouTubeUpload][cat: Media/1][6 pkts/649 bytes <-> 7 pkts/4799 bytes][Goodput ratio: 45.4/91.9][0.12 sec][bytes ratio: -0.762 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21.5/11.8 57/39 23.4/15.2][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 108.2/685.6 256/1484 73.1/634.0][TLSv1.2][Client: upload.youtube.com][JA3C: bc6c386f480ee97b9d9e52d472b772d8][Server: upload.video.google.com][JA3S: b26c652e0a402a24b5ca2a660e84f9d5][Organization: Google Inc][Certificate SHA-1: EE:3E:32:FB:B1:2E:82:EE:DF:FF:C0:1B:27:CD:BF:D8:8A:CB:BD:63][Validity: 2017-11-01 13:50:15 - 2018-01-24 13:31:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 3 TCP 192.168.2.27:57452 <-> 172.217.23.111:443 [proto: 91.136/TLS.YouTubeUpload][cat: Media/1][6 pkts/649 bytes <-> 7 pkts/4799 bytes][Goodput ratio: 45.4/91.9][0.12 sec][bytes ratio: -0.762 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21.5/11.8 57/39 23.4/15.2][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 108.2/685.6 256/1484 73.1/634.0][TLSv1.2][Client: upload.youtube.com][JA3C: 
bc6c386f480ee97b9d9e52d472b772d8][ServerNames: upload.video.google.com,*.clients.google.com,*.docs.google.com,*.drive.google.com,*.gdata.youtube.com,*.googleapis.com,*.photos.google.com,*.upload.google.com,*.upload.youtube.com,*.youtube-3rd-party.com,upload.google.com,upload.youtube.com,uploads.stage.gdata.youtube.com][JA3S: b26c652e0a402a24b5ca2a660e84f9d5][Organization: Google Inc][Certificate SHA-1: EE:3E:32:FB:B1:2E:82:EE:DF:FF:C0:1B:27:CD:BF:D8:8A:CB:BD:63][Validity: 2017-11-01 13:50:15 - 2018-01-24 13:31:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] diff --git a/tests/result/zoom.pcap.out b/tests/result/zoom.pcap.out index a006ae7a6..dff863194 100644 --- a/tests/result/zoom.pcap.out +++ b/tests/result/zoom.pcap.out 
@@ -17,14 +17,14 @@ JA3 Host Stats: 1 UDP 192.168.1.117:58327 <-> 109.94.160.99:8801 [proto: 189/Zoom][cat: Video/26][10 pkts/7806 bytes <-> 175 pkts/184434 bytes][Goodput ratio: 94.6/96.0][1.44 sec][bytes ratio: -0.919 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 13.8/7.8 32/35 10.6/4.6][Pkt Len c2s/s2c min/avg/max/stddev: 55/60 780.6/1053.9 1071/1071 444.1/129.4][PLAIN TEXT (replace)] - 2 TCP 192.168.1.117:54871 <-> 109.94.160.99:443 [proto: 91.189/TLS.Zoom][cat: Video/26][127 pkts/54118 bytes <-> 83 pkts/17526 bytes][Goodput ratio: 84.5/68.6][2.00 sec][bytes ratio: 0.511 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 16.9/9.2 950/156 93.0/23.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 426.1/211.2 1506/1506 458.2/363.6][TLSv1.2][Client: zoomfrn99mmr.zoom.us][JA3C: c51de225944b7d58d48c0f99f86ba8e6][Server: *.zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 3 TCP 192.168.1.117:54866 <-> 52.202.62.236:443 [proto: 91.189/TLS.Zoom][cat: Video/26][16 pkts/3097 bytes <-> 17 pkts/18622 bytes][Goodput ratio: 71.3/94.9][0.61 sec][bytes ratio: -0.715 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 32.5/27.5 114/143 46.8/50.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 193.6/1095.4 864/1506 265.3/617.8][TLSv1.2][Client: www3.zoom.us][JA3C: 535aca3d99fc247509cd50933cd71d37][Server: *.zoom.us][JA3S: 3c30f2c064a3aed8cd95de8d68c726a6][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 4 TCP 192.168.1.117:54865 <-> 52.202.62.196:443 [proto: 91.189/TLS.Zoom][cat: Video/26][15 pkts/2448 bytes <-> 15 pkts/16505 bytes][Goodput ratio: 65.9/94.9][0.50 sec][bytes ratio: -0.742 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 31.2/21.7 112/136 46.2/45.9][Pkt Len c2s/s2c 
min/avg/max/stddev: 54/60 163.2/1100.3 687/1506 200.1/622.5][TLSv1.2][Client: zoom.us][JA3C: 535aca3d99fc247509cd50933cd71d37][Server: *.zoom.us][JA3S: 3c30f2c064a3aed8cd95de8d68c726a6][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 5 TCP 192.168.1.117:54868 <-> 213.19.144.104:443 [proto: 91.189/TLS.Zoom][cat: Video/26][17 pkts/2534 bytes <-> 13 pkts/7180 bytes][Goodput ratio: 56.2/88.0][0.41 sec][bytes ratio: -0.478 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27.9/41.1 87/168 27.5/61.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 149.1/552.3 642/1506 174.8/611.7][TLSv1.2][Client: zoomam104zc.zoom.us][JA3C: c51de225944b7d58d48c0f99f86ba8e6][Server: *.zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 6 TCP 192.168.1.117:54869 <-> 213.244.140.85:443 [proto: 91.189/TLS.Zoom][cat: Video/26][16 pkts/2480 bytes <-> 13 pkts/7182 bytes][Goodput ratio: 57.4/88.0][0.39 sec][bytes ratio: -0.487 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27.3/40.9 202/224 51.8/71.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 155.0/552.5 642/1506 178.5/611.7][TLSv1.2][Client: zoomfr85zc.zoom.us][JA3C: c51de225944b7d58d48c0f99f86ba8e6][Server: *.zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 7 TCP 192.168.1.117:54867 <-> 213.19.144.105:443 [proto: 91.189/TLS.Zoom][cat: Video/26][16 pkts/2468 bytes <-> 13 pkts/7188 bytes][Goodput ratio: 57.7/88.0][0.42 sec][bytes ratio: -0.489 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 30.2/42.6 147/178 40.5/63.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 
154.2/552.9 642/1506 178.9/611.6][TLSv1.2][Client: zoomam105zc.zoom.us][JA3C: c51de225944b7d58d48c0f99f86ba8e6][Server: *.zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 8 TCP 192.168.1.117:54870 <-> 213.244.140.84:443 [proto: 91.189/TLS.Zoom][cat: Video/26][16 pkts/1832 bytes <-> 12 pkts/6702 bytes][Goodput ratio: 44.3/88.1][0.38 sec][bytes ratio: -0.571 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27.9/40.2 187/280 49.0/91.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 114.5/558.5 583/1506 129.0/636.0][TLSv1.2][Client: zoomfr84zc.zoom.us][JA3C: c51de225944b7d58d48c0f99f86ba8e6][Server: *.zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 9 TCP 192.168.1.117:54864 <-> 52.202.62.238:443 [proto: 91.189/TLS.Zoom][cat: Video/26][10 pkts/2030 bytes <-> 8 pkts/6283 bytes][Goodput ratio: 72.2/92.8][0.47 sec][bytes ratio: -0.512 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 58.5/40.3 110/131 49.6/57.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 203.0/785.4 812/1506 256.3/675.1][TLSv1.2][Client: log.zoom.us][JA3C: 535aca3d99fc247509cd50933cd71d37][Server: *.zoom.us][JA3S: 3c30f2c064a3aed8cd95de8d68c726a6][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 2 TCP 192.168.1.117:54871 <-> 109.94.160.99:443 [proto: 91.189/TLS.Zoom][cat: Video/26][127 pkts/54118 bytes <-> 83 pkts/17526 bytes][Goodput ratio: 84.5/68.6][2.00 sec][bytes ratio: 0.511 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 16.9/9.2 950/156 93.0/23.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 426.1/211.2 1506/1506 
458.2/363.6][TLSv1.2][Client: zoomfrn99mmr.zoom.us][JA3C: c51de225944b7d58d48c0f99f86ba8e6][ServerNames: *.zoom.us,zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 3 TCP 192.168.1.117:54866 <-> 52.202.62.236:443 [proto: 91.189/TLS.Zoom][cat: Video/26][16 pkts/3097 bytes <-> 17 pkts/18622 bytes][Goodput ratio: 71.3/94.9][0.61 sec][bytes ratio: -0.715 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 32.5/27.5 114/143 46.8/50.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 193.6/1095.4 864/1506 265.3/617.8][TLSv1.2][Client: www3.zoom.us][JA3C: 535aca3d99fc247509cd50933cd71d37][ServerNames: *.zoom.us,zoom.us][JA3S: 3c30f2c064a3aed8cd95de8d68c726a6][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 4 TCP 192.168.1.117:54865 <-> 52.202.62.196:443 [proto: 91.189/TLS.Zoom][cat: Video/26][15 pkts/2448 bytes <-> 15 pkts/16505 bytes][Goodput ratio: 65.9/94.9][0.50 sec][bytes ratio: -0.742 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 31.2/21.7 112/136 46.2/45.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 163.2/1100.3 687/1506 200.1/622.5][TLSv1.2][Client: zoom.us][JA3C: 535aca3d99fc247509cd50933cd71d37][ServerNames: *.zoom.us,zoom.us][JA3S: 3c30f2c064a3aed8cd95de8d68c726a6][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 5 TCP 192.168.1.117:54868 <-> 213.19.144.104:443 [proto: 91.189/TLS.Zoom][cat: Video/26][17 pkts/2534 bytes <-> 13 pkts/7180 bytes][Goodput ratio: 56.2/88.0][0.41 sec][bytes ratio: -0.478 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27.9/41.1 87/168 27.5/61.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 149.1/552.3 
642/1506 174.8/611.7][TLSv1.2][Client: zoomam104zc.zoom.us][JA3C: c51de225944b7d58d48c0f99f86ba8e6][ServerNames: *.zoom.us,zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 6 TCP 192.168.1.117:54869 <-> 213.244.140.85:443 [proto: 91.189/TLS.Zoom][cat: Video/26][16 pkts/2480 bytes <-> 13 pkts/7182 bytes][Goodput ratio: 57.4/88.0][0.39 sec][bytes ratio: -0.487 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27.3/40.9 202/224 51.8/71.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 155.0/552.5 642/1506 178.5/611.7][TLSv1.2][Client: zoomfr85zc.zoom.us][JA3C: c51de225944b7d58d48c0f99f86ba8e6][ServerNames: *.zoom.us,zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 7 TCP 192.168.1.117:54867 <-> 213.19.144.105:443 [proto: 91.189/TLS.Zoom][cat: Video/26][16 pkts/2468 bytes <-> 13 pkts/7188 bytes][Goodput ratio: 57.7/88.0][0.42 sec][bytes ratio: -0.489 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 30.2/42.6 147/178 40.5/63.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 154.2/552.9 642/1506 178.9/611.6][TLSv1.2][Client: zoomam105zc.zoom.us][JA3C: c51de225944b7d58d48c0f99f86ba8e6][ServerNames: *.zoom.us,zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 8 TCP 192.168.1.117:54870 <-> 213.244.140.84:443 [proto: 91.189/TLS.Zoom][cat: Video/26][16 pkts/1832 bytes <-> 12 pkts/6702 bytes][Goodput ratio: 44.3/88.1][0.38 sec][bytes ratio: -0.571 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27.9/40.2 187/280 49.0/91.1][Pkt Len c2s/s2c min/avg/max/stddev: 
54/66 114.5/558.5 583/1506 129.0/636.0][TLSv1.2][Client: zoomfr84zc.zoom.us][JA3C: c51de225944b7d58d48c0f99f86ba8e6][ServerNames: *.zoom.us,zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 9 TCP 192.168.1.117:54864 <-> 52.202.62.238:443 [proto: 91.189/TLS.Zoom][cat: Video/26][10 pkts/2030 bytes <-> 8 pkts/6283 bytes][Goodput ratio: 72.2/92.8][0.47 sec][bytes ratio: -0.512 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 58.5/40.3 110/131 49.6/57.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 203.0/785.4 812/1506 256.3/675.1][TLSv1.2][Client: log.zoom.us][JA3C: 535aca3d99fc247509cd50933cd71d37][ServerNames: *.zoom.us,zoom.us][JA3S: 3c30f2c064a3aed8cd95de8d68c726a6][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 10 TCP 192.168.1.117:53872 <-> 35.186.224.53:443 [proto: 91.126/TLS.Google][cat: Web/5][8 pkts/2017 bytes <-> 8 pkts/4822 bytes][Goodput ratio: 73.8/89.0][0.07 sec][bytes ratio: -0.410 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9.7/9.5 58/45 21.6/16.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 252.1/602.8 1434/1484 447.5/585.4] 11 TCP 192.168.1.117:54863 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][cat: Network/14][10 pkts/2198 bytes <-> 10 pkts/2067 bytes][Goodput ratio: 69.4/67.6][5.26 sec][bytes ratio: 0.031 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 644.8/739.7 5003/5003 1647.5/1740.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 219.8/206.7 932/1292 283.1/364.2][TLSv1.2][Client: dati.ntop.org][JA3C: a795593605a13211941d44505b4d1e39][JA3S: dd4b012f7a008e741554bd0a4ed12920][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] 12 TCP 192.168.1.117:54854 -> 172.217.21.72:443 [proto: 91.126/TLS.Google][cat: Web/5][4 pkts/1060 bytes -> 0 pkts/0 
bytes][Goodput ratio: 75.0/0.0][6.46 sec][TLSv1][Client: www.googletagmanager.com][JA3C: d78489b860c8bf7838a6ff0b4d131541] From f6c7a33177d4db9c7fdac054b8b0e26f99715c28 Mon Sep 17 00:00:00 2001 From: Luca Date: Wed, 1 Jan 2020 21:27:18 +0100 Subject: [PATCH 06/12] Added TLS test --- tests/pcap/tls_long_cert.pcap | Bin 0 -> 120537 bytes tests/result/tls_long_cert.pcap.out | 8 ++++++++ 2 files changed, 8 insertions(+) create mode 100644 tests/pcap/tls_long_cert.pcap create mode 100644 tests/result/tls_long_cert.pcap.out 
diff --git a/tests/pcap/tls_long_cert.pcap b/tests/pcap/tls_long_cert.pcap new file mode 100644 index 0000000000000000000000000000000000000000..062bf72f162044c7274843237e3e542bb4136a99 GIT binary patch literal 120537 zcmdSAby!s08a6(|(A^<|bjQ#g0@5idNO!k{ba#q`luCDZcZW)&q#_;C`OWC-dDZuv z^IhM$uHPTO(WUIY*S^=Yp17Z9tu=h;u6hjvfCc>hfdv2|7a>|{PiOrB07b~p&<0C5 z&9<-Y&eqwgM}-J@1OSLa|BAx%^mY`$_*mG_=x(C}o0(X5AnyPG6)<;qU~>Qf1{SUc z2m-+afr!Xd<#TS(XRt6o(52P^09nX2wEe*SF~)avK`1&m{KG*gGIRuB^ENtLnxr0N zgn(>pN3#2cKhR-e5RoV9t(KwakdY9ea;HO(#UQBA_7Ax^|B`$154i&%==y$`h{!cA z0Ki}J#z2vwh{K-&04a#v(Do-H4Brn#u91I>NQj8sXz@EDJ_rZ{Q8Mrv1d`Sp>)}S6 zQ>0YInYj{pGZ!Yt-w?``vlxPFmF{{sEKa7Y^RgCRXd^E5QPL6nsRkU(w`0#E=jkb9Jn7cl|o z08|(Yc0>yo7Y9~07B&DJ01omD@2xGS5dxg#e9#aeOZg)N^qE-qLj5oS z+l}@=+zR5PcM$iFfg*030RdZZfbZ>3M7TwAekkI-{r`j*NcI!a8URJa2Y~>J5SNz) zfz;XOZ6=>vBuIBngL>AEUeFd=EVqSw)e>AwFx}uAF9JHi006}gAA%YO1po^IK-?Va zI}mvw{sRXwqXjzz62k`tfZ++ia04K(f&-90fdi2GvOzFF7#K{15?dEb;grhPr)k{^ zI){s3G(P&t7cv<; zV>Ti%0rWNs4kpymO(2hqA&*#$?QPjez{Jo;ARJsNQ+qWhS7#Tp$Epv>#2=EegV}h& zqy%Ved|(bR5BU2>n*fa+4CVrJu|fU=gSEjXzl<-V#)bw)fubSez&^IOHT-#r@Ym&i z@Vy_>;YdA_kRgML=wfI?rpn^PV#D%NNYD=i31^;3jksO zAor1B0wD1*bv}dxJFdzoUO@9nxdB=9^!?0WDTlsBJq)^cJuV_<^X3ch0Oe?QVa2E} z^#_T^>s?^|?xf;2_o#RLXIo`7yVD^;BGVaBc(9AF&fUwrP+MgY9E-=aPq9qB%oTy32>>6p z&&28F%H4NzKvf_0UWiOy_wr>-XwZAVS-VFPo0*wL=Ckwla{mxDu%SvXM3S00N^U$- zYmGn{p&CjGz_$Siao_-iDDVS_l1V6G3BmY&xN%x{73r=8Dr#<(yGL)u@p&_Cdch>n z4(PD>u(%spt{RM<)1QFNV?oSzUUF@AK?f%5X zb~bjhba44ycMgU&rcSp1=;{Os-#unvflsE`#($%9cr6j%<`8B zZ7gj~o$c*xEbUC8Qnd%rWkJi^ah@(fY{K#QJ<`X9{y!__eU^e2oT)BM}eI6rRuR!juo z+FIHe{=*)GKe|GmxI)~_+0e7ncIL`0g@BNMQ52yGgrvHOce+gi0BSWV@ zL-L<9viZ+5`Xw;_QV7d0e!}5o@?Tu#FAg!YbTYN`H2q_Wgnv)*4|2Hw_mh8PKx`;U znAtr0g{HvhP*TMJ0`Fj9K`?OHKUkO=79WfYkH`oQgo8r>0sr+A3|JW2{Q)cwB-?Ui zvt_e}FhdJXepXgv69)(>*tQPzyJ-8RyN2xdXBwR|@O}@lwN@+bH?~+9D<-kS(?1 z=_ep76%arQ{0N3jbl*xdtQ2g|`1;}XCQQ-OwWImo706^+_C=T@fl{t;;Bc4ZNeFX6LpZk)j%{%aisDF7jL5D>tS_NauUSN}=r 
zp%{qV8;;VLXCkq!QtwN2zmCp;xanJp1^+J=I@``E(Pi_q>K;M(=U(*lTWL~9nqCp5 z*6NI!sJmk$RbR48gT+gklb`i{I@P!jo^OAeWPe~?lZjRR?F#*Zl^2n-!C#%Q7bkMY zc1vCE9gl-Y+}Wqrfl4>OL1u5+$YCtE`*R~0s%{-4VFspFZ1+FxEN@jaFOl!f3rO1B zF{U9WC7OnQGFNDhKyor$2hFxrNLr`6d;iC4vTiiTjDH$+ucj z8(bEZCZ5JOii?N>3o51{VCc|E1V)^oo-WKbUlhn*@TEO0YF8Vw4FEP4Ql~_M13=E% zQ08}sFuxe2#D=y%7pH*#u-x4XWlK{j_rpZk%)9-;{E<0?PhSL@qlZ;0UrO0BwJ+ zB4F3a1);fw`19|%M5X+DE+GVL$5;HGOMaC0aFVx#lxHh1NZw|R;r19h|6y6M;V-52 z|5VzOfk`1804ePW{&z zL$`kvLa}hJp!Tr0M$C7dg8+yg5cl|fKW9$oYv4S4wrJ^tC+i&7+1)QoENtF?O?8f< z!E_t07vW?7`tAwc9zw_}l0fizk>zQjb(U7C(|}H>SsCK8%N4V#xKW@`Y_L35@*?TA zGPofSkzMcU)1DPqGTH6iX;; zPe0wbOVN0E7Ex>!esRPGy+3bKedm$hYEp7aY}~96%L{XUpsCwiM6Hdg+Y7!WQzf$5 z?Eb5+2Z}=2PwU$I|!{8ymRFSK3Y~NuaLaE?cTwx{D7b4G3unJUc zt_lpm1#zz^)>#EIR-=0{L+O9_dF#0*2T*00?D3JqQE-FPy3Y*+N9veFNFk{A&yGUz}?1 z3Iu3^0N>l6oC=a57lLvsiSO^6s_|p52g0c>BLCu4IOxtyBSh?4uz%(o$g1|=g$E%9 zq%wl+WUzCwakGQDc(uXKU`MbFq{4t>L_TpMS{=j>Ymho-NUUa6HxaL8Cn1p;?9D?MCFlI=S&!Q>Pm=$RoR-a_9 zQL4*SlwoJ!nFy#tP#J>vVA?CM>Df+ne)9rBT?2v zaQK}}XIqa_2O!4WK$FS&Xrdh0BsS+|sfX-Uqw{>H*OEugKiT)<}xz(4@ zT}oJVNbv&=+!RQd{V#$0#03(#-?Hfb6}VN9Vh9e3nCA`zbU@Id?H}b;)nBIxs=x33 zL(3}&A|WEcOZ<04sIZcd8eQxmtkSB>*xpBjirA8jk+Y~4r5p>naRwxR|2vW|rRNg{ z%&SG%1kGteZ_*d(sK_pu^|ug@S4kJ zE!;!3j-1%q-Bug256n-2UNnsASuD+W(D_KF0s&c&?$Gv+`NaPn?Z*fBf;a?lp0`3(AE3Od%6*OJZZ) zF(ST*pdxSPjm7Z8Nq_A#iDS~Tkn7^105S1H*tm8IsiSR1A`ndV7*yQdG$0@Z!kf_c zr??>ZAL4RG{~@l?PjR#L{vj?1LZ#n7Fl#i8mqjhKT`(}h#v`jR#ZsC0Ey+r(iP52$ zC49aeqcEu*zWotIO^4r9?=?H+_1S%K&QPx;ICH-P(ospooS+|7hMkXXI3zGX#cuvC*h)+hicE6MIcP=qso!!<$T)$8j{=nBqHOi z7UZS(6`#0R=&5zC%aGJ?nW&8SDrzO%$$jex%tsH4e5hTcL=ycMcg{y11jVMcNxW&_ z1*gndq*xx`6W0D3IwsOmzLi9zg59dh*MJxjq%n2NIVs~V>1hW3W*pta+Ek(Iwj*mR zXE;-P(C{(=Ea_zkKmcE<7>}uRZ{X_zBhhUu`;m{MdDNBANnzL zGmn}{jbi%g4p}cZf97in>2$|MTJ{;0o+;#}&N z&8JgJH>9qr(B>N%>WJve{r*dyq0F9f>g<^(NQ`#Kl;HYP3Pp-$u4j>Sf-G0DZxe9@ z+;)`me6WCm57#A+D#g+P`}+pFSiUqfS@#P%xwx&*_9(Tg@(5hyHhoewg0f#u^Qjgd zimqR3AaK=<&3#m7p!46hp$A_!M0UT@Hc{M)TxmHk@K_ayRh?`4sAr`9Tw#-?W_X2) 
z{SUgba$epiPzn=gtxn!piI^2VfAe8E}X&{9=~Jn*0|hrbR>WWXPkGn zO*{32=tKYLa{M!@lB0_BM9IOu%n!blA%^kyhPJ-)@EK|1y(?x`G4jg@*ZkrMANpZ# z0$!lkf!d8!RXiFod_!ZZjq5T!CV&$fm3nJH04L-;4%+^#W`H#0!q95w!Rz0vnI|qx ztov|&kZLC1=topS2!sMs%~U}-tO>H#tOEeXg37Q``bPsJza6uyicl~Y)R?dOaf zdc+=GI&Ut3wC@ns3$TdwXG7f61ibovx-_4R^ZPIE3fw$GgMi2XSBIwnyUin z3+3v=$Ft6(z(QRO?)?u#?H}gC?)lh>j;6^?J8t#sm)V;bzS7Y4225=DrRi7R%WLj`G%gjKn^mYgK$ynI-|%VG2Zt|F5a) zD32{o+YFMbu2ZM~#cZQcJwg!^um48;(<%T?auKLi$P#|HinbXO>ro!$Jn=jma>)JH z9xy$`D$P*Dqgx;#7Q&X$_76mVa?$UI68{#F5OCh_^gALnSxEn-BIK1Ir4J0kjz!fr z%Pl62bdB!S^74t5PHj4G)RsJQWrrD6*fGQ!otMkASgz8K#*zs3l3vT^Qe!h-^d@;+ zI~hU6E^pps-fAQ zjQ4j$=!D6?CmR3&RDeZcV<&ifj=Zs=yyjun+V>2bo%dDH2NdYI;U+KueMksE+n!AziVru+W(EUW&fCL1rvs;4o>DWn3mXh}hgrpw?;=AKM5f$LHLop|Bv3%j9HF zoDJYIQ$Ps;WmcWEP7PB_jinH}k_>ynISo{Ac+aTT)Mz53s2vSVZF_um38c@?3%KsWIg_rsJ?90jRpa*>#PDxE=Codp6FgAZf0(Be|#_oyy7@r)K|px_PexW^(|Do$}b-H~yDB`|%dWDr62Me9)G<~hc>YF$a0@+F89%go-bp zjJHH@<(6oD$-eaAzy1Qx9Qkne6^@#>cFPc|G5k}Zdk-ypj;7ucA1HGcPF41HEasUD zj(0JCwNr6CCHY8Qit4Ub*=1Sc^U3u1Qo=9E*p55}zAV(*5aH0PkJe%AUUc2fyXo@x zoAU{;*sljFIraP=kep(QU;`SRXUrP#YqXZ){Fxf zY<+&WI;w)$w@-ogPRLe?cs;m|2XwaIl)v?=q@S)~3!~jMtnbtTmMn8OQ{{e*_htQg`zXQQacA$eayibC;EjiR8G)wS;f;p zqi5Am4>iR>Pl?UeTC2HRv}$exp23*#y3$Bw3K-T4z!1i_@XN)lIN-bvSV4!2xHvY7 zizTVgvKFduW1yZUhMdgiG6`0|%xasbJYT9Osjr{qbDJ+r35q^LX!TRCh*vJLV$1`1 zF33?`Vi*Kj0KX98JW$!R6M;iN9it9x?Lg;sINxg7;Mu7-^fWkn zJi<`XQ7f>SClzV)K=pyFF|T~Y?L1`=^;&LJ!T_b+5=cA7B9sYKx4?t9@;MhjlP=6G z;(nMb384*#LQ)i-())A{^h_0C^2PZ{k$#QaSiPB2P|$r$4pUK~NdMM>8BSkG6zXj_!6Wh!3Qx=~vDv5vjV}c8Yz_`)6Acdsh8C>N?!r z>h89{wguu_3b!ukUfQS`>0XtPL%#xpE8IftYFoTs820MXIxB~aX2ux%$B{y9`h(Sr z2T9eH6$N9o<^jqkTG=?{DW0Mqom)1goya&2mmOV6E%}4qx<$_K-}@3Br1M^&h4D;N z&gJ=RMFRO*R!Fj$b`c8>+E*NX`FC^)p5`qp*4wiVu50KMS?U;1Rz{$76ZPNeM(jJ? 
zIQ>pHdJ{kCCQ0-^(+#R$f3+gHl)3x^ic&MNbYnc@IvKlA`Mggk`cs&=<#1J*7!w!m zaAHoosvHFaP2_A2zR9CcW%ElW8c6+F9)i}q*}D7RHsPDYOHC#%n5G)~0h?p?<2t%Y zyadv&tVwvhP3oVwu~g%U1RKhgVXiyFqf%IQJ9Cg^7`fxSwW*ID-$8G>ZGf70EB_@4fBte4b!;q_?BaU1)xn%ouHMi#V5S z!&Hvx&DA9ki>{k{Yafh5&Je8c=T}V8a;=fu^wR(7^N7k<+B#xFz7J<8-Ntvczsi*j zyg{&ov0Zug?%m0!ZIwJ2B$KIwQggicuEr~+XPv-Y35?P?lEWJpC)00c543Q>-2OY= zEqB;}!8xf(cx~Lg=aE@ceu%C|7qQ2JFF@>}sW28u=9qCcqAM7lbms4hw@Y@hNWM%J z@K7bath%y+WzWW?^^GQw1~^&9af;+t^0Zn(l+ z@J;c98P`vX#ke`kiwq5$Qt?_RJ!<+`yqw^#&QkjCvhcfa0>Vw>MM&V`)e0GN2QS&R z6=el&)%9Ktm)$(yd;vU?gC4L1nf3^ft#85l165AO5J;W_cImwwYR z#DH^nQ}BTk<8m}Ts0=;qJ)K5t%SkO*$@Ft?CJ;?O){^bv_*6u4 z{pWTE?0g^EIfOOm>egO*t|kJr^&k-xe|>f}eP6E@p@I0P$n2H*A8F3>k9kLH*3lPZ z&M)F|Y0oI+PvfUGiIKu1rwZ#5~KVyaQhikQ*}KYryf^O3z6-Ymfy1e`nD zZQ>@4c<#naOl_5gDF%eFPV(|5Sh2<0e_kP4_8)dn-X17W9=E$D3ibKz4W#ciD47NarMX|=RMYI{-r&fVf=#?;sqwN7@*_ShuX*EPkffJ&E(io)j602 zkp_fve2*3xE>~Vm^0CrOmLXHz&Z=HZZ19w`bQc#Hdv}M_V<%&&P;YhJkTQ6~1B0mB zarX)tFkW3xKTPj9C|sb)-<3=?#S~kNX_BkCF&6K9JkK4Q`S4G7QR}8656^vYFSuJ-0OeJ+2W$Z+k3y*ju`&QZE#mt9a&}>_(Ee9T-k9Lo@5r zndO*-Z;c^WS96{qg)HN8uDRVpm@TIojT!$8b&hkT?!HScbKuoR+7(c)y<{zI$Yim9 zD~qpofZC3B)A9{*wUNN%G47i-zo#59F{)d!4o$_md&rh@jg_a)f%m>8cm(Zt6I!4W zDQI%qQgyJkymrG(;lIwfmx8uy%59CzwZoRoOhcH0mY0%M@qj3bC66%}^K#wmg#;02 zN@>~({(!7u5y`Z5)eWjr-kRyOgiYtt={Y8T>)|I4R@`fC@>8rRqMLkIY#x)(AL&ms z&y;q-lBIlSH4kG`#)>n!BaQ63xY-w)^wOq4yLNBO8ykz6?l40Q5l8doio+YVwLu=f zi=Dl)!$k*vOop3}W^;}nb;r{w+-0GQXJnru?)2|?Ejjl$HfY-0^RX1e4I)S3fvqk0 znQHnpz91nR9WNqOJmMleVxX6m0V# zqiTP(Bt@Mw z&gZ=mt9e?OND>xYwyJy+Cga(ALWC@!j()o2j_pb#`utg*iKzbA{r1LFq(^o+u=VU^ ziTP9TO`_g+f~XU5F(iu1&Ea_@Cc-$c21S+0l9KQ?J!PbMtF%!gTsRs7lCli4`u0oY z?7Qg&lBXgie_i^ZkB1ay=GFQ!9$<^N>I2WFE)2xsOwZ##kE^lm1hZc9xD}#^+@TI; zTal4%C?i_OWW5uy$UxSmIDKy3r+(tg@-d0g6h%_S)M7wXOE%T63P&Yw9y>zac|7#% z>|qws!6Bclj}S^b4z#yK3 zL4vOXDcCQaJbEK!Er|0HrmVk9VFuQoFp()ZCA4qYfK813@oVC_vSDUfcsz_u`^;91 zX(q?S1a#p$T;fCy?=@wUoL3FbN?uWE9n@UJGmB{Iv8Jvu{e(H=8`KF$DUKtc{>0eM zAkIwJ)NbFi7v-Pi$YX&-tjeO!isf{wBbM$CvNu9qJDo}QgQ>5ptfkzn*q*c(br_1` 
zhik7@!GsEQpukw~r^-%7WRQlNFd^3w(IylYK0~wn{$2cc5a$1XUZIb$rRhyTR_Oal zknfQHb&$3TS)q$VbIJSv5z%NDg18h9`7-jKi0G#On~WAoklz;oL_&U7;ZHlBB82hnLg*FLr@PcMD->QjXxrJbcF%v~rSj%#wJCUB~-aqQxL4g@rDgANJ0KJsn+F3v2uGXhi9B{~J&sinI;PDkrnr}!_n7L->*tuuCrOCG zky*}LJUm`ClU0%#8z1%M(6dCn^?}5N|)fKlw~yYM(mC z(MacUIsq{5OK_sSsKi~DP@3Az^bmI>vhS~672^7yYO!IJya znJnpS^6&5?2hJ1|u9)1%P4CR*s>`p4Hm+XG+M5|=t?%bo9CI2FQZ>gYnrpP=m z!~6c?^T;Rsi!W06jhFcEF!0>cCkP8>>gxsVC5b*Uo}sZtd@MQ&`i*df)@Ke3l#>`$3)_gF zJ8GC7-JDT(Hf4Ofx+hM3bZEp`YWX^GF?VPNo;?AVYx8S*;nW2vXNu zfG}DUak>xh;8)w_qA2FA@Ow|nFa4YY%}Ri2dJO%uts-b*qnpaR+})PvLZs_a($BJa9n5b@Y<&V4DZdz4qxg42c*!)2zKYASCbDDk)<-5jMH_3^6$NcOt-m`}fzcyb|XHb3U3D<62Jek}~gpH{z zfA8AadQ`nkiG-%RPiqA-kn*4?O#c*EsZo{@6u87>9f(HPKX^;a^Bm1Yr;fVQTi%RG z#kY~}Z7v6`G zO=q8rzJz42X|*(lN-@*LjbGQ<3^T0UuKl&4>9&ulk_((d;ltR+%2HE_AJ!ij-?H`0 z&gI5*&4z4Uvc!4MmxaSyvfIF{3cH^;AHT@tSGD5Hk?7he6A7STJ*H%=LC8HkJ$6bz zJby0Kkh~wZ_?$Ul9Z_4FCkj?3R{_m7gUpq#;_#f9Cgri!I_>K6hqyxj{E#tY)XUY_ z=-c43vg$F`r03zbJA!_!q?BvM=~)!{f#)fx5*jzVVv0bnlX9uf$Rh5JC9Ep?GG#+| z`9drQLAT+e3tS0Zt@B0Cjm*8So;T+rCLm08~w&$WBq&LL9ANt zg`0ajVc{PxG2O1@6qhZvpKS1i85MDYZJ)bg}Z`#bWt|Pf1FpdORT?ZMwfkWAptsVLnl`N!ck3OsGrbI@{5=M|f;AvwLA* z@G84{&0%flm~dN=%RX)$m_L< zA}Ky?u(tb}8u|KhjEkAM)~xH6mhB_;3O)fznxaGbY;}cZ%E_@ba-^!gy0^@5W3`-? 
zTGISlA4!>54zzaHSA3ZWP@H;}U?M&jSR`n-DH6raXA)LOw%ST(dY=+c66+hf78R@5 zadZnmV}Ku6F5={Idx)`>Wl+n27S|PST<^bL%Mta$xZ^FE%S+87u8`7p!zk%)WfPQZ z^NO7P%aY?48jgqHfMUa~Mb2Nz0rTdd`z=_|8c5CwO) z)n`4`PF=Yf%Tx3_SS5))_MKwbiB66_(}&4^jsfalsEi!na==Ud^1L!o2U{;BD6LCAD%#O8Yu6Gq9$+;8TYT)*&rD8gZ?*vNq9M z@v9H4PJwL85<(K9wxYg6jnj;WeFFX>bGfHE!4fFQJz8UD0SI^@toh_xGH*>n-=go2 zcHyM#tcoBHA4c?=X-K^%e~jQ#@OAmsKJjgW3gtjjo0)3?4Pm=yb40}c`N{Q!x#))~ zo17a?Eee@;oaGVkM`d(J74(S|dhg#JMt!{P4Ovxe8?bG6C^*SSUM~PbqX;%i(CpHeq3m= zm3TgA2|VTx=B||0?tcqFY-eB0pjE<L{%bNa~pJQJ(T94~!m2D)T$e>k?sPjdRsvn(41Vl z=@gs{zv1esK6AnDWs)zRJJOrm=#UQMWn@8<|Ey~vKN}smHRgdEbtz?sBQnEw&W;m} zeb-8;V;Uti!j-Vb9QJ9pQ{lZz1@)r|r$$0_ox&V!n#yQ=N^a*EBGx{(xE)=zygI>g z$T1uT%u>mKrP<|H7coXZgCa2+*UmQrUjqhb3%M-=FaNx6NxSFCpWGT0G~`ciG_BAB zc3*UPV0lM82kE5qRb^XJBH>KoZy`;flry`Wgi$`KCF!6KhF7%4ctNzPaJM07=w5p{ z1#|@UH~5Tc+jxsU^$nAJh7cx_DNg6foTbXaR8Lw#pKeKy?jewX)OLt5p~kev5r0D> zTJ3ZbmZHBn^0`z$Zk9evxHz2ctx?UMNU$`H``|^-OTm)!V$CNj+wpC&LxOy9;r2`! zztRm>F1li`NDSdM4IaMg*u#lw*JdQ|#I<*W-1|qsJaht>w<0eluYB;w$FckGzpo7_ zr+S+<#o2+n*r%G^C6ae~ZbWnx?p8z+=R5oAsvuo;K~z$_A&&4-u~`OMr}U89E9@so z!uCTfPaLcf7qL(N65_{+{VSf6kwD4_n z!5XqR9YcZu5-tBck;KDj+)mPrN1%M46=N$EOH+G4zuusO^e`iQ@Sc`6+NR}#n9acC z*Z9NiPS5b6`L*EGN&z$NlPxaB+%u|U*Wp0JW?OO^N z4mHW+Pg~r@8Oyl$J;SNjs~XG-XgF|HZa4Kdgm+~FbZ-*9W_yR?l|Jju#*^BcIP#Jh ztJZ8QecP*g$Kn`)70Pc#nV0rv!_XXwz5AY>-B?*(+otcrM+)b;{)(qC&xMhxlFLbF zm`N+zWePx|316`gGS29pMtGvlPQ~D1M^ih05lyNnkQ;uqV1qkZhG507%^l5p;l9RY zuUNRD@z_Lv-h~rn!O`(t)*!f5EBNF+3T{o0^n>^BB`NnL1LvxqOysd+QL)1xFWnEQ zG#JUSVbIN!u8R8DsA%Ai*R6MnoinYpm2zEbzTs&(Bv# zC;1e1w>5~?ZK=zstiA}yd&zJw5TBGKD|*@_w>@MVdlfbtVMp_V^<5fsOnqSp!PX7v6Jp9d1hrGy7IKiueR)*CZqnUGN6s5k-RZY^P%$Znwoa7J85B;Ap0|JUKG31n zn^ch?YU*1;9hCW5{yXzaeP{mF-6pHbFz9dA>(QZk+HesNutkJj9xww}RX7twPeS`N|Szl}r8Z_iDV&*^2gP&rs4iPfKW zQlubv(#F7I+8F7*V|fI-EcT6EO`ui@FQD}uvRz#p|7-h?7TY`>rOlRJ(cQAOYhmLG z3%t$nR5b@X*@PHnbDkK_njdue&hGgqhwGB)kRC6ajuSK?Nc>7S*m-xOb=rA@_pn$| zC#y-drB)4?*j~-D#{@5BXb$+_plHO|6~QVmFLj_vFYYsw__D=&kTxMUl?xZ`E$?05 
zVoZHunu^Pcqkt0dP@wV$h|2t;g7x$3@lfCLnw7OBfy`}uU9`*!jdGc=)E`ipY zm|iP?etl>jR`a#ajG12{l=&&4W<+PP`f7OnJ434|&@&s8O-9Cw$)$Y|0x&l4-Wf5S zuVx+{n+`_?Sp;f6k4>?{zVc_S%wDQmryDBy1{UN^NvX-eDi!P(Igb zkOu|Gvdy2yn1nbC!haCIy!5#I_~71a8WQbNZV?QpNSShw4l@SF$b&gV!$G+6mpvI5 z*oq(L5n}*_Pa1isU&G+8X|hIn?sVJOJae0F@{#s-52p?8T72rrYm%(7$ru4wgOaX+ zR2skdR*CIWs3f>+=8y+pF?{Y~038$k&>F=SttZon4_@bmUhF!sFVP8JFx^L_dZ%%4 z;I_2rd01f1VBqXj;+F!9+3N@EUZ{vyAuxR}+2-kIq_^Qt{1)SyMBu&+D zZ1O(x3~9K+@(?a24ayNv^z*^Pc72dmyIT36GwrKGgK?ay?t}13p)ub808DP$X2ZO{ zuf})uWv+w5*Qm?s1HbYBddV#K|7mWHX< z_hb_lmY!J@l~lLsNYqHYLu#ZCm5a-RBQNQ)WR6!6WaGrrv(WOnwz2IJnCUSmBFq-; z$PYJzf2^8Qg`w^g{Ay^(Y!*2meqgA7_8p;q^CkV*sl8ZksMtO)M)Xe25(i~Xz3O4j z6;C6I39m%~;7D3V@LW`5t2Qp$p)U40X%T-IU>_&#r9U8C<7md1yHre-mQ?rM$Zj}2 zqvIPj4bog)ZsBd0M{gw4pJRWrLcvmekr+OE4*_xQ+s8Nmc zJYMVAjv;BFB$inz(27kB%KYH}&ivBfnSbSX=J$H=llkqjerJBNX=4Ib#?*lgEI6L& zSg)>PX#;HgFhWmfZv*(TF#sMxQ2eAXrT+3&;{H&~J`K^f$k771q)u<7VKY2Fw+on9i9djm3>&Az5LSp!khI)*9k8!L*&t5L4UKpirUDR<;OKiU{k4oFnF`xdTEj^}BZ zj=S;l+t6$M+2+cfiKmt)#OEH8M?G>`^0nO7L^_zeo%B*Djh4+L-xSd-d_t7e%Ob)y zjd$HXJu@%N9B5C|cq#Vc0auC|++tBpeP?LE3%ZD;>t+`d0(LEg+A4ugT={bOg4r>B z5oD~ujn7g6`yJAZP3vK+Rl=G)uwXMdxDVK$7|vg*NaBGFrE|+`0HjKH;Lo2%(7W

En9^r_74K_W+&77-Cxr;y z{s+<3hHw3N?4*WsQ&cixP&z8>Wv^@`jb$b8Iovy9Q|Tq#Ma4dT*=%UgSR1tNw?x~B z6RCix-lUdr$qnuxb7E^hNnaYpi59Ojd6MOg|JZ1~kdJr|EZ4Fcxq|G`=;JIz6;x9K zILCU;Wij{Vm>++x={TRu;0?7IDV$En8yNzvWWn}^>5oQqoA9Qm9fM)s&-@#N)-Aq@ zdGBbU^9WO^Ud^co;@;q;BdUn)FnTtj+^={UjAuNJTYo>gt8tnT@#4xnYu|l%Mrumh z{9W%WD&2KB&&+cmqa6lT=a1uIKIJZMA7Qd4s?49_sV2aTJc+Q+A;_;4 z!g*Dov(6_g_tb1hG{2SpO|nyAz0X8R8KGI*=yTDoh$VV6zd@Gqc^gT9A2!pT;fms* zyx2<$q@bW;#wGKh*SW?hy02h0cLm;TaZXdmm7-Sl4LfyOPS_%?225RJory|Rk~21; z`{jP24Iykd~=K5c#}t@4A>-_x;HNg?L52)wL$0At(UBikd`ebRtwH^lt-SGvJvoD9lZ1ZuVndjj3;$36w$ z(wjP0d1+y1BuvVc9O>N=Y>v?7aQ9GI+`UE<7jzChfz4*SsD@wI_?S7xZ1>n?LgyOi zRrRcHDSdzBw8%!@t2c3#woLNynai(Um|CXZ)5I{fnaETdt5du3V$Oa<{vmDPqZoFr zJWQZR`}2#2{F+UVS_wW1VL!C(h(rnr;|y#D6?UdVGNiDVa+HGhncmlmMX-VJ=OFq9 zg1watr`)BBGq?riH#oyju=i-lyXmX6KIa@?)AEo#wfgp+Qfl0Sp7pg%(i3LQAS9~~ zTIL(GevRL16O>m=%3H0|wv1PuLKq0DkgXQk~q?XC>@~5OQZ& z?hZ%BQ6g!DG0Tx3=}Co&cxvvIH-Y?9iI1{;59}8#??N~q%$6(pnwyY17TV{FW~JZhEy;0jc5-4r&t4`laaZs&4cZ1?R4VYLGaL+K^^z;$etb!Cka%Y6hd4 zpPX6AvuF`S`d94UcIuw-cwaSiCR-H^))GB*#*t(U--a?j+ka<%neWWM{5$je_y1&m zLCCK(|MfNH@26ubVWkGt%GJh*%NgnTRlL7k?~X@9XObN&b3>)3NVXonyb`?0iu9uTWPU9@^QRwC zW6Mzx!zWh|tNmk&ypS^r*RBYUlZM)ZjArur3y&pCq~L>kLV;*QM|6xTskT(*3*O>3 zjIOwZnfR0UH?o>U(DAZ|)bP(jo#5xjl9_geUIcreot}1|4b9cC&thMwbCc!^`5|~H zX2g|0HSZraLzh*2Muun19Xy4D&b2Rp@%Yjh$$Mr&xQ^F@>H1Sb{wMR@K8AufOqt^K z0huEdJgi8x?AA{miK^&`)q<0KC*4jWSxd4{(niILB&gbgN+N@-wFus7uG;8Gt!|D; z#=dBgcOXg{(X*fu!rP3m@aIpMjq@^d8cuyF&(ih0i^XLzu7ue~ntey1HAdGL8Gi>P zOlT=ARp`o#+qtc=cx!3YNl)qUGD(G}A0AUvAJIi3w^Vobv6+`6;kx825tDgHithb9 zZEZ!Gc;*Q-@JY2Zm^=_4(^4+U9hi&fwudXW=4M5mNm(5qg^N}U&m}Z$ZH~cDz@pLx_6N6ABMH`3#qEr}!Cn zoo}=fG~HSG?o1`LW4LJ&V}**QcP*1I1)LHjhsW+NbQXJ-VjtBKD^mNT6v}P5hM4!S=*wkZ*_7K*xRdIPT(T=bv*_#=P0MX zxh4%);z}npqnghrH3)(lb(T}eA2(!`Hs^@noT)G5d=&<5)KhTe+CYM)0B2+dS0}3WQWjK?8QgrxzS>!AN#MKhcn|#M*<; zg-tw^$GeA#!QU2dqmTKyV(RTZlyJisX(aEr&&R+<*omK@graV2X_UdXZ+qfZramkn zylCi^T~`?90J7YbGRrtnd&fJiIVB6VzHK5c&4{n%8wgz?VxG*r!((fIc3?I8xd&IW 
zXNK>iI`bDW5B>3i*b4@MPiV)lr3`h~mm~9)7Ec)Wb?@$ORXhs>22bg4h^ANUJb?{V z<5~kOx#c3MDMo;VzeCPm;*eNXAXC+ME*eW!? z*|j?@)_AY%3ro(k{-ST3i%Ep0FI4o>_5F?n1|YWQp$U+ebv}DBl_{128rVrAoA+3% z`V7oqTahFj!-wWuE#j$Ksn-ND1tnWe!U4;a%4f-o*@&>9GO2|G9j&7931H}e*XC&b{aeIQbt~nHK0xdCn1y;=V zfE(}8h5|a_`$~!G*jYPf%F4c%^du=g%M3=y&Dz#mdl5pBBTEv8)8+&e1vbWAcATun z-Firt@BBf2`7iSSH{Br4E?;-XGhU(poBUrB4*%%}(fltX`VDHTY&HXxKT;=8QPZPFF zE)OQ6r$fg*j%zMpoO`va{(X6n3Lu>_%u3hd)ddehm{#131mrZ-^+PKWxiQ(n?@sis z-GV*6IY+msWKAo!4VNaD0)7918-Of~(kP53 zEep`34L<*lL{xuTVm8e|s>rkN(LMV&Epq-x9Rmz(l|Yc!=2O4w zWhi+pR5@bo*u5ELxgTTH_Pe@z?68y<=;@YkKQFr};DVM~b~a=;pYqb7B-S1vg~weA zIKQ2sy>ZGg4dm0;v)ad_Ah>A#G$zM$92Q1JTTrHBJGC8WVG4e3iQncp68;evDtL-> zWy*)DJExbWEfd)6T($i-(+Hbfv>43cy$H#1;@HgyG?sL34F((98zbgf>s z;r>BG2+mdnEUfq(2X#^7u@=R7810`uJ``4*G)9CpU4GU43u1I^PdWpWe0mD*_cHbI zC^g`tc6eQ!zpQ$*m#7Bv0kJ$@Bn#T5ZVgZSNZ=YD6PYoynlqf#s3Pv{EnXWA)a-rP z3}P<3Td8&TgxFUkjel4=;+jn!c|hZ0h+#nwkwo&FUeyAEZP$i9@6_`^E^`v)u@SVeb{MPu5`-uNd62T2(UvNu`=NY-DQzrkpg4-vz_JzRM0!quC=*#@ zX+P#9^(nFw@Hs&lWG*$y%1PZsDr?z5#p(*kD0L5XAsRZp0K)0n9uU@G>H+a`){KJY z*Qfbwy+X||p_@Ktt?_1W>m=+q?s*LB*2#;!n7Tu0d|;l)C+e^0=!|saKv9pFk=3OV z0^_X->LsmkC+J$5;d6Q&P&N}aBvH+cqIM!;hR-HuvUwKVS=amz!a3ISjXv36@mhPS z6=QyMGJEpR^*HMY*UqnYx!-I>%39Ld#8us0xr^umnm|2s7nl;QyhMv!HEbd@BJhzl zv^2Mi5@&+`R$E1LRb$ZTmMhG{meHtC2UG|J?kPpez+wEz!go+XKMfdZ{YQgjQQee? 
zvsE}JdqMBcXw4SR0f{REvTrAltOzj<->A=fR+}+%?=6w_u#N+&ujv)7R;X-ZZ12@DN^Vc#uVj=|p38M`mQC`5BEAV%;XYW+(F@Cmgya>huTnH7 zkh{U zzziz3#Aw&H^oz}755g{ZDtubFf=K)r+s5i@>>w7;^JIM}TjUr`6q-`t zKJ~K$p>1Bq7)&_^YPv#UZ^|u#1UV&9{w+FXJbtdLs0ab=xUA8n%016Ug+hxVoLL{z z#on;$Tx1rp9yg{P-!5=UHxtHnj+n#I;~AQ(z-=Ph5Ypk9=L67opvP=fhFaGk5`j$F zCSD@N(S#7|6!MA8h|Br9)9vL}xx1sC4k%v7h8EE9C{chZynhikvM{Wf|7T6gnB z1a&VEy@xt2;GJlzE7il{PgJL18UivaZDj%y94+=*AiN^U!?=S>P> z#N^wa$Cl^J@Af=yvEdp0J+AiLN_OA^Eh9wPGO)xljL|6N-@Og+otJ~Ru+!W`2Ux(2 z3K^^^3%oa6TJ;$_?12+F#4^U*hcf^%mE+NdMPth9R_I}sSwbejOJ9EL*C)=0Pdi>* zm3uQ~KyLgFJ-nee5M*US0lboXV8BZe2yQsaJlgx-*3_tpPgAtH&%lNr18!zW*hdS+ zq}G1A;(up}kzjvsmW0%kQtL4E?kQ}FQN?t>e$dk$9|UIP?+onFc^AFefij<-a@(!2 z849S?{By)Xx-_U|AX&yvd9;z) zHI3a?)S*wZpmh{rojTCr&uiR5+1LZ9HKSnoLfsa8#)Jq6RuGJocMso2VhAJgw(~izqe6&YS(wD8t;{Ti^T|Ky>DRW9>3`o-%IYfZo;GR6910xtCtSLrO?_&GO!l0u=P!hr zAa-h@5Rz6Ugrk~unvi?LtVwQpasV*zn^tMBHr)HD-)8Rc^jl4D+e>Cu(V^RG_>BEf zdY!E_RlTKnHPRzACX~|0zHf9Zkj9PO@FZy)t5mNZ2gTILrA6Yq+r|Tc!pUipvF*or zw(_UyG6`#OJcOsWQ5RLlKqJ@Qzo(spN-j*HB63pJM_lq_ZDlU$4voV zKPVgGqg*b@oEwu6^auHC|I6$-#O9CAXG{J6nLT&?mk}f3zw+^Olezyyy!fl%o5Ac~ zyFw-ZwA1=O?G)Gamz{no{?kqd!!gK%jSE#0#P=7@6#nLn>jQmdFFo|SkmQ0!WG9Q8 z3uzR&yu1;~x#)8*LYARSKaNrpy2VM{CEYU@iM@Ve(VQw%kTjdX$q4SIhqqj#eB$W-3bVF_kR1E1c1T51$eo5qPuNi)vxT$SC z=7T#nNUdR=V~rmk3KCElAc_C{el41FT?aWJ2_PXOv35!Ov!G2d+xeACYq9noJ;y?5 zX@gCsmbr}N?GmWeOX*1&8va%;)MVD7LF`eVWFOJ#n_k4`GG1h$U7-g7}QVrN;vW8q$@2yZ#RN1`6wE30(Z zFBzLvuHY;f5BNMi_ff58Mj4A)@k|O0Q!@SHnBR4dn0GW2<{fAH4haMl-gwj;Eg2`%;NTEJ{SJV zEN0l@D-?__YAIWx9_88}5fDQTZ5fi>$eR8-D(eB_LZUcg4)QONuu!$5Dq^d$l7P2T zr8s{_BF6Kn!i7V$ieG9M2x}lT8Ik_xC}$geIW#G$vG)oE#~V*>!+z|n;}vicg5Bxl zC&pk>Q1|FU!)U>f^Xy9n{=)#6Vmty62`IlINH0f76&vmix-;}|?L{Dv)_b|Vtf~@Rch-pQeeT=BE%U0=6%;oJVYs#gn2^zayi!pos|pi} z4XB4Iy`PsPJ3p@>6{>Op#o&3+(uhwcur;K2Ld|>vjTgL%&r3U$@*>R0a`0WLdWaCE zlRS{HROoD-VQsCv)dI%A?>ly^CM3n4ljNX0y+tv$>Lc}4wGIbK+9@MLb+^R8=Vqlj zhOlg+hBH8E;$I%l+V+P{8ZFZj z!5ahsNzpWmQF2)n;ChQy=IP(zdZ1dS;tj8gZzhZdhP%q_O#K(OI|r$vLNQy7AowTd 
zvye@V!;Ns_K|K&tK}x9a3F6=QkTk}6h0ZhV$B7Hu7nvg&+*L8lCc&k$yMaE$LZW!^ zUT^h6a8BZ4`4aDQ^4*({v0NEWDl-YOl}EX)dP0zLn{u~xsfZ^AJB+ugbq22hdCTPV z3RTNd${Aodw|=O+(V|hDp@2^k^hj>PTA%B2nYY4Jc^m2`U>cf`ymru#R{HZbo~O3zW0Agzj>!)Pgtx!5es zlJrb#Cjdg=7`<1i>Dp@Went(BjqB{;(8$U^`UnGkyzm*hGFR73D^VOz6BrVjn-(Q; z3a?%CMfQPwmk~4Orq#$Xcec#AxBHFNzYd&dC5uPY8k4LbF)Bpor6RLTmgB|27Bds) zt`%4Hhn-}<$p7D*7Nz|02;Z^h|2-}Gk4x(Q-6c|gx@7I2E=l=%gzxK>jjuV>HP3&# z1pRzFec!DxuQbc%wiS}=G6Rm%hF#Ll-av7m0V8u_*L-vwShb!T77wOZ2P(F?f zSrY7%%e;pe$}B4M#-*#qL3eD#mB>e}o&L`TzLC)UTFbd6{X5OHmQL61yTPmYAV>A% zZXjY9PWS>-+J2nf_$|+a%8vV3{tK140zjyI9wQ@tGn$2BK95q!^vS zsqq7QlX(=`laX;eyU~{xALS2{s-sPlt_NR5ZcHQ?-*gacDTI+ZZw(>SupdJuiUM6| zLl#Bve+L-m*@@UkDv$F^TDeX7=WLXD&LiTIzHCm zHH3`lSJ^`lnsd|M_G7aB#87zCh+~JjgMSurGi^~)h+IK=WKru)}%&>j+aZQ#XczKx7 z?6hCAxkVvuY=SQwgWPniIg*&MYHp$fJ346`(%FA_ex`n_fy2~2r)W7oRC*bmVd9Et z)f%Q4ly3CA$ZbbuEvIB60#6v`t4L$s59>z@v3Bqb$Vl-bHx=0cP$;6spIzebcT6Cu zVGRY&lWW3HCD(&ozpWiViGUw%{ozj6Zke6dgbj=O%^2%}YWsNwL8gFc$t{v~lH`cb z_XJj;5?*cps(041-KR+Hr6wokThN;PL{tD@n(ZeFFvsb5y7z8KD_(JKx_NG{s9ztx=K`4h@mGB-wuavN7F2lXH&uC(S@{zfP(42wrWo_2*LQ`)t)FqOaE>{!u_??M8= z%G`|b3%&9gK~;6l7R5}T8)FYdy}2=E2!1zUPAe#ZD>hs~%!m5Zm0~a2ibTRE)kz$r z&>HgDFa_&5^)^5ETdQ7kXx5A%NMP3Cq#`nmo-vGmPCeeH7kFwgD7SzN&Q^e1le3g0 z^HD(V45cuV%})It4p{J+gL)db0B~k<%{&@W!zKe0IGrJ7xuv_~Ey+i+xHg2BU5XYW zkW=Dtzf}CuJ-N}`BPDZHf{!LPQUZ=0y|p{A*L|tw!*9z{DqU*E3d}GWLu+9E>fAyc_&jkOA{5l%{ zB>!!+M=gL)xWUeop-Lk@SL1%O3Zqjp7P+)l6nN9Rj3g_F`wBL`F25k^cRg0OV;w?9 zg%SO8k*wM8!;0IhzQobA>T8>Fe11NwS>bqrBe-RH^p9CFO}!AWO`3#`9v5@|diu!u&%#y3@{|FfNz z`NfNa^|j_^d15}t#>_E=>Ii3{w`V-M1iEf%GULTMB&e|yB#R06f)HA|^!%k;r4N7! 
zH+}6kEdo94BEdZy{Q1?2f<4KT7zgpp9aU2r;*CaxIIK7m;vMNAid~S!I?8wWu_s7@ zp{ku?Wd@5!Kgz;QE3N4`lB;7WUfr>-X4>qX4Q;j_o}C2lu23Zk^QY3KYzixqIIf9i zblo+U6#M4A17YG(2`Hm0)%ZnMZ*Bfv3Y4+4eNH$;4=Hn-iLAL?qG356EvHQM zf#6J*DDSONVL~k~x$BL4ohR}KhAB1&fufpsZn0sT8 zvOD)uMO4RlBUvYb1}LtbxII>l3$FSlmIGbmSQ^CQv9794RsS>MA^LR`DuxX1U z>j2|kvtk>5wj^HikhbbTRu7O?G>wT^=G6G5aM3!XVto zpY;z~zkmPajqk20A&xdx*b0v=dd}1DHjw8t`}OMX z0*6-N!UX^)=;r8OlvQ32hC1-d8%)|E?jc1JBB`M$i=hj-L8n@JZm)-sYO~J;AFL^v zxGZCgBGFSqZJ2`tR4UMACQ@NJ)k-2NL|rTsmvCl)?%KQ701#Pu_SC0jd$r>K*!csc zoX{{<)5(oUyZV+z(UsAGcxt=?{K9$ zi9|9r#%~a(p-d;N$NBWWA_rN`n&wyzD=_Txik1|c*A=TsQ&}=FulhS~un|~PegVA- zw}rcxOw&D;+Pr<_uy+{Au)kl|_T8M+FlAG;3>!SYigK#f{N#|QNeb3@4b*`10~DmS?1IV# zf32}i%|>$>&oP#sICscmi2tdmexMZQ&d?)A1<-6pR5p197AjWw)0{RYL*>+L4LZih z!PN8z-zODq(fkM*=8$8?E#SHax`nqoUgy~yekIL*o~{$SwcZwXb(H~o zpO2}k?Pugj;J89aK|^D6WXq|%si;namWA-Sg|+3T0$siQ298A*Azn}%h&umyb;Zvl zbFaS4Hd|%wbqX=Ik32Q{+>cGodGk1~wt=n#MHlwOVZVou*WjkZKge(LMgIS$ipcw8 zJwm(O|GgppPZcrr?=F$~(R*SfKyQ*}OPgb61k7TI_GBcoK27Hd)pQpp~3Pg+~jlv6L1c@&5YP{FAH)y1nX7$2n zTphwkx1{IT{0Tfx4&ccwF3N(^D)H|4PVDY=FZrFiFEpy8l^hqyGcaCKVv6a=Bg1ygC`!(gFl@gsn!o=;UK(XCau~?`BS*P;fj*qQP`9d|-Rg8$YQYpElfN<`<6s4lo=tMOmICY5d8;qA`o6O3$}?mW%JoopXEdU)T!vMtV zxleL9N;{|6@Pz~3O`WK8=gs{|k%Dr|h5yV~=E1zsA{qURc<%0F^`&053j*H)yuj|@~nGfvTUD2i~NIyeBL zhpOg-j1R(nsGUMY67t)ot?oDSlrFt(t$*uo`KfLz25c6zkAP=$q49x?WHILbVpGFWW5)T{$>?1_*O1u#A&hg{jwF7TL-hO|4&TyKVDtb0({ zZW%_RP~=wtWvwQ?RXKXJe2$lNm1eK2sCG&4>?8zf?f)|mYa9!W_!HUV*`eN{)U{IQ z#<%$N^&(EgG3PfhH_S~!)Gywdn70!|4o7|GLUo2REXnO(n=PGq-@-QZ_RsZq`c*1P zFzoQOn>myn>Uoj^dnXm6nx3PfZSe-ia4|tky~z*a;*p9|=&DU=O(3OdS~w_|FN4h% zqvlf5mGZh);M(-D^5J#?iNkj!Gf2=_r3$*c4L%}Jlt5?kcjM_tO1MV?b6JBn zL*0q7?vP`;UP2ez_av*rzsBDrY3_piA}gd)Ij-P!5k!6WEn`Cte%9S4q!ulk=6|*I z6{JYF(xxeu!+t8yA71*7lQMZP!9km+=SH8_X9bZNP$o=b8c4D=SLO4JOI0M6ojiTzMf@ENL{KKCf%=*W~Fvl;A{p8wqmMRvVYu(C+xER016PiL4O=vF_j zL%D5256a90?)#j>J&~^m{rJSir~(xUeyqAYKKp6r<7N3sHM7U{Q@P4eo|KBdO}3nd za4_R}^uWE#4{XRovW 
z8VPQ#6))W}^C5!qc@*5edLsmsy=xg-DS8d;#104MfG@xL1~-O_-w5kVb}78aAfAvyo)RB81mjh)_khm6Pi2TLF&b z40Jm6IT|Ye%OJkV>OhM9>$CB}&njsDfV5prw)tMnZ3UpUN%bpym!_SHF@eyD_4lVB zmh#We?l}V>oT26dghM}o^^`wcB5v`oRfO!H0q?*jOt!Bl6sXuw~iEZOkgAJAfrde_{DC+DC zGx1miy`64>Kn+Q*KMys=+beinCe9{eCil-LPuQTyTpQG5j4}hvIAB%+oD)}1{g8!; zFY=e)s}J)^%Zv&dvzuWdbtE2YEblO+W4M=lK~C{5CTW+AWscbeW$)xv#R!$jBDy7s z2zMP2*dj#mqE;yBA(u{)*FMi;rqcRL%uUrG*i+}aik;r;2dJtPMT5X_9S!%VZ1ym{ zAtf^LQ&@N;XE1~LQVqZ2Eenkm*$4`ZQ4&pfQ!_bG}Vu?UC@+1m&7%fB0*5g+xFBrAZ zba>xnMNafIAu+;7C#sc+;(w;DimZr*8altS7}}I#N6>;Fpf|~bAg9IEP4>^PSU|Na zf4ks6o#iC+_w;TwN;a!jcc-UbGI14eKOx)gs@`M&wX}(ainGHQ^DTXsKVc|iWI%lf zX@|$wI;TsRDf8krIFf#8154pXAO0+go=%$_Oa{B#tDsQUT)5ezGS*3z&1_eu!s*HJ zDn|q&nlNY@s%(4-BS=dR4Q&o93BW4p4=9xl$J)d~*8N)#!|cp}WQ@Ab4K zbVChs52h-z24yATU*lK2Wdaw3;5w<^CP`~bCYK{LC+U<| zu(xF634j5WGrkmSPiifN!=Aht%dHX8Cg|qQo)66qTNhlnepr_x+Wi zTZnBIPrBye^4@Xw<(ssApuI0sixq-br=tV%Iv=)rJ4Thl-Awoeq?2?CQE_ zrqVAg#^jYCiyu)px0hyC6y{g=tFDv-ZtI?2-8DezXeSlBNm?o|r#>f69H;DGenni@;qkcNK6efsV8tHfs_yZ9UUDj z$|MdUkQp`Ms|B@@wh9R|GW>Uyi$I+i6*s1FCX2aTEle3dWAHzY>ExUOn^+~X|7XOJp?|fL+@E$@`lp>LKmW2*&DwwLr1?jOt@(op?02J}kaU_3x;kef^o>kJ z(5sw)%Y&s(%iT!jZQ0H(FmEl4>3?kggoD%Q6V zLw5?DN;Tq&x=LC-J-ogcv73yb&AVvO81ML$N~X~GHgSH^z)9)&qdkLPM_b7=6$Z(R zg?(WAvhq8BK(DY~1<%}mnSHqLnfyl9$O!pXqBK)I`c2&#T{zGn z8UULKu5gX2ipn=F3>JAvP0Fw?7|~23ZZBPkr<{&!0@6Y!V6HG)(UGDU*vZ?mN4>P? 
z&3w1Q4YmG|%gUA>b&j8-n>KYlK6Q~E!&K8U1di*|fDW&37~4%ubww&U&x1+Qu(RD8 z<3<>!<7&N)VY9itA`(6LC+dcyqhq-~` zk9jS%45O|W1gr}>n?wWzhR2!PDX;txPX%2LhQ3++NlBy*!lv|)9Q5cK8mz&8&2rx2 zinsOoRwy#;<=L!^Vvd{n_K5;AQdPGW=4#Vj*k6Ib1T*KpsR3KWXV&J6b2yb9>8SsX zmQybn?lpaS#a=@v;jd$$w}P^=CsqUBSi!>`mKfk8+mbaxlGabW{H|R!YFPsKaRDCr z8ZnahfT;F3K~iOmTx`=>5uvq*R1VvAHOZz8X%v{|^a`fK%U>8Sw~_G!asM^(_l`NF z&&_uEYD}o>NDhVr&VBse#uRx<>{Pb#*Q7*XRSW~nTT6*VwAx_cmN4wbJCaAgMvD*V zIvY^a_K2~*3EXH}xLXFcq%T;R&HQ2}%hQB=z#|S-${c1pG2l2#swSYO7eLL`H#2^{ zuos7(ktN_8583r~Rca941g%o5VtVQO#Dk83o%NwMwO$Wc$}}+XJE{%sTK6 zfc(e@7zzj)xT+ zBeq?O+777chLemg0RwFmCq;@`+fNVXk<8Zv_+j5ir)lm`QIb@o#JiQ?(uovilWng9 zqtJ_GSju1Fx!$92#&HVkV`m{ecP{RX?C8$e6EQ#~JCc>iuO|24;}cX1{uQwl^Jp*& zi%MYNP<%p>U|H;X(q!~d)?3))QHbOrexKtsqpY0f?_yy5x>X&;OA$Gu)$wBAmQ8q8 z`6(*uTtBIu^4=AG5f&OXp4gPl`rlHgX;wz8wPy!(fP3NTh0X%&G1g)+JeeXS|!`AScD_N}1 zR$pM-5F&aX+cFUGYUN3#b(%S9S|Gw!gbT{h-EPKvB+XL7ZzR{qd_WWPPDha;2I3+F zkSSd1`UNAVkIz3N`RYQ52TlBRClGE0T2oO-)Qa+B5Icr==t?4(uEg#`l@R;W!`^KKIAo zW)rpYW8%qh9>am`6K6}^!mU|j97`WJQdje9R=z&S1ITYiZYs7YDeqX|x*@b=WGD!% z%01J|j4&hzcQ$pq>|KT%!P2ohNsO2FZ=8Y;UBLN^po)=D z;zs%V1LU^_n0%vE!SBYi>{y6S6X~~rD`Z&rm}Id+i&fG?2eFMCawG=d?9ccg{MwT> zhhjPi-AXNL;D?fO4o|?#>Q+4~uiLjE@&df?N9RdXi}D_6aOW|Qr^FA4#|-f|zDlE~ zpn&xoI}65Pe?8Q-ll7F&&B8xB*rg0WjW2sYr92aL8_Fo{3r> zo`}OA{4fEdmARluEQ@Iv)k(6_=GCiFg^BiQ;(5pBzLZ0b6iTYpgd|67o6Eq&1uKk9 z!-lCNxdCp~yLKr#`likY$||5il8fQwR2c$qPGd+MnqH-1IkeGNl z)z5{Ylyj7L2-#oPi!`v@05Vl9WN5BpPjE;ID~RCr>ZxP0hq`-Fg>`j1ePtuuH)Yd6LHf0ubN3c-L$u@yi(N&QYEPf zCgmS5xb&Z#8%)(CS<}>%Vg?wKt`;4X+mSyIz)Y$>LuPM;u?}2SJk6Zij0(P13>EGV z1T5EtmTFR$`Nl&7%d(thpSX>2zFCXKfLF)&@91GDpGrdkeXmEhI{VtmY)uL09Bsc# zlN~u0q_6}e#+(Eli}B6o{@1p()6`N)4!nC;$guOh>As$2CdNEtqTO{(_8d{%&_?S0MdWCwww^>%2RMUeEJPJ?GUHX^)G7zMK~H94PU;jq1PYb4*bf^Nz2Y2OeM zPd0@C>Ju(&gHQA8PR&ZB);cG-Q zfn!J`JGO(_WoCW1j6|(#6>F_`5BQ-~n=%!86LDdKVn22zZ?qol+BKnL#9D64<;XV3 zH@>H#bf?^4fPoN%|0GV|euU-$I)hPk`_}!Ga_2Yx z8pmz<5IK5reHqW0X?_NZ3nMoP$)O5@MnWTMn&s;u<{wW+-!XT-F{o 
zs&jQJbAx4Jga8n9=tRlH7rO&h966eL)R7fhC;GS3b^&DA&5TR|1OHGNc%UYfF236j4G&wi?^*V8w@3%zXWzUoaK&Nvk63nQJ3J->winx0;QUb6o&8mSnObv^PeeRhJfE_ozW zpQwrjN)Y13E^6s43m{=zDR-4n`#Br%38>4Eh6cs#5o&fJNpU`~8tS=+hamJamruNw z34IamS8R?*DT>_u&@wXq_2Rj|VVJX%ku?I6$1f>r$-W)8erJ0wHI4F>hU+0zhD%fO zhI91C*42*hn5X0B&ECRuZ?$O~k)BetC|2A`)tCe+t;?s;DQpGiwoNbW$b8||J;?Qi z`NT8vM+$Q&sogP}MKD%H+uFLwk=P({Q&hiP8Kx{j;KLMV?dGaA5i6;?8hEZa70z}vEhNkdI zgr!bY)1eR*6W5MnKYrBYd4RMqh2|?m!7CAu0dh#VI;t6dKKcqhzy=f8{A|_-9uE+b zZ3CvXUO(gAIXp7Pw*%d@1FEoJiCVm}4<3@=3*U@Oqj6gDuSCrt9BVA;kDO4bmvy)J zy5L?ta%5=j($gic*@R$o@j$hCqdW$O@fn*oIHwhz)zcUagV|U#(L-Qbc$<=*+pP2h zHBT0d$eI$x6U_^o>sBE}B%k8$W8bHsJd<`ACn(|t1V+MigaoLnOcZ$UwNVg}lMh%N zW%BM--swVy&GxeZy;L8YO$!(5rG^WD$rIG%K?QG5Bi!vSIaO_2w68yxa5?<-#d zBK|*n&xr8bMUND#Of9BHVeMN0cEd9a(pNPxoU{DUu3K|NPH3n{j{ayrx## z%)}^(errdZAv2y>B$aN-_wEjK-qoQWOs-%$N~!m}UgFWTrp$>0=GQWscu^t=4bzHwk1;8FNIyy9}$E&GwyaWG>JOqI3#eJimP zNaZ$@XA}`JX~Ys%XZwf^hO8E8M3318kZI z*AXyuM$V54Tp2RW3qbiW_88l&HY}*Z*2Iy(qHGX3t#YmRQNk8B3_HY7vyDEdWb)3X z!KfZ&LmU+nnD7LPleCUadGBN@;N?L(uFR zSJ!<}mqMjoJBD&x4&et^AI9O5jf!8pncE%tw;K&7{2IqrA!p5d<|h=#O%9C43?)s} zLcHB|j!BG69D5)2QMBo#XeDgH)rXCMEG?Q+4!(Z7NWmrNsfFv4^y84qNDSt zPV})JF8cO|nZn{AZl|_IhyDJmsh136$D`J}2i@9{4`p3g0%^rqjo?J+&TR)*p?(@( z4)HhDAx?CM!00MiZW4i7Klx*f!qID- zWg$?1d_7pUBu#_Q&z4eftuGx}OE!m1N}8dYW?EyHk6ySsW2eZV#z06@5#hqTHu53; zeHv2&e|(@*H{~@-nwQ=8E}2jm72PVp1SG5v>6Qp@Tf8`?&HXGF=9de|uembI2u@DK zJN>B0d&GbnsYK~E`l)9}_SmypT0gMeqkA1pk%lU1chL)@yDJkDJM-o4Re{H@iCFVe zGRCet%>B>054>&)X~%`dybNxK=5L$3)T%u&;h+EqzZ9XoxYRM3#B*>7gx6htiW;;~ zAznWGFDrR?8H%^-2zN$V7hLC~lHog81&~d4l7+zvho<>#)DU?jfLbc%uSAnlcN{HT z&Q~nTHb=-Y@C2lNtNK^7JIFk>VU`PDu97UrK7!Ju-o3d_IijaolgyKHIOjF8oh%b^ z6rzZkXs)!`m(8O&Z$pDfcPQY~$A1qNW+i}BnF9!sgG74j>sT|Y1b!vr%sa1I<7@3E z{w?l5_Vbz&!zze(h}(fORMJd2Jo@8|7gm~9O-*puY-1C?aU+9c%ZilG7zTV z3PzNZ7xc<}F1C*jDC_r-w{sFN5u%haMmjMJ;9%bsNJfdGswCexNUDFr-3`XMPZQN| zm|dYU%4%gtpiW#W)Pc$3LoTeQ?s#X1!m9c`!!QgyToOH+=LatRfc@*cvk*z^BwPkB zZHK6T$(3UcK4wpSWHGJn_p0y9s>WzkfNc^Pj7O5G#p*rdgeBRX;wQ#Hg%#<13=lL_ 
z)X3A8?N+U0cFPSt0tlEsa?zv}_lw^dWAL%se+>3+;j$p2%4@Es9isI(Qp-89EK&LC z4UztC({1V2hpEt>Gv%1*A=7o_m_Wn7tFnAP8=A&X^srdqX{YmAaAUyVXrBXF&cz^c zl2yyajie*c97k)%$EQfEYZQ|8zp2Eo;0#onWu^ZJZ;avT;zH&j+Dq z*S~1a=m1&h^mjOr1dShdyTJvwvq5D&XUFNv7no}wca0PEH;BK3+7a(ooGFEiM^bRUw4sRANqx-E9NNTn`2uS>B@2nY>*6=YyW(+_y%jQ(E$W$$ z{{g?l84Y^V&6r0oSq1!2hE7~siiuNECJW{@-h!9Qb({0&M_40 zD|CTAQ~`TTd5uK%ppu7YA7|^GjG>F!1$qNN>hebwK|A%YIlt1Mi*ex$cII83|5C~$%-)a&T}J~=eFW_6^#0Y1?#El zLWrehFGLX4=uDQ+1H!}3H3K2A5T5~I#=bFB`lz}4esUvFC7=lexCyyQ!4iFnMW8d7 z)A~I$%rjcR?H(oML&u3ofy$3iV~A~WGc&@Ua?^;#vTkO4SmJSeQvvM+;XwR>pR4+1 zJ+R+`9}_$SyB%pDlga|rv$7x8O@&)38Y&g?*tON>oNv-0qlgDqt@{i zZ1Nrv&!1{HDvaW~jrSeWKgcn;r2w$ibLj+I2FFuatV$TDZt41b>aMk|!@=^Ec2{!exPC=Oc8PUB3T1k z{kkQ;JSMMiGHLb6U@iJC!a1)|abUBFm$Mx%P=EVI1wCqU&LElg4|RAiYaQ zld4Q%iF4aNJD@^D*~92y`OLq>%KzFHiYD!#sPmCu1NsWuluHqqt0pa3D6V*4Xvu9u z+AQt;aarYfb~x_-lj?=B(1^R3fpUZ`(<-~TR7qg`vFpm5$Lm|xz#v+p&q|QI&YkmZ zGd7Fulsxt6T@?EdU=-q=6pDT!M@~rG!(6|7R9-HE71T7V3lY|KD}s9j?r;8WGS&f~ zbr)2u{odfV5$^}@;*<*->3J73oJRC9`L$xBeJ@_sme?vyQn-UW#m!gwkF>L8Cx;H{;6u9LM7!T1#myfO7k47U}O9+T8MEfh5n;PM7j1cLt^CE7YHPv6EX z5kP9E2Tmmc>rw~%!{1dDs?`VAOCzH z)(5-~(VW}dNj{57tXE+1>XXR8w0I{!U0caCaIxsl z-|jl!#0AJiI5#!6B^6z}dags?%176(MA&BhZ2jPs_9%LeH$?{ZW75fGqy8~MIYS>n z1l5XzMW*Od7M17uq7h`8op%X7kMuld$j9iUxTN3OWuH2>?M5X z)zc}+Z}Pi*lK+46q`W`-cSeey`XBit@ZTAq--^lqOT|&q-@DW)mHu7v{Xcsrj2Y24$(s5Xe2 zYe_Elfo~LEBKP#YO%uki0aAp1w;1$d!)&8Gk+lq@B7%GOj~zSld#q)h%Cni|&iro3*=^ z;;HUUL+#ZJB-EKP((E17S-(jexQqHN?J0x5H+5QCuz8>e4?V~MlwDMDTeM~OI+ER^ z+u~jx0A)h^aw|c8W}cjlukNN3FUq2O*dEBwy`yB$kr^PB@9y^C)H{IA8kKh;t`$+q z2N?VVbw&-?OsvG=tf&b2QFSp~)CS zFSK@Ij>iSjUx|XP4;RvB*RR3@RL_cu_VtcL2}QHl;MdKxK=ydp38#KQp}7)BEw4Nr z>M0<-^=*`R2&cJY$I-i?zG_{;hb?Tu=n5kFK4%{QC~Sz=_EU(suyub?R!0$6_%5G$i>{I`sLdO$z7ka7JNIu*n$WrGD%24IlZG@+Xsl6i>q;FHu zX|fKTZft5>@SQzj^E!~RVsu@%&}3$eFI~{5J3izO=_$x3u!StXxSBtUew`;7Uq$8K z^wce81(|sZa~HuC028(ohSD!bnoI%0Ps3F!iSy7(2XI+n&MB>Yo*>L~Z+@Z$Xq-03 zk~b#p-7L7@M18qW2_c`CMQ5ZU6O=R?O-%hJG~JiLy`Ob=F-H3V9-3q6k<1qcEjQ_l 
z|2UGmt-nQuIb_RRWl_jT8Qa~&W}vd4|4J6_nX_kJd{!)x1O{fm{9S3mEpbt*@W;>3 zdf-el$pVblPRbX~1vAG=!QCGqPWe?l7GRGj9l;l7BIeq=mKkdsLhk;0ZY6hL-DJag zfG!rUU0N~ndIGuN(Mg83>`p=XG&8=eKrvh??H9pr4pw+4*E&Exb&Ot1AM#^nmHCJ^ zA~@{LcMer@PJBbj&r=;3Hz9w+T*&kY@(S1Cm}jz)D1vgES#YkapCW@HGMs0grnFGF zdJ}OZkWRb)d^7~ydi#|D(npr>!$Mi6@ANhW6&#Pw!90a>(H(kYQ_Q#y)a=)s>X@@) z^y0;aaM1@5UQd(?XW9GQ4EPiq2k=q9OD~U_;4%}{%GSwz+{kFvBTOYsYA^*1WUWXU zLD^^o4zL@=R5%eC7g2En+1q)GaC~L}5+}ztrZdyV02MbTPZoL`0y2ghX~`h}+;H;x ze39OfnT*bum8wkR&k;Pikl=W*gYJF(;UC6LNO{WDV^A&ap{#mmmUIF-7wl0u2O79` z`;y3Zm&B)7vMNx1IKJDOzQKtxYu_ez7mN|MFROBKWM1}__yVfCD?aD|6nKrhwbilH ze)|%}>Hjz{QTapu*}s#2>gq4@ua^9s{3!f;vq)uh2Dl#PhsnGMr>heQON0e#s}=u@ z8;W!g@q9TTEYY@@c~pZd>mTdrU_VB!t~JvF@@X5deK|-wtCO)ZOq-5;#BgF3wk=gE zah1eT3*TVmB@KzuR@?%$Mm?OtaAkuT3vdI(#xILOGV}N&`i1WVt|SXb$JJLZ1#gmN z1(HeAHj4?9V`0>>nuJM*zE2`Qedz9*@N(pKo&7ADfnd3mb8hIXE!GM8pk7%R{mOyD zyw5#(yDCcqOV77yhfn`_R3lR}I7slStr;V~wJVZ(v$t>@mYYr#1sW(b`-55y=U^e8 z4SQ4sn~}*p&4mh!JxByNlPVT{fa}5CS`#W-(i}1!TZ^}J8v3QDAE2Yj z&8RP$uty;;)*HC02X*i;lHQgpJDX<09u8_u!S-g4n4j0k6@Y-c2M(TYM81=P*S(3y zNjIsVo$Te!CH1OFKnX*We2@iL95=vs;ykhh19O>1Ci@DV;h<_eanWk0Gd zKwF?dH*!C87@%rrdY{LK@;3x#ABBGyr6n7xBAzLY#nJCBr#R2P+Sr%rh&^>4v1Od! zpR*^Ia*#8kGwbC`t?To^R@$Ny#qX`KwT+X=zxX4jK8+}679->;fmEYV z9c|%GQJE^Xc;hN(_f3Lk?F0u~P5RQo%Bh^)g(g6h@jJes?cjW;b2giCzgI@N@sDZF-rT>USnsQ`0O~ZF$Wzfc`wr;ypZBPR=G2Cg@`x z1AzK0g@wQh_5%Jn+Sp%)azRjk-%Hk+U-ME-=yav4I8W~Ylw`6G=<^gPd}dpx0?kM3 z@ACJ1zgL7$nkv` z@q8Q{LnNxJ_)+Qo8bwjzplsi*yn!8@F`D`K~?*kj{%9uD;#1G77F94y23c58Lgq?TNm|rZL)bn7eS+t$a_g zc>cP5HiZr$Ar+&%34<%eo~H^uH*Nk6f3gMCgq`gdl}GTwF_JD-*d~XD(fl*307I=2 z;E%92;p2nSh`#DCtoU|V6R3a+H>pO(t+-=~N_W=csmaPlndCsT{&6fx6|prtw#PRl zE1K{bSN{wLO2q}{UvQ@J8sZl9ASuB~4XnsAfp9OKp?cw&+z%XKyCZk~}Qo>#Qi^k_R?wgnhqcElS;^6@5{ z374R?{s3y1UaKfws!sU;*(h{L1SWkSF-Q=Kh-}b%&nQjsHiswU03dk0H3$$w{)H6! 
z)j~Nqw@xrI8u|u7#Vj?V5kva+uyb8Jax3=HfCk~+663wqRK^V>@Q@Ieo&gO`O4Rg< z*H4i%83?p7t4Ef5i@NZh{raZo`!9$uB5hPZ)2t3L47S!Hc2N1)3O_f;CoMeI?aMZ7 zR!u;Fk*4Y@;%dhjOr(&5;EbJPDXeo3^$Y=Sm|Ie-M8d~JXkLR}JH&+z14+pjCYKg%K0p6Y02oI_3yBW-Z|^+^x%I71j?;v=PyQWXwQ z8=Y_dCcoMz`TsZbl7-~YdC3VL&cDwhdjGR8QT^jfX8!I=7Lxz+C0o0H_a*A8&>q_Q zL}Tj1sQJT6Hxdz%@hZXB0}#Q=Z5%}TnN!Kyw;$(VRqbcOIT)$_1+#H=Zufml%=-mc zR0vU`rX=VmovjGWmGd;l7Z9w8%IH94sT6$ASyFdBn_IGVNqNa1?=G$Q$pv|tSH=<@}>_EhKgz#|3@Tu|o zcN(A$vFZO1OSb%Cf(G=(G(SuTB%I4FdVGqS_QI};KX&}v>bI%+4?wv9m)GLvVK49b zlkpGOrl?_^^K_K_q;i6YK3}4@4g--fJM4T95sYjmo~gV3fhPh>^Nn%0kCBPDZN0YE z;fEOXp;i4r4qM-C>nU8=Gi@U3=f^B)2UUeA^yh_dsA1gY)j*^~y{p}jDhFh9_NDnO zy=JxvE9_ai$MuFUFFN0!>ceBmcbq>|JYtX`>8n;zCuA>21Bl=!pFuhp`o$i>K|IvW z#$JKKf*!*3z|;{VPk|6Nc1R=&WrmzBIohaT6q>(iqB=vhb3*7aspqsjgSn?Eveg=* zCN8Yo%d$J7aSO}iFCzt!QG;ndp3MMMKi}a6q^0jE(4~R*nxxi}=q?#>7 zQtY>y%b~X3?xC^8To_e?86v4iJVSv8`+Uv5*{p6@88z@HaqDD3i@DUoP9aJztf}~~ z2PD@23@|DyM8}NDoxpUoZyzSH>kQ>ax)yk?lBMocP+E2&W70OSD5R1jN4;W^o3e|Fpk3)`xRXid$2ucfn*66V0d z{EoMPwgl{?Z>d=3dQ59WM@DjW_>9)K0ngPYW`4TTy8R!}3x$!z;bGAE>Lw`YYgz%u zxR6QCgd9pyJ$V5N@Z0d^Ry2g}1q1pKKTKg17uIGF4z;*kfZj=LJ)vdd6najFwhd|& zd2G|@n3ZK(qe8i;-z-ny+pxWZ85J$PJ-u_wpfeYxGaO|7iCtHphd-UPsSr+gJr1}^I@qIy$AoMATC(6#qk~;x8UWJZ z;Bv&FZsZZx!uz=ZY++uSdSv>W5*l{ajKJCD)Tvdubprksp3+Bn4w|(~4$DgGkC5EY zl{sAW#@ba_B}R1PAwU|KE7myjcVapa%p?%3wCTN9%dGLOp_xO{N%wb=Yes6;keW}8 zAu}CBuiUw`Qmm7ZOR+|t0-bzAdd&Q+#AxUtfRwaxL?RLF#6Jm49Nx8;aDoLD^nsgnsjP?o8B29+!2H{nK+gQ{e90RB?~D|N*1!7_ z#ZSdYV1PgEUr!weJ|R^5?Mra_{_acG`2YBl&r`=u;s4=Fbbhaq0tGm-(sP!m^&P0b zfniMMln1P*f#-~^mFrvDp&2Tlv2V7vn&RDUBN-y10J)YL~B? 
zi2XQ#iZV}oRI?i9&&5*jF57IXF%3$Af^zMZ-XrG4`VaBP2kryNVo9mN`lN`&9LH^ET53zm9P^nf zD3UjV=DCbQx5Q6=bH@9t&_GEMx^`-^KPff+r2%{}L4Pq`=W zw{;<8Qwv34XhTHrZe6{`sEiKj@0xCt^wq)E0Dk72SLvBz%0A`KnGRaDVfofS6|ha2 zV=1`LqX;S^IQF5lBSbj$&N~Y2({n3OAE*>ZEl!#>Dc-((qLum`zP?m=a0YhPYiBXC zA870chijZW<@2OdY>O4;uvl?nmKOG&LfNhdgxL^c35VyBnNptQHvDf>p&(r|0FMA{qP-P6ys;zfC_v0CxAG&+@ zE?_e6G{!`syAu-U$Oj`B8!T$JCu^rCPQQAoa`r?&crbjFh*b#`Dr-q-6$5UA>EiJ-!Bd{$Yb zv14s>F?U9h(a-vjLKV8GJc@6V8WPKT19tFTK9En|D5ljkuFOW#L_tIqX&>FBj(P!75*x^FOT4etJ;~A!tQkIPL@fcl zl(v8;iv5k4GI3*H>}LBC?ttVn^&Ujs6luKn!zClVNdyvxnCRUK0M9%`a2|Nnmtfhv`wUWlqBQ*tEIPjxna3aj`T+p`G!TqM#w+#z!pr9tG5~VFs6MfVn6^S%>SjhR{EKa*ZKV80C;_>{k}l5+v8h854@gwgmKG* zOCYN%oNqJFSK^DgF(hk38sLM{pj_$YEI8QImfZyJ0$vwa8A5{Z_P~aFuudIpL-ndzD?m?8$#HO^ z{_YdYXP> zzT_Qv4OYdHgZcg~Nx?nYSi_we$Ce&X&ySX1b_~tKNeXbNl*nEiVVKzE@`0+$p~#(U zaJIpmMkHBhwc72cLJ^ZH^9!@(N!f5%wgTpmOfrP8+Ha#1C;z`2eTVRu(c+f>v(ez9 z18A=FA!UB3S%GuPktbk>$_a?oI5;&GF-7w{Ai z91vvU+k)Og-O)gGu__s6wVJxCj@LFlXL>D{*m>uG4t^WG-U0=10toP@{p+0uT>Gy( z%|`Y2JN^F-ceG6zdV%w`78b}{_wODQ2&_T|7!pRz(T10 zJAfi^`FjAhc}GKk=irL~2#O~CUqAeGvz7U0Nv_i0LumjL8sPKgKkeTX1qe0%D4PGD z6l*>eb7cOZ=>4g<0SE{R^_#4}zwx)aS12@q&S#04-|b)3LF5QE{{(!h|0i`{3_#E` z?tiGK{#O6I$sid29njDKW@T&=6?5KC2$O^tY?N;|9mEc~0gzv`F{kkD!YRu13iDGs zFb286@+26u#A|H9UH;JXC0}TH>k`nQap-+7mE(Af4OE5xQr6I7n^LB!|3Q^he;`1j zpq@XRQGxv(419mTrTFQ?+e^lF!45VIb?M6b*IWAgsexxvf8qwX(6FL#@vp-0uhAIa zktZS)e)@Kd%ft+2#q1}XR2~$IB&bvhc+z`|cfFUM4SAHYs6OeJL6|>k-B#f5KrJa9 zh5(VmZ@6-}9`RLESPtTJnm7Hb{dTbkFIEcv=qI0P*%e z4JYpm`{Z-IJt2RcHQ1eU@Pg-riInOhPa!`s+^QM0Yx&&-eAs~^vdS# zc*^!?p*X7bj>g-xgJc5p1-9vhBtQ$BRZ6f@wZ8skgLw1 zy%yz~>`wN?hV86$BuI9+Tz3!PbyO^RuQ!oBUyrfu@v``G)>wk8E)K66yBIVzD@F+UzVLh4TahV4K?ng^N$`@zk(3YXb`)G zuekAL8nZ=|g*nfBB~8=w^ujB#yk+F3uMlGp@Z!3(#VSvqGcf(v@87=jD5;4eLeYgR z_qDIgL|EXqSt5!$i?hcz)Pu^GP_7ZkAV|o=k9KNg7Wv@{n~v$-$}A?OB+DAi`c_Sr z%3{q~^~hzLVJ2XK+Tpc-p69YV_B5XgOrp(!8{SH) z#OJY*RFe{EYb`YF^Q$v2^Q~vd6}oQjOJLuJoSD`xR@l}SKu_D?iYk<<`HY^>cq9U0 
zB}<$I8%ICxv&59(aE^oF2;wdM5p2ymn~ahS2qeUWi~#RdjVv1}Sq%S8ua%pM@~tj0 zzq6lIAs2KqVxYI+`n2JIRpwzel9bs-$&1p|` zso`%2BEwI|1Zj`jV~@a|2ooh=BXs1xg!ml!S@}Y(072IQwFG%=V^(cX)t`J=F{Dl# zQ2YT5Hl6t!PJ+mT(+ z`qQ#`2Y9`_2a;5@3#a;p!cHs5 zPy%&pktGCX4N-(&oh*tx6t?I;xLAoZ*y@T+ki0MT%DzufyE>4zb4XUe`f0k%^K7{# zC5+8CqiIq~#KN#Cq_oknv(%4$$CtO>U1FsKZB*lGQ}$Igq*qWbdnefq`kps*ex@4w z?LO#&2k&RoHpL7oqbE=e?b-7K9RzJc=B)jPO!Id;ck(F-o1>*;pE33)Mp!8qgH*>7 z@xfi~UWhRg8MgFb=iQ%(szB(&!5P~dPWs3=Ta!7;(!I1+-(=DYORAYstnbr-x4z}7 zp_xAw5cK%}%$6OEdHM>(5o9s-#ox#uw za|ftDq2OYL2G}m(L7wA#&bzF(*IvGCi-Ot>%Y4yIWE~G2w>2GmA$A(JDSe|DWqwv| zg4Y+~hFXe%V))iv8`h5*4i;`0Lbuzm(W1Ph`INuvvvrXkf5`BUubHAhx66?rrpBeA zaF^_NBeh)ji+B_KqP;aKI5&7L0d7!xm?HLbXB<|MUKE6cLFDh?k2@q0LRkIbV*phM z0;dWW(l_dw)oX-76t$T)yk{N*keh)m*wgt{0j&{4GLw51Wi)&NB5fv=b)(tm^uh%K zsJ=U=ij1RdcP1x*r}~!I@oNtQUAgIpf*whVzA0Ag?p^!_2~5IQcWbyj9VBJll^~}O zVhYu<#KZT7BCkkekTA>bRmtpbIH4)M*G+tS%##`aG6~yl71Y&;?_-{>MOv<-DL3gb zB0*|D96@WOf$z}J7v8t@nshBfVnq*~Hy&4e@bHeW#|&4`+|UdMB~@W(0f_`!9Q!#NW$y7lIfcvA@WPL<^`|EjfSY(MU%MZ@wX z_q_8*oU7b>gLcy%+xY34%NlZ!f|R_OBYk=$*G$fjCClDguc|JjB#rf3?v*ayPsm4hN6DD!wK8704W__JYd_}SP&taCzwAj z$AF$u&=Iaw898_9_JCiRKOlGw5+A^Z$-+ z0{=5^wEy5n`R}+nqWcRs-#h++o3ww8Zs<$}nSXt8SWc{`(V}=g^_P}M7PFSZPTA;R zqsR&pTI@@dP0Uo5dNh2NAfN+1aY4yN=-#Nb$993C zcOii3DT5XFl7!a~+<|1p6G4p%_eK?Uj8wA`Cf7@pzpD!pYy zVF)bgRO?ejZTU)kpu`a_V5?9sBc@#`W{DavJx_4*bwJ3H*<6>T_lhf*M+%-m&@5Rz z-JsIVbWE@`)>F|pC3=@BMQ{els%;J=1<6fJh{826(apk8*>pHbUR~!fuY&p4sHn@Z z*8Z?ZgEqbXSbkj{hhvUV2oq?BOa9n7viZ%BzJ$y+NfUb=02AYQR9q6S({zJl_{m7qbyQYKfw6ag>+@UvE0YW(EyzEH(1fzf4x>$;$5W zYE(V8D}QHN_?n@S|@z9iyuRWi4>oR z40EJq-0&|82KIk#^4l>1fbTO6;X}UJ`T4TDxAPfYjC-)W(DfX4GIZ|knw{aV!v*)5 zu!@kibeR;94D9(;K>mV;x=vUkD>EgLgvqapJHbQzIpArSCIq${gMtXIO_4A^A7K?P z>OZJ{Hr_Qv9Fcs@%)+b}ifP7&72nk`g$Sg&`Ou=KHz^8c6RZ*#hTUcm3w#lGozBjM zN7XC#s?DJ#<>BP~6nMqxkSdvuN@SgQS|ARPjgiyuM5<3{aPVC?w+Y!C^?(j;c;9IY zarr86ieA0dkI6)=I^LmJF&YytS$GY;j5Usu<&~fwf5=Xfx8z zGuor8V-8IUm@35S&ZaLE7btw@aCoYakX6|e`Wq%jBJg0dWFWs6E3=KYyA_2h8^41Y 
zy%P2V@H^7FZ8la0Jgt-+m()*`GfV$IP$YV*p zEv-!;NJHx}CU4IN9wkGs;2MnIc(429LBq;{m-OwIS{oKZ!znn_desJUAV28qWE*0@clol7X^OsHFK1ih^gU-S z1&uob)8J$>g}VPB-+iKsTijhz2VLNdG-)}^{x@!@!v5oAO6L!5l>UyJGl{=&Go|xC zgD~SLp$8|%#=%lxZvw9RiI=UW+C1FlPY_DWl1E; zD|)`$OttG4iU7;?&6T;gWE-quk9=}ed!`J!aU;*r?w;&*Vc-143E!&<(x&*4X-eiC zmGxKhVtER60=T~QQHDB4qWFM%?qW$e8$-U$Z8()D8!g7;X;*=(anOJBN4Rz(wB&p9z?{ z7q%0!!*?A+Uzbm2Cs|*bB){Oy#hOWFW+y>p@V|unliIxp&Sf_{q;ZY%?9t_b{bt7E(`IU@T`dNv=TeSsl;gH;)w2*>c4SYrs+%If1jBTve zY)L)GU#uFKrF=%kG{ld$TlPh7F_S7Aul5QZ-gSu}&K7f}w+bx;&O^{LOF;f%KB@|8 zR#xr|Gq|I*Jkk1S(m$0$9ODdMECG7KBMOjJ=EM$Co6)58S1hF;|0oy&jT{Wb)595b zEmvwbCl&Ad5p@y^CgD+Y=HC5GsYG%c7PIs{{TV8kOXz0 z=KM9usvo~`L;s&~qx%Opihsw=mFZu&ssHb#B%isae~WGyAXh~QpJURKfSaoo8yIoT zStqN*sj<}@)nr;oRxjGIgENTT;M(V6rZa}9K|0DadisFvq2=n6>govj{IH@a@x1P? z;+S$g(AL6qHuQgFYcLHOsf8DU7fyimU3juk9UYT(j&?)@@=bzKvxECDaefUpKhSMb z0X;KYPQ#?4I&D8VFJ8qMe%2Zj>Wjg+k`8p|2!OyJa*i1V*0*fxB`OPL?AXvek=~rD zeN=vd^v(R>zR{T@!IK7*Sm5vzgCCyd5YsGoHT&jtwkVy6^`=!9&lPOrm4kC?t*}D* zu=)an)wL%^cY+hc^|(TJQi_pMAf7Vx)4p-859yV~kEIxBN^Q2{3|v=Nhimfdcap5T z;`(OWo^_n&!{(jJG9brDTwKIohnEHsivqvW4Xk>EnZ~SR60a15j@ir{$xo)IzZs`0 z8tIX@2$?+A0nq2w67sM1*XmImfK(1NZ!|&C3{}A!LzV6y<8EdKDQLrLm|?DNtzEAT z6RW;#;JGwS$foZWC=B`^bU>kX|NPLjLL1qi26Ud}CZ4;e``((Ajb?{QDZCK7g^kqI znr@mS6*B;Bbx(De6JPmpo)vdm+d{`}OT8@ zk45j~(&OR82<(tpf$WUAGvCWxK;_m_(@{`?%X5)Qp}=g6`DYuI7`_h@{^+lTNsV#} z6Gmm#oR?XCZYtL7O+7%)3)52mk#X1yuul?4@}tU_8+}0`s*gAL?7kP+|Bh za+g6Hxe%!;&^JMWcNWigk)<_Kl+9TJ^*{0$r%~)9%i;n2R1;4R$u=6WF9R#>U+K*8 zN4@D|QK4EI7NRuXw1UUO%X<81d&Gl@$nxOz;N**i=^T!H%bmZfJBjgWz||-|0Z6Bd zj^)B`ji~ZYy4wE|WX4+i^2%yJGrfR9_My7H3^zh2|qTOgJU@~BXH47^Zj#UchhXo_*xujk`uUmi?zi|`riJMbUfIsbD zQ^la`gnGYmgEjnj+}sBJ!OdqPng#rSj&2w+5dlmYF=x4X)dk~QVkttX?-9wv&81a? 
z+U`#>?yEi;N7qiWdX~uPBHLpfVT!k6T2t(OY3;SHfgryOqfu3UV-2p}vS!GWOM%jm z6REdhK%*cs)9Y6Hfl!*pv?z_ZF^6yj>1idK-em5=i@lr^irqbMnRX=G<6l@(wJ~5U zS?@ZL-IQN|Zcls|CC|T>F*f9<%Umj=IfiTfxjh8m9qa$+_y?Bo`-yeP`hp5e=k)f& z1*@?eI_^ZvRP1TgIi&Y{Op{1Dc=5(1G5p{IOYOn8~-(ZqKb;L%lDB zyUzJS{v7WH{v{ufu;q^_MVY4{JId6%$XTFjmc-~+(k6Wwxj^4D^)LuH8uAzK9cB*w z-|NXk2A7gxf$OQb-PEm5R#o4%ruj46i*HQHKC2+=HN4}#Qo$1(0cT4q!-&A%wtoLC z@!L>NtT;)^BxIB*y|X~+;({>d1?)=)Z0>KEgCj4Zk%|8GYg#nt@WVToDEMSv=4j1b z&K-CYmQHH;cd}J~bjn4e-9Bjq zPKc-))N5?^o!k#k7~Zy6Foq))YeQ(h6(&ckxH6TD_Pae?CEi)%#-H<7wTA1Y^Z;DY zma&&$E>3+XVfFfXyek_OuPrv5W!~jW+5Kn>nY7_QF%`TJA@4ZfXnIHJaxcfPbHr42 z9(UN#4dV}?UaAKzJ;2a=L;w##mYhlFe~Qt-N*Z_BZO{;eq^}yLrD;ecCRU{ptn~dF zLu6gT$|1P1bcYoeyh?-H%H<^nv*m?N+PUe_Uyir}<|Vu#Dea8bbil)<8ztznRvyov z#LyF1(OSXY<(D6?--S$xU29Wf=P8j3JJd z`!x`8?CQwSRppFaFu~p6=tcv<^O6ppWz}?nH9LnP^>fMWS**Pq-<2)(y-WaZ`3=&m zo4}}v>2Y7^iYUezA1rhbe&LIW07?9u*$WZnokT|WTt(_F;LOLND611i@MKqrrDT@y#MZFre7>27}1Dwq}Te z5IaWW@K4e~S{A5hc7G$?OmbybI|W}Vrjdce+-9gGLjgopAv;!L)QEUo10QMpagMRP z_*E+FyWhlVpl%&GwlJG{@pV)oC2al=;YoEWsR&Dwo3-&i6Qu5S$7#7ozC>tpp=CG2XxF2 zQA6Es|3R%4AfpjZWiT=&NGv1h3h{k(Ka3(RA^jX(c)<2fUG4Fg%ZD<~@=%1Ky`E-e z^55i-{3QQ85Wt`IujB_BB-H;+e%yblefv!NSD+cp^>^|gHBAlO&CDnorNt{LQ;44eh0f@+7-K z(7Z@Vh}bmED5`R~Q<8c>0@2)Lm`z{_h=XuhgW9*)8BIplz-*#ZS#BU{-JqS?k!Neg z<~7sO9!ayBJXo=S$+C!Tr|Du!24jP?m%vF~={BJ4w5EG~RgL+(Q0cu9G8=HHWjYb| z6p*0u>G?+8nIFJfW8=Whw%bPmOD<(riM8833{V+6T!C(jnOdh>&3j8h!(8 z4en8VMTKo8RnzD}zxf!VjIEqLjby^bfq`g#DDh}$Sflj$pwLv7zRL)?eyYeIG(0Kd zVz@|thLc`3!h@Q`8z&AdK14Mcev6{^(xGfX;!@|pqaq__No?gQ+l#iGjb_!)K|-U; z(Ag5YxEs5_`KZ{!cJ{Ri^)TixU$R%2 zu2R{$aKL%a){g4h*-q@8PeMg=5rbl-c?xh@eRu|2G5Jkho2AQ`9Vw)-+^@1wZ&|gk?2Q{rBy7~7QhY$ac(T%~M=w|Tm(ameuU(pSt>EFlrKLd<81cv@6 zk4&42*(sB|eY*61IQF{&d?P`6`W-9JU@7ecu}gFth&hAKF7B@#TK%RzyuL}O47k^GsUc7~W+$%+62VHXHN&1W=gvq<`5XpBhxUC=LzyJ+$ zeYQ5v<2|COpjer0z+B5_FgaP`^QhdPw4&KDSyqyY?^@KpUWGPZEipBP*brG)HV(=P z{A(nY?86L&>kK~MxEr(IaJ^GmgOQOQEq<79p$U;%t6Gntz!hzWse 
z=u%VkWA^P>`nU&y%-4FbYate(Z?=d%n?E~C&P=X)Fp5YTk>A3M2fux$&W#+!vz2LdEF&o92n`I=*mYzW7F1nR1uqO`bgv+269sXRw9@74QNWf|OcJx zf^o4fw4C^9#UoK~EaV!)giiwyxU8=H3s+gKRC>s?p0 zvZt5hqfF-lGk4DRsP^e(fgW6uF-5tVs{F3m3#p>bFLEK`OJ`{4@Pb~Y)!iNpT9B6Z zFnC--!U+Fa95uTjGmYXIx^z#(rH_jo6*Y-_<`wBwwAS0HVt>ZAj42%9kNwWdc4uIwQC6gZsVrg*u1gDe%@Q|ZeByvI}*~ajjPLR_i z*&0xs4x=(fSDUQTe5_0kP{6BS;L~`!-gG?Ny*99IRP1&0Eo3VTbaDa>)-uQnYSZwf zlM$u`wFk3Uhti~`dVHx1Wh(6{4P(A<#;L#1Sm+YODAo<2d&1B8v&vq-Kx>WLb3O4x znfKFzvdI^H{WaWTa(7~Xcx!bonOD&qTg;NaLr=<8{UWZ&K{K+NBH^DKlV(_qMgIS= z_D*4%ZArU!+O}=mwr!)5m9|}JtI}qrZQHghD{VV-XRYq_{k^*PUI+bu2lMo~<{R%E z_lSrQ5d$t)VF~5CCUOMBU6=;)rfR@$|lE( ztpPeG^u0&AH1uuxV_yFn$hsXhRf9jEt#wiIN-qZc!|nO}Uva|$vz53LmQJOK^<%3w zbxJwYnns2~)jHeVy&2LkF8CtJudmh4?xN0MF)bzOhZwp}YDUxYJPYyZQ+{jmX>|ME z3{%f)dIR1SaP7cQ{DO$lQ00fA{GEIwEY7`=5=$?us zAsTX1_Nhm@p{I%y`%qD%3oaCrp3PDg3$VUn?N!x-FcJ((Do_e;$bsoDk#d1f)p1OoTguVg+QDiZcKZ+W zU-?E?5S+b|TUouZ>LcOZjdYy75Kg7F!1bJ$oaa;ekjfC{Z?KhNn8%mB3;iDP9!CLY1GPYyI7-BP zW1#P&$`@?Ud^B#lnY!*bx8C~}K$owddRCAi_xUL~IhqwgdMKTI;^LGUs2r@CXu;`n zEVQF#1QtR210Kvyjov6jZ5kNc*qiq|th@O2M+*JxE7k7U3Mg$W!!0h74-f4!zRRS} z8Xy{e_WYrmlIq?8;TDmMcW;5dPPQRuM@r=K=l2Kfr1a93zn-b2&%iB@vK<`S{q1VQ6u- zk-E~<)?~C`Eg#AWlzC8=M zNddiG0mN7ed4lu84I!Wm0&0C43D z^e)Fx6@>@WbyODm_Optw_^j;sdA)cj_A&wwR%B6n-qprB`tbpb%MfFOVy?DHI#wm_MpHez{Wk2{r(uOYYnFdM|6cwM!1B*V zgPFgUzu!7CrtKnr_K#dZ)&0Y;BvtEhpQlr)zZKX2OT`1aPsJ^;qW?X`6X{RINubof zDE=|jW8=Sk#|!gM#m@JL|2@TJkG-WT}KcjS!x+u+{x4;SyRZH=F5f4X>r|Li{cznzq_iHSvI zVLy+`3_gKvql%6f_nU)OKy}Iv<~q%)7gCEhqMQ~oJ;WxiKp`U(pIJLop=woGCn7^M z<|b$w!k=;XQ(z7Ir*;K%<)&I7ZnAFrMu*85J98*rNhS8Nxp8;Q?PgxhvM=G|BK1Z9 zLpM8eh0+mSz^}RU@^&uUi#EJ&3_O4x>TPVoCLGM^LVyfyeP zdS$%KaBxqF&UpxSe{ht6B;&f*jt>&uSu7<^vB|#>!3MP;y3%?aW325HNu44>gs<6X z=%VLoCBM=E(`A16qIM_XhVp*@^&9{Za`0S%H8nx)D}pm9i%6wK;M8MgY7+hI4F1F> z;%e~-5qrI>!73(7ZWEzvrLy&Crx5Zom-rSeV72~I{*Ao62=bOi(9YJ_)t1?hx#>Q0 z(w1+%?rWm8bozGxJIbS9=w=0F?H3S3@M-1*cNs9S0lv*ziO{RX#~5q7 zun&@8deMiTmTS>XHoss-e*x;lT0?Ti_QSm|_;g4@1-5I>ySuW;YCMLFKWwDRD)k#s 
zP=TPs@TBNP4M7=!Wyl{q7MI6nJ(P*)Kj#-VgT3X~qWdGB-+qrvY#!cnI8}*H{jkyZ zqhBPZ*Nj!1AQ>Qn_Nm(LXo%NsM1@PoCQb`v#`W(fb>jFcXLgW`(^7}NQ3w7}7ZnL8 z0X%!ebH=wTHyQ+7gndC8ZDp*NXCiQPJDx&-iuXeej`)|{9)2hA3~qwh40W9gP?1|7 zK{FPTkpQC|;c-v%s!4wubzcnIua)js5tOIix?!N*&~i8#5f3G>Ab}Q{44~|n`sxP+ z9e}y_utfYo=G3H4Iwn?Zb7OkMO!&n(Nxrk82wp+pp-bDnyqHkdp z`!H_n!r$7FnE|0X*_H#a9y0=JgArE+4@0jw7L>cUB=v5<0tPf&#NvZzFXsiuhs)fW>jy`Wlx%0mq zU9f+qaPlT59Dp47U8{v%**MgMWu?j918T*V-8OwthpKZ)7PX0;TyVaUlu^SR2u828 zl?k?Rtk|TrNi3&yFJ~Z0zA2dnN|36V7KUx+il<;UU*dGt1{H^zVvlLW`Ju)$7`S{@ zpiYby=y=@9hlGg@lNfO;kuu6{oyDneSq(&mbK2HxZXUn;`W<`(1yx2Oj1*At!~|!F zI`^S>H%E->)ndkw5huIwoLfx+Sb+Kf=F@~u_gGrjQm5y;}xW&}xpi-2iP$Jj4gcB-6VK?G2 zgU5~Qp;!(KWdo33tv-g2w5rCPb8d^;vIDkU;0}pW$y|LuJ<+PrQD!%1!n}I0fTQru z&cSZyfgjI~4432tBqO%AVNYL=w%D274CJFbp9y))*iu@%`7b5|)Y@Y7WAs+gJ%wgi z%alqr>HXeqJB|}4U%t6$9Hjsp>QNAHUHj3a-O32A6#qoiolP5pg`(%i_W|BH?h6IH ziw#c17ab8-q3n-Bws+LC++!oUsYezdNyB*#N`4#F*8npEOrW$ds>bnx{=mRv`NAQ? zzmSb#E{K1N)IevnVB`9*vP03tW-UCiswe)^xdFOvadI6eCuA%0R{pgSvzg!!9h{<& z5s`mhaUL1WV|BaA6kqQkjZhl)?0K=k^SW)CeqsfpKzhq0?Ga3ixwTqD0X=Ad!vmcr zm!k(|KQ$_qg=SQ#=oSu#M;dQwR?ck4ZzS%rp zh@>tixWHI_T*OQgFEL^d)-uoBvd$<|&obeYkylRV!Tq9)B&V0JXU@ciZJY>95#eR~ zl>xGhCWt$ds4ZHV8r*dL!`Y5+{(1v)3(1bu1SF*DZAZDom%Gu%Xi*DJW3CVf%7w9O z82n;isgja77mV>Dl^43Wy99KxC8Klv)2R+I9e&8W*KaxYsOl$!AI~U>A0bW>wGeTX zO>ej^MUNrilbXYbSkfX5k@nQ!w-Dc>cCF53YXH0cYjDpoBma55<@>n;^X51!90|oy zSgK5`tt$ZFC4hk~&*qXGP|ko=+ddUr5&tMshL}Nj&Eu2@u(s4Bv0GM=#|nGIE!dgn zVcXcT?eL@5P-Jep4DHQf(VI#K72-+g;E@r94eu2Yvip3CPqgGFTlC9>ouVW2ccQRV zt1`Lt?j$llz%Cp3t|Lz*RO;AHYAR32d!_R00(taorlz(d!r{S}?f#DsySU2sDhY1K zSIkf-xuWOo=V;+GJ%>C|7+%qgv*kJAA0pu@jSl3P?22@JysiOQPH^qw`Fh zF@E2C4^nAE(yel&Ar0Q-2qL=YPH!6x(Vfz}y&x0lhAq{~3{i_^wbZLFqM^D%VIyqm zWO#D&0WB=x)7(e`6A#`~?)oCb38&|ZZCb{FIhCDkFxplCFC45>Wv-U%uiEd<@xW?M zN`mg{y}4UCL4rbKw3dpwuD~X^x28<-Bg~i<7eODirEbEdVN>dju9O;d<~0Owi8OXb z=<}v{Ao?nV!)^-ib24Nh=)6Mc=c)%&==v{*PLTJU^lkyjvX%$EKb6Jr0ny5#f>1TV zq*UDzAcM0jc>Ir=lWH$HFXUbj+T;(Y9?}CmiAP0xjmraVqBF@H|zH?%^84uL=kMlB3eHd6c??a0n 
zNiHQMrh*O0PI*H|kFHeONu7b@GxAdY@{X*B;C{_k9zXR(bVKB~Bvl_-2}bmlH((@I z$ARD8HL40TNlnCpx#W#>ojtqDknSAn^}dJx=ySU7HRSqDe!frg|4ndj{zq_c^jGpD zoBkQx2Yj}}|7&nRwY|kKWMzlPJ9at0oTjc)?nq31)&9g@Le{js@3yCo-L(;Z-b+{? znp04d@U#|_U<|e5IhDZ4{t~L~K7&Qtjsk2SV`pg0=@KOc|?fN3(+!Ow$^H5t>; zZgapy2<{kS*jDFvmy5iBE!`pad9i^t_sA-7<7K_MU$2z0=`Il8B}35l`MPwfWxdIM8&=@cu&bZd0KcDq&zb;@6I%Q>EbjDQ4U1y^r(x+A{%Y7y zfB_}^vt^ibJp#?g3`F_vx`KNa?eL?Y)zvpS1u>h`CJ2__bWvCX8A_6u_f5otmvGOO zo;C@ff+GeKDFUU%9+R07RYCIlOK-td%hb3M1r$WgX#1gQO(nzo7qNr!u)^^S?e{Re zFE3S@5G8F`9vv>^$OGFQvkOQN2st8l{7HbzRtwj^3^8+*n^`y9a5pD@)tb?!iY3v> zUub8tVZR)O2zPTng~aX_c6c+QkpmWma%1n(=cKw&L9)vQ0G+O}*GFUOBhyid$b3U_ zBVA?@%mG~AU7%<4ecw-rX>JHo&DXyd$7V`_DUJ$4oqDG0J#>3=R)$26top)<^AaD#KP&~{T$#MteNr4fh*Tv8bDn3|bjyfbJ2($|QBGIc% z=|D!3>ZMd`gC8<^1cpBa#dL8e9WY7TVA1$ajVLyw19(c1dn1*{{5?{(?GY*2sc<}e zS4$VWl|Yq95}93#YXhFeu^t{y?se~Zko!$Ip$kNbfU9TCF17$A;|YhYtqD-%XWNnb z!I>&;K$W8+tYXOEqm!q%ysv*6-f8nX#HO8k!mAxa+F@uPrXVl4Wf6;MofEaH;BavJin z!+hXHSf=iGKjTtS(U4|1pPqxoo#*_-rNh#@sv>c$VxYor^@{m%p^wK7Na9&n4l5B( z$!3$dd-XQa`@F8GIE@e#XklHg2A=KKt)E5rsaN$E=fTY;e}Cy^pI`cak;Y0#HvLRQ z(5>PAXCmUiRYbA=RHRzP`rlJT2mMsUUyAxq#k>FVSN~Ro09Y*hA4T}zZu4(Du9W|6 zUyS8%V&F*ql^E!te-dMS{2z*+YWe@(hR3Dn$_WS0n+fg2n>;9YNsD$3mYba#&nzmL zi#!6U3NEPrLK%}UU~y>}O)5&%OjH=c-@ z8qgJtu`muX92oz=q1{%0sIBT%;!~A|?>U)QFq8EqF~lg?MYhQ&>uOr{$%IU!^wu%` zRgR{2R0NoWGUv&_jD^$A{hHK>E+RIMBPig=QerPq=ua=a#zei>#UGZXk~N!bMwypr zrdN>~^g-E<%A6RvK&YM?y}0b*CQ(m8O_3%IVoaE#d5P&X#%ztqg09^JU#4Z{QJd;L za?MqLTB0(3*YyP3nY&+uJ^jgDF5SCu=Aa2aaxAYnTd(`r{K2Ms3SC%ngfl{5|Egfi zs`Ocx5>;bHf4}f^r)l)(Qjgu%N5&*#K2+7<i>cA2tubVC${!t+ir>9W8Ec%`2a}puF+IA)e=| zc)QH!uf$Os7&gOrlF;-OF$PEC`XI$flMKq2GEBf8I5D~GE?XrNjX+*>iqxZ^28+Ia z7k?%?EH}>bNycM*Y1%(W#mt`&L_MSQ>T!MpgM0gyKZ1}Ro3FvF+pO~Zl>wRmM|RQJ z;Vqp>?cVnRRJ#3NoT{94!zn2KV;zNtPY4S=w7+q)@%Om-`Uh?#|B4%IqCasX+x7p( z4R>F33l|On{9LMv4fq;vc}j!F{s|`0>&Q(;%4wUl9sT?k1Xe54Zb1;!V)qCLs@w$rr^W|z& zah(1E{?wXyGk?VT8^+5mkxkip(eB3e)4iI?rE$U)RAB>9_?h6+I8~QE9^>WV!^lv< 
zx+Yo=i}2%o_i_~vjgh0re$n$VkH>k|J~uC&#*An@kvqQdhcBlk*G7%at0hgP;<|DX z-aK9TLf_i^S9R@XSm_@Rfo%!UkFt@+n`Q11?X{8cQVHz^#;4`Fsi74XuQwfwV>$&b zNd6Ek(*w5|97%5OddREO*`eME6bq>n+|??mKLT>6AY zuBS(|>*c<7A-NAd#srX)G~}OPaY|p-jdVzP&*k5&J}(~mPlVT28Xa3#9RB!vD3A-k zL5D&yC1IN;FyLPZ!vsQ4OsY9g)-hPW=ptFhOCdG3*1$UTj3uoy8WV7#5rL|1tSKp3r%J6*;uXb$1S z=1VRgh_C2}5M(>PqvvXQrk4o$)(Xwf zhJ>i4KBje&&V3m$WJuIO9c1jj^)=J2tadCkAgA&rr17`I-b&?C%7KBI#iVx*3=5Qx zXI9$_Qv;;~c|dk$+@lhQ6^^ShA;VfsT-JaoggzaUIzK*8D|y8oUz#%_g(yxoZB>$P zPAZNlrortL;uwt&>DDPq&+`tHEzKHk1I^~>C>vn}Axe-pPG$Aw-=R*lBtYEmumXl7 zXx3`U^AlF$)GLvC)YoWdzK>4@Z(c`=4BDig;e75CY1pn&Pczy z%YE4%o8BLSzw*Pm^it?YofLYvgs&!MxK3y7r8bScE9|K&O*C&YSGBqdxM4*)x28H5 z53;DlKSki`uvN0m3PDs~Il_kep6;mz1`)dpUv%u!KsSQ&1N$9!o%m@RwrPiyh`h7U za#wc!#tmG>-ySYm{l*Pe$6s-S|2Z@BA0wY0(f;4K;o-PFI1x70OLO1lQ)yp_91O{4 zX}9NHsDsUCgZ1?cKOtzg>w&`wbxR%L2ndzW6BLSQweDhbDhj&>)-Io$S7*1`7MtN8WmF$%6G1=E>bnX6{|5t3g?Pd2gfaT zVGu?D^EYq?4_QEhhK&rI@#e)Y*BcdzcVOgolENa&(aEEBxmW;l+kPZmBYNEzY|doM zUzPilel4kfV{_l%0X=I^ik^T5i=}RK!#L0=pyonTU~ZF%y?D}bze~gE)F?wXHdh7L zJq4^AUh@G4-P5xvLXyy%aCrH>@r@Ds|PjmKSR?o8;J*E9!e84hSRzh>p-R3p*KhpHB+bFq7O&}VwFms> z<^XI2=gP;0UeOji{ZT(UQfzgu4IFuw`Qh>dVf3^WxqdvBKt?S*=w?$SU?6`;n2uyS zPPmGtRSYJ7F()Z8$$g>4y=223nI+Lo2)b9hf9jVXO}EY0=c!x*4Dl&ThJ~)8E;+3%e|<;OLmx7uGt^yll0MlDF5H{oC&FTFko4xuBOC-Fpp zKhSZ9gNve-PGkuEKq+jNhRo800(Q%m=58=*UEZ;9NLe$^rhO{BtH@8FBkeD}*>D-P zeOvRKn$F*bI9RLMF>%D~AtigG{HTp94`GTY+wn6+zW4THwu34kpvmN9@WPd~)^BUz zyIurv>Lc^T`^5)p^V2>{TtkrBBUgfws7e8KAihJG0|=DNW+g6VJuf$Y6-7Kx-{bt@ z+_xe|e|!h^=i<}#yMa+T9_@f#bC+Y90}DCs$LPy+JrcI4;sjwlk@Ale6(>oiUjgk> zc2HT96g7}ho2XbM?Cl)O^l-d> z@M=hL_#UN;ph|*>SbL^&C40zcFx{fh|CoqtMl5QD9%Y?|#v)UVtCUUqleS5pnRf4t zvW+B6%+!p5+#-=It;o}-adTEXPjU33ds%4mo1NhqGi?CZaOh_#_WVMtt92Fodhy!& zf+(W8>~k&aDzA_*{9pKQd@YYNW0~p~oId z^x(wKvVpC9=ggjka_g?_A$QKPQ^)7Yz!8a2*t^D0s@Xch$jj>@OXVWw7(TPcVxyoS zc1;1j+*?*}BSF=(PU>UN1GfY*335;OBaQyJ*TkNQ{`dnfuI&bePLr-`(^+2@mU%bk z0-i(wl78|%_Ys}T_0*V^u>3MWJA>Xf!TvzBXY5RqTXbY6x1x&1{8Y$4 
ztg&Qi5hsb^KQ=j2j9Ctb39a%AH1>L+_19~uNJXbG=1Rc~ZOnKU6)ZY-;ev_YE4p*~ z^Tj5~3aGAC$8YkJev<#c$q!%?ea7Awv(f((DWm_6ZGS70{g;aPpA((IwU=#9Wo73v#ti6 zuZvUcme9r`7>J3qE`j&~7zF4F4yO%+vMw=_6rY(-wUE@d1xmH2v!~4|!W0k~Ys;LL zi0TDlfF3*cBkSEr3)wKsX_AF5h6o;yuWwOV_8EJ0@Gizsh{`Wa3!-@fLlZQXNo3%~ z3LVK)q^(<_li>&f80v0O+z#m~p)o>pWD{3rm0p21hNc;=x!QysdGPJxsRU#!mstvr zbXN9hoCS!!4uT}yA@F0z>JlOP$qH%+(kaPO0`IDfjQ{dL?FJ+(!J&22-#Vh=Dzj@}*>KF3JJKNHhq+{=7ZP7}3EC~{}S{lh#H)KMs zX?qT@wo2^A_}58IK2NO0FCgo>M($}O*&@w({e{T9+*X*Yz1mKc*ejU)77 zTkcDJ35D2LdlrQywFPgX)<8dhSLd**YId?l_pp*&WG6;&yuT`eQdtr#z4mqu z9*@vBsbx4Ss}s%R_X&ciOs|xtq&EP}HjHl&AvHT_IDa8GUOwN@`CeOTsQWe1yB3z+ z-p_y-y{4M}{9Yx8<}tYUIzd<^xgi~>WYW!zg#us?w_lsbMT+NJD=rd|FaGeEB`iQW%EY}DfU;Nj@%+nE^z-LUpf(jnNhz4@)@52ekemwFknlKLwQ zsSBR^BG&9}p~zzQ{%v@(qp-?`+^lu`7Jaw))*3Mp3TI;1&V=1b7BpdD&Vr7m>ZR{j z%@XvM4HVT0MJ4FQr2#KiTBH@dFC5iz+d;8|9o`!}xrZ*o_-SVE?l`F0Pr=%9O%W<8 zTOUlWj!Oy^ya?~LPSYh*O+CLb!O7#kduM^Uo}`SXNEc_ z24`SHx18C;lM-CPhe0m)liQ(T48p@px){#+mIo%;x74j%faq`m8Jx&;C(=?UTw$!_XgiPs`QjA9)>n^FW-AxiZ#8*4n!d{TC_=!Ia~g5|(|tZ!G2MqrC8 zgeHFR1UA`KaRk!fpfj_KayF0PCR1F|gbQrXI*Z&A+@95#j!1Nw>x6?aH%LvHepMj@ zzz z^u~n`eNxy)EPf#~!?Q$unI+-44O$!_;V+lH(MVl^2OI3c_BvBR7xmx~Cx_?Y$5a}8 zR(RDf`}RD8^Q8$1ms<*iU+_RN8dkt%j2> z$B;a+X{L;{DJkrMWgolW94-U-amWy57bG|$Or57PX=+q?Sjs!$1BIMxmr`sc z=z22*(-rinXgfidh2QHMSQx&%y<&ylAONS<7V9$d?!$qwK|s!LZsu=*pLO5f-o; zq9o&H$C!k3urz}!*2+mD)pGpk=8~9wSS#$qAI+mI3e-Nf;>a>j(RT?)1b6B4ifj?{ zJA!-X5e!_mwMUkQs_;8B0O~dN{22H)>hn1h;cRs~Bvu}))(Sj5!7=42DU;Y z`N>Tm>Xps=2rN@xqALO=n_hm3hNHp(E&(+>2;#d}Fpt4-D8NM_wTKk}{A7}beIf@l z#@Yfch^i$gbXx)Bd_{QODl}FfKUQPkxwiwSe-)#sxh!>9mJ_c>$D$KtsW{~av03>c zTigKc5%o^Y#{;91WQcFYEEwN?dosCqzxT3u>G?!uk1tkqiv&baSyL^JkYT0pYF!^q zGR~67{(++ba}lY3QZfrPMQJsMpgqM9?p{R3#S+%^nr#V>HWU94U@C=J7D=~0iKUUI z%azlmenWzQKCfk5VN3aLpaTf;={LvgLZowXQ+svyeZ8!Xvir*GM%AJKpAAa%@F|;(ob%dBbm+|1BBKlTf{!3;9$)Ss+VueWADyo)iIRFmVFsV>a z+dsI?Q^QhW2Kckm7BBT)av~u8QX1*N4lzOA7|S=`ih*kwnUOM0TnFBLs)^SQlcFcz 
zJAv~P5fZ0&SIk+MXsmsbc3herf=bDbHN+FDcYf`b36sBOPQF|0`LQW@P2%F+kJwN~p~aTMQ_q9_^4b_*Q(J z12Df9J4$0#7kEh|Dcre9LRI35_3K~5T!9&a+A$eLsV3v-bw~6>yId#aGzHGJ&Ec~^ zfADcrpz(+hmXiZK!OHKryj8$~Fx9`%fF5=HJ1@?8un(2vuDfia#y(`;9y%LOBc8k; zDJK2lC6T425N zDqeGwM+Shu>0TpHYVZl`0=HXN^>>*S>G%7wo(6MU0RNpnob3Qq{&dr=!~<^Dr%rMd z*;%tu|MVh^bKsS6EA4KUyEXIV#a|fgRyiTFWD$UeoX^*L{2Q18j4Rr@*B0vA8Dl>PCWM5az|mnfzE>vgnZLAWLP7FFYy^n#5GRKE@k>0K?AE?@b~UC@k#!_ z2_fzN2qCBbN`6MZKb_%D*}sO6Yi-w|Y7YLYQuW8`Lh~w;;zzfplpz=&oxBEe7@zD!ul)_4vKYSBO(`mBb>F*XyO(tnqJU^CmUMLRWk zapBlqnz&f<5NHU`VB-t6tm`9v?4teAG|KMkjn-1&ONY}D1Hy4G?AUf5YTRF;>s8AA zOOa`yu-Bph$|snU>XsG6_+jj5_$4ghCyrJA(!tn`)qHj5YKpVK)fb5vmV@ z(}(wzxi1DnqFVF7+|8RN;Ly)YG!l5#1h!(q!sP{VsO0d1gUynSbKE+}d`T0>3K5xi zmi1OJ88(-b{rP{jrbtaR!b1HNGEw+PJ2F`T{|MhO>YVvLEAcgR}{? zLoEQv-VY->tbM2qv^@zM@$^nfO8&4(prAB>t*lD>$>3vM$OL8!ZpRE6gwmsL0&IjE zQ8r*>+W>meY!*u64h2F}iK)2At%a%{h!%%;Xw5LMTu{-(Xs1mXtptJI(?Vt>`|cVv zEi(^w!$?S;)E<MspVG!AYK7WN6dlS#f*SKV;cI|`!`7e~^~>W5>@c9^L= z!Pj6r*9o#~IACh&T8Y<80&+C5h3K#KzgiY*GMCh_>KPn^n6mFsC%hsE#t%fQxoZP| z33Q_$)-Ri5xD$Ux#K~2sdnt#Gk>K|_;mygEx}J@CAwih%&|tw^s1m6C;)`E2r#GzB zjSb7)`krwrX%=A&VYaC;ZgYd5^g#O@i&8Xof}C_+NyH`W+*;L@U(IJ1o@ zu%|NC-(*vIIKwZ{34|-h(r9uE(&U$Jp7EIfEsRhp~d}ExTEi{u{G4`~v6-q-w zysq1{E5vX;3XEJHN(Wh7wRX^PO+g2EzNtD#{b&l__w=&?F_{4Q2 zjLYRbKxc0=J%BWFVg6n9m~|}9Ft<##YlUIcMZMYv^P)_wm;di9uv9LsGbx5o1M&J4{F}T?Y z?M`|$Kv*Ua@z8>hm7*vscQVZ3xtvAwCRYJ6jmPgpkqz@y**X z42a;;npTKTwF#L|p8uE5x7xTJu-M|-qYF*vhurhY_nituFw0XQH-&T*1pIIeLkIIO z%#YAdS&TS?Sq(8e8%PK7;jz~<{3@NGL$wSp$-=?oMv8tL1jcj))Rls9?9hXAzdWEU zX6xM7={6z0zw`#6zO?m!<8lOJGZc|c94Eatv317)U9UbCrk;W*0W$@TvpBviov}#> z3A-+m6q7D>fpuh1aklDtetrd03M%*F>V0vqFKBBNB3U!trHDRi44^FRGJi}G_RNEI zaeoV{oV%Q@BhaTc@ZfhNo35!z38;OU2sFFEz;@r$CwAVn)Usu1QrWEKRjz;4ZH+kI zp)k(`9qnSLM^XD_Wxuun6Cr!0rJ#0Zyo560O6%(DIODktaj!q!<7a=wC|;sY4Q-Ei zUumV(yY`oxe1-TEkN9rERBjynSrjV7ng(cTOTVB7sLGf1%@id(;~VzbWHMN6kIy7AOhP9#BW>$S`^>I$U?(<-DbMSYX%_9%Mnmc)!A_d(ay( zuy`Ak+MtyXQy*Z$DFiZ-r@r)``GHWR`0R900BAOJlut|@gy+u4Hf7jflty!Ev3*8v 
zR&!Ci-_J7S0ET&R(ieF#r*Ja4Va8@)L{&ea#eVN4%70IOhd;>Q^jGq8y8TIhVu-(z z-8Zgk7*BhZhTOe{}z$J`QZt@sGkzoMoY%X&V#DE z0$c@3n>4K01pl-f_SjjgU;jRDBaI-e3A4slfarBT;!n_d!#;Oxr>r$>N5`PGC|?G% zr~AtdA<3$){qQD&A~SM{wdQD(kc@91Ff6@!pijx^ky!abG|A8UjL9iH<9WjvpbMj2 zAX7~WgF*oOZd_F0KvIx_`xKjf>Xe=Wuxy%?v(l_O4uYr@vlsd30R4V9rCwhB9(pPd zNF9BfDi&5URZ6FTC34qD!hlCObG3?*VYA>ol!Xawozr=39(A25|O!-MSOQ0?HIx(9br zYl?}bVfrn<*c%A1*j)^PsZ#L8zBm(GaZWWGeX7|^G3$V?xh2PP1Vrwp7Xw{^3p9nm za^sFF6?p`7&c2Il1Ll_jlW0)~SQl}T$n+G|1;5)_u3)l{(ZS+7M!!z~0;dqL31+R+A@@12ZG8L}0o2~wwI-12YPx+Hp=gU{ zx)V22JSAV8xOP``N~gORYg%ZoYqZvDNTc_hB3VGJOjWGgoid~S+c?HAdV3YLkfo`rC)9Duhzk^!|G+k273|LThfdq3GloJw#Y|KOkY zy=i7ctz3#iw}=Ws0GBP0qQvdR3Wj@pgH(S?gm+iXW9oXJ2ok3`bo!10tkw+N=0yXo zGJ&2B6%$)kpbqH+mvXc1LshSuqGb?}xq&$Qo&#@Lr$Je81v3+g4x)Qhzy%p1qOkNG zoa%L2K>Owka6`oGs?1SJVEoDcE>ijXRhtNH)!y{mC~3y*6;}}c&+iB^8g4V|3*fy` zG_HzY7Ao}AZRLR-iW-w4xFz&{Cc7X*P>X{vM#p_h zEJFb$0Y|uhMO39VSn5JG4Sd}oZHB0YVO{-(^{pzf9X~*Eg+yWnv^qhKrB;I7FB}JI zisIK9JG3wUZWG=4(4`-_Nk$t6F2z`a?i+DGo5pu_H~*_0rwmsT(Zh}b`rMduZm|3Q z-8uuOI0#SnaU^b9&WkDVk9u&NI>EYS(YhY<48D`ceLQ%>Tk}Rx&T(%VOfn(w8kU3# zf{ux)08ED&h*V?L$l6t@2HR}zqR%5Ylms3#i8J#AahV*xU+02noF1{Mv`iA1+t&Iv zbD~SnDjDWrTxKW@g_Wr7k8-C`kTKgM(=sQ;%1rn&45_3&2J{c{t!3E}aOlbcd76Ep zn1$a~crid34>s6;l%hTsjKdRF>&kV+HLcTCd9!#(Iy~djwb=RnOkv017PdE{idiSq zh9wVzaX4%%ihHW|k0})zl2Wy;;T33FXj-{D8Gp+qThIrkc2xeN9+6r)05>xXHL9on zYAU%m5t7mGC^W%f@$&R&Vbo=#v`akiL>f&I4Ex-QMCVrqY4#pSK!Kc2aGcu@jv4a8 z0WBl`(KuZFwt09uoGBXylsUWo%0{P1LY%|Jv$(~#TG!?raX8{wkj5y9j-G@j`O0r7 ziKBP$o}TGai3}})L0F?lu{*|$WQbqk70#TW9Z6jc#>fsk4=4z3z*yp-Zes)JZ}O{tlHc@mMDFkB z-&-RGcgMs6?D&k=;u`koPI%7!OBlPvNYcwl8lHanU4el4W#%yoOop^ugaA_0Y9s&C8 zR@@xILnHLa^~IbhA7+IhSV?75v9x~Os&V)Rq&aR+@nGj}g!x=eWobcdtW=&>;Osih zcA6rdsU!^G6Ys3~wKFVrQ+Fh`&GUZa=4*ISy$qT0!8zX{IXT2(J*540M8D_>PdKwD z`t{>h-p{7MDGo~gw$q-G?i1E7=Y&^20qeG*JlH;p##BMulu}@1vmrL}D=X_(9u_4mC(;6<2`uJXOT9iQobhV@I$D6F}PFxV;4DT|OazHO_%d zI{!T#uKOWMxPb>ugDQPgWVUz#sC@CO+W2?Mj%Y6gb}2L7M2o!#S9fFi+O3_oJB4Yg 
zMV1rGBLG_3ip!2U3&0^t^}7!QWQ755tckCNX7GHtxn5B|XE%2H*pP(WM^hu5uBchAn?###R73oowV81sfq^p|m^aCN5= zN77cXVQw#SbO%*p&Kg2VE6;W<4@x9NLQ$fvA!PjlR;x)}h|vX+WhjOTR|h~g*Q>s& zDZ*&u=$1w@o*WF=o9^^1yTMcw>SYs&5RxXE$-Tc4fr^Qk3=5@#gY> zIJ>82O_yzL)YWau_ETd`U4s7!5df0yq}gW zDK|+GRp2!Hbf5RS{pA@Mbq#o$!=%rvQl3J85AZVl_Vfg>gfRx>t^82ZU6&?uX^9NsHy0*8iEaA=Ow0oxbxF0QC#tLmjBKOt z*lzdHjgEF^G<>kdQWfnd0IO6FLlHIsQZ7(Zg}zkWH)ow zmH#`t`M<6xB=lE9L0RViUXil-zotP>f1e5dWXa3ge@(>!Xg`N#$Pg0x=S<-J|Ax%{ zuZ99)psbAg>`Q`J;>pa=7+tcWxNf^#X_RV*HE<Lo)ZL9AcYM|TQ)26&0%s;0l z@a=C*jWLHjv(VjG`JtwnHoledC*$&wW9>g@;=Gl8JI0 z?eOR?3lFzCZv}H=YLKufkP%Ia&`DhL={CY2ohk)wn)w+;Iu;P$@ zs3cxV{KBllXtT?}YZXYP=I89;5sYb1Q?^jRw571^Zy{`4y1_(0GVuj&3KLN=t_&kN zd1RP_#>ixl>-p2yz1nzw&MP40q}+i#w`f-bH~f1NVgbVFM6LV zY*=86K$1e2_ukEy4=0m}JICYVt*Y`WCc;kKU2j!623n+I*3*SP*vpz6lu;*v>V{h! z$(bA#keA=|f@^rxm*6{8uCV1E<_&vX&Tz?}4*Y&tjeCP+ zlaM4_4vXy^&S6@OwDa*@3x7LBQ~`Mu=aa>u3!HHxU^7@B)tf>aD&DY{nB+&{mWfEJ zXU7R$O6d(>D+v`eMI&264KCtBDm3X4DIg&wONE+EsTEi;k%t`wCv{v!8C# z2i0K7?XocuG-m6UEx-v8``V+XQ}T3iY0mrf+RY4RzOWHK$DtIG4;$VF)a!1&|(=bNr(~7ItqYv$0kdvR_3D^c;tQ58i&rA$Q#H@}SI){YJN? 
zhY%h<kYO?qpdN9k3}o8XxIoN~`&mS|iPKndU~CrtcO((jo$;Y|EDZI( zL-KQ-3@ofV^62-O=N-7c<(7o`>Z?LW{iRl=;;+)82xgP70UJlR_8>QSvi&qTo1V{l zt25Hs@d!vzPZbBt-%!FQg~q%lrBQ0#MYAHz|Ef;3|6P9PzvXZIxBTK4|H$77`tLL- zSN9Ciyt)kWs5;v%FbSBjUvh*$P`H?EadZMKBU#(T=||^wa=-9NHwFs~jx^ChA(A#l z6~5nD^q?{db@@nR0Kuq$HxDmT94SZf6K`^mOTC2#$cqLhy7=hQW4 zwc~hv&ufLGxlYvqUVCS>i`lki8>}IMuz|K4dbH=Nd3-l?+&Dv^jBevbJ4ZO%p6;}y9UI=`gpc-FYv8&i@Yal|rX2nxGg5^uNLhyZ@GFAJ zE|?prYYA2y2&bl_50*I6cQS?$6h2vRm>eB<5OzR(t{D)zSmL%k{zU`aotERyN%O=M zuUaqZojf)ho_+yZ($?+HCJo1{@*|)imf`t6-uHHETCL&jKOX^z5(GUFpQ%TpE6SW>s*%i z_^PA5Lz}JntJ%&H6BJgx0DX=-ScU{>lTWWLC925j2G9#^kEp3qm>Eb}`x7@^=A=uo zE>-i^J~n)rt3;b<1$L~*+rJ@PUGjtE_na>I-E5;h9%73XmA22UXfjy=e_GN0eL!>JM z^qx$u`=FX%^{43Zf}Xm|WtqN{$Qgz(@DRRAe;I)|E}^_yoT2S(D}!GjWeoDnpJ?Mg#Vh5+IBb6s!ZI5?Xg zm(YVrUh4Gll1}NH&__o zm(gw$x^9?wqo-Iw_=prSA}COy-0u4+9O@T3bEFn(y-`=QCXjKo^J@hm5YNYACV@yQ zV9ILh>igy{6Eap18bqQFSVh1Kp@$+Fmq+|=b@wxL4E~jhZ z6%Hf>u^Rk^v{k-!5?diE6P;`T>6HdrvxfcJ1$;^ge_u-4!7@~QZ+f4mvrm5du z35iitC`+4itATXL`|->RZFh~P>0pKM;7bEhD4_y{N)ub`hfpFjBv<|IhtiGR9j!9$)XsKbO8o?#19F z+S%l{TtD!`C#!w5ZWi8N5#6x0-N&-dm1(7I-X#*&o$VVjQ*1*HnEUc-P@aKF@A~90 zNZ>jUJ5UNdpIbFpByn+Xu0!xY4_oxia@85ow=t*fQG4wful#>A*8CRkdK-0SHkSM} zP^s(>OY^Ih`rRkm*UGr~{^!oJw1MGa{q}J1@7tu2g6+6)!g#Y9xg{ap9vq6ijEP^t zOT)E0Tx*@`IrX?+*H1rAed%Kpz{t z`Id#QRH$PE>6P>9I}S9$WD})WjWE3QFxSco*akgpML@gCFt8TI`#4dGB^8&JLc3}UVQI`0yNWzms-UJmd8{3LoO-TGxPFs z_S_EVtBwucU}&ZyB;HVF?-k=uNAl1EL^v_!^Yi76r}_kbefd+qDfk|>366qX+-i8F zhN6Z`Oi+ODbh(So;HOMgjdPOoq?AtzO@MJoigacb=wJCa3AW%vF+7L*0aEXB@cOiR zMp{E_8KFp>f&L)+^3b@kVM%mur89a?zm*yXmbqeQZbGwof+L8Kqb9q_>XqD-TjfJa z(t6{xzmW{Mn65vO%~-roA)>g|=a=PvtiYnjUXJ6jEC^Sk?yppZ+MQI9G0ln>43QXj4Pg&z>Z zd`6<_+ny@v;rP&*)GGSPH54w4Rje>4kf7i~@*x4pd$8e-kB-HI0T0c?e#=|y*{yDE z{>v$pf~{-=!7#^TH=TS@U@?O0svC7^1tF7@a*q+1E1)7?W<7{d!i)@hm|g=@9}kDO zL>axp5c45D{&EInOx%)%_#NlMJG+Z;X?N|tlyd-LqxV`W)L-^_I6AxVc%xpXaz@Xf zX*Y|tQGwO!iz{)WH(ic`{m>8Hzf%9i;I~87Q;@D%ffBk!^w;8ANI5vUH_@hy6h}qU zAw`*d`KUEHEQ&I!cW~FvLhnwU0OSe+)ikjk8Dafa|X+eE(Gmur*=7; 
zHKd$z8y(F1&8?D+7Fl6RDQg#&lDBF6579-+XgCou8fcvz9CJEmaT53eb4iAMM%7xf z=G$WE{y)mJ83p`^waUkF^V0tl2XO}1r@q1#%O}rd08m^_x;NmCo(W|V55HGTNSi~^ z#nbRk0U(fS&`gO?7+;(6ID}pw1Y^3+qe0rNHHdLTH`o!V)3USnNFn5~pIL4?6uI&i zC$GnG-2RC8k2|7_xnonvcBSu;sx`8be-D<{`y>DVC6SU%`ja2U zWxM}ReuVK)H<3vDf6b3v|E?wV|E?v<-2c>)wATNrC53;DQ0X3#PteTv%Tec9UDB-kML4wOVC1bKuYJ@cZl?LG~OVUDFF0R zByARxTM@?dmK2<1K5I>@oF~MXi|xU@&oS~!z2(Fu3BM_a|XjEw83mlbyrcw~GeE&3e8 z&b3n8tqs3sak$ch+US#6*Ggp(C`1L;4JOccClZ6}g+lnz` zl_tX?7|An4?r1eMsGl{5#fKNGQpK=Csb+==OV)0WEw9ECaNai1vig3s&O8Jv1^*ozHFir`T%upw_2u_UF9V3=Eq_#{nPtlnDY))}=~ceB%7%<}!&xwk z3@a1>1KZpUwuUx`PfFOX23`xswA}`|{0N3K9!qgCZvW7Yf(s>M*fZ!>-?m?Koe9wk z@vQf6Mb~C}!eCoTewTWeyeDgB5^-8dQsajai zw1|@w>#R}H1-psF-(aA=+5U`L&CfvW++Le7s&UQ^)C1sW{PX{6D$T2wK|z+^{}r-~ z5hPw>2WxUvta5tv#3EZsx5(L8x43C`_wb3PAngQksxasn$8YkOtWb3&f7M_{Eo<(9 zc|mV(tKJR09-PyZ-Ne?KLA>g?Xp8WlfJsDQsCej0CECw&nlK`5X^sLcF{oh>AS&bn z(e{fJJlp{_N|?CR7b9|&5ch!WR0QjOPdf92X)kVM6})U8%nc8z%8PqlYQ4LoKMa$#h)i7$#R^IqibPzLqpDkMnO6ik9S z>sGKrzjrFpH2iYGs&VLr+TC&8^dZP{HZr%|Tj~4yxf$|d4jDAgGWQfvk-pcp@smx> zzc~^K^&v_GdRN|MRBBLce3$)`Woa2{LL&vCz&j#yzYYCf5A5fD->r(P81_#ypkB(H zS+uqQCw^oHk7o>GH$FB}L{3QOabK%fww^ckTb;0N2|yP^822#CEaW@6))*D$HT&Ye5ZFttoXN6eW z&KDD)JbPT`>fVzfJ=&fsCfRX_dtrf!DJ)Zf7xnd+x^OPYDA%2tB57{e&vWucFL0;k2fm6R1wuBLXQemZW$~Cg94}=jgXO(PNg-JhLv@<_em2gn47LxGa2r!FBVClnxwf$gtTgw}tT-|cVt>;5gj#=$@G6HWbFe!Uz#dkorv z0c!mZf=GUW4#x5^vn}d&SN7eGh_bzXfk?fq=(z%?6;NJVxVxN__1CK;%~hzfQycDcRUF60W78lYEy4zKni+m++^Xfi(Q2~jyiH8=$!e|qo}j3d=b`940~=QYgt?|Y zhAb$dR~)B2t}3f&K8Au(7PE@(C6h~CHsxK_$o@4xc#i@XFK8v!EF*YKZt@J55-TVP z?)PDM8Dlx#9FNrcT7g}K={n)|-ESAbt9u?=O|5!QjxE{d(?NU`u3Z%4VAx9Xxz7x1 zVYMV6UkzT7@2u_IQa0%U@E-s$ED|DJOc`NW`7c%K5vcaIVT8}W6#-kbNP|@+fX{x_ z=X^tz2;8GW*oV#pFW zZ9MT+p}1oI#N#gxmj9K+Q5$`UN{u?vPP@Cj)jFb5P^3=w$mW~TYzUDP@d~Mw%_H0X zpWH}x1UsWI*@pIeEAfzvzY03~8ry41Mc{F*YxmOpAcFB9o8?G7mQ_<-`H-cg!5RFlVM&$O(Fc~Qlvj!<(q2mT->ZJA6!S5~?C7{@M-jfs)!A1A3ik$S(b}l`^Yb@5XqW z9nEH&yY79+T_3nSJmqm} zdlQ&%fpYOKF^yL}FM4l4{vw4QlwLLc8ONp#f+C_~Dcw|jk&Do==o*3xp|8<}!n1;w 
z|5pEHP!{gvv!DQzyL1#lu}4R>I5BE?5&Mw7y%luX0!8cm&P5{sWBJ06y5hTc$@#Hh z%fWW;yo>HE zSL0=I3><626zvrPR#=*C2UW#8>xw(%0o9zbJ zYWKhO#y~p33EH?|E>ywTcLL3*6gMpV+ff6>Th-6QJP;WP2sB~{@%N?KpC7JhREj7I z(l;z1co-?eju(qlS`(dmDo0g_ayBdvM?v`R!iK~kMG(gfynpxd#kb4NWh%T(dF_VQ}; z-u#kDHZMC&dP?S@(X0{l`tjndir@a}*@pl^h5##Fht4y7#kn0o;V9NWtY9$6fPzf>0>mfk!KE8*p|yC#rN*zktK;6>4!E2NkVz)n?m*ewDUU^ zp{%b`P&3dw#a5SYRwj9Vf|$`Wa;W6xQ{V24o2J{ER#a|X#a)A{2=Zw*VUlk-<+BDn z!q`8(bqD`L)kclwDTpM(_YYYe3~VT)vh?qoTfmt%{8AC2F@pZ3IFk~=J(p}7wGXu3NU zYwpRGW5T>mk$XvOfyylX?QyRy`n0_OS7H*T8!B%>8PB}Zy1>2sQ)Q^tg-2y&-BBkP zhd70P{o?eCcFNvJ4-@vZCePeRmz#~9*4x>Iw2PXfd#kUFiZvCZEu2) zku*D5yY`*C)Q%d+vR3&euu4IV4h|CWhbj0o@@>3-Uat$Ec~_PI{-E9h!n%OeD^L!%&@1h3 z#!OYx8hEr)DA9G7mDT?FCnz}74pOfoBKaV!bfFi=ScJ0)eWdnm+oJwP$T~(rAEKsa z0lz3^zRW}K7`uykgYRCQd3?b4Aj3ZZ;N8dU2wBe$PH32bySti zKvTocCbAH0$|d%$zmbUKLC_M!-!joNEKf{}k26jxJ8PeMA9TI_X{uC-ms8%*qC$~#N)2QoL(YXZ= zG8s7FY_|d=5Q z{GHuIzO8B}0yumt&5o1i3OldXBb`h?*MTDssraacs(`mgr~H+HS>_ke>Oz!U@{X2_ z)QK~6bi3*!deji&CAm4fO`9<%>2&QQzOO_(miSn@w+AO?LZ*vn^lY(la!}}DTe$Zw zntdF<(&DlpSBXXFPnDerP73{DH_DEvS=bWiL)jNp|CkL_=XVGWnb5{2NJU8_>35E- zJ`3BWlm$uuX5~Y0Q`eT6Z>9x{{0E!F)|H^ng&G)g9ZZKj+Ee0;;b~{Hgpu(M{-$P@ z?9=MnSNyM(*(=L}=nxAckW7?va<;LbNHB#?OT?REY>;_sTps-0`naksj@ zPr!1=<;M5vL2ynWFNeA>;~uwV5rH1o9o&{gKshb_huYxA9=F{kTvS1P&GB24*bS+5 zYuPpI$3-#>^kcH4qQ(mrMnBQ}6IageFnx@h7QzsVC<6!SCwpVE22JUcINwMVL0;Pn z#2d1gNojGn7`(xvbGzqJt{XNaoK#^ldk6~)cq=9@Z6&(L>Xe|7af}MLxl9?LjlXQO zJJ_ZkEkKzbO#i&&&Sl3+a)>TGC`jr9g>};^ymt#Uk?QG$^Pf0K`|qtW49uo-b1H|* zGx%#lJF>l??8e+b{bH+3X3CD^_5AaaPPF)s`rP2%(LFHvA@C1P zNUr*XSQ+qT)8%FSz|#+x7fPuk_?1-ExWwO7fPn&UlF1JJ+{*qsyx)|0h4f z{3kyW{6DT}!u)4N)-Z;DtyuWiZ^Y~RuZfh$-_@z+-_^;4`Jd`EQujaSlA^y7DP#Ln z?FLx&`vdhH{oi?{873U+ydmQ3L!J;wmeu*R0gyH(aieBQom#JKtoZgV^mY6H{@Kb=(CCxiF0(uUa8OLwzsJjcQd zJoyjX>8WISokrrl`xz*X2~l$U2MS_G1;MNGR7Ev`0PBDG0s%lQK6qdAYxBPqq5$=B^jK!e;je1*?mkNQR|rng_(^jn^kvd z^5F&mE73Y7)w{HY@IreX;;ezX$MKH7w<6eWdE6BGHS7Ay-AC>ia z;9c6spuHQvbBFq@rzTB#=uloEw!VuJn!_!-Wq{tL-c(b+l*9AE+Uj*x&EESa54gI@ 
z3HF_nkk8p2N2Tj`@xgLrV>a_Z(oZs$J31&`VW=68;FtQ_#~XLYIHaSFGyb`tH!=bv z({=g1e<+~(?r%PJ@!BL*QIe10O8+Oma;Tc6yx`*{q=H$&-1Q@N)h(;pR9q}u)(bxg zQW^!{)Q1D9%d!_emKL2mHrUx8A6`Xiv_`UX)WFHW`eJUrDK>kGnW%kPccv>%s#r;p zq{c?>?r3>kS`6L0MY5VvIcO!E?m}CzT`V*AoRO@;Gqhjt1cXN*U!`yQ7^X&W{eCC4 z)rQlkD?FbxY|zO%@MDZpShvCcJ}2@^5HbQ|cnq3L!V4%;x3~Ah_`G{H(WG$EKew8P zGY%Lk&k&sjJ7e{^)xM9*nj-2Yth}gL-KsK}yB!q8lbjhA&Lj?jYQL#&8>F{IRPsL$1$uoFXx}JH!!m@XEB<`f)zHF3@&OJql1(V!?Mh zV(=5L0~abZR!K+2Fuok&D4N}y?wB=u6aA%(aT{rS&pEp*wAOBNpb9xiuG*wEMT(<( z?cjAaecR$^%(H858EVhd1?442>>?V%h~O@ct#9GaIq@#Z*9`RdcE2GQolONU7n9k? z-a;Asw9pfF7hBRQCd{Kp9#A(Fv${1#g}iq7XIG}#JQ~~JjuHry(Cy#FtwEQ!$i({2 zAndgU@*j2!BcpM>NjLn5{f)WuECYrC=CP4p;;D(Lr*)U1$)(J9?ScXEL&B-M^FQh} zeku^G*8p>YaQjSz26l;vAOChAN-!1RgMvYGQQ?WPDFfDccRCUpbY3jy9ziB_*X~~1 zlNK;LF6!p2Lx#X(Fx#ga80qD^L-agU2zU?05gSvmJr%`r{2?ue?Tf6}-F=6R0dn#9 zu0^N{sFsN6F&(pu4h(n~g2o)O>Gkr$>>Cu{`e?5_=0xJ5LLxI%It>BGQIF;uGVkJj zuAjv^YE&&_&My6Asp?J>tf@9^U}gty;p{y?!c2OBV}T!b@^j;>o)t1X3nQ$(bWxjzeAHnd4|O`Ine8d zd2Ga`fG_wK5}v&UMFtUolBvY*@>tm-=uYTSS)wB^Oq7dk51%HHbLHoT@wT{^W>b*u z2D9Z{fC668ugD7y#HAm^mK=rCiG~&TgoUytK0rZXV2FRoPy65H_xxM_>VL~`x$%$u z)yw~uzv5xxe#2n^Jxwb7xw4EKvsQE7nRJb2pydYCC3$*Amn2R=6w9Vb^8s#8HtG}k zVuK$d`wMOz!1HbUklrof{m#QLed%&v5HFHK1^Wj@@M1p#tR*fkqduML+g5(u;J!uI z>fvzkQS)*j%{y35(xKj*W{%54085)Xj4{H3xw5us!Lh@RAb6`I(`*@FRcJ-NAhmK% zc=A^LvP!+b9T{5F6zAh!M_66+I3{wxm>5ZfP-!tgOjjs#ptZKMYtkSt=aKsvaUr8S zq}cIVSWcc|9jW~h-_}=g0xs<~EU$N2h0L%ehH%poWwZa=F9*j`vd*AYUKy2%&~^NO@KY}K%tQm>0t;rAq`R}$x2 z(&#$|GFM*%cVxbn&LhdK1koSni- z@QH8kResI->Y{eM^<8#MtAwN}lCya2$<}E~WSJhbnjOaTwX(&Io>m%zh~Q4lUh{CF% zqxO4E*lx~t)QcBDZpu}RaHkDS3VDPs>t%0sh!LaM=AD6d&FY=QjyY(ECTNDZn|p7g z9c=C);N%VD99)&cl!X^wdxL`{wA5lf;FFY<(pA$plw?;!+oeui6;^#prGS8zDhioN z2>!AJHej`n!nW_~ICRki*n7}A(LH`pOXlb6W-p2RwsNo(6bwNH_NV{;jkK70!bG`` z!fI?B#&09SNZh>8J*9nkL7jq9Z~!~1XUjJc@@N!&mE-rBp>>Bm5tc}N$%8IJ62ATB zZ@rC@i^^DClBI-n?ts4kuyw35rq^}qyC~>3v zMoiBf^&LN+p-LL|Qzc5l1*su+*G}}YDYv%C87C^1+9vmTx)N{Y+u5C-{8ZG>+-#*F 
z#u%qI3>rM)q~A?U>IN66t-s4YQdsPhg`g4K98zSepQV3$Y7G*1AeLQYzQnOnyH>wt zw}PSzL%?5vaC_34>jMI7)LFW_EF^6EtUzA~JyyBClP;k>%Bdl24Eww!> z>`lCUxld!-7=ksdAb-VAtK~~;sJYyD*z+Ci8@*$6tkv2->vc&bNpi?N1+8*oXDc-j zL1xhV%ZFpyuoz1G;uwBB`o9~EvEa~4) zle4HR_cd4$aR;lshu2ZIT$cSxp3wX;`ccT?!Z=MvmyU&>y9%81V)}CJ+@;&wfBGBR;!FFyGW^z;sqGsk z4kZ`*>0La*9WG=EvD$u>q1 z{w=?K&_D8%Uj18sARu7$|NrG5xpgniL4+Qm(^MnAP?T(RM42DdUz}khozl&K92f?L z00s-qq9@aBEb{se2?ifH$RLCPif5$LbY3|sw7U2z*e&6K6+Q@lm1MCKYs78p@R@<} zlUIg{OS4y$y1}Rz<3vPe6OTu*_oNq=5YAaS+?|0@mjn?|$wGp6K1wpK>$$9%K)1`I zc$;ay+6tZu((@ZqJBs>;B9el>Bi6M@7H1qK=>y^`bB8s9eX5=(?t_b?5)$jx{q2Gr zuY3giAbyGgX>D!AS@Ax0#Ii4zk<^m|P|$A<7wHUlgPz6X)_W*bqzET&h$^N!>O~2K z!W2qXKemA)Fr2sfls+eq`-RbL1A5nKB25~`ozPVBTpaazgGcQ=Hp(Wd;R-hs@65)V zkOGkvh<$=4bd@Bf3twVV$~Djl#;|DWmCGmuT6UruF#&jYB2Z*@9Zi*M;u z#!M%7ql|1-7mrm;cOQW~-SC@-xSs8<+}!A*9oaxxW{ivuP4)JI4e>e+%#_BK=t$Bl z6$Vbt1<&;BS{X6~o=%~x#G^K3S*<=57Eod!yGdaRah_lUEeJw=57pZQ^foW zz}mb)+T#bZlyo7g2>TKyDbAtXJXIrj_ z4X$5E!9|Jq|Rg7LjfoVUQy7nV{ zD~Oy(I;;Q zruTfjLkL38WPCw%r0`4tTJYoGn;DG@*Pr*omGPh2wIuQ(18A~`W^J7)Y>pZESRf$F zOaRvc-;{y-$|eT5m(q(hVd7f#-hnqXQVDBG7|=gMHFQ2g3xR+!g%H+?-e4c8*$;Ap zV;s>#x{M~WEyxJtPaNKfm_GP(3!T+|U7$0g8{2Tq%Aa(!ZDk1N8qyM$r**#;X>JjS zDqMnU!(V#-r*FJN4qLRBJZrA3uk#At*_9DAnb>n~$AL{{kXOh(hRvu|SI;zR^ficlPuJJ60l za;$4B4a7uUd-K^~r9-;g5%Z}Bv?u;^FCzaf2uo?MOja=k_IpxPCmOw0J4ptRm&T?5 zmC9W+nX4aE*_zpoZOJKQ3Hji||L~b3L3;0v|NUI0;URnKY-~v#ec54orSs>nUo3sf z9Z^m{lieJHq}rIK?Ewgse`etC(h_7(-C)^#CGRiiBW;xRYcXv(*Lj zGt^-_r_GbDYjD8P^!VsO>l^X2av$Y$MVpCe$)rRmjsbjpMPzyP?<;zcWsL~Rr_0Tf znHMOdQG%23{8j|vYS)8F(-=|%+6p!o$)?3##C5^Z7|qepk%I&$rbaGGBeda*PRjCI@rup+7|0CVx9Ord65TjJuq?g-! zid7-5HeZ9^i1FADOG4~qUt4bvi>GAz?Wd zcuMTAHzTvnC}!~0o?=`(c#K@kza*2@cG^Dy?)uK+skCAsnPhCLrfp~{AYO-7ghog! 
zSPKq^iL)TvVA{;99+SbLJgYiGu}}RwzU-;k&G6~i-u)fv`OlD+2xYViUACoxVr#k9 zAIsXK$!-8*mKL1B;k71!p9$8)2aE?&ARSRP>)aMxx9e3Ix{{I8YZ#olN$?dq;m1C7 zrCzuf46H}8uty5>YaA_Juv~LL^qGTKc*ZSy^0iVhFXF<=7#E!(A#BcF=Dr;k%&Q#3 z(yPl*L~=PxJ7V&YM!fukD0TSzo`_D=@(%Q2D%2)S;}m3pctSVn8zM`~(ED|5=J7=`k1DEju_<@mJUE6N4ribJqI}wp=F+e@%0n{R%<8m4`ve}K+1qYd zf1p1|Zn~+;+6V?ERmBViAu(aHC!<7GS@+4`VOw3M0MGwTU$qOQ3| zgM?ACmLp}Dvj-rlkeghQZyMJ%meyoWiN1=gvxCxsJ4kM4dK9d#XyXi)UqPEYuk20N zt8aGE+|J7tG-3WwCfAf4_u*F9`Q@wjHt8~yBWhJ&Y@ytEerwBzu~Cr+02%`%^RemI zDH>*>y}@JE6E5sep_D3X%t1@ryy)WTEeV z|CI^GrsYcHSC@unK{_HCq}!V-pgPa#zQi(1KMt1xW2vh)VdbpmD-ehUJjsQCpE`MB z!Vmb=V4eVM1Qw*Nida$}NhJ>Q5o!BM7HRrXb-+r=920l~+i5)AYauQiyO zTteGh24mbz_u5+kH&wc{#T&%;{h_*muY$_rc?QGn0Mx9`A_aVK_&m>KCZFhW;4~4( z-`Osng#`+*XMnSKY)zY`Q$r8;ks%4p` z@B=dCG4ej8c$h(+XA07-#m~p`x~G^X*jdtChn8a`J&4rH9=@OG^>3>MunBQezvlG% zn9+S=YZyfxb*_1HhjZB!1}oEP%uk@)MxxObndW|w&e5G6S=nsx+eAq8-q|>l>@t9M zjtnTT^0W4VQ4K*N?VPU0X8amDRlv>8ZRJ5XVrPxu$)*kY6Vxg zjpQk*2GT-f*4);etr+VJGGbWQ4l|kt;yPZuv~<{CbYw|UTb!)}ID0^NAzxSII4C6c zR*>p2wGsfXfEkwEQh#Pa`pqA?S~zF71qZGD9P;CQG$!uWP$Mr3nd3yj`}tX3h%9}! 
zyRr12+$iFwjMWpMSBHCW>EYHK8@NA9k>t^3V(rRaula=3xq3LlwW9XiTr{2M$``jD z!UJn_K2Rs`%KG`t_z{ed26Qt>zWoD1-qRbO7htiFWi?6A;U57@&?F_R8GIAe|ZKN)0tRO2m zqbNqZYiv8RE;P2$j$CmdrJZTWWNXVoxrb2g1z+yxDc861Fm@&INSF3^t6lVZfY7|s z7Kv2!CD2h>az}WM7_JOO@wmRih)nQ5nYc;$4M5KN>a?oi|QehPq5q-1H z!l_KmObTn{j6kFF4x#%GqEnQCdVL;enxEZ&1`pmVS8dS(9uYU!L{dx%Fd!t9 z5G9`Z=HH`jz8Uv>x;)dt4NWu9q{-A48CX7$+pNH9X9PE{j9{05nj7LLYS<5718hxl zSca-#fnOkkgV)$&NbmoRN1lq$*mPR-6Md4WiaH#*^gZmAL1dZ{2eG2H=oMIPrNEO_ za`DA$`b)o8&dvt(_*oyjD6-*`L_PyaL{aIWkdv2FrDOMHiBMz`-0R-z&^|Nw>4;;_nQQCTEulu^tfMGn!8VUN zwY4QPstTFN(89ZY=!=lYDEvPu3LP5SkWB^w&-|6MvU_M25;FmU^oz~Qb*^F#0(i&vYM9DDl znEGjO%*Y{s03dW?lOS{^G>7Bzy9SA*mp;|ObSF&YMoaR&5NN=P?WBM_bhF|m{ryPL zIRJDSElJ@S;y-av+C!={>fRbR3-3)*zbXs3hy*)=b=D`>%ZKRX)4&+{3CKN%9^pk~YSNsXJ9SxtbE@#SU|Wbh zvjjYfO10bDGnDOY%MJ8BeqG^Jp3y|q5P&-j(#o7(8ZX zwm`*5l~S+L%J&qP=GgGohO-+7OAkTMwCCc$>|W3@k^yzpPJ|0I)9b{W`~Q*lj=`Nb zTl;TpJDJ#;*tV^SZQHhO+qUgwVsm0A6FWJXd;j-y_WkU0cGcM@RsHs={&uB5*ZQsQ zUTfCt@=2F9?dKLHHTDebkIlqdvF7?HK>w<`9VNrcjA<$pns39#t4Yw-X(`96^S8#plHA+6Sj&ikbB+dx1r!?g7;8Tu@Qt)9AEf{MFskFo#cl1tan#Ee=li}qpytrzI}VzyZbA-h&2;y` zFzBk;&LK8R1O%08K?SLCZ?1Lt1;by7e)d9Kd@O0Q3Lm%@0mD+K9RQnwSCF4V%)*P~ z;rFeiFus$FHWffqJ-`eKCltibO4xJ4>&Ah6y8@n8O%GV`Y89Oi8oI>}AbkV-?!)R` zqNXrk1@*G&Vf7x*(u><9q`0RbrR5%!5>DFf)mpP9ar}f z&gz#(i-i+J=|Cu8rpixAySDVh(}FOV3u#MqDari|y``6iDKzVBzm28jt?Ci!MLuHvRyC=q<*p@$&)`JX8nT!k>iWvo5IOkYD0Rl|5!^xpZ9~H|j zkT_=@JpI%n4>}qqk7fSEBDI!PSI8X!7~B-vm$kGc++!+NV}WZ;iL=+9z^@0l&lOE_ zkl%fO&~~YlolYhMO|G*?8~%+ipvY>;S}0OhkTRnMcOOrWsC;O{YZI=nj^aHD4i2{B zKULXHn?wbJh@!-SMuO<`>CbaXb(xKi)LY5ZnPkml^1YZKamk>AndkJKd+ym@%JG=KcM z7iL5OYZ-e>FjzW|QjaqZAt_QeHva*3eQpres+ypP!PDU`k=*EY`dVck6E&7C*ND@P z-;>FNQn5iY6~OVAnBvDav*a6U4BtXjyvu*_WHpSH&ewvOF@{5NSLkP3fQV#wzK>?( zMQifHQu@30br30~QSjd5&#uP9T2bSjJ*dn2^!c5F4o zB+-0)jV8O7`fcWW4=~m3=$N>YGoet5;O*$iJ~!HQfsu(`M}~I|CanI#TDwjYx4T)c`|byLkD`Tgc!a;>3I+| zLPf%AioFK7o3oLrOs#CF7V)Q{=gpq$T$|8<*2d@{fH$zjtgfGW=hIr!hr@sA>Sw^8%I zD+&((_lghzMvnikXg%^Dvu3`3IcVA69W<2qpANc7@DIhWH7xy;HERF>6dXVs{u$LG 
zb8RmF?Am=5h7US@kZTZwppV*=2>ueXttwbgrXYSY6WTslx9{M=z3{4u-IO=T6^^~@ z=?aq2{DB8!+aw?erDO<2tna1iyCu~uHm5AOh_rV(Pt*FQ6cqQnfk#FM-(80L{YT_J zYF+;Nz=WKBOd^iIAk#FUY02WNKxF|_+Zz9%(MN@7(?QK5)Qr+{F7a<5#$9CFC%gSj zFDc%G86%g2J$M(+9kwVEIm;sa$KrUcDruC!ta}_D{$vLdIOeW62IGlVsu9G@^9QMq z?0JH3o6rmtY_Zj2I!lcT-2odJNIe~w@@#nna3?MmG(2xm_jj@5@3KH zbSR5wP@wMK!g%~B_Pq@oVevbY_l77Db;OOK8ZQv#Jtd6H`}H-;a2QCmpak3unva8O z0vCcQ-Sre*+>3$LXh|)afPi>~i;1?>v6loJ1l)@Ts2CIP_90iJOqQ;RAGj}twq?IM z_U1daeqLIq^#J2|3xap}5c&rx!Diqu>P)MFQg9q(Ho>>trtJITMP-5zO>Df~*ZAV7 zK^URR;khb-U}%p`bbhZIud(*gOdy0-KrVa1#bgLYpseD^x{g>68E z|8pLv!d~>cwG;e-GQO_XhjUV^`&u zWwZt~=K8I65}+Ewh&(HrR}dM%%&|s*LoN##i|Zrtbq17k&tu%#9o->gF9*vT8YKYf zRS&~gW%!Is!BtoMpp~FSPcy?H`vvVN*d!MXwD{t(#xL#&xn3#2*Ek-mL$r8E&u3`w zuCdV8g30>3*}Ab)MHfhsHbI2Y(op}+jc5*ZxSRzRlMC{u!0eTo@IOh`^Z3cRz2Zv(>7|7M`ZaCuFb)a=wkxIU4+c5HOw2{+C9%7Hf}S$vhxgxt(+M4dV&y zD)z1ilK_$(m$qRg%K75^c(WFcg}Pt=>V`k4i6dB^zneTtCXvc!)xpO}nZ+7qXSRv`Vh zY_rFI)Z2mw;&zk?d2ckRdeqfCp7lb(AG~J2C7%C*Hc!Ry(^VtDRXJ#Q7ad6!CypVq zb45H|7aHUT4@2fzg+6ktVrD5sh6`+l_!A!!u{)R(Qu=sHBjv+#qJ(fmHKvp60rg16 z`MNU(ThY)9+5n0NaEh#~X#kvT4nYXN3f#N);P~a-rYp7nFrG(_V+@lU%e;jo;7}(e z=Y{@lKtx-3QhA7`$O*n;u|3L++&CaJft+Oky^bSonB|qfLEdis`?) 
z&*?E#g|J8C?{vFxB7OlYkM!o&e)mW%yH!*lXhIV)pHVan$fQx4;RBPMs9B}A_-P28 zzQWV$MEsDnc0T*d4k@jh%Kjne!3R?Hk2~4_XY%{~MgG#ilRs+mpX3+2_&fOxLeA?p z3x9aR139-`VeRFeSOCS;xW>s@iKno!P*fJzZwsa}Fe<((TRJ*~*vzzQU|Sm6WI zyyWa9t77rhGF6FSV9+XIi8z%pIrwK5Yn#Qcx>**(V((YpQGjyJhlOmwfp@@hCd7J{Vr^{s5g>-`u& zj7kEjj5Tgk>!t85Tc3(xk*Xyx&P;wPgh|?avf5NyL=0uSKbh$|4|f4&^ea-lv0u60 zIY^C1JdUf4Ah%y-Vbr5j3SX9h3d6sG8)(qsnDbiC0z3d|Y`< z1A*m$BO|!aPK-SOE zwAf>_pgXa=RN_Oe?66KlQKDpjm&sx7vcY<--LXUL{Xl5-a^Zp8(@Ydgu<;_JlXEO$ zDJd;%*o&Wi@(;4v{$D5aSPUqOBR9uZbMkR#Ulz0d`x?8eOgkU6=Gh^YQ2UKEA@)1` z%g*nvTPYXNli-iCJX06wJjFGH79%-pk5Vcfzu3D>z@ z6?`AOBy#jax^fdau^n~onh&3bm5{jM%S$XtbA2_IA@4>B6hZnW-mXAt)MLSo|nD3^27*J^JZItO_b7 z1QsbGhQE^cj124ECwtN zg1aP}h?!1_FwNuYx5#Y_C($|)y(rS-Qsi*v*NQ|5Ept}TimC@72)vc4BMti0s#=2V z@too9-A|mzqm(}pd+*)5XQd?j2|Gu#ailLcEu~g8)iQb4pCw*Xx${)mWS;Ji#I8)9 z@{#O%Es{$AuvqpSqiDxh+8JBRr3YypQcNSPe8Co*fS{g&;dTsgVQ7G<|@$m>e~ z(xJ;ZZg;osv|6?yM39WcwxFjIn+|SqV_UA_L7jBz$R`Go0dFOnjRsL;iv5<5@^|6G z%3%BA!Z4CrJd=J{g%?fygXFAgOIFDv{;H*LvPoUQ_}<6ej2+m<0r5}>4vTN7Spp}= z#28J`9jY1Svl9xU5^TjuE%p^$ma{3OUQYOvLU;*-F=4~23q-EDjj}&HVMu}VqS-DN z!qh240I&5d2EyLGzPVbW;Ni{R>wcIu+XV1GMJJdBzrP~jJ9NN>D=`RWt-hB>}H`WA~+v+I%=WRn6QgPExYG%mIiys345V zJno$4x?W*{tBV6&$`9kSvJ4d-A;UmLyGfZTq^Wf3`qsV#EbXoZ`+fTYt z^RX6VSff2H^Xn03kz%R$%@AyN@bEf$Jmu(MYXt?P6OQVQ{#Yppk;2^hyGK#4hB_J* znPuQ&NgzEfC(tlLAbGdFN{4Kg(R@-$Fzj&PHC+rf!~xv&iNKgw6LswRRktAaoE&+p z&O_`ipu2f*jJnt9w%!@NX+$uGW?$)pVUqG{ZXSiR-%ej4VtT`!7u|1+ zS889zux=Rm=D>Fvx;C z0>tJzVh`rU$w@d^7i6TgB6wy&Em6h#2c<0%4my6F##MzaunNgz>)X~3Uc;d8<=1R@ zfqXWvQ4sWY-f$d2%b52gpecCE))2CL39$g)k-$VGxEqw?u(2@4juvAIDRv^@+ZVHZ zzv&KF`lbQ#JLu;0y59WOXC}J8uN@aVF9d~0Wqt3VqyoHuonB7q1_4r8-^5r*SlZPe zMrrAsVaixjQioWny`Z?pg!V3enaS2lc^}Kr$`rZz>6;qKfv(LU&yZrR)4^O@a7;I& zy)WUU-oeV)$RhPo8F3|ab02l4RLIcjmX=~DTd08HoS3j-8$Y6&w`V} zOQn88J41sPa5GXZGMeWdH>P}Vr}Jw)%Vh@Nhzm8eqt%*rbyQ;E=ivTv%@z&@iYQLV z>cHO8^EYPSq+stWjka$Js%~%fsh*XUVU>5)S3pk15T=|{?CNxt!D(Pn(pF6d7|Y-V z_~r+-*LXXJh0~j876uH4pNbeHEMY>hic-FC^g?YH4JZR1V#WN4@#*}Emr 
z%vsU>Ri@RUm?>fj{W!$t%@*XHunm)aU^i%kg)fT6-f4hg^gJc4BhS=z0#On1XufBH z?h+ciqCsU~9x`(muCPwK-3}fCyw{U2&cutN=#Is95`Ge(Dme?B5G`_FNJz`wdc~U+ zG#Gb`K6WEfez0a(VaZ8V5fzPL;lDqFJ@SenT}D?GFxI z;1Vm0)=!Eq;Y0l>%RbIkr(B0T{bOIwwkNPH=!XVaeztBo)S?97;S)g3z&&_ujqW3% zwjEZsf%^H3hMFku~|j!rR{E6f0|Zo`3tir1KdnqU`HBQ+I10Mco0&K zcp{CF$Np$V^-dkk1QxS^o?`1*Nn`{%p)ELj2{iAx9LdA5Y=6SKA-+5gGn0EY(EYWd zXz)5r^+toYZDu0o4C^gU7f**{6%n~dgd0})%v@9D#BTQhfBz%mEZun$Kz-bjzKFw! zw>-lkAP!46;8Fx3+9~+u@&FWP+wnCH29JKp_Rjmf*5vg#75bzDo>-Y$j*2%*`o#+q zN|p0E(+iFzH+G?zRa-BVlX6=IqEt^`XCmO7hH;bc5BYPx$p7DD%@Q2HGE#Huvj3Am z!v2%-`J>o6{@*F4Vf!LL04V+6m8t$m@#XSAW~2iCa;M_IyHgtWKix@)?SI^<@v8wl zoKXIHc#+cYDLfaB01SFbGg&YHDUIJu=XyKHIWF9n1eBLX-lLlLAdY7t@-Np>+n6Ih z{!PDAcPT!IR?lNAg)z{8gzbNYOLjiSF3%vj#vs{q!Q(6Iz`CP*BeZ(&WC|K&J7x3G zU)C0a3*B1~U}7nt1-dq0tl5UBQln33E6E`PAv4O%qA}+P^9$i#Nj3wv#e5ED$E1B^5ReJV0wtpkl%llJlgEVyoO2t-WTfJMoX!ab0=@P8MBrh*YU_ zx$E90n{D@a(r7Vw0U#=m@jm4|c7rX)m_Q~Cc4Mx{;)%fCPEYmz{<$ttfow>7#P)jb zA)A0gF&wK07wad=^z;-cjc$5*dil+=`115S&A2IWe=LX>W@-p4Rrc6yfDadfO65|L z^6TYnn6qRQH&sN+U9C+w!XBD)S97B^gLE#mhjZ3ExR#=(0AaNX*!QOJM9hJEK~ZvB zhZtUSGa|kOJI>&D|ikMTwz+~i#(0w+jlHnTdamg+mfdS#GX;oF?_R}HDUH7X5!{7 z#?P1OkVS5xi`Gc028@f}be}^MX|{}_7OCAB1~b0; zF|JKAH6qJO50S>rOCnQS{iwUFUcMts;&E}Q67j#}{7oXPj6P=)5dB2mNXC!HtV{$mf?w(97Fe37aFwU6efGp!l|IB^#9ED_QQDrWY` zj%K&bW+d6oSPsb6+tz@jxU00@5}(;}bAmhuN%@TVKFR9cwd>q#mn16>bZW)$YPxL?}O zZnUGG=N6HBbleK#X0CFA%+kJI%}KR}pD3y@-w^q(2;|r@14rQY=V_rJfcy~Cq0`s* zblk}@);__jKULVd-oxVX!jgZqx+?RQq~fVWzO#U5mm9&{3GK|*Tg+C3r}+`K+^jb< zt!0qTe@c?Lm}Mv_j&9kt><|gtr)F%{_YNC0ejHjh-3nZ5yopsP8AFrJ(@V$8Y<-eE zLdVB$;~6(iT-H7o`qdtL?ES|AWG^_1u@*j!tjrv#2_%k-tX!sZ3?i3RXv>cv!C&Fz zQb>8y98v4z@lJq zo_Y?L9Q~T;$7wp zS;`wa@O3Z_+Itsi)1kP$=n-a4g^}o0b8~OwWzCj{IBO@vownFrRF_jWE_e%erh#5w zf5}PK8Oq@Rva?fOgw_#?7y-fxA`T=W`nn_sO??Jhi2zg7g^=?8OCtp;rl?*rnr@zL4?4YdqRZ8zdDJ!*fqX#jTxb55UbSC6^FYQ;d)fkV({08-gg$PmDQO=6CC5 zfU_T}*GVK@Bxp_l?zg5;si!K_2H+3d#kvIl2Bcj@qnihc~B) zIj{3^Jk+?Py;PtJh)Np@g0Do} 
z9=RZI`DIzL7r)!9v$piSbZyqSR@lo82nwjwEQNd?3lxY^E!|rnb+a{vf<#7HFv2P3 zeFcA=p4Cqh&T`iy==T*K13~tFCI*aTl{eZN&F7U73y#Ol9ZnwOc!ht(jpj@$bAQr@ za+t5M_MWe*JLF+|ydIJg9xuqZ>Ip&49vANdvs#Nj{zU+iBIAYhn4}l`k(A`rlT4KW z1}8r98q*~x@Azbz^n~?q&>r)*U-wZE?kkr9j?cR)XR>gjESq{n56_Z*?L(z%Ul379 z$8Er1MB$FRMR3j`rRp*R-rFbr*;?L`b=e>X+WF}S7BoI?S%L)9Vl@x{6qLEfNQDUE0@CAEsx+wU12mny?H z+%+VTi!jB|f=XNZOm6>FY4tkiiTKRl*Piie9-&B8$(ATN#0-#2QPJ?y$60ygY{@`yRf8yPq=$^#u713!Q{Yf3#OG7v4!#l{a~u1IHKtZ zM|A_cLVZ0ZBVdhH6N?I!Y$#~ZYI<8Mdq}BA3z_y3yjk?;ZmLR>7aTx19Qvzrn~8n(rbIMU>2k{u5~#_n;#nbQ8&iW%fdM4Y;%3^aHNemBen|Cx<=*D1 zi)b#&3Fs}Pw+2Snu`#Qhb@|2XLI*Rdhd@om)`wKf%Ii(WYi+L>BpI$BvB;ERmd<5w zoonPEs0F#t3~uUhMI7uOlCzErvlWMjoKRMm6doXj@XsXe&*~eoHOa~br5GIVHW5rUerexk)8myD--*_f%0msVk99Rf8(59Y zygNc&gPrZa!K;50TfWm0h0J=@KF;wEEu2BQ>avg>gi7V?rC|+=il5~r%mb3%WxQu? z_Hj--F%MhAjE#|h=5V|$cby2)s=4NqCdyoKfmpK-DZEl&t65YxPA#AI@z6OB{8u<= z0UZV_7lP>yL3w=(JshUlYz9nNz|$$^)h_0fdcRag69O@zu9PbB_^YP{{S`ET`d5#; zKjYu}+({7x{UQH1roWTF(DEv6@NthYR}ro_1) z`kAYqWQehIS-U?skx})O3uFlqWJH)wII z0U+9JS)@V;x*wb<;Zv1JV#Eyy%loZmHA#3Bza*Dgt{>P7k;1C_+~87RCj>~c!UgV&?EZhZNKKbEo}|EIO+%l7Bcj(7oU|%nya1&7hSe+f+eiOGWN1y zI%`zvNPUF0ZI()Zi$0XpnDqzF;j-bC&v%tRZNhH_hLfy#7;9Nx@1~c6p1K+1)?AWa zysOGe!r;9jne@n0MzKajptUDFVPU@@;?z_HK3fQwwNGnzh*D&UXl}^2vpl+jl5TjqBaWd+#`#J}LWKAn6i+gS#)OH*6%AYY6V( z(N%20$1dkf6<;yqo6q$-_7Q(0siRLoU{7*=#N^XpN5jm^8>Yiuxs515gy(MwM3%sH zdaXph#&C5uq*Go8&HUK%-2r1ec_eCs~J^GBa2@POHhc=3ReW6!FiagzOBR0L5=nHc;AzMW7H>N$yh_Q zNPo_de#9L1vV34_WDw!3`8titsPBnyE3Ojj4=%$-ZkHbqRT(E3Wu^-!as9BC3j|A!&wV6+^E=<4Bvp%m;Wohte10C3I5YW?-yW>rhM!3+8iH@b+@;e=T6q%17)|$07RecM$wMNkIE(fc6(&!q!4CO zVYli4CqkNbD#VP#=kk&A0kra$BN(#wk6B}CY{e-LoA*$Z2HfKOnLw~I=f_D8bm=9c zq+IWUP7#+;`RGV@Aydj!yi#N&C{UrNjommeSTt#Wp0h1!F={v(gVzj&ng~6LLhXy` z1rqeQp(E_lY~_@jBspl`vt_NWD&D}Xt={{>ou5QH5jw8dNNEm}RKe_#l_QO>sK&3W zlRaG_Dc(MAa%ZKa`z?pgQGpeGtF&^N-#@0?P17Ziu-`AA_x z@NZM!yaPdCjqHf#K@YDil+Na;48zX9tKiL8zdHPhvH8A8``=`M3N8O+fW-O#LE5j( z3h7q{sPT^?|9`1i_U9#Ew-EQgD^C6YP=o*weEqv($k!ZyvH}870s{OsKroi*uhjqH 
zG7td50D#y40DJ&^U@RwpI_3TGm@_!Qjz8W)pYb(E37a@{HcF*bvwn7KWb=JIH>nU~Gijn1CEntKa{z@ce5@it>%nzdX3Rxi5QoU=0attv^VH|Uo~v+yO{ zSm)s}Nk)kXnHK2N$)rbTC}AINirPgvL->2M`iWnO>F-1a_6@}D;${8>2%PC$V3uTT9m{`blOZ2e>9Sjqmra`zhlT)Cj7e_y$x|Fd$C zO?*7N&K3YpX1DY3))MXsl+Y8HrsTLV)o#MIx3VZW$4Zx!lDUoisPlG+@Rye#Suy~d zP+RAeCJ3WXc6ap*DoaiILkYE6U97vRJBgTln-y`Sye2GTE&exlJokh+$Yq(83jkq+ ztqObTsjSBQ2U=GaP;y=^GIXpjvh=%I3GNAj*saxuQsSsLT1LGPa!Aya(;kNk(Ft{$ zhJU_2F9Yy@_R9Z`N&uJ$g8xJ%_>zB*O3J>f6WnX~A^;+ZCjH~vXIiYEh-)@w{wRLW z{Evzue<@1*yW#`rmm;3X*Lnj2LO}hiq5~cffDQ=2U*mtz5k#IK^p7Go_5Y(H1|Z&< z&Oa4xF#pW)Un4l3Cv+=4H?#bVN1?1bNDQ7CQJZ-vL)gNp*a8J4@^}g17DS@<^RaD^ zB#^-B(ckiezfmaX=%TvDv7C0tfg&)+(&VW$aBO+^y%%w*-wrMqBWa$3Le<)ICc_|m z{V+97Kq8W`Vm)bkJM3sk6fkr@X&?0bSWA@BcCKuFVMwMxqcfwE+EQ2gV*=*fu-|Ze z@5fWVC)c8OPHGpAmR3Vu>mMWX z7YvX3k>k?lX=jN&CGgH-9w@657rk1Qa#Ek;Y|*3@;w&a=&>T^?QQUdF$Ce{S({N{u z#NgE+JtomxnIlm<>(g0MrhPqx%BCLK(wc{=j!JZ5b=zp;Va_mr}+8&tg z!f$WC*|*zjl(?2mj~J@_IXhisY3jZWUqtB_g@QX4^t*?H4* z_Z>Dc43y7%R!^5q)U^N~*1>(B4wKPsP++ZRXb-Xflg5`-S)Fk~WEUE9< z@bE^1yBY#gQ#E~5VWVr zO?=+DuOW%_L|--s1^uu-?CXzA1|zGWS(^!HqOLX#XXT0V8xlO+)Il4s1s~Z^ z?#&KuR2RVtg+0@_5ooT$yX$rTVTkT|2D2|3Z%3=OaffDkuHU?f0!6m2S`W5Xy(8dz z^c@TnSEf6&pNyQu#l3G)g1U4Bagcs1pFXT5d-P*Vw!&Z_uT4{yi=@8Kf+xd+!s2*k z(9oL4^OG~ksKoACn|RW?4}irJ&Nq}@4Mag*zp^(bYAvx7DO?@3`W)jJ=AVwRFb~6- zYwZPIxOz=p0OjOh11x_4=Jua)6ZRKwsQ!+dsyu4iFMxgF2I}Ge9XGnhjxzGL5Qy$Y z!X~KJ5qxguMU3D*cV!80dqN+$EtTgP)NjcKHvv-v-yf5a0a&UejdhtIonVqr$h&1- zCEvVF@2Mvg_9`&Bw#>=vSlnxD`7`2E*=f0IOh8(Ie`Z?R!rk&ZCq=ybS3ybV#p!R7 zbWrhEu6Ac}z;z3hA^(I2lCxE`VeyN%6+9Jgzqkv;N^rWHLY3LCDtdHR0Z4^=It_r> zp@OFW27lpiKkGQe$=^7f=@~V?BqCtVfUQG}V#d@>r*rS`EK28G@0P*3j=1h3g8WQC zfk__;uNw${G_iK(`r&0SUlidmErMbYKEo8YzM59!eJ*VBOGi=3(@Qy=k%dyU!LAYl^iU_y*WOd;ukJ_~51DAJ}j*zhi!Pj0p6Jto9$WVb6kg_Py$W98@QwGy%E- zan4xx=Pz3_nUUL05>`>Bv~DQfxdt-+3RYg-9}keK`^1^wBvb*EXN#rqsoT0XyKBvH zDawm?tf=we%K_&Gpa^!|Onl6$TSq>o^-YE@_&KLc9iHXeMcVyy^O`-jP=%py@;9M%PgMs2@D0GLJQK`4pBUAqk-w`s~uS4?-Lp@I{wi8 
zXQDwaco&C-;@z^m#m<<96=XX*)Z3~qS^;5q6Iv2YmFQMf^$gs=RM_t>h`YZXL&UXk zQdW^N>a8oXf}9)e_2Yw_nb*FK}rrxhn#$DHjF z&xfffhqM&otg?+ZZ>!WW+asM z(zw5>kob2cH}j#BJLZ#zL?V=S&zI5x>PC9k`#+^I9(qfT;dOIO22S( z`jr#C#T#YYt?lcl8IrQ`Dg)GgAd75Lc-L|vT10YCv60J)g@U;-~+9P|{=D;H-vnkaNi>hET- z<9OL?-Z-XmklPg=3YXr&zw)0>{z1ah+<2D=RPr7{?_t`ye32Kl>7RQnXM!!5 zM-Bp3TSPk(6SIgHI&7kgW+ z{*3W+Jg2uXs12awhn!GZhsM@m%zF!-*$i*?FQyv0uHTFzYWk`PWOR@wIY%DEWMb18 z8EIo03X(p3WDUZLwB!%|l|lIcJ#a%BYrC!foOxXQH}!;P<#(Id@SIliq7vFUDxMoB z>KD)`$qZ6Psj8m0@Qfo z87Uyy8Egbxgn8|N7zW$(qxgh@Xc+rNw`B2NJi+~$V(g)lR?MzY{sTf|$*JS9TrKzb zO8f`jhv9m&33%go@(p=OIV=Z*zTQ(?1IH7<&Ki2}Ow>io@Q19Gmx|TSf|!LIP5WkQ zN#VS%@|R0>A!p$cW2_zKp^q* zaExtxfx+F(-jmb$-Y94*4wy}Kr8u1itNhW+ih$FD1D0e^1u0t?9>YIX14#wqK=u>^ zi3xcTaXc#E6dBQ>oexOy$fCCKBQZLKhcX8&Z~za)A<^&mJQO+UpaaLNV-9*wq{fnc z)8HWKBEqe`d4KkXSW8=nv^>k`yFeG&zXM$>hcSO-P`QtrH}vjEZ6RNF=`K1*pkdHi^{+pD^tZ)$a}SMbD4syA zUp?;yu3+0_W3GBT6~5&Vj9L=B)Hy~I8NIY)xv*1DkYKt%4*xc{afoYnyxZSJ29U+J z_XI?|L8HnK30(>Js+$$o+mrUg-dfP66n#__s-xX9IxP^-p)4Y_V(JCOFUK7zFJnV0( zeIfz4QK-H*_{8m-`DoA1gXSZE{T8!)SFr6Go;9tP zTdZ+`xZR2c8ip8q20lX{Var*hw9-8h%{Q=Gx~O!SHPk>X&hBPOn493{bGbX@Ejbo04e`kOSDcD4F#77BXACf?6a9a z@SS@XbNHq{;Sc$TzsUdpHBa>bN}o}c_mx$;;!ODm`M-YChRn3sVE+G6tn2<#+-42` zcSQjF|89;g#((ZU(f9qkBKMc#0uaDo6fCXD3h5_YtDhV_b(F?YK zM)tf;cyY$oPc%XdG}E0FcvJHJww}DaD7!&_jAa9=kycn`6L!od;r#*}s`EqMHmo?xE3$l5WFB>%>Q3L3c)Ct*}x2H{UWz zco4x8eT*@-N(yrEm3-2eva>JyZA6@D9JvfvQ8_Q>8dIhfIy?q6jnSrKW_#CYL^Up* zH54aVactAKG}oKhFs)N0r$)QE_7LM|7g8*J?h(;{OB|{#KuG*oSbpoQJ#eIAjD;`fYQwF>6e}$bw~+m zbx8vl-6gPhJ@QGyA+AsNFAe$;E0H~Hr(9C|Ikm-$GK8_n!Z?;=1yR&qTglZF!B;O_ zu(=b!>|DKIL^aA&1qkban1!i&S@T9ub`)=#YaBE$=Jr+Sre?}D{xbd|S=p!udgg{M z^=B=!(Ah|cJ;9~}5yLHtkh^>sk=HczW`%}wciR(zOVirOqOJ3$b|VXI8U#T*RlFgX zfMDhKuU-h5_S;HR5$a2iQ#gZ^AS@#Mz;MTcQ5*AB1oLVqp748IrNf+)KJ~0x65D|F zhFVWLFp@C$#p*pVid`nR=!1RR`WCr{KnKp^vPOJ=_Mzr~xog^UGuL-V6czw4;cee0+BPuVl<{xQ>@N$7Jn9N_8i2L zHQ}f2D;9r9DW^5|>>Mb%(mxNGp*z)^tfJZ&(jIvH{^KUplN0IKS==9XS5#MRrG{8P 
zQ9IVYN>?MZajJ1|UXa>*qar*s7@qWnH=R}bMd_Ta?SAQV9yuR5Zbg0STxC`BX}fHm z=@diz3@vn}eA?T}R!C0!&iW#eNtJ@+v~?9ge;`^aT)&${nco0o z2ua*vnuL*arF~ZU7x(3sH^t^%ihmyxm)=QTL^dEP1vSQUoQ_qTfwB4|eQJ{gfYd=M zXbJ{5Nl#J3bbSOLJt8hPD`9>He}RGljRtJt1-@8~uYCs~h%wC$(BDR8Z*x8htH&W~ zm~-qO^WGrJ$H^DwVj|d-LTp8I-SB8p-786h%XcU@)Ldx;U^lj)0##VDiq2Bgm?q}P zweDbzP8C4f1B*O>hZ$>uSQfk>?EyB)IZ+Y+$k-J3n1}G-lj{*M|Cqy_hNRXa=n`F# zZYT$pF^l|;=K$e#W^=@A)YCVCa4h$P3n=@k2ohL323e6v0g{Gcpr!~gXW z8zBI1HIoJN3>Rzgce!p=28i)+J}7eV zQ6IWc-Q}kC3OiFitSsXc7Q!&Oz5(?3j#+|5;Y!lNvs!S2VWTGana6#)!7SIg<0_wc z0C}_sP?2RrXW6@MYgIyt{VH9{mwAnNS0)$y8pFt64Mne31#yupJ20*!)eZb+eint? zKQNSp!9akB_b@3tb%d*|evWbSd1_g+e0I^-)h^v~C&PU#JzL9er@B%72>)JfZqUmh zczDAgmIw;U>|@UWd`x>NZT%j|SLqF$ovnTn$mL-&t*4Hgs}7m-p4IrT$!c_Phc7k~LWJ*W1Z zBjiY?g0`~C~EZhB5A+7lRbVqTRPm;Q~3)JH8*1bHLbJ~Kap z$cGw2+z4oE`yX}k?XwWNPlb;{)<3r4?QpZGjM#OhHKBF|SlkrUUdhg$d%QvwC_PB4 z#D`t?R06KpLG{8bh|xZkPL{^O&-}98gsH#(ts$@>vBYE^;Q`6^Z{TmH>|}>*3h-14 zXV`fpl4;*rz5FX$NC8|kDcLvBI$Z~TtP~Q+EJO(%|78AoV}TKfY|hX3*7iC4yAzj4 z8a0=}*A98tQ*M`Ed+Jj=$C3Adn1;l3HcXjc2wSAnA+q#67ZCtmfDCE3f0;HWOzV8A z5M4IK_39AqdKlqB9RZUk#Rdtc*#{3BYhJRez6*1nP=@4mG@*_FxB2W?f;WTKZf8`R z+!ddYBKf@U6jxWrl$@gOca^n(imK*A_;A!mM}bBJTkwHz?#Eht4Wb^ew(Wdil!yHp z20xuC%>|M`N>t3WUmnVMPzSmLo3`e4Z_z0o-Ucw6KG zimz&GdUy-)o^r!ISr;{gZzuB-K-a-_`{_xMXYto-5QDw4E>F+&gz?Z{mucquVAI01 zh^2S?YAH>hLeDkwlTXf!95UL7kArM(^E{~pvDFK=@y)sSy zc*%Ey|49C*zsR5Yck=h-{*(NmU&WOEah~#z(~oc?1PKKn_^axS%3Tw|rKwvyjxzr8 zg?z3?b_YPHYR@n{YsiibcOo$k0<`&!)^lYj!`vCW-6^_hw0mqpZ9ZWqoy^1%XoFD;Smp;+Vb5LK^Lf`Z9f}0i zVQv zH_oe6wQgZ_%%O$RD^lXchJH#|=~w_qg~C|w6d3WHEEdd>%Z1%gZaKcp)f-&-slIAb z_v!<_J4X&6>fY_m@~Wf{PD0?hw|uG^fw{fsv8mJQMdY1u4H-)P8g9r%kE3pbWNRs%sq_pw7y&M?PY*niE%;lCOVjnytNz=m(MctkBs~7VKq7230YiDA#?HG7ls!<|Xy(V&DLbV*ry*~N+ z_Ie)9pTs~zvFf}s_n5=Os0rj1rlr6nMk74QaqDDjQ=zY@R?S66tqK@gb2kmuH2GXInlkGe>FxyJUxOXt^KTCtu-@kiRKNFJDmLmM#nc!fuU*sd~Zd4ea> z_}t_I>>}&#I`OB8TRdCwb;JY}*~K*?17@PKd%lucE4#B8Gj~*^uH+K5vw_j-2KxLT zY}yo8-!;5i%iQa-wa3KG(B?kw54>t#7hMq=me0qAaGnSu)4}Uctrkbw-9HKSWyUc< 
z)lf<>fsN`^bzLV%+uOo@|IJG`4>gf#xAKmZzmWvn4{b-~M?_l&@%S~cYaCYZ&IT71 zD{UAVEjkF*@}r0T#gCTKnu;rB9VD5`Ptn-kqhC@EzY(p#R?)g`Vo+cM4YUGYqy}z$ zY<{M7WP&bmP=GM)o8H%+6xgopB+%7{CH^ux=TvNSMa385q{cgK?MyU9^719#e%3V%xMYB!d>QNl-*;&`*@60HYL zgOpAPF^U-C9E|W<0io?SIf@YMMn^RC`7LHz%XhAKRgk{cQWoi?J)=cses%FLz9o@g z;d!)l$6ug0C9=E&%q}ru(VkrzI7du@LKvS)qWAPM zz5jCcEoP%N36r^oF-SksWCxp{lsT1toHX!V%`sT4Nn4wgm=1x{N%K-$@TfAK@m4d5 z|6S`4VU;ldMJFM?5`N!>9)dGxW+q#M{kJ?Z8DXkTjmPrlgltxACu%a-g;uW&%?iydJMf+Cl!50P8Y6?v!ZGDZTEa^!;AmHbcl@vsW zM(L`3!Oyxw0P6DSjgT<(dJ8@8($;&s+=5p}C7|5HRYK-o?lk_A7jd_G!vzL>#*s31 zHF*z7Hlo5JH_fcTsm2veS3!cY&NyDQV^x5f_56sU7WqxUBN5{kZT`9xz zQ%5~8Kc&F0%-<#TQz`dO{mT66Pq=4bmyU&O_()#x;mYLS#U$4LxbSpTMZSfjC8C+{ z(GS`e(h6q1K zxA|GMTI#b_tW1L3ysNt;a8MRY&gd&Cd07Mwvh!^8YVLhzGHB7U@H>M5p&prt39S|Z zjf{7z*3rGB6>UleAhgWT_9@M7(X{%9z{*1d`%f-jx}>1;>>C}?pYlxMA0l=Gp@^Nd z1b-sB{11pIFf@OE{QtZh`T|A#FA_5PuY*L|uj$kc{CSW_wD>ih{*$)N+trG!AvLKy zIf9N(bhQ2Xm-v0t&6OTEve66uW#56MrmsLHVZ364(QQYzW<{MXuc+Rh)Fhub)LA6H zH!l&|O}K12!>xnBel`e`ZN>faVPy;6W*D4@)r9z{hJf5e#nH*ltLF0haP0ZFSE~|+ zIpmbcnDp3U-na^IC|LLrVbd!ylpTnLmZim^QQ}8uG$p6LPqI95GBj+S_|gwTeiVy1&L}_UkUYu9VKA1of{S(2|G&@*p6Nq zei2yq&-Ig+F`c$7hf7aUU+bqNu_mwZ^<|jzm~Objc`vO?HYN+wDUtFnA6ML2kszyPP$c(tbR9f*fTQ*Q`X(;*`G*k5KJN^hQSQJ~gMR_S7IIyhz z{yIgEnSCXX;i5T%fkVfv*UeskDurm0jbZ7+BJ{GEsK#z%RQT0IR=8TE><LZYE$~Rtr!%APDcaD0-&~VLRU>=@7{|R`%O>@fklmmdk z;TSym0di{;&}{Y9X#&GQF%3CqI}cCMfu@E&vR?$OTKdesJ8mr6-Bl&5ig}e1i7A$8 zEk$o|EQ4B=w4QEaid-t>z=N%1p~K32>ABL4OPyKEvAx4_G4#P`E8{Y68VoY)H>8S_ z1_!h|lz;-NAFfwsNi4HCY0vB4X7NnLRz(pW1fpU+3%i_G7K7Jl;~QQ@fpkUF(YyAk zH$MjoeIxsvx~IP^myE)3UP9^q%Wx%h27jb<2yU{#Lnr{6kjv%|e796vRX0->WVPZl=&9|0={R^o14l-Ua`(eU_V z?o}A9*>dl?(3ZYAjRJA9U`#Ydq+|5h;t?OS?mNH=II$3HBBJ+o_!+E|$k$}q)6uCkOA<3}um)}F zXB>iBW4F?&MTt7=6}!e8#WI#H6USaj5pG*=bvEsWz}Whz`W%d@!{b!VGeP1lr|DMo z248^4q;C>U5}c9&Uvx}*ksbwvH!w@ z1x?~a!SSnvxT7&~nFy1fbrj#)bZX>;H{56R`V z?E4jmBSSo)DNyF=sW*udCF%1cHX}*=%3y5mZr|h80TqneG)ZY}Vvry|G*vD>Zz2vS4FK*n(tmoXTV29KPr|GqGRj=DPrg 
z9IC>gk$S<2X)=t>jx(@YVXZt`EiM!=pBjScR;t#ufl<+5bhre_V3oq-RIRtQ`25LX zzYU@pqTJWmsG|G8Y!QhhcqN73*^F z{zO_4TBV99Ew?Ey&<*u2o_5$NuT#SplinGma=e;Vy&!<}wn770=apvrRJrs1*){k5 zxr(GlKbds~CpXtKeB`_`o;yPU!;s}Dn7|$Jbln$&;&HKN)Rjtn+>{dL|!VvvbW@sY6ksG!r6^!t-NHEX$5z;K$^?N1PvT=2TiofI`kqZUQw#jWv+3 zx65oP=CoWM!p))+9wKC;;#}EjO}4l#)J+0rV)jw6w@f2Ljgmx4^B2ucflry5)|FCl zH&;MrcS>oprU1uKxQ;r^e#aQ@l(f zMXMrJ&WfNmsrOi2Yhdz4#3&fcp%iGxpg>l+F)BuyR2p0V7D{)#OCsqojWO)nV`kTXbpk>}`V%?ZK9E)sc??&cgxK&Di zucy?VkstRu5V@V5l9f-l!aaB4hF%ro`fBnEkKbx$bTijserXzcnT#MY%quvd@_i>+ z7aly7gzoDfdAbJm^o|Jdr>A{@|JrsQ_uwfR&2OHr{q)pW-!QATBA$ZR?KP_~ca2dWu5_Ih*>DRMvMW0^+6c9wzY)6(cd<5U%7^yIH>) zQ%4xiyXj|W!a?cZ;lyY~-n7rpDgfD@Yk^Wc>zZx)dJ57SKANf#){hcbEp_1AJ(bXV z)ahQs*wtBm4DwAd#Z%J?qy- zbfnOifnSq)fjMcKEyyl;j7Jrjtf~e}VY0T{GS4#+L>6mZoJMh;QJzl0<=ic@A?jNr z#7NM!$_b;ys=WDWb8@zWu$DVW@M)z*GyFRjP+egdz8f)^`9}K{(RF^%;-F+Chb?!c zv%Xx?ny%wGF4~hj?fg28F!u%TIZsxel{B!9y59Wx6nv92+Y`Q~i5Sm`w-WClj2ju8 zixKg15hJ15pJeI}YnKj=sRew!0zTv^#tnv_t&IWwg{;1HnD=J$dws?02+r7I_biie zp`-rmPG(mBH8T^fkaqTDN8cgNG7 z<4KUL%mSu0&o4tV7P(%c%%rF}6MCkGN`7RU^;tpZR&#~)7^%d6C^U2S3FSk|NaF`o zETHPAlMH3_Lt@MU;PFZ$y754}a=I$pkxjdLGfQD-e3SI0n4pC#J5K+cdCQlI9J(KH zq`VKxSn)Iv9H-XH9Ad5+d6Wd4>Aw+f_X*9C=n)eP(&O|g5bB1st9Y^XljMQzKTuX{ z573Hc7Vu$`>FUmJoB$>J78y`lp7AEr7$gs$=Tsn^rIZdVmHB!v)HbaxUn+sMX_=?4 z2v8K<0xQwm!1a8Ldx1{0rf)m6L+!GfL+1s<;L#8a@`xAnGbr5hp5RdRb-koqSiBB$ z97H83@PdeIWCq*@jaD<0vG`)qTiX+rB1K$04kIm-9a~_9n|aswOobeGRk1B?o_8#< zH|{l79~Y9-_BadWap+Tg={l`w!q)5?=0!T0mu>f3Y>iCubolF{<8CF~kAZ4eUSFlE zi&|<%;aeQ&jU;UcM9paqI4q=ZjM)vBgsZ)(YZxeIcH*nCm}IsR+E5;4BG=4(hM~us zfF1FfK-g4jPem2q8D5spob^+c8ul{TLZf`srcvA#hBczY{BLA$9x%-B9%YN;lu(e$tKl?H_al>-hJP$eMumB@>Q7bNGos9gO9t z8*b`xqmq~-j0TaDCjRx)$MIMz3)j!bzdvI&^a>6eAdnO5F@i<3U=9Mx#TNT3H)13B z^Ird0^cHkblNgc|@qj4>I#_oF^ay+EKb7r;H9cG84x8OARh6IjIbzKBTUUh%7Zl!9 z*ttan2n8IV(DhPCx~ia}sWHg5AEJitD2~11*G}rD_kCN8E~0^vETZ}j?SABxi>O&s z(Ni*qPzHytqD}XRr<99JghUv5Lfqw?*yQQp+giq%fJFeCkZck@ob6m(W!a~mj^i-z 
zVWFn?t{{J+)>!EkBg4X}LZWeUogoBYJ(xzm!m;6CG51aN5RZf!ix1nKf@WjQeqA}` zn!PG5#7N!C?QfXSpWQby(kek3*S(A;1*uP8X~?cM4QmS)F7XwMqRpZAxJG9+GCF+@ ziw_ zs}99Lo4RNp5b^#Y;-vdS4acqi6|owMh_8YQ!ws$959^PCHwF~w-JuAQ1LCg(Z)XVX z>67k?(59}45g3>Ul(IV1e^uPy6Bar;mhh0URD!=I?4d%$FD<|m?`0mm~)2Wqd` zv+wk<>+l{7HbM>lJT&}a@C9|!Uk3SqGnn+33%Ib9NPNEe3y8n&QJ1xLQMV(arjTfihsJtWM5nqnEk;&5yMOW h?e(8=eDInZNp$qLI3`2mi1aY?cjou6IJ!J|{(q@q-*5l` literal 0 HcmV?d00001 diff --git a/tests/result/tls_long_cert.pcap.out b/tests/result/tls_long_cert.pcap.out new file mode 100644 index 000000000..2d5eecd17 --- /dev/null +++ b/tests/result/tls_long_cert.pcap.out 
@@ -0,0 +1,8 @@ +Repubblica 182 117601 1 + +JA3 Host Stats: + IP Address # JA3C + 1 192.168.2.126 1 + + + 1 TCP 192.168.2.126:60174 <-> 104.111.215.93:443 [proto: 91.251/TLS.Repubblica][cat: Web/5][86 pkts/8534 bytes <-> 96 pkts/109067 bytes][Goodput ratio: 33.5/94.2][71.34 sec][bytes ratio: -0.855 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1046.1/930.3 45462/45488 6188.9/5864.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 99.2/1136.1 902/1514 118.4/524.7][TLSv1.2][Client: www.repubblica.it][JA3C: 66918128f1b9b03303d77c6f2eefd128][ServerNames: www.repstatic.it,repstatic.it,amp-video.lastampa.it,www.repubblica.it,amp-video.deejay.it,amp-video.d.repubblica.it,www.gelestatic.it,oasjs.kataweb.it,video.d.repubblica.it,www.test.capital.it,napoli.repubblica.it,video.ilsecoloxix.it,genova.repubblica.it,cdn.gelestatic.it,video.gelocal.it,media.deejay.it,media.m2o.it,amp-video.espresso.repubblica.it,download.gelocal.it,amp-video.m2o.it,bologna.repubblica.it,torino.repubblica.it,scripts.kataweb.it,palermo.repubblica.it,roma.repubblica.it,video.xl.repubblica.it,amp-video.gelocal.it,video.espresso.repubblica.it,www.capital.it,video.limesonline.com,media.capital.it,syndication-vod-pro.akamai.media.kataweb.it,test.capital.it,video.deejay.it,video.repubblica.it,milano.repubblica.it,video.lanuovasardegna.it,video.m2o.it,parma.repubblica.it,video.3nz.it,syndication-vod-hds.akamai.media.kataweb.it,amp-video.repubblica.it,video.lastampa.it,webfragments.repubblica.it,amp-video.xl.repubblica.it,amp-video.limesonline.com,media.kataweb.it,bari.repubblica.it,syndication-vod-hls.akamai.media.kataweb.it,amp-video.3nz.it,syndication3rd-vod-pro.akamai.media.kataweb.it,firenze.repubblica.it,amp-video.ilsecoloxix.it,amp-video.lanuovasardegna.it,cdn.flv.kataweb.it][JA3S: 35af4c8cd9495354f7d701ce8ad7fd2d][Organization: GEDI Digital S.r.l.][Certificate SHA-1: 0C:9F:21:DB:65:A1:BE:EB:D8:89:38:D3:FF:7A:D9:02:8B:F1:60:A1][Validity: 2019-03-07 00:00:00 - 2020-05-05 12:00:00][Cipher: 
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] From 8b01056b21905d4ad466aa74f7673ed06f66a64b Mon Sep 17 00:00:00 2001 From: Luca Date: Thu, 2 Jan 2020 07:37:03 +0100 Subject: [PATCH 07/12] Renamed TLS requested server name --- example/reader_util.c | 8 +++++--- example/reader_util.h | 2 +- src/include/ndpi_typedefs.h | 2 +- src/lib/ndpi_main.c | 8 ++++---- src/lib/ndpi_utils.c | 3 ++- src/lib/protocols/tls.c | 5 +++-- 6 files changed, 16 insertions(+), 12 deletions(-) diff --git a/example/reader_util.c b/example/reader_util.c index 57286cb0f..79104ea91 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -1017,7 +1017,8 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl snprintf(flow->telnet.username, sizeof(flow->telnet.username), "%s", flow->ndpi_flow->protos.telnet.username); snprintf(flow->telnet.password, sizeof(flow->telnet.password), "%s", flow->ndpi_flow->protos.telnet.password); } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_SSH)) { - snprintf(flow->ssh_tls.client_info, sizeof(flow->ssh_tls.client_info), "%s", + snprintf(flow->ssh_tls.client_requested_server_name, + sizeof(flow->ssh_tls.client_requested_server_name), "%s", flow->ndpi_flow->protos.ssh.client_signature); snprintf(flow->ssh_tls.server_info, sizeof(flow->ssh_tls.server_info), "%s", flow->ndpi_flow->protos.ssh.server_signature); 
@@ -1032,8 +1033,9 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl || (flow->ndpi_flow->protos.stun_ssl.ssl.ja3_client[0] != '\0') ) { flow->ssh_tls.ssl_version = flow->ndpi_flow->protos.stun_ssl.ssl.ssl_version; - snprintf(flow->ssh_tls.client_info, sizeof(flow->ssh_tls.client_info), "%s", - flow->ndpi_flow->protos.stun_ssl.ssl.client_certificate); + snprintf(flow->ssh_tls.client_requested_server_name, + sizeof(flow->ssh_tls.client_requested_server_name), "%s", + flow->ndpi_flow->protos.stun_ssl.ssl.client_requested_server_name); if(flow->ndpi_flow->protos.stun_ssl.ssl.server_names_len > 0) flow->ssh_tls.server_names = ndpi_strdup(flow->ndpi_flow->protos.stun_ssl.ssl.server_names); diff --git a/example/reader_util.h b/example/reader_util.h index d4f638d0b..6fd1880e5 100644 --- a/example/reader_util.h +++ b/example/reader_util.h @@ -195,7 +195,7 @@ typedef struct ndpi_flow_info { struct { u_int16_t ssl_version; - char client_info[64], server_info[64], + char client_requested_server_name[64], server_info[64], client_hassh[33], server_hassh[33], *server_names, server_organization[64], ja3_client[33], ja3_server[33], diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index ba00185ea..bbfc76d18 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1220,7 +1220,7 @@ struct ndpi_flow_struct { struct { struct { u_int16_t ssl_version, server_names_len; - char client_certificate[64], *server_names, server_organization[64]; + char client_requested_server_name[64], *server_names, server_organization[64]; u_int32_t notBefore, notAfter; char ja3_client[33], ja3_server[33]; u_int16_t server_cipher; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index c5269171c..fc9eaf9ef 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
@@ -4219,7 +4219,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st || (flow->guessed_protocol_id == NDPI_PROTOCOL_WHATSAPP_CALL)) ndpi_set_detected_protocol(ndpi_str, flow, flow->guessed_protocol_id, NDPI_PROTOCOL_UNKNOWN); else if((flow->l4.tcp.tls.hello_processed == 1) - && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) { + && (flow->protos.stun_ssl.ssl.client_requested_server_name[0] != '\0')) { ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN); } else { if((flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) @@ -4620,11 +4620,11 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_str, } } - if(flow->protos.stun_ssl.ssl.client_certificate[0] != '\0') { + if(flow->protos.stun_ssl.ssl.client_requested_server_name[0] != '\0') { unsigned long id; int rc = ndpi_match_custom_category(ndpi_str, - (char *)flow->protos.stun_ssl.ssl.client_certificate, - strlen(flow->protos.stun_ssl.ssl.client_certificate), + (char *)flow->protos.stun_ssl.ssl.client_requested_server_name, + strlen(flow->protos.stun_ssl.ssl.client_requested_server_name), &id); if(rc == 0) { diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 6979d099c..2e7fe4966 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c 
@@ -1043,7 +1043,8 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct, if(!unknown_tls_version) { ndpi_serialize_start_of_block(serializer, "tls"); ndpi_serialize_string_string(serializer, "version", version); - ndpi_serialize_string_string(serializer, "client_cert", flow->protos.stun_ssl.ssl.client_certificate); + ndpi_serialize_string_string(serializer, "client_requested_server_name", + flow->protos.stun_ssl.ssl.client_requested_server_name); if(flow->protos.stun_ssl.ssl.server_names) ndpi_serialize_string_string(serializer, "server_names", flow->protos.stun_ssl.ssl.server_names); ndpi_serialize_string_string(serializer, "issuer", flow->protos.stun_ssl.ssl.server_organization); diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 1130eb7fe..a73cc2976 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -987,8 +987,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, cleanupServerName(buffer, sizeof(buffer)); - snprintf(flow->protos.stun_ssl.ssl.client_certificate, - sizeof(flow->protos.stun_ssl.ssl.client_certificate), "%s", buffer); + snprintf(flow->protos.stun_ssl.ssl.client_requested_server_name, + sizeof(flow->protos.stun_ssl.ssl.client_requested_server_name), + "%s", buffer); if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, buffer, strlen(buffer))) flow->l4.tcp.tls.subprotocol_detected = 1; From cb825766ead537d273cc212939f712e9f447f313 Mon Sep 17 00:00:00 2001 From: Luca Date: Thu, 2 Jan 2020 10:37:53 +0100 Subject: [PATCH 08/12] Minor changes --- src/lib/protocols/tls.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index a73cc2976..5f2fe5a52 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c 
@@ -382,11 +382,13 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi #endif if(flow->protos.stun_ssl.ssl.server_names == NULL) - flow->protos.stun_ssl.ssl.server_names = ndpi_strdup(dNSName), flow->protos.stun_ssl.ssl.server_names_len = strlen(dNSName); + flow->protos.stun_ssl.ssl.server_names = ndpi_strdup(dNSName), + flow->protos.stun_ssl.ssl.server_names_len = strlen(dNSName); else { u_int16_t dNSName_len = strlen(dNSName); u_int16_t newstr_len = flow->protos.stun_ssl.ssl.server_names_len + dNSName_len + 1; - char *newstr = (char*)ndpi_realloc(flow->protos.stun_ssl.ssl.server_names, flow->protos.stun_ssl.ssl.server_names_len+1, newstr_len+1); + char *newstr = (char*)ndpi_realloc(flow->protos.stun_ssl.ssl.server_names, + flow->protos.stun_ssl.ssl.server_names_len+1, newstr_len+1); if(newstr) { flow->protos.stun_ssl.ssl.server_names = newstr; From 634457615c91ef27436db92210f32522277f1818 Mon Sep 17 00:00:00 2001 From: Luca Date: Thu, 2 Jan 2020 10:47:23 +0100 Subject: [PATCH 09/12] Updated TLS support --- example/ndpiReader.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 9ccef7e8e..c88df245a 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -1083,7 +1083,7 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa fprintf(csv_fp, "%u,%u,", flow->c_to_s_init_win, flow->s_to_c_init_win); fprintf(csv_fp, "%s,%s,", - (flow->ssh_tls.client_info[0] != '\0') ? flow->ssh_tls.client_info : "", + (flow->ssh_tls.client_requested_server_name[0] != '\0') ? flow->ssh_tls.client_requested_server_name : "", (flow->ssh_tls.server_info[0] != '\0') ? flow->ssh_tls.server_info : ""); fprintf(csv_fp, "%s,%s,%s,", 
@@ -1207,7 +1207,7 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa flow->http.content_type, flow->http.user_agent); if(flow->ssh_tls.ssl_version != 0) fprintf(out, "[%s]", ndpi_ssl_version2str(flow->ssh_tls.ssl_version, &known_tls)); - if(flow->ssh_tls.client_info[0] != '\0') fprintf(out, "[Client: %s]", flow->ssh_tls.client_info); + if(flow->ssh_tls.client_requested_server_name[0] != '\0') fprintf(out, "[Client: %s]", flow->ssh_tls.client_requested_server_name); if(flow->ssh_tls.client_hassh[0] != '\0') fprintf(out, "[HASSH-C: %s]", flow->ssh_tls.client_hassh); if(flow->ssh_tls.ja3_client[0] != '\0') fprintf(out, "[JA3C: %s%s]", flow->ssh_tls.ja3_client, @@ -2053,7 +2053,7 @@ static void printFlowsStats() { newHost->host_server_info_hasht = NULL; newHost->ip_string = all_flows[i].flow->src_name; newHost->ip = all_flows[i].flow->src_ip; - newHost->dns_name = all_flows[i].flow->ssh_tls.client_info; + newHost->dns_name = all_flows[i].flow->ssh_tls.client_requested_server_name; ndpi_ja3_info *newJA3 = malloc(sizeof(ndpi_ja3_info)); newJA3->ja3 = all_flows[i].flow->ssh_tls.ja3_client; @@ -2086,7 +2086,7 @@ static void printFlowsStats() { newHost->ip = all_flows[i].flow->src_ip; newHost->ip_string = all_flows[i].flow->src_name; - newHost->dns_name = all_flows[i].flow->ssh_tls.client_info;; + newHost->dns_name = all_flows[i].flow->ssh_tls.client_requested_server_name;; ndpi_ja3_fingerprints_host *newElement = malloc(sizeof(ndpi_ja3_fingerprints_host)); newElement->ja3 = all_flows[i].flow->ssh_tls.ja3_client; 
@@ -2103,7 +2103,7 @@ static void printFlowsStats() { ndpi_ip_dns *newInnerElement = malloc(sizeof(ndpi_ip_dns)); newInnerElement->ip = all_flows[i].flow->src_ip; newInnerElement->ip_string = all_flows[i].flow->src_name; - newInnerElement->dns_name = all_flows[i].flow->ssh_tls.client_info; + newInnerElement->dns_name = all_flows[i].flow->ssh_tls.client_requested_server_name; HASH_ADD_INT(hostByJA3Found->ipToDNS_ht, ip, newInnerElement); } } From a58a135758e6b98fe1ebed4ac595a837864ef5a3 Mon Sep 17 00:00:00 2001 From: emanuele-f Date: Thu, 2 Jan 2020 12:56:25 +0100 Subject: [PATCH 10/12] Add fingerprint_set flag --- src/include/ndpi_typedefs.h | 4 ++-- src/lib/protocols/tls.c | 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index bbfc76d18..25a2c8363 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -646,8 +646,8 @@ struct ndpi_flow_tcp_struct { void* srv_cert_fingerprint_ctx; /* SHA-1 */ /* NDPI_PROTOCOL_TLS */ - u_int8_t hello_processed:1, certificate_processed:1, subprotocol_detected:1, _pad:5; - int16_t fingerprint_len; /* Need to be signed */ + u_int8_t hello_processed:1, certificate_processed:1, subprotocol_detected:1, + fingerprint_set:1, _pad:4; u_int8_t sha1_certificate_fingerprint[20]; } tls; diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 5f2fe5a52..88bfa7590 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -394,7 +394,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi flow->protos.stun_ssl.ssl.server_names = newstr; flow->protos.stun_ssl.ssl.server_names[flow->protos.stun_ssl.ssl.server_names_len] = ','; strncpy(&flow->protos.stun_ssl.ssl.server_names[flow->protos.stun_ssl.ssl.server_names_len+1], - dNSName, dNSName_len); + dNSName, dNSName_len-1); flow->protos.stun_ssl.ssl.server_names[newstr_len] = '\0'; flow->protos.stun_ssl.ssl.server_names_len = newstr_len; } 
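Review bot: In the tls.c hunk the new strncpy count `dNSName_len-1` copies one byte fewer than the name, so every entry appended to server_names loses its last character and the byte just before the terminator at `[newstr_len]` is never written by this code. `dNSName_len` is a u_int16_t, so for an empty dNSName the expression is promoted to int, becomes -1 and converts to a huge size_t; strncpy pads up to the full count, which would write far past the `newstr_len+1` bytes requested from ndpi_realloc (whether an empty name can reach this branch is not visible here). Copying exactly the name and keeping the explicit terminator avoids both: `memcpy(&flow->protos.stun_ssl.ssl.server_names[flow->protos.stun_ssl.ssl.server_names_len+1], dNSName, dNSName_len);`. processCertificateElements starts and ends outside the hunk.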
@@ -482,6 +482,8 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, certificate_len); SHA1Final(flow->l4.tcp.tls.sha1_certificate_fingerprint, flow->l4.tcp.tls.srv_cert_fingerprint_ctx); + + flow->l4.tcp.tls.fingerprint_set = 1; #ifdef DEBUG_TLS { From 2332cbfefec9a64c77e5c30530f0e397a1388470 Mon Sep 17 00:00:00 2001 From: emanuele-f Date: Thu, 2 Jan 2020 14:10:21 +0100 Subject: [PATCH 11/12] Fix invalid free on non-tls flows --- src/lib/ndpi_main.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index fc9eaf9ef..7ad648ee6 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -78,6 +78,12 @@ static int removeDefaultPort(ndpi_port_range *range, /* ****************************************** */ +static inline uint8_t flow_is_proto(struct ndpi_flow_struct *flow, u_int16_t p) { + return((flow->detected_protocol_stack[0] == p) || (flow->detected_protocol_stack[1] == p)); +} + +/* ****************************************** */ + void* ndpi_malloc(size_t size) { return(_ndpi_malloc ? _ndpi_malloc(size) : malloc(size)); } void* ndpi_flow_malloc(size_t size) { return(_ndpi_flow_malloc ? _ndpi_flow_malloc(size) : ndpi_malloc(size)); } @@ -6411,10 +6417,11 @@ void ndpi_free_flow(struct ndpi_flow_struct *flow) { if(flow->http.content_type) ndpi_free(flow->http.content_type); if(flow->http.user_agent) ndpi_free(flow->http.user_agent); if(flow->kerberos_buf.pktbuf) ndpi_free(flow->kerberos_buf.pktbuf); - if(flow->protos.stun_ssl.ssl.server_names) - ndpi_free(flow->protos.stun_ssl.ssl.server_names); - - if(flow->l4_proto == IPPROTO_TCP) { + + if(flow_is_proto(flow, NDPI_PROTOCOL_TLS)) { + if(flow->protos.stun_ssl.ssl.server_names) + ndpi_free(flow->protos.stun_ssl.ssl.server_names); + if(flow->l4.tcp.tls.srv_cert_fingerprint_ctx) ndpi_free(flow->l4.tcp.tls.srv_cert_fingerprint_ctx); } From 798bb6e2e113f10d9b710179553e4cef23222a61 Mon Sep 17 00:00:00 2001 
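Review bot: In the ndpi_free_flow hunk the release of `l4.tcp.tls.srv_cert_fingerprint_ctx` now depends on `flow_is_proto(flow, NDPI_PROTOCOL_TLS)` instead of `flow->l4_proto == IPPROTO_TCP`, although that pointer lives in the TCP per-flow state and not in protos.stun_ssl. If a flow allocates the SHA-1 context during certificate processing but is freed before TLS is on detected_protocol_stack, or ends up classified as something else, the context would leak on every such flow; that ordering is not visible here, so it should be confirmed. A guard on the transport is independent of classification: `if((flow->l4_proto == IPPROTO_TCP) && flow->l4.tcp.tls.srv_cert_fingerprint_ctx) ndpi_free(flow->l4.tcp.tls.srv_cert_fingerprint_ctx);`. ndpi_free_flow starts and ends outside the hunk.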
From: emanuele-f Date: Thu, 2 Jan 2020 14:39:51 +0100 Subject: [PATCH 12/12] Fix leaks and sha1 certificate detection --- example/ndpiReader.c | 6 +----- example/reader_util.c | 6 +++++- example/reader_util.h | 1 + src/lib/ndpi_main.c | 15 +++++++++------ src/lib/protocols/tls.c | 4 ++-- 5 files changed, 18 insertions(+), 14 deletions(-) diff --git a/example/ndpiReader.c b/example/ndpiReader.c index c88df245a..15e4d1016 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -1224,11 +1224,7 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa if((flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) || (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS)) { - if((flow->ssh_tls.sha1_cert_fingerprint[0] == 0) - && (flow->ssh_tls.sha1_cert_fingerprint[1] == 0) - && (flow->ssh_tls.sha1_cert_fingerprint[2] == 0)) - ; /* Looks empty */ - else { + if(flow->ssh_tls.sha1_cert_fingerprint_set) { fprintf(out, "[Certificate SHA-1: "); for(i=0; i<20; i++) fprintf(out, "%s%02X", (i > 0) ? ":" : "", diff --git a/example/reader_util.c b/example/reader_util.c index 79104ea91..b8fce9632 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -1049,8 +1049,12 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl flow->ndpi_flow->protos.stun_ssl.ssl.ja3_server); flow->ssh_tls.server_unsafe_cipher = flow->ndpi_flow->protos.stun_ssl.ssl.server_unsafe_cipher; flow->ssh_tls.server_cipher = flow->ndpi_flow->protos.stun_ssl.ssl.server_cipher; - memcpy(flow->ssh_tls.sha1_cert_fingerprint, + + if(flow->ndpi_flow->l4.tcp.tls.fingerprint_set) { + memcpy(flow->ssh_tls.sha1_cert_fingerprint, flow->ndpi_flow->l4.tcp.tls.sha1_certificate_fingerprint, 20); + flow->ssh_tls.sha1_cert_fingerprint_set = 1; + } } if(flow->detection_completed && (!flow->check_extra_packets)) { diff --git a/example/reader_util.h b/example/reader_util.h index 6fd1880e5..55c260a54 100644 --- a/example/reader_util.h 
+++ b/example/reader_util.h @@ -200,6 +200,7 @@ typedef struct ndpi_flow_info { server_organization[64], ja3_client[33], ja3_server[33], sha1_cert_fingerprint[20]; + u_int8_t sha1_cert_fingerprint_set; time_t notBefore, notAfter; u_int16_t server_cipher; ndpi_cipher_weakness client_unsafe_cipher, server_unsafe_cipher; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 7ad648ee6..9296d10a2 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -3835,12 +3835,10 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str u_int8_t backup; u_int16_t backup1, backup2; - if(flow->http.url) ndpi_free(flow->http.url); - if(flow->http.content_type) ndpi_free(flow->http.content_type); - if(flow->http.user_agent) ndpi_free(flow->http.user_agent); - - if(flow->l4.tcp.tls.message.buffer) - ndpi_free(flow->l4.tcp.tls.message.buffer); + if(flow->http.url) ndpi_free(flow->http.url), flow->http.url = NULL; + if(flow->http.content_type) ndpi_free(flow->http.content_type), flow->http.content_type = NULL; + if(flow->http.user_agent) ndpi_free(flow->http.user_agent), flow->http.user_agent = NULL; + if(flow->l4.tcp.tls.message.buffer) ndpi_free(flow->l4.tcp.tls.message.buffer), flow->l4.tcp.tls.message.buffer = NULL; backup = flow->num_processed_pkts; backup1 = flow->guessed_protocol_id; @@ -6426,6 +6424,11 @@ void ndpi_free_flow(struct ndpi_flow_struct *flow) { ndpi_free(flow->l4.tcp.tls.srv_cert_fingerprint_ctx); } + if(flow->l4_proto == IPPROTO_TCP) { + if(flow->l4.tcp.tls.message.buffer) + ndpi_free(flow->l4.tcp.tls.message.buffer); + } + ndpi_free(flow); } } diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 88bfa7590..655de7e2f 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c 
@@ -394,7 +394,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi flow->protos.stun_ssl.ssl.server_names = newstr; flow->protos.stun_ssl.ssl.server_names[flow->protos.stun_ssl.ssl.server_names_len] = ','; strncpy(&flow->protos.stun_ssl.ssl.server_names[flow->protos.stun_ssl.ssl.server_names_len+1], - dNSName, dNSName_len-1); + dNSName, dNSName_len+1); flow->protos.stun_ssl.ssl.server_names[newstr_len] = '\0'; flow->protos.stun_ssl.ssl.server_names_len = newstr_len; } @@ -581,7 +581,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, /* Split the element in blocks */ u_int16_t processed = 5; - while(processed < len) { + while((processed+4) < len) { const u_int8_t *block = (const u_int8_t *)&flow->l4.tcp.tls.message.buffer[processed]; u_int16_t block_len = (block[1] << 16) + (block[2] << 8) + block[3];
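Review bot: In the processCertificateElements hunk the strncpy destination `&server_names[server_names_len+1]` with count `dNSName_len+1` stays inside the reallocated buffer only while `newstr_len` has not wrapped. The PATCH 08/12 hunk for this function shows `u_int16_t newstr_len = flow->protos.stun_ssl.ssl.server_names_len + dNSName_len + 1;`, and server_names_len is a u_int16_t as well, so a certificate whose accumulated dNSName list passes 65535 bytes would hand ndpi_realloc a small size while the write offset stays near 64 KiB; whether the parser bounds the list earlier is not visible here. A check ahead of the ndpi_realloc call, `if((u_int32_t)flow->protos.stun_ssl.ssl.server_names_len + dNSName_len + 1 > 0xFFFF)`, that stops appending further names would close this. The function starts and ends outside the hunk.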