vrr/nDPI
2
0
Fork 0
mirror of https://github.com/vel21ripn/nDPI.git synced 2026-05-05 02:16:47 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
nDPI/tests/result/whatsappfiles.pcap.out
Ivan Nardi a7c2734b38
Remove classification "by-ip" from protocol stack (#1743) 
Basically:
* "classification by-ip" (i.e. `flow->guessed_protocol_id_by_ip` is
NEVER returned in the protocol stack (i.e.
`flow->detected_protocol_stack[]`);
* if the application is interested into such information, it can access
`ndpi_protocol->protocol_by_ip` itself.

There are mainly 4 points in the code that set the "classification
by-ip" in the protocol stack:  the generic `ndpi_set_detected_protocol()`/
`ndpi_detection_giveup()` functions and the HTTP/STUN  dissectors.

In the unit tests output, a print about `ndpi_protocol->protocol_by_ip`
has been added for each flow: the huge diff of this commit is mainly due
to that.

Strictly speaking, this change is NOT an API/ABI breakage, but there are
important differences in the classification results. For examples:
* TLS flows without the initial handshake (or without a matching
SNI/certificate) are simply classified as `TLS`;
* similar for HTTP or QUIC flows;
* DNS flows without a matching request domain are simply classified as
`DNS`; we don't have `DNS/Google` anymore just because the server is
8.8.8.8 (that was an outrageous behaviour...);
* flows previusoly classified only "by-ip" are now classified as
`NDPI_PROTOCOL_UNKNOWN`.

See #1425 for other examples of why adding the "classification by-ip" in
the protocol stack is a bad idea.

Please, note that IPV6 is not supported :(  (long standing issue in nDPI) i.e.
`ndpi_protocol->protocol_by_ip` wil be always `NDPI_PROTOCOL_UNKNOWN` for
IPv6 flows.

Define `NDPI_CONFIDENCE_MATCH_BY_IP` has been removed.

Close #1687
2022-09-20 22:24:47 +02:00

30 lines
2.8 KiB
Text
Raw Blame History

Guessed flow protos: 0
DPI Packets (TCP): 14 (7.00 pkts/flow)
Confidence DPI : 2 (flows)
Num dissector calls: 2 (1.00 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
LRU cache stun: 0/0/0 (insert/search/found)
LRU cache tls_cert: 0/0/0 (insert/search/found)
LRU cache mining: 0/0/0 (insert/search/found)
LRU cache msteams: 0/0/0 (insert/search/found)
Automa host: 2/2 (search/found)
Automa domain: 2/0 (search/found)
Automa tls cert: 0/0 (search/found)
Automa risk mask: 0/0 (search/found)
Automa common alpns: 14/14 (search/found)
Patricia risk mask: 4/0 (search/found)
Patricia risk: 0/0 (search/found)
Patricia protocols: 2/2 (search/found)
WhatsAppFiles 620 452233 2
JA3 Host Stats:
IP Address # JA3C
1 192.168.2.29 2
1 TCP 192.168.2.29:49698 <-> 185.60.216.53:443 [proto: 91.242/TLS.WhatsAppFiles][IP: 142/WhatsApp][Encrypted][Confidence: DPI][cat: Download/7][132 pkts/9906 bytes <-> 178 pkts/237405 bytes][Goodput ratio: 12/95][7.27 sec][Hostname/SNI: mmg-fna.whatsapp.net][ALPN: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][bytes ratio: -0.920 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 62/47 5775/5834 571/481][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 75/1334 583/1464 51/392][TLSv1.2][JA3C: 4e1a414c4f4c99097edd2a9a98e336c8][JA3S: 96681175a9547081bf3d417f1a572091][Safari][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,94,0,0,0,0]
2 TCP 192.168.2.29:49674 <-> 185.60.216.53:443 [proto: 91.242/TLS.WhatsAppFiles][IP: 142/WhatsApp][Encrypted][Confidence: DPI][cat: Download/7][161 pkts/189194 bytes <-> 149 pkts/15728 bytes][Goodput ratio: 94/32][110.02 sec][Hostname/SNI: mmg-fna.whatsapp.net][ALPN: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][bytes ratio: 0.846 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 322/659 24639/64743 2278/6019][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 1175/106 1464/1464 540/167][TLSv1.2][JA3C: 107144b88827da5da9ed42d8776ccdc5][ServerNames: *.cdn.whatsapp.net,*.snr.whatsapp.net,*.whatsapp.com,*.whatsapp.net,whatsapp.com,whatsapp.net][JA3S: 2d1eb5817ece335c24904f516ad5da12][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA][Subject: C=US, ST=California, L=Menlo Park, O=Facebook, Inc., CN=*.whatsapp.net][Certificate SHA-1: 10:54:EB:4A:A2:2A:42:2F:A6:1C:E7:9C:F4:84:10:7E:30:2E:56:BB][Safari][Validity: 2017-04-26 00:00:00 - 2018-05-01 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,5,0,1,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,87,0,0,0,0]
Reference in a new issue View git blame Copy permalink