diff options
| author | Campus <campus@ntop.org> | 2017-07-27 13:12:12 +0200 |
|---|---|---|
| committer | Campus <campus@ntop.org> | 2017-07-27 13:12:12 +0200 |
| commit | abf5bea425d5f8ce18c26e18046a0ef42d15a0a7 (patch) | |
| tree | 82fc1b058d6b39f722507d23cdd6ba85e5d97ec2 | |
| parent | e6b594a626e5cfb5cd0410336f8c1e12966a27cd (diff) | |
| parent | 6ca6d968214d8c23ee9a31b0b5497a3ea24795e8 (diff) | |
Merge branch 'MicahLyle-ssl-certificate-fix' into dev
| -rw-r--r-- | example/ndpi_util.c | 40 | ||||
| -rw-r--r-- | example/ndpi_util.h | 5 | ||||
| -rw-r--r-- | src/include/ndpi_api.h | 121 | ||||
| -rw-r--r-- | src/include/ndpi_typedefs.h | 6 | ||||
| -rw-r--r-- | src/lib/ndpi_main.c | 54 | ||||
| -rw-r--r-- | src/lib/protocols/ssl.c | 92 | ||||
| -rwxr-xr-x | tests/do_line_diff.py | 46 | ||||
| -rwxr-xr-x | tests/line_diff.py | 45 | ||||
| -rw-r--r-- | tests/result/6in4tunnel.pcap.out | 2 | ||||
| -rw-r--r-- | tests/result/Instagram.pcap.out | 8 | ||||
| -rw-r--r-- | tests/result/KakaoTalk_chat.pcap.out | 6 | ||||
| -rw-r--r-- | tests/result/dropbox.pcap.out | 6 | ||||
| -rw-r--r-- | tests/result/facebook.pcap.out | 2 | ||||
| -rw-r--r-- | tests/result/http_ipv6.pcap.out | 4 | ||||
| -rw-r--r-- | tests/result/netflix.pcap.out | 32 | ||||
| -rw-r--r-- | tests/result/viber_mobile.pcap.out | 6 | ||||
| -rw-r--r-- | tests/result/webex.pcap.out | 4 | ||||
| -rw-r--r-- | tests/result/wechat.pcap.out | 56 | ||||
| -rw-r--r-- | tests/result/whatsapp_login_call.pcap.out | 2 |
19 files changed, 384 insertions, 153 deletions
diff --git a/example/ndpi_util.c b/example/ndpi_util.c index 75bab6319..96a88a8e5 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c @@ -158,10 +158,10 @@ int ndpi_workflow_node_cmp(const void *a, const void *b) { if(fa->hashval < fb->hashval) return(-1); else if(fa->hashval > fb->hashval) return(1); /* Flows have the same hash */ - + if(fa->vlan_id < fb->vlan_id ) return(-1); else { if(fa->vlan_id > fb->vlan_id ) return(1); } if(fa->protocol < fb->protocol ) return(-1); else { if(fa->protocol > fb->protocol ) return(1); } - + if( ( (fa->src_ip == fb->src_ip ) @@ -178,12 +178,12 @@ int ndpi_workflow_node_cmp(const void *a, const void *b) { ) ) return(0); - + if(fa->src_ip < fb->src_ip ) return(-1); else { if(fa->src_ip > fb->src_ip ) return(1); } if(fa->src_port < fb->src_port) return(-1); else { if(fa->src_port > fb->src_port) return(1); } if(fa->dst_ip < fb->dst_ip ) return(-1); else { if(fa->dst_ip > fb->dst_ip ) return(1); } if(fa->dst_port < fb->dst_port) return(-1); else { if(fa->dst_port > fb->dst_port) return(1); } - + return(0); /* notreached */ } @@ -453,7 +453,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl } } - if(flow->detection_completed) { + if(flow->detection_completed && !flow->check_extra_packets) { if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) { if (workflow->__flow_giveup_callback != NULL) workflow->__flow_giveup_callback(workflow, flow, workflow->__flow_giveup_udata); @@ -516,7 +516,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, flow->src2dst_packets++, flow->src2dst_bytes += rawsize; else flow->dst2src_packets++, flow->dst2src_bytes += rawsize; - + flow->last_seen = time; } else { // flow is NULL workflow->stats.total_discarded_bytes++; @@ -524,7 +524,28 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, } /* Protocol already detected */ - if(flow->detection_completed) return(flow->detected_protocol); + if(flow->detection_completed) { + if(flow->check_extra_packets && ndpi_flow != NULL && ndpi_flow->check_extra_packets) { + if(ndpi_flow->num_extra_packets_checked == 0 && ndpi_flow->max_extra_packets_to_check == 0) { + /* Protocols can set this, but we set it here in case they didn't */ + ndpi_flow->max_extra_packets_to_check = MAX_EXTRA_PACKETS_TO_CHECK; + } + if(ndpi_flow->num_extra_packets_checked < ndpi_flow->max_extra_packets_to_check) { + ndpi_process_extra_packet(workflow->ndpi_struct, ndpi_flow, + iph ? (uint8_t *)iph : (uint8_t *)iph6, + ipsize, time, src, dst); + if (ndpi_flow->check_extra_packets == 0) { + flow->check_extra_packets = 0; + process_ndpi_collected_info(workflow, flow); + } + } + } else if (ndpi_flow != NULL) { + /* If this wasn't NULL we should do the half free */ + /* TODO: When half_free is deprecated, get rid of this */ + ndpi_free_flow_info_half(flow); + } + return(flow->detected_protocol); + } flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow, iph ? (uint8_t *)iph : (uint8_t *)iph6, @@ -535,12 +556,15 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, || ((proto == IPPROTO_TCP) && ((flow->src2dst_packets + flow->dst2src_packets) > 10))) { /* New protocol detected or give up */ flow->detection_completed = 1; + /* Check if we should keep checking extra packets */ + if (ndpi_flow->check_extra_packets) + flow->check_extra_packets = 1; if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) flow->detected_protocol = ndpi_detection_giveup(workflow->ndpi_struct, flow->ndpi_flow); process_ndpi_collected_info(workflow, flow); - } + } return(flow->detected_protocol); } diff --git a/example/ndpi_util.h b/example/ndpi_util.h index f6d315748..45101cf10 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -36,6 +36,7 @@ #define MAX_IDLE_TIME 30000 #define IDLE_SCAN_BUDGET 1024 #define NUM_ROOTS 512 +#define MAX_EXTRA_PACKETS_TO_CHECK 7 #define MAX_NDPI_FLOWS 200000000 #define TICK_RESOLUTION 1000 #define MAX_NUM_IP_ADDRESS 5 /* len of ip address array */ @@ -56,7 +57,7 @@ typedef struct ndpi_flow_info { u_int32_t dst_ip; u_int16_t src_port; u_int16_t dst_port; - u_int8_t detection_completed, protocol, bidirectional; + u_int8_t detection_completed, protocol, bidirectional, check_extra_packets; u_int16_t vlan_id; struct ndpi_flow_struct *ndpi_flow; char src_name[48], dst_name[48]; @@ -64,7 +65,7 @@ typedef struct ndpi_flow_info { u_int64_t last_seen; u_int64_t src2dst_bytes, dst2src_bytes; u_int32_t src2dst_packets, dst2src_packets; - + // result only, not used for flow identification ndpi_protocol detected_protocol; diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index b2c6b6952..03a73d66b 100644 --- a/src/include/ndpi_api.h +++ b/src/include/ndpi_api.h @@ -42,20 +42,20 @@ extern "C" { #define SAVE_DETECTION_BITMASK_AS_UNKNOWN 1 #define NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN 0 - + /** * Check if a string is encoded with punycode * ( https://tools.ietf.org/html/rfc3492 ) * * @par buff = pointer to the string to ckeck * @par len = len of the string - * @return 1 if the string is punycoded; + * @return 1 if the string is punycoded; * else 0 * */ int check_punycode_string(char * buff , int len); - + /** * Get the size of the flow struct * @@ -64,16 +64,16 @@ extern "C" { */ u_int32_t ndpi_detection_get_sizeof_ndpi_flow_struct(void); - + /** - * Get the size of the id struct + * Get the size of the id struct * * @return the size of the id struct - * + * */ u_int32_t ndpi_detection_get_sizeof_ndpi_id_struct(void); - + /** * nDPI personal allocation and free functions **/ @@ -98,7 +98,7 @@ extern "C" { */ char* ndpi_strnstr(const char *s, const char *find, size_t slen); - + /** * Returns the nDPI protocol id for IP-based protocol detection * @@ -106,7 +106,7 @@ extern "C" { * @par pin = IP host address (MUST BE in network byte order): * See man(7) ip for details * @return the nDPI protocol ID - * + * */ u_int16_t ndpi_network_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, struct in_addr *pin); @@ -117,9 +117,9 @@ extern "C" { * @par ndpi_mod = the struct created for the protocol detection * @par match = the struct passed to match the protocol * - */ + */ void ndpi_init_protocol_match(struct ndpi_detection_module_struct *ndpi_mod, ndpi_protocol_match *match); - + /** * Returns a new initialized detection module * @@ -127,7 +127,7 @@ extern "C" { * */ struct ndpi_detection_module_struct *ndpi_init_detection_module(void); - + /** * Frees the memory allocated in the specified flow * @@ -136,7 +136,7 @@ extern "C" { */ void ndpi_free_flow(struct ndpi_flow_struct *flow); - + /** * Enables cache support. * In nDPI is used for some protocol (i.e. Skype) @@ -148,7 +148,7 @@ extern "C" { */ void ndpi_enable_cache(struct ndpi_detection_module_struct *ndpi_mod, char* host, u_int port); - + /** * Destroys the detection module * @@ -180,7 +180,7 @@ extern "C" { const NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_bitmask, u_int8_t b_save_bitmask_unknow, u_int8_t b_add_detection_bitmask); - + /** * Sets the protocol bitmask2 @@ -192,7 +192,7 @@ extern "C" { void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *ndpi_struct, const NDPI_PROTOCOL_BITMASK * detection_bitmask); - + /** * Function to be called before we give up with detection for a given flow. * This function reduces the NDPI_UNKNOWN_PROTOCOL detection @@ -200,12 +200,35 @@ extern "C" { * @par ndpi_struct = the detection module * @par flow = the flow given for the detection module * @return the detected protocol even if the flow is not completed; - * + * */ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); - + /** + * Processes an extra packet in order to get more information for a given protocol + * (like SSL getting both client and server certificate even if we already know after + * seeing the client certificate what the protocol is) + * + * @par ndpi_struct = the detection module + * @par flow = pointer to the connection state machine + * @par packet = unsigned char pointer to the Layer 3 (IP header) + * @par packetlen = the length of the packet + * @par current_tick = the current timestamp for the packet + * @par src = pointer to the source subscriber state machine + * @par dst = pointer to the destination subscriber state machine + * @return void + * + */ + void ndpi_process_extra_packet(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + const unsigned char *packet, + const unsigned short packetlen, + const u_int64_t current_tick, + struct ndpi_id_struct *src, + struct ndpi_id_struct *dst); + + /** * Processes one packet and returns the ID of the detected protocol. * This is the MAIN PACKET PROCESSING FUNCTION. @@ -228,7 +251,7 @@ extern "C" { struct ndpi_id_struct *src, struct ndpi_id_struct *dst); - + /** * Get the main protocol of the passed flows for the detected module * @@ -241,13 +264,13 @@ extern "C" { u_int16_t ndpi_get_flow_masterprotocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); - + /** * Query the pointer to the layer 4 packet * * @par l3 = pointer to the layer 3 data * @par l3_len = length of the layer 3 data - * @par l4_return = address to the pointer of the layer 4 data if return value == 0, else undefined + * @par l4_return = address to the pointer of the layer 4 data if return value == 0, else undefined * @par l4_len_return = length of the layer 4 data if return value == 0, else undefined * @par l4_protocol_return = protocol of the layer 4 data if return value == 0, undefined otherwise * @par flags = limit operation on ipv4 or ipv6 packets. Possible values: NDPI_DETECTION_ONLY_IPV4 - NDPI_DETECTION_ONLY_IPV6 - 0 (any) @@ -261,13 +284,13 @@ extern "C" { /** * Search and return the protocol based on matched ports - * + * * @par ndpi_struct = the detection module * @par shost = source address in host byte order * @par sport = source port number * @par dhost = destination address in host byte order * @par dport = destination port number - * @return the struct ndpi_protocol that match the port base protocol + * @return the struct ndpi_protocol that match the port base protocol * */ ndpi_protocol ndpi_find_port_based_protocol(struct ndpi_detection_module_struct *ndpi_struct/* , u_int8_t proto */, @@ -276,17 +299,17 @@ extern "C" { u_int32_t dhost, u_int16_t dport); - + /** * Search and return the protocol guessed that is undetected - * + * * @par ndpi_struct = the detection module * @par proto = the l4 protocol number * @par shost = source address in host byte order * @par sport = source port number * @par dhost = destination address in host byte order * @par dport = destination port number - * @return the struct ndpi_protocol that match the port base protocol + * @return the struct ndpi_protocol that match the port base protocol * */ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct *ndpi_struct, @@ -299,7 +322,7 @@ extern "C" { /** * Check if the string passed match with a protocol - * + * * @par ndpi_struct = the detection module * @par string_to_match = the string to match * @par string_to_match_len = the length of the string @@ -315,7 +338,7 @@ extern "C" { /** * Check if the host passed match with a protocol - * + * * @par ndpi_struct = the detection module * @par flow = the flow where match the host * @par string_to_match = the string to match @@ -333,7 +356,7 @@ extern "C" { /** * Check if the string content passed match with a protocol - * + * * @par ndpi_struct = the detection module * @par flow = the flow where match the host * @par string_to_match = the string to match @@ -348,7 +371,7 @@ extern "C" { u_int string_to_match_len, u_int16_t master_protocol_id); - + /** * Check if the string -bigram_to_match- match with a bigram of -automa- * @@ -358,11 +381,11 @@ extern "C" { * @return 0 * */ - int ndpi_match_bigram(struct ndpi_detection_module_struct *ndpi_struct, + int ndpi_match_bigram(struct ndpi_detection_module_struct *ndpi_struct, ndpi_automa *automa, char *bigram_to_match); - + /** * Write the protocol name in the buffer -buf- as master_protocol.protocol * @@ -392,7 +415,7 @@ extern "C" { * @return the protocol category */ ndpi_protocol_category_t ndpi_get_proto_category(struct ndpi_detection_module_struct *ndpi_mod, ndpi_protocol proto); - + /** * Get the protocol name associated to the ID * @@ -414,13 +437,13 @@ extern "C" { */ ndpi_protocol_breed_t ndpi_get_proto_breed(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t proto); - + /** * Return the string name of the protocol breed * * @par ndpi_struct = the detection module * @par breed_id = the breed ID associated to the protocol - * @return the string name of the breed ID + * @return the string name of the breed ID * */ char* ndpi_get_proto_breed_name(struct ndpi_detection_module_struct *ndpi_struct, ndpi_protocol_breed_t breed_id); @@ -431,7 +454,7 @@ extern "C" { * * @par ndpi_mod = the detection module * @par proto = the ID of the protocol - * @return the string name of the breed ID + * @return the string name of the breed ID * */ int ndpi_get_protocol_id(struct ndpi_detection_module_struct *ndpi_mod, char *proto); @@ -443,7 +466,7 @@ extern "C" { * @par ndpi_mod = the detection module */ void ndpi_dump_protocols(struct ndpi_detection_module_struct *mod); - + /** * Read a file and load the protocols @@ -467,12 +490,12 @@ extern "C" { * Get the total number of the supported protocols * * @par ndpi_mod = the detection module - * @return the number of protocols + * @return the number of protocols * */ u_int ndpi_get_num_supported_protocols(struct ndpi_detection_module_struct *ndpi_mod); - + /** * Get the nDPI version release * @@ -503,7 +526,7 @@ extern "C" { */ ndpi_http_method ndpi_get_http_method(struct ndpi_detection_module_struct *ndpi_mod, struct ndpi_flow_struct *flow); - + /** * Get the HTTP url * @@ -526,7 +549,7 @@ extern "C" { char* ndpi_get_http_content_type(struct ndpi_detection_module_struct *ndpi_mod, struct ndpi_flow_struct *flow); #endif - + #ifdef NDPI_PROTOCOL_TOR /** * Check if the flow could be detected as TOR protocol @@ -536,7 +559,7 @@ extern "C" { * @par certificate = the ssl certificate * @return 1 if the flow is TOR; * 0 else - * + * */ int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, char *certificate); @@ -547,7 +570,7 @@ extern "C" { * Init Aho-Corasick automata * * @return The requested automata, or NULL if an error occurred - * + * */ void* ndpi_init_automa(void); @@ -556,7 +579,7 @@ extern "C" { * Free Aho-Corasick automata allocated with ndpi_init_automa(); * * @par The automata initialized with ndpi_init_automa(); - * + * */ void ndpi_free_automa(void *_automa); @@ -568,7 +591,7 @@ extern "C" { * @par The (sub)string to search * @par The number associated with this string * @return 0 in case of no error, or -1 if an error occurred. - * + * */ int ndpi_add_string_value_to_automa(void *_automa, char *str, unsigned long num); @@ -579,7 +602,7 @@ extern "C" { * @par The automata initialized with ndpi_init_automa(); * @par The (sub)string to search * @return 0 in case of no error, or -1 if an error occurred. - * + * */ int ndpi_add_string_to_automa(void *_automa, char *str); @@ -588,7 +611,7 @@ extern "C" { * Finalize the automa (necessary before start searching) * * @par The automata initialized with ndpi_init_automa(); - * + * */ void ndpi_finalize_automa(void *_automa); @@ -599,7 +622,7 @@ extern "C" { * @par The automata initialized with ndpi_init_automa(); * @par The (sub)string to search * @return 0 in case of match, or -1 if no match, or -2 if an error occurred. - * + * */ int ndpi_match_string(void *_automa, char *string_to_match); @@ -611,7 +634,7 @@ extern "C" { * @par The (sub)string to search * @par The id associated with the matched string or 0 id not found. * @return 0 in case of match, or -1 if no match, or -2 if an error occurred. - * + * */ int ndpi_match_string_id(void *_automa, char *string_to_match, unsigned long *id); diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 93b1b8651..d3c34452f 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -912,7 +912,7 @@ struct ndpi_flow_struct { /* init parameter, internal used to set up timestamp,... */ u_int16_t guessed_protocol_id, guessed_host_protocol_id; - u_int8_t protocol_id_already_guessed:1, host_already_guessed:1, init_finished:1, setup_packet_direction:1, packet_direction:1; + u_int8_t protocol_id_already_guessed:1, host_already_guessed:1, init_finished:1, setup_packet_direction:1, packet_direction:1, check_extra_packets:1; /* if ndpi_struct->direction_detect_disable == 1 @@ -920,6 +920,10 @@ struct ndpi_flow_struct { */ u_int32_t next_tcp_seq_nr[2]; + u_int8_t max_extra_packets_to_check; + u_int8_t num_extra_packets_checked; + int (*extra_packets_func) (struct ndpi_detection_module_struct *, struct ndpi_flow_struct *flow); + /* the tcp / udp / other l4 value union used to reduce the number of bytes for tcp or udp protocol states diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 8ed89e3ae..537893567 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1616,7 +1616,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "Nintendo", NDPI_PROTOCOL_CATEGORY_GAME, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); - + /* calling function for host and content matched protocols */ init_string_based_protocols(ndpi_mod); @@ -1635,7 +1635,7 @@ static int ac_match_handler(AC_MATCH_t *m, void *param) { /* Return 1 for stopping to the first match. We might consider searching for the more - specific match, paying more cpu cycles. + specific match, paying more cpu cycles. */ *matching_protocol_id = m->patterns[0].rep.number; @@ -3426,6 +3426,50 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st /* ********************************************************************************* */ +void ndpi_process_extra_packet(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + const unsigned char *packet, + const unsigned short packetlen, + const u_int64_t current_tick_l, + struct ndpi_id_struct *src, + struct ndpi_id_struct *dst) +{ + if(flow == NULL) + return; + + if(flow->server_id == NULL) flow->server_id = dst; /* Default */ + + /* need at least 20 bytes for ip header */ + if(packetlen < 20) { + return; + } + + flow->packet.tick_timestamp_l = current_tick_l; + flow->packet.tick_timestamp = (u_int32_t)current_tick_l/1000; + + /* parse packet */ + flow->packet.iph = (struct ndpi_iphdr *)packet; + /* we are interested in ipv4 packet */ + + /* set up the packet headers for the extra packet function to use if it wants */ + if(ndpi_init_packet_header(ndpi_struct, flow, packetlen) != 0) + return; + + /* detect traffic for tcp or udp only */ + flow->src = src, flow->dst = dst; + ndpi_connection_tracking(ndpi_struct, flow); + + /* call the extra packet function (which may add more data/info to flow) */ + if (flow->extra_packets_func) { + if ((flow->extra_packets_func(ndpi_struct, flow)) == 0) + flow->check_extra_packets = 0; + } + + flow->num_extra_packets_checked++; +} + +/* ********************************************************************************* */ + ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, const unsigned char *packet, @@ -4622,7 +4666,7 @@ int ndpi_match_prefix(const u_int8_t *payload, size_t payload_len, const char *str, size_t str_len) { int rc = str_len <= payload_len ? memcmp(payload, str, str_len) == 0 : 0; - + return rc; } @@ -4635,7 +4679,7 @@ int ndpi_match_string_subprotocol(struct ndpi_detection_module_struct *ndpi_stru AC_TEXT_t ac_input_text; ndpi_automa *automa = is_host_match ? &ndpi_struct->host_automa : &ndpi_struct->content_automa; int rc; - + if((automa->ac_automa == NULL) || (string_to_match_len == 0)) return(NDPI_PROTOCOL_UNKNOWN); if(!automa->ac_automa_finalized) { @@ -4645,7 +4689,7 @@ int ndpi_match_string_subprotocol(struct ndpi_detection_module_struct *ndpi_stru ac_input_text.astring = string_to_match, ac_input_text.length = string_to_match_len; ac_automata_search(((AC_AUTOMATA_t*)automa->ac_automa), &ac_input_text, (void*)&matching_protocol_id); - + ac_automata_reset(((AC_AUTOMATA_t*)automa->ac_automa)); return(matching_protocol_id); diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c index 5860abed7..5afca5389 100644 --- a/src/lib/protocols/ssl.c +++ b/src/lib/protocols/ssl.c @@ -47,7 +47,7 @@ static u_int32_t ndpi_ssl_refine_master_protocol(struct ndpi_detection_module_st if(packet->tcp != NULL) { switch(protocol) { - + case NDPI_PROTOCOL_SSL: case NDPI_PROTOCOL_SSL_NO_CERT: { @@ -57,7 +57,7 @@ static u_int32_t ndpi_ssl_refine_master_protocol(struct ndpi_detection_module_st */ u_int16_t sport = ntohs(packet->tcp->source); u_int16_t dport = ntohs(packet->tcp->dest); - + if((sport == 465) || (dport == 465)) protocol = NDPI_PROTOCOL_MAIL_SMTPS; else if((sport == 993) || (dport == 993) @@ -70,7 +70,7 @@ static u_int32_t ndpi_ssl_refine_master_protocol(struct ndpi_detection_module_st break; } } - + return protocol; } @@ -98,14 +98,14 @@ static void ndpi_int_ssl_add_connection(struct ndpi_detection_module_struct *ndp ((ch) >= '{' && (ch) <= '~')) static void stripCertificateTrailer(char *buffer, int buffer_len) { - + int i, is_puny; - + // printf("->%s<-\n", buffer); - + for(i = 0; i < buffer_len; i++) { // printf("%c [%d]\n", buffer[i], buffer[i]); - + if((buffer[i] != '.') && (buffer[i] != '-') && (buffer[i] != '_') @@ -120,12 +120,12 @@ static void stripCertificateTrailer(char *buffer, int buffer_len) { /* check for punycode encoding */ is_puny = check_punycode_string(buffer, buffer_len); - + // not a punycode string - need more checks if(is_puny == 0) { - + if(i > 0) i--; - + while(i > 0) { if(!ndpi_isalpha(buffer[i])) { buffer[i] = '\0'; @@ -134,8 +134,8 @@ static void stripCertificateTrailer(char *buffer, int buffer_len) { } else break; } - - for(i = buffer_len; i > 0; i--) { + + for(i = buffer_len; i > 0; i--) { if(buffer[i] == '.') break; else if(ndpi_isdigit(buffer[i])) buffer[i] = '\0', buffer_len = i; @@ -306,6 +306,46 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, return(0); /* Not found */ } +int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + + /* consider only specific SSL packets (handshake) */ + if((packet->payload_packet_len > 9) && (packet->payload[0] == 0x16)) { + char certificate[64]; + int rc; + certificate[0] = '\0'; + rc = getSSLcertificate(ndpi_struct, flow, certificate, sizeof(certificate)); + packet->ssl_certificate_num_checks++; + if (rc > 0) { + packet->ssl_certificate_detected++; + if (flow->protos.ssl.server_certificate[0] != '\0') + /* 0 means we're done processing extra packets (since we found what we wanted) */ + return 0; + } + /* Client hello, Server Hello, and certificate packets probably all checked in this case */ + if ((packet->ssl_certificate_num_checks >= 3) + && (flow->l4.tcp.seen_syn) + && (flow->l4.tcp.seen_syn_ack) + && (flow->l4.tcp.seen_ack) /* We have seen the 3-way handshake */) + { + /* We're done processing extra packets since we've probably checked all possible cert packets */ + return 0; + } + } + /* 1 means keep looking for more packets */ + return 1; +} + +void sslInitExtraPacketProcessing(int caseNum, struct ndpi_flow_struct *flow) { + flow->check_extra_packets = 1; + /* 0 is the case for waiting for the server certificate */ + if (caseNum == 0) { + /* At most 7 packets should almost always be enough to find the server certificate if it's there */ + flow->max_extra_packets_to_check = 7; + flow->extra_packets_func = sslTryAndRetrieveServerCertificate; + } +} + int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; @@ -325,18 +365,22 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s #ifdef CERTIFICATE_DEBUG printf("***** [SSL] %s\n", certificate); #endif - u_int32_t subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate, + u_int32_t subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate, strlen(certificate), NDPI_PROTOCOL_SSL); - if(subproto != NDPI_PROTOCOL_UNKNOWN) { - ndpi_set_detected_protocol(ndpi_struct, flow, subproto, - ndpi_ssl_refine_master_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSL)); - return(rc); /* Fix courtesy of Gianluca Costa <g.costa@xplico.org> */ - } - + /* If we've detected the subprotocol from client certificate but haven't had a chance + * to see the server certificate yet, set up extra packet processing to wait + * a few more packets. */ + if((flow->protos.ssl.client_certificate[0] != '\0') && (flow->protos.ssl.server_certificate[0] == '\0')) { + sslInitExtraPacketProcessing(0, flow); + } + ndpi_set_detected_protocol(ndpi_struct, flow, subproto, + ndpi_ssl_refine_master_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSL)); + return(rc); /* Fix courtesy of Gianluca Costa <g.costa@xplico.org> */ + } #ifdef NDPI_PROTOCOL_TOR - if(ndpi_is_ssl_tor(ndpi_struct, flow, certificate) != 0) - return(rc); + if(ndpi_is_ssl_tor(ndpi_struct, flow, certificate) != 0) + return(rc); #endif } @@ -346,11 +390,11 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s && flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */) || (flow->protos.ssl.server_certificate[0] != '\0') /* || (flow->protos.ssl.client_certificate[0] != '\0') */ - ) + ) { ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL); - } + } } - + } return(0); } diff --git a/tests/do_line_diff.py b/tests/do_line_diff.py new file mode 100755 index 000000000..6db65a133 --- /dev/null +++ b/tests/do_line_diff.py @@ -0,0 +1,46 @@ +#!/usr/bin/env python + +""" +do_line_diff.py - Interactively runs all tests, and on any test where line_diff.py +showed an output, lets the user check the output and replace the test file with the output +file if they think it's safe to do so (in the sense that the test is actually passing). This +script was first used when enhancing the ssl protocol to not immediately stop detection upon +only detecting a client certificate. When server certificates were added, the this script +was helpful in checking which lines of which tests had appended server certificate info +to the line. +""" + +import os +import sys +import time +import subprocess + +program_base_args = ["../example/ndpiReader", "-p", "../example/protos.txt", "-q", "-i"] +line_diff_base_args = ["./line_diff.py"] +temp_output = "/tmp/reader.out" +result_folder = "result/" +pcap_folder = "pcap/" +pcap_file_list = os.listdir(pcap_folder) + +def find_pcap(result_file): + for pcap_file in pcap_file_list: + if pcap_file == result_file[:-4]: + return pcap_file + +for result_file in os.listdir(result_folder): + pcap_file = find_pcap(result_file) + program_args = program_base_args + [pcap_folder + pcap_file, "-w", temp_output, "-v", "1"] + program_output = subprocess.call(program_args) + line_diff_args = line_diff_base_args + [result_folder + result_file, temp_output] + line_diff_output = subprocess.check_output(line_diff_args, universal_newlines=True) + if len(line_diff_output) > 0: + print("File output " + result_file + " had line diff output. Here it is:") + print(line_diff_output) + replace = "" + while replace.lower() != 'y' and replace.lower() != 'n': + replace = input("Would you like to replace the file? ('y' or 'n') ") + if replace == 'y': + subprocess.check_output(["cp", temp_output, result_folder + result_file]) + print("") + elif replace == 'n': + break
\ No newline at end of file diff --git a/tests/line_diff.py b/tests/line_diff.py new file mode 100755 index 000000000..1b42f1f2f --- /dev/null +++ b/tests/line_diff.py @@ -0,0 +1,45 @@ +#!/usr/bin/env python +""" +line_diff.py - Simple tool that compares two files with the same number of lines and prints the +characters (if any) on the right line (moving left to right) that are present that +weren't present in the left line +""" + +import sys + +left_file = sys.argv[1] +right_file = sys.argv[2] + +left_lines = [] +right_lines = [] + +with open(left_file) as left: + for line in left.readlines(): + left_lines.append(line.strip()) +with open(right_file) as right: + for line in right.readlines(): + right_lines.append(line.strip()) + +if len(left_lines) != len(right_lines): + print("Files didn't have the same number of lines, exiting...") + sys.exit(0) + +for i in range(len(left_lines)): + left_contents = left_lines[i] + right_contents = right_lines[i] + if len(left_contents) > len(right_contents): + print("Line " + str(i) + " has longer left contents than right contents.") + print("Left contents: " + left_contents) + print("Right contents: " + right_contents) + break + else: + left_list = list(left_contents) + right_list = list(right_contents) + while len(left_list) > 0: + if right_list.pop(0) != left_list.pop(0): + print("Line " + str(i) + ": Right contents that are not a prefix of left contents.") + print("Left contents: " + left_contents) + print("Right contents: " + right_contents) + break + if len(right_list) > 0: + print("Line " + str(i) + ": Right contents have extra characters: " + ''.join(right_list)) diff --git a/tests/result/6in4tunnel.pcap.out b/tests/result/6in4tunnel.pcap.out index 187ee661a..d170a55aa 100644 --- a/tests/result/6in4tunnel.pcap.out +++ b/tests/result/6in4tunnel.pcap.out @@ -4,7 +4,7 @@ SSL 28 15397 1 ICMPV6 48 7862 3 Facebook 37 14726 3 - 1 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:53234 <-> [2a03:2880:1010:6f03:face:b00c::2]:443 [proto: 91.119/SSL.Facebook][18 pkts/6894 bytes <-> 15 pkts/7032 bytes][client: www.facebook.com] + 1 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:53234 <-> [2a03:2880:1010:6f03:face:b00c::2]:443 [proto: 91.119/SSL.Facebook][18 pkts/6894 bytes <-> 15 pkts/7032 bytes][client: www.facebook.com][server: *.facebook.com] 2 UDP [2001:470:1f16:13f::2]:6404 <-> [2a03:2880:fffe:b:face:b00c::99]:53 [proto: 5.119/DNS.Facebook][1 pkts/133 bytes <-> 1 pkts/261 bytes][Host: star.c10r.facebook.com] 3 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:60205 <-> [2604:a880:1:20::224:b001]:443 [proto: 91/SSL][14 pkts/2312 bytes <-> 14 pkts/13085 bytes][client: mail.tomasu.net][server: mail.tomasu.net] 4 ICMPV6 [2001:470:1f16:13f::2]:0 -> [2604:a880:1:20::224:b001]:0 [proto: 102/ICMPV6][1 pkts/200 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/Instagram.pcap.out b/tests/result/Instagram.pcap.out index 2122cff4a..cb0788864 100644 --- a/tests/result/Instagram.pcap.out +++ b/tests/result/Instagram.pcap.out @@ -15,7 +15,7 @@ Instagram 363 255094 16 7 TCP 192.168.0.103:38816 <-> 46.33.70.160:80 [proto: 7.211/HTTP.Instagram][13 pkts/1118 bytes <-> 39 pkts/57876 bytes][Host: photos-h.ak.instagram.com] 8 TCP 192.168.0.103:33976 <-> 77.67.29.17:80 [proto: 7/HTTP][14 pkts/924 bytes <-> 20 pkts/28115 bytes] 9 TCP 192.168.0.103:37350 -> 82.85.26.153:80 [proto: 7.211/HTTP.Instagram][1 pkts/324 bytes -> 0 pkts/0 bytes][Host: photos-a.ak.instagram.com] - 10 TCP 192.168.0.103:41181 <-> 82.85.26.154:443 [proto: 91.211/SSL.Instagram][8 pkts/896 bytes <-> 6 pkts/4671 bytes][client: igcdn-photos-a-a.akamaihd.net] + 10 TCP 192.168.0.103:41181 <-> 82.85.26.154:443 [proto: 91.211/SSL.Instagram][8 pkts/896 bytes <-> 6 pkts/4671 bytes][client: igcdn-photos-a-a.akamaihd.net][server: a248.e.akamai.net] 11 TCP 31.13.86.52:80 <-> 192.168.0.103:58216 [proto: 7.119/HTTP.Facebook][103 pkts/150456 bytes <-> 47 pkts/3102 bytes] 12 TCP 192.168.0.103:57936 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][24 pkts/1837 bytes <-> 34 pkts/48383 bytes][Host: photos-g.ak.instagram.com] 13 TCP 192.168.0.103:57966 <-> 82.85.26.185:80 [proto: 7/HTTP][2 pkts/132 bytes <-> 1 pkts/66 bytes] @@ -29,12 +29,12 @@ Instagram 363 255094 16 21 TCP 192.168.0.103:38817 <-> 46.33.70.160:80 [proto: 7/HTTP][2 pkts/132 bytes <-> 1 pkts/66 bytes] 22 TCP 46.33.70.150:80 <-> 192.168.0.103:40855 [proto: 7/HTTP][1 pkts/74 bytes <-> 1 pkts/66 bytes] 23 UDP 192.168.0.103:51219 <-> 8.8.8.8:53 [proto: 5.211/DNS.Instagram][1 pkts/89 bytes <-> 1 pkts/305 bytes][Host: igcdn-photos-h-a.akamaihd.net] - 24 TCP 192.168.0.103:44558 <-> 46.33.70.174:443 [proto: 91.211/SSL.Instagram][10 pkts/1545 bytes <-> 7 pkts/4824 bytes][client: igcdn-photos-h-a.akamaihd.net] - 25 TCP 192.168.0.103:41182 <-> 82.85.26.154:443 [proto: 91.211/SSL.Instagram][8 pkts/896 bytes <-> 6 pkts/4671 bytes][client: igcdn-photos-a-a.akamaihd.net] + 24 TCP 192.168.0.103:44558 <-> 46.33.70.174:443 [proto: 91.211/SSL.Instagram][10 pkts/1545 bytes <-> 7 pkts/4824 bytes][client: igcdn-photos-h-a.akamaihd.net][server: a248.e.akamai.net] + 25 TCP 192.168.0.103:41182 <-> 82.85.26.154:443 [proto: 91.211/SSL.Instagram][8 pkts/896 bytes <-> 6 pkts/4671 bytes][client: igcdn-photos-a-a.akamaihd.net][server: a248.e.akamai.net] 26 TCP 92.122.48.138:80 <-> 192.168.0.103:41562 [proto: 7/HTTP][16 pkts/22931 bytes <-> 9 pkts/594 bytes] 27 TCP 192.168.0.103:44379 <-> 82.85.26.186:80 [proto: 7.211/HTTP.Instagram][41 pkts/3392 bytes <-> 40 pkts/50024 bytes][Host: photos-e.ak.instagram.com] 28 TCP 192.168.0.103:58690 -> 46.33.70.159:443 [proto: 91/SSL][2 pkts/169 bytes -> 0 pkts/0 bytes] - 29 TCP 192.168.0.103:60908 <-> 46.33.70.136:443 [proto: 91.211/SSL.Instagram][10 pkts/1369 bytes <-> 9 pkts/7971 bytes][client: igcdn-photos-g-a.akamaihd.net] + 29 TCP 192.168.0.103:60908 <-> 46.33.70.136:443 [proto: 91.211/SSL.Instagram][10 pkts/1369 bytes <-> 9 pkts/7971 bytes][client: igcdn-photos-g-a.akamaihd.net][server: a248.e.akamai.net] 30 TCP 192.168.0.103:57965 <-> 82.85.26.185:80 [proto: 7.211/HTTP.Instagram][4 pkts/559 bytes <-> 3 pkts/3456 bytes][Host: photos-f.ak.instagram.com] 31 TCP 192.168.0.103:58053 -> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][1 pkts/321 bytes -> 0 pkts/0 bytes][Host: photos-g.ak.instagram.com] diff --git a/tests/result/KakaoTalk_chat.pcap.out b/tests/result/KakaoTalk_chat.pcap.out index 616f59fb2..cdc055e8c 100644 --- a/tests/result/KakaoTalk_chat.pcap.out +++ b/tests/result/KakaoTalk_chat.pcap.out @@ -41,8 +41,8 @@ KakaoTalk 55 9990 15 31 TCP 10.24.82.188:42332 <-> 210.103.240.15:443 [proto: 91/SSL][2 pkts/112 bytes <-> 3 pkts/168 bytes] 32 TCP 10.24.82.188:49217 -> 216.58.220.174:443 [proto: 91.126/SSL.Google][1 pkts/83 bytes -> 0 pkts/0 bytes] 33 UDP 10.24.82.188:38448 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/76 bytes <-> 1 pkts/114 bytes][Host: auth.kakao.com] - 34 TCP 10.24.82.188:43581 <-> 31.13.68.70:443 [proto: 91.119/SSL.Facebook][17 pkts/3461 bytes <-> 17 pkts/6194 bytes][client: graph.facebook.com] - 35 TCP 10.24.82.188:45209 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][10 pkts/2584 bytes <-> 9 pkts/5123 bytes][client: api.facebook.com] - 36 TCP 10.24.82.188:45211 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][14 pkts/2575 bytes <-> 15 pkts/6502 bytes][client: developers.facebook.com] + 34 TCP 10.24.82.188:43581 <-> 31.13.68.70:443 [proto: 91.119/SSL.Facebook][17 pkts/3461 bytes <-> 17 pkts/6194 bytes][client: graph.facebook.com][server: *.facebook.com] + 35 TCP 10.24.82.188:45209 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][10 pkts/2584 bytes <-> 9 pkts/5123 bytes][client: api.facebook.com][server: *.facebook.com] + 36 TCP 10.24.82.188:45211 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][14 pkts/2575 bytes <-> 15 pkts/6502 bytes][client: developers.facebook.com][server: *.facebook.com] 37 TCP 10.24.82.188:45213 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][15 pkts/2508 bytes <-> 13 pkts/5053 bytes][server: *.facebook.com] 38 TCP 31.13.68.73:443 <-> 10.24.82.188:47007 [proto: 91.119/SSL.Facebook][2 pkts/139 bytes <-> 2 pkts/112 bytes] diff --git a/tests/result/dropbox.pcap.out b/tests/result/dropbox.pcap.out index 81353f45f..57b68986f 100644 --- a/tests/result/dropbox.pcap.out +++ b/tests/result/dropbox.pcap.out @@ -4,9 +4,9 @@ Dropbox 1104 246122 16 1 UDP 192.168.1.105:33189 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][2 pkts/156 bytes <-> 2 pkts/588 bytes][Host: notify.dropbox.com] 2 UDP 192.168.1.105:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][6 pkts/1422 bytes -> 0 pkts/0 bytes] - 3 TCP 192.168.1.105:59975 <-> 108.160.172.204:443 [proto: 91.121/SSL.Dropbox][18 pkts/3562 bytes <-> 16 pkts/14464 bytes][client: client.dropbox.com] + 3 TCP 192.168.1.105:59975 <-> 108.160.172.204:443 [proto: 91.121/SSL.Dropbox][18 pkts/3562 bytes <-> 16 pkts/14464 bytes][client: client.dropbox.com][server: *.dropbox.com] 4 UDP 192.168.1.105:36173 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][4 pkts/312 bytes <-> 4 pkts/1078 bytes][Host: log.getdropbox.com] - 5 TCP 192.168.1.105:46394 <-> 162.125.17.131:443 [proto: 91.121/SSL.Dropbox][12 pkts/2338 bytes <-> 10 pkts/9054 bytes][client: notify.dropbox.com] + 5 TCP 192.168.1.105:46394 <-> 162.125.17.131:443 [proto: 91.121/SSL.Dropbox][12 pkts/2338 bytes <-> 10 pkts/9054 bytes][client: notify.dropbox.com][server: *.dropbox.com] 6 UDP 192.168.1.105:50789 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][2 pkts/146 bytes <-> 2 pkts/646 bytes][Host: d.dropbox.com] 7 UDP 192.168.1.105:55407 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][2 pkts/156 bytes <-> 2 pkts/666 bytes][Host: client.dropbox.com] 8 UDP 192.168.56.1:50318 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13960 bytes <-> 100 pkts/6260 bytes] @@ -25,7 +25,7 @@ Dropbox 1104 246122 16 21 UDP 192.168.56.1:50311 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13910 bytes <-> 100 pkts/6210 bytes] 22 UDP 192.168.56.1:50319 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13921 bytes <-> 100 pkts/6221 bytes] 23 UDP 192.168.1.106:57268 -> 239.255.255.250:1900 [proto: 12/SSDP][16 pkts/2632 bytes -> 0 pkts/0 bytes] - 24 TCP 192.168.1.105:44949 <-> 54.240.174.31:443 [proto: 91.121/SSL.Dropbox][64 pkts/12228 bytes <-> 74 pkts/85074 bytes][client: client-cf.dropbox.com] + 24 TCP 192.168.1.105:44949 <-> 54.240.174.31:443 [proto: 91.121/SSL.Dropbox][64 pkts/12228 bytes <-> 74 pkts/85074 bytes][client: client-cf.dropbox.com][server: client-cf.dropbox.com] 25 TCP 192.168.1.105:36226 <-> 108.160.172.195:80 [proto: 7.121/HTTP.Dropbox][10 pkts/2170 bytes <-> 10 pkts/1758 bytes][Host: log.getdropbox.com] 26 UDP 192.168.1.101:2169 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] 27 UDP 192.168.1.101:2141 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/facebook.pcap.out b/tests/result/facebook.pcap.out index 231b9d4c4..cb7d91585 100644 --- a/tests/result/facebook.pcap.out +++ b/tests/result/facebook.pcap.out @@ -1,4 +1,4 @@ Facebook 60 30511 2 - 1 TCP 192.168.43.18:52066 <-> 66.220.156.68:443 [proto: 91.119/SSL.Facebook][9 pkts/1345 bytes <-> 10 pkts/4400 bytes][client: facebook.com] + 1 TCP 192.168.43.18:52066 <-> 66.220.156.68:443 [proto: 91.119/SSL.Facebook][9 pkts/1345 bytes <-> 10 pkts/4400 bytes][client: facebook.com][server: *.facebook.com] 2 TCP 192.168.43.18:44614 <-> 31.13.86.36:443 [proto: 91.119/SSL.Facebook][19 pkts/2664 bytes <-> 22 pkts/22102 bytes][client: www.facebook.com] diff --git a/tests/result/http_ipv6.pcap.out b/tests/result/http_ipv6.pcap.out index 8d2a0b46c..16c73c8b0 100644 --- a/tests/result/http_ipv6.pcap.out +++ b/tests/result/http_ipv6.pcap.out @@ -11,8 +11,8 @@ ntop 80 36401 4 5 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37506 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.232/SSL.ntop][14 pkts/3969 bytes <-> 12 pkts/11648 bytes][client: www.ntop.org] 6 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:40526 <-> [2a00:1450:4006:804::200e]:443 [proto: 91/SSL][1 pkts/86 bytes <-> 1 pkts/86 bytes] 7 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:41776 <-> [2a00:1450:4001:803::1017]:443 [proto: 91/SSL][7 pkts/860 bytes <-> 7 pkts/1353 bytes] - 8 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53132 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/SSL.Facebook][7 pkts/960 bytes <-> 5 pkts/4227 bytes][client: s-static.ak.facebook.com] - 9 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53134 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/SSL.Facebook][6 pkts/874 bytes <-> 4 pkts/4141 bytes][client: s-static.ak.facebook.com] + 8 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53132 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/SSL.Facebook][7 pkts/960 bytes <-> 5 pkts/4227 bytes][client: s-static.ak.facebook.com][server: *.ak.fbcdn.net] + 9 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53134 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/SSL.Facebook][6 pkts/874 bytes <-> 4 pkts/4141 bytes][client: s-static.ak.facebook.com][server: *.ak.fbcdn.net] 10 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:58660 <-> [2a00:1450:4006:803::2008]:443 [proto: 91/SSL][1 pkts/86 bytes <-> 1 pkts/86 bytes] 11 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:59690 <-> [2a00:1450:4001:803::1012]:443 [proto: 91/SSL][1 pkts/86 bytes <-> 1 pkts/86 bytes] 12 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:60124 <-> [2a02:26f0:ad:1a1::eed]:443 [proto: 91/SSL][1 pkts/86 bytes <-> 1 pkts/86 bytes] diff --git a/tests/result/netflix.pcap.out b/tests/result/netflix.pcap.out index 03983bcb4..bdc64329b 100644 --- a/tests/result/netflix.pcap.out +++ b/tests/result/netflix.pcap.out @@ -24,16 +24,16 @@ Amazon 2 126 1 18 TCP 192.168.1.7:53217 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][667 pkts/50462 bytes <-> 1205 pkts/1807875 bytes][Host: 23.246.11.141] 19 IGMP 192.168.1.7:0 -> 239.255.255.250:0 [proto: 82/IGMP][1 pkts/60 bytes -> 0 pkts/0 bytes] 20 TCP 192.168.1.7:53152 <-> 52.89.39.139:80 [proto: 7.133/HTTP.NetFlix][14 pkts/10001 bytes <-> 13 pkts/6504 bytes][Host: api-global.netflix.com] - 21 TCP 192.168.1.7:53116 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][75 pkts/31024 bytes <-> 73 pkts/42930 bytes][client: api-global.netflix.com] - 22 TCP 192.168.1.7:53203 <-> 52.37.36.252:443 [proto: 91.133/SSL.NetFlix][28 pkts/22704 bytes <-> 17 pkts/5248 bytes][client: ichnaea.netflix.com] - 23 TCP 192.168.1.7:53239 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][22 pkts/6384 bytes <-> 26 pkts/23277 bytes][client: api-global.netflix.com] - 24 TCP 192.168.1.7:53133 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][30 pkts/6328 bytes <-> 39 pkts/37610 bytes][client: api-global.netflix.com] - 25 TCP 192.168.1.7:53238 <-> 52.32.22.214:443 [proto: 91.133/SSL.NetFlix][17 pkts/5528 bytes <-> 14 pkts/5406 bytes][client: ios.nccp.netflix.com] - 26 TCP 192.168.1.7:53248 <-> 52.32.22.214:443 [proto: 91.133/SSL.NetFlix][12 pkts/5165 bytes <-> 10 pkts/5074 bytes][client: ios.nccp.netflix.com] + 21 TCP 192.168.1.7:53116 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][75 pkts/31024 bytes <-> 73 pkts/42930 bytes][client: api-global.netflix.com][server: api.netflix.com] + 22 TCP 192.168.1.7:53203 <-> 52.37.36.252:443 [proto: 91.133/SSL.NetFlix][28 pkts/22704 bytes <-> 17 pkts/5248 bytes][client: ichnaea.netflix.com][server: customerevents.netflix.com] + 23 TCP 192.168.1.7:53239 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][22 pkts/6384 bytes <-> 26 pkts/23277 bytes][client: api-global.netflix.com][server: api.netflix.com] + 24 TCP 192.168.1.7:53133 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][30 pkts/6328 bytes <-> 39 pkts/37610 bytes][client: api-global.netflix.com][server: api.netflix.com] + 25 TCP 192.168.1.7:53238 <-> 52.32.22.214:443 [proto: 91.133/SSL.NetFlix][17 pkts/5528 bytes <-> 14 pkts/5406 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] + 26 TCP 192.168.1.7:53248 <-> 52.32.22.214:443 [proto: 91.133/SSL.NetFlix][12 pkts/5165 bytes <-> 10 pkts/5074 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] 27 TCP 192.168.1.7:53249 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][25 pkts/5934 bytes <-> 27 pkts/19952 bytes][client: api-global.netflix.com] - 28 TCP 192.168.1.7:53105 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][21 pkts/3051 bytes <-> 16 pkts/6234 bytes][client: ichnaea.netflix.com] - 29 TCP 192.168.1.7:53193 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][46 pkts/50218 bytes <-> 25 pkts/7943 bytes][client: ios.nccp.netflix.com] - 30 TCP 192.168.1.7:53119 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][20 pkts/7639 bytes <-> 16 pkts/5235 bytes][client: ichnaea.netflix.com] + 28 TCP 192.168.1.7:53105 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][21 pkts/3051 bytes <-> 16 pkts/6234 bytes][client: ichnaea.netflix.com][server: customerevents.netflix.com] + 29 TCP 192.168.1.7:53193 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][46 pkts/50218 bytes <-> 25 pkts/7943 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] + 30 TCP 192.168.1.7:53119 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][20 pkts/7639 bytes <-> 16 pkts/5235 bytes][client: ichnaea.netflix.com][server: customerevents.netflix.com] 31 TCP 192.168.1.7:53148 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][31 pkts/2893 bytes <-> 32 pkts/44112 bytes][Host: art-2.nflximg.net] 32 TCP 192.168.1.7:53150 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][10 pkts/941 bytes <-> 11 pkts/12318 bytes][Host: art-2.nflximg.net] 33 TCP 192.168.1.7:53252 <-> 184.25.204.10:80 [proto: 7.133/HTTP.NetFlix][12 pkts/1221 bytes <-> 29 pkts/41018 bytes][Host: art-1.nflximg.net] @@ -54,14 +54,14 @@ Amazon 2 126 1 48 TCP 192.168.1.7:53182 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][33 pkts/2732 bytes <-> 25 pkts/30064 bytes] 49 TCP 192.168.1.7:53184 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][75 pkts/6610 bytes <-> 103 pkts/150772 bytes][Host: 23.246.11.141] 50 TCP 192.168.1.7:52929 -> 52.24.87.6:443 [proto: 91.178/SSL.Amazon][2 pkts/126 bytes -> 0 pkts/0 bytes] - 51 TCP 192.168.1.7:53115 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][16 pkts/1657 bytes <-> 12 pkts/5005 bytes][client: api-global.netflix.com] + 51 TCP 192.168.1.7:53115 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][16 pkts/1657 bytes <-> 12 pkts/5005 bytes][client: api-global.netflix.com][server: api.netflix.com] 52 TCP 192.168.1.7:53117 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][12 pkts/1294 bytes <-> 8 pkts/1723 bytes][client: api-global.netflix.com] - 53 TCP 192.168.1.7:53132 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][22 pkts/6028 bytes <-> 18 pkts/7459 bytes][client: api-global.netflix.com] + 53 TCP 192.168.1.7:53132 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][22 pkts/6028 bytes <-> 18 pkts/7459 bytes][client: api-global.netflix.com][server: api.netflix.com] 54 TCP 192.168.1.7:53134 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][14 pkts/3548 bytes <-> 11 pkts/4653 bytes][client: api-global.netflix.com] 55 TCP 192.168.1.7:53151 <-> 54.201.191.132:80 [proto: 7.133/HTTP.NetFlix][15 pkts/3626 bytes <-> 26 pkts/29544 bytes][Host: appboot.netflix.com] 56 TCP 192.168.1.7:53250 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][10 pkts/2830 bytes <-> 7 pkts/2484 bytes][client: api-global.netflix.com] - 57 TCP 192.168.1.7:53114 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][14 pkts/3109 bytes <-> 11 pkts/5119 bytes][client: ios.nccp.netflix.com] - 58 TCP 192.168.1.7:53118 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][19 pkts/7588 bytes <-> 15 pkts/5140 bytes][client: ichnaea.netflix.com] - 59 TCP 192.168.1.7:53162 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][18 pkts/5661 bytes <-> 13 pkts/9059 bytes][client: ios.nccp.netflix.com] - 60 TCP 192.168.1.7:53202 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][22 pkts/10686 bytes <-> 16 pkts/7850 bytes][client: ios.nccp.netflix.com] - 61 TCP 192.168.1.7:53141 <-> 104.86.97.179:443 [proto: 91.133/SSL.NetFlix][83 pkts/7225 bytes <-> 147 pkts/202723 bytes][client: art-s.nflximg.net] + 57 TCP 192.168.1.7:53114 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][14 pkts/3109 bytes <-> 11 pkts/5119 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] + 58 TCP 192.168.1.7:53118 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][19 pkts/7588 bytes <-> 15 pkts/5140 bytes][client: ichnaea.netflix.com][server: customerevents.netflix.com] + 59 TCP 192.168.1.7:53162 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][18 pkts/5661 bytes <-> 13 pkts/9059 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] + 60 TCP 192.168.1.7:53202 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][22 pkts/10686 bytes <-> 16 pkts/7850 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] + 61 TCP 192.168.1.7:53141 <-> 104.86.97.179:443 [proto: 91.133/SSL.NetFlix][83 pkts/7225 bytes <-> 147 pkts/202723 bytes][client: art-s.nflximg.net][server: secure.cdn.nflximg.net] diff --git a/tests/result/viber_mobile.pcap.out b/tests/result/viber_mobile.pcap.out index 097363152..c11180994 100644 --- a/tests/result/viber_mobile.pcap.out +++ b/tests/result/viber_mobile.pcap.out @@ -29,7 +29,7 @@ Amazon 8 528 1 14 UDP 192.168.200.222:39413 -> 90.19.187.56:40500 [proto: 37/BitTorrent][1 pkts/146 bytes -> 0 pkts/0 bytes] 15 UDP 192.168.200.222:39413 <-> 80.47.129.1:44420 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] 16 UDP 192.168.200.222:39413 -> 70.112.231.62:51413 [proto: 37/BitTorrent][3 pkts/438 bytes -> 0 pkts/0 bytes] - 17 TCP 192.168.200.222:38039 <-> 31.13.79.246:443 [proto: 91.119/SSL.Facebook][19 pkts/3115 bytes <-> 18 pkts/13053 bytes][client: graph.facebook.com] + 17 TCP 192.168.200.222:38039 <-> 31.13.79.246:443 [proto: 91.119/SSL.Facebook][19 pkts/3115 bytes <-> 18 pkts/13053 bytes][client: graph.facebook.com][server: *.facebook.com] 18 UDP 192.168.200.222:39413 <-> 94.6.33.9:46735 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] 19 TCP 216.58.199.206:443 <-> 192.168.200.222:58663 [proto: 91.126/SSL.Google][1 pkts/66 bytes <-> 1 pkts/66 bytes] 20 UDP 192.168.200.222:39413 -> 88.176.55.218:51413 [proto: 37/BitTorrent][1 pkts/146 bytes -> 0 pkts/0 bytes] @@ -48,7 +48,7 @@ Amazon 8 528 1 33 UDP 192.168.200.222:60474 <-> 8.8.8.8:53 [proto: 5/DNS][1 pkts/77 bytes <-> 1 pkts/141 bytes][Host: easytomessage.com] 34 ICMP 192.168.200.222:0 -> 8.8.8.8:0 [proto: 81.126/ICMP.Google][1 pkts/148 bytes -> 0 pkts/0 bytes] 35 UDP 192.168.200.222:39413 <-> 186.220.157.231:45235 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] - 36 TCP 192.168.200.222:51055 <-> 74.125.68.156:443 [proto: 91.126/SSL.Google][17 pkts/2087 bytes <-> 14 pkts/5520 bytes][client: googleads.g.doubleclick.net] + 36 TCP 192.168.200.222:51055 <-> 74.125.68.156:443 [proto: 91.126/SSL.Google][17 pkts/2087 bytes <-> 14 pkts/5520 bytes][client: googleads.g.doubleclick.net][server: *.g.doubleclick.net] 37 ICMP 37.214.167.82:0 -> 192.168.200.222:0 [proto: 81/ICMP][1 pkts/174 bytes -> 0 pkts/0 bytes] 38 UDP 192.168.200.222:39413 <-> 80.234.25.211:12624 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] 39 TCP 192.168.200.222:46761 <-> 112.124.219.93:80 [proto: 7/HTTP][5 pkts/520 bytes <-> 4 pkts/563 bytes][Host: androiddailyyogacn.oss-cn-hangzhou.aliyuncs.com] @@ -72,7 +72,7 @@ Amazon 8 528 1 57 UDP 192.168.200.222:52263 <-> 8.8.8.8:53 [proto: 5.142/DNS.WhatsApp][1 pkts/75 bytes <-> 1 pkts/203 bytes][Host: e9.whatsapp.net] 58 TCP 192.168.200.222:51146 <-> 23.21.254.189:443 [proto: 91/SSL][12 pkts/2322 bytes <-> 10 pkts/6919 bytes][client: e.crashlytics.com][server: *.crashlytics.com] 59 TCP 52.0.253.46:4244 <-> 192.168.200.222:43454 [proto: 144/Viber][8 pkts/1187 bytes <-> 8 pkts/856 bytes] - 60 TCP 192.168.200.222:42040 <-> 74.125.200.18:443 [proto: 91.122/SSL.GMail][17 pkts/3286 bytes <-> 16 pkts/11246 bytes][client: mail.google.com] + 60 TCP 192.168.200.222:42040 <-> 74.125.200.18:443 [proto: 91.122/SSL.GMail][17 pkts/3286 bytes <-> 16 pkts/11246 bytes][client: mail.google.com][server: mail.google.com] 61 UDP 192.168.200.222:39413 -> 37.214.167.82:11905 [proto: 37/BitTorrent][1 pkts/146 bytes -> 0 pkts/0 bytes] 62 UDP 192.168.200.222:58921 <-> 8.8.8.8:53 [proto: 5/DNS][2 pkts/144 bytes <-> 2 pkts/192 bytes][Host: sis.jpush.io] 63 TCP 192.168.200.222:43646 -> 93.184.221.200:80 [proto: 7/HTTP][5 pkts/300 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/webex.pcap.out b/tests/result/webex.pcap.out index 7f5f06d7c..6b130dd20 100644 --- a/tests/result/webex.pcap.out +++ b/tests/result/webex.pcap.out @@ -46,7 +46,7 @@ Amazon 3 174 1 38 TCP 10.8.0.1:51646 <-> 114.29.204.49:443 [proto: 91.141/SSL.Webex][9 pkts/895 bytes <-> 8 pkts/4398 bytes][server: *.webex.com] 39 TCP 10.8.0.1:51676 <-> 114.29.204.49:443 [proto: 91.141/SSL.Webex][6 pkts/427 bytes <-> 5 pkts/270 bytes] 40 TCP 10.8.0.1:52730 <-> 173.243.4.76:443 [proto: 91.141/SSL.Webex][9 pkts/1369 bytes <-> 8 pkts/6621 bytes][server: *.webex.com] - 41 TCP 10.8.0.1:43433 <-> 216.58.208.40:443 [proto: 91.126/SSL.Google][9 pkts/1540 bytes <-> 8 pkts/4835 bytes][client: ssl.google-analytics.com] + 41 TCP 10.8.0.1:43433 <-> 216.58.208.40:443 [proto: 91.126/SSL.Google][9 pkts/1540 bytes <-> 8 pkts/4835 bytes][client: ssl.google-analytics.com][server: *.google-analytics.com] 42 TCP 10.8.0.1:47498 <-> 209.197.222.159:443 [proto: 91.141/SSL.Webex][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][server: *.webex.com] 43 TCP 10.133.206.47:54651 <-> 185.63.147.10:443 [proto: 91/SSL][1 pkts/66 bytes <-> 2 pkts/108 bytes] 44 UDP 10.8.0.1:64538 -> 172.16.1.75:5060 [proto: 100/SIP][22 pkts/15356 bytes -> 0 pkts/0 bytes] @@ -54,7 +54,7 @@ Amazon 3 174 1 46 TCP 10.8.0.1:33512 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][9 pkts/1357 bytes <-> 9 pkts/615 bytes] 47 TCP 10.8.0.1:33554 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][9 pkts/1357 bytes <-> 9 pkts/615 bytes] 48 TCP 10.8.0.1:49048 <-> 23.44.253.243:443 [proto: 91.141/SSL.Webex][7 pkts/1181 bytes <-> 7 pkts/4021 bytes][server: www.webex.com] - 49 TCP 10.8.0.1:41346 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][48 pkts/11540 bytes <-> 47 pkts/80696 bytes][client: radcom.webex.com] + 49 TCP 10.8.0.1:41346 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][48 pkts/11540 bytes <-> 47 pkts/80696 bytes][client: radcom.webex.com][server: *.webex.com] 50 TCP 10.8.0.1:41348 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][28 pkts/4815 bytes <-> 28 pkts/104881 bytes][client: radcom.webex.com] 51 TCP 10.8.0.1:41350 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][6 pkts/614 bytes <-> 5 pkts/399 bytes][client: radcom.webex.com] 52 TCP 10.8.0.1:41354 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][13 pkts/2145 bytes <-> 13 pkts/24239 bytes][server: *.webex.com] diff --git a/tests/result/wechat.pcap.out b/tests/result/wechat.pcap.out index a80680e7c..401404d8a 100644 --- a/tests/result/wechat.pcap.out +++ b/tests/result/wechat.pcap.out @@ -20,7 +20,7 @@ WeChat 1251 606425 49 4 UDP 192.168.1.103:42589 -> 192.168.1.254:53 [proto: 5.126/DNS.Google][1 pkts/75 bytes -> 0 pkts/0 bytes][Host: ssl.gstatic.com] 5 UDP 192.168.1.103:43317 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][1 pkts/82 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] 6 UDP 192.168.1.103:43705 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com.lan] - 7 TCP 192.168.1.103:43850 <-> 203.205.158.34:443 [proto: 91.48/SSL.QQ][12 pkts/2005 bytes <-> 12 pkts/6787 bytes][client: res.wx.qq.com] + 7 TCP 192.168.1.103:43850 <-> 203.205.158.34:443 [proto: 91.48/SSL.QQ][12 pkts/2005 bytes <-> 12 pkts/6787 bytes][client: res.wx.qq.com][server: wx.qq.com] 8 UDP 192.168.1.103:44063 -> 192.168.1.254:53 [proto: 5/DNS][2 pkts/162 bytes -> 0 pkts/0 bytes][Host: 1.debian.pool.ntp.org] 9 UDP [fe80::91f9:3df3:7436:6cd6]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][14 pkts/1428 bytes -> 0 pkts/0 bytes] 10 TCP 192.168.1.103:53220 <-> 172.217.23.78:443 [proto: 91.126/SSL.Google][4 pkts/264 bytes <-> 4 pkts/319 bytes] @@ -29,25 +29,25 @@ WeChat 1251 606425 49 13 UDP 192.168.1.103:53515 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][1 pkts/86 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com.lan] 14 TCP 203.205.151.162:443 <-> 192.168.1.103:54084 [proto: 91.197/SSL.WeChat][3 pkts/802 bytes <-> 3 pkts/198 bytes] 15 TCP 203.205.151.162:443 <-> 192.168.1.103:54058 [proto: 91.197/SSL.WeChat][88 pkts/15114 bytes <-> 91 pkts/61842 bytes] - 16 TCP 192.168.1.103:54090 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][client: web.wechat.com] - 17 TCP 192.168.1.103:54092 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][15 pkts/6438 bytes <-> 11 pkts/5068 bytes][client: web.wechat.com] - 18 TCP 192.168.1.103:54094 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][22 pkts/10193 bytes <-> 18 pkts/8262 bytes][client: web.wechat.com] - 19 TCP 192.168.1.103:54096 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][client: web.wechat.com] - 20 TCP 192.168.1.103:54098 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][22 pkts/8507 bytes <-> 16 pkts/6575 bytes][client: web.wechat.com] - 21 TCP 192.168.1.103:54100 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][15 pkts/4627 bytes <-> 12 pkts/5905 bytes][client: web.wechat.com] - 22 TCP 192.168.1.103:54102 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][13 pkts/2317 bytes <-> 15 pkts/15724 bytes][client: web.wechat.com] - 23 TCP 192.168.1.103:54104 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][client: web.wechat.com] + 16 TCP 192.168.1.103:54090 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][client: web.wechat.com][server: web.wechat.com] + 17 TCP 192.168.1.103:54092 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][15 pkts/6438 bytes <-> 11 pkts/5068 bytes][client: web.wechat.com][server: web.wechat.com] + 18 TCP 192.168.1.103:54094 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][22 pkts/10193 bytes <-> 18 pkts/8262 bytes][client: web.wechat.com][server: web.wechat.com] + 19 TCP 192.168.1.103:54096 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][client: web.wechat.com][server: web.wechat.com] + 20 TCP 192.168.1.103:54098 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][22 pkts/8507 bytes <-> 16 pkts/6575 bytes][client: web.wechat.com][server: web.wechat.com] + 21 TCP 192.168.1.103:54100 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][15 pkts/4627 bytes <-> 12 pkts/5905 bytes][client: web.wechat.com][server: web.wechat.com] + 22 TCP 192.168.1.103:54102 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][13 pkts/2317 bytes <-> 15 pkts/15724 bytes][client: web.wechat.com][server: web.wechat.com] + 23 TCP 192.168.1.103:54104 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][client: web.wechat.com][server: web.wechat.com] 24 TCP 192.168.1.103:54110 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][1 pkts/66 bytes <-> 1 pkts/66 bytes] 25 TCP 192.168.1.103:54106 -> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][2 pkts/132 bytes -> 0 pkts/0 bytes] 26 TCP 192.168.1.103:54112 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][5 pkts/338 bytes <-> 4 pkts/280 bytes] 27 TCP 192.168.1.103:54114 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][5 pkts/338 bytes <-> 4 pkts/280 bytes] - 28 TCP 192.168.1.103:54118 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 8 pkts/3703 bytes][client: web.wechat.com] - 29 TCP 192.168.1.103:54120 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][client: web.wechat.com] + 28 TCP 192.168.1.103:54118 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 8 pkts/3703 bytes][client: web.wechat.com][server: web.wechat.com] + 29 TCP 192.168.1.103:54120 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][client: web.wechat.com][server: web.wechat.com] 30 UDP 192.168.1.103:56367 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][2 pkts/164 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] - 31 TCP 192.168.1.103:58036 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][15 pkts/6450 bytes <-> 11 pkts/5068 bytes][client: web.wechat.com] - 32 TCP 192.168.1.103:58038 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][34 pkts/17556 bytes <-> 25 pkts/12172 bytes][client: web.wechat.com] - 33 TCP 192.168.1.103:58040 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][29 pkts/17545 bytes <-> 20 pkts/6923 bytes][client: web.wechat.com] - 34 TCP 192.168.1.103:58042 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][12 pkts/4516 bytes <-> 10 pkts/5004 bytes][client: web.wechat.com] + 31 TCP 192.168.1.103:58036 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][15 pkts/6450 bytes <-> 11 pkts/5068 bytes][client: web.wechat.com][server: web.wechat.com] + 32 TCP 192.168.1.103:58038 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][34 pkts/17556 bytes <-> 25 pkts/12172 bytes][client: web.wechat.com][server: web.wechat.com] + 33 TCP 192.168.1.103:58040 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][29 pkts/17545 bytes <-> 20 pkts/6923 bytes][client: web.wechat.com][server: web.wechat.com] + 34 TCP 192.168.1.103:58042 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][12 pkts/4516 bytes <-> 10 pkts/5004 bytes][client: web.wechat.com][server: web.wechat.com] 35 UDP 192.168.1.103:58165 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][1 pkts/82 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] 36 TCP 192.168.1.103:58226 -> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][6 pkts/396 bytes -> 0 pkts/0 bytes] 37 UDP 192.168.1.103:59567 -> 192.168.1.254:53 [proto: 5.126/DNS.Google][1 pkts/79 bytes -> 0 pkts/0 bytes][Host: ssl.gstatic.com.lan] @@ -62,7 +62,7 @@ WeChat 1251 606425 49 46 UDP [fe80::91f9:3df3:7436:6cd6]:50440 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/180 bytes -> 0 pkts/0 bytes][Host: lbjamwptxz] 47 TCP 192.168.1.103:52020 -> 95.101.180.179:80 [proto: 7/HTTP][8 pkts/528 bytes -> 0 pkts/0 bytes] 48 UDP 192.168.1.103:35601 <-> 172.217.23.67:443 [proto: 188.126/QUIC.Google][5 pkts/2035 bytes <-> 5 pkts/1937 bytes][Host: ssl.gstatic.com] - 49 TCP 192.168.1.103:38657 <-> 172.217.22.14:443 [proto: 91.124/SSL.YouTube][17 pkts/2413 bytes <-> 17 pkts/6268 bytes][client: safebrowsing.googleusercontent.com] + 49 TCP 192.168.1.103:38657 <-> 172.217.22.14:443 [proto: 91.124/SSL.YouTube][17 pkts/2413 bytes <-> 17 pkts/6268 bytes][client: safebrowsing.googleusercontent.com][server: *.googleusercontent.com] 50 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][1 pkts/342 bytes -> 0 pkts/0 bytes][Host: iphonedimonica] 51 UDP 192.168.1.103:37578 -> 193.204.114.233:123 [proto: 9/NTP][1 pkts/90 bytes -> 0 pkts/0 bytes] 52 TCP 192.168.1.103:40741 <-> 203.205.151.211:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/108 bytes] @@ -76,24 +76,24 @@ WeChat 1251 606425 49 60 UDP 192.168.1.103:51507 <-> 172.217.23.67:443 [proto: 188.126/QUIC.Google][7 pkts/3507 bytes <-> 6 pkts/3329 bytes][Host: ssl.gstatic.com] 61 UDP 192.168.1.103:53734 <-> 192.168.1.254:53 [proto: 5.124/DNS.YouTube][1 pkts/94 bytes <-> 1 pkts/272 bytes][Host: safebrowsing.googleusercontent.com] 62 TCP 192.168.1.103:54085 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][2 pkts/132 bytes <-> 1 pkts/66 bytes] - 63 TCP 192.168.1.103:54089 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][21 pkts/7826 bytes <-> 20 pkts/18761 bytes][client: web.wechat.com] - 64 TCP 192.168.1.103:54091 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][9 pkts/966 bytes <-> 6 pkts/3571 bytes][client: web.wechat.com] + 63 TCP 192.168.1.103:54089 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][21 pkts/7826 bytes <-> 20 pkts/18761 bytes][client: web.wechat.com][server: web.wechat.com] + 64 TCP 192.168.1.103:54091 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][9 pkts/966 bytes <-> 6 pkts/3571 bytes][client: web.wechat.com][server: web.wechat.com] 65 TCP 192.168.1.103:54093 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][5 pkts/338 bytes <-> 3 pkts/214 bytes] - 66 TCP 192.168.1.103:54095 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][21 pkts/7825 bytes <-> 18 pkts/17898 bytes][client: web.wechat.com] - 67 TCP 192.168.1.103:54097 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][25 pkts/12063 bytes <-> 19 pkts/7932 bytes][client: web.wechat.com] - 68 TCP 192.168.1.103:54099 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][25 pkts/9013 bytes <-> 29 pkts/27440 bytes][client: web.wechat.com] - 69 TCP 192.168.1.103:54101 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][46 pkts/12575 bytes <-> 40 pkts/53424 bytes][client: web.wechat.com] - 70 TCP 192.168.1.103:54103 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][50 pkts/23958 bytes <-> 46 pkts/39684 bytes][client: web.wechat.com] + 66 TCP 192.168.1.103:54095 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][21 pkts/7825 bytes <-> 18 pkts/17898 bytes][client: web.wechat.com][server: web.wechat.com] + 67 TCP 192.168.1.103:54097 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][25 pkts/12063 bytes <-> 19 pkts/7932 bytes][client: web.wechat.com][server: web.wechat.com] + 68 TCP 192.168.1.103:54099 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][25 pkts/9013 bytes <-> 29 pkts/27440 bytes][client: web.wechat.com][server: web.wechat.com] + 69 TCP 192.168.1.103:54101 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][46 pkts/12575 bytes <-> 40 pkts/53424 bytes][client: web.wechat.com][server: web.wechat.com] + 70 TCP 192.168.1.103:54103 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][50 pkts/23958 bytes <-> 46 pkts/39684 bytes][client: web.wechat.com][server: web.wechat.com] 71 TCP 192.168.1.103:54109 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][1 pkts/66 bytes <-> 1 pkts/66 bytes] - 72 TCP 192.168.1.103:54111 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][14 pkts/4626 bytes <-> 12 pkts/5135 bytes][client: web.wechat.com] - 73 TCP 192.168.1.103:54113 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][38 pkts/8933 bytes <-> 35 pkts/35112 bytes][client: web.wechat.com] - 74 TCP 192.168.1.103:54117 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][20 pkts/8397 bytes <-> 16 pkts/6566 bytes][client: web.wechat.com] - 75 TCP 192.168.1.103:54119 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][26 pkts/8129 bytes <-> 24 pkts/22836 bytes][client: web.wechat.com] + 72 TCP 192.168.1.103:54111 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][14 pkts/4626 bytes <-> 12 pkts/5135 bytes][client: web.wechat.com][server: web.wechat.com] + 73 TCP 192.168.1.103:54113 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][38 pkts/8933 bytes <-> 35 pkts/35112 bytes][client: web.wechat.com][server: web.wechat.com] + 74 TCP 192.168.1.103:54117 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][20 pkts/8397 bytes <-> 16 pkts/6566 bytes][client: web.wechat.com][server: web.wechat.com] + 75 TCP 192.168.1.103:54119 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][26 pkts/8129 bytes <-> 24 pkts/22836 bytes][client: web.wechat.com][server: web.wechat.com] 76 TCP 192.168.1.103:54183 -> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][2 pkts/2508 bytes -> 0 pkts/0 bytes] 77 UDP 192.168.1.103:55862 <-> 192.168.1.254:53 [proto: 5.126/DNS.Google][1 pkts/75 bytes <-> 1 pkts/227 bytes][Host: docs.google.com] 78 TCP 192.168.1.103:58037 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][5 pkts/338 bytes <-> 3 pkts/214 bytes] 79 TCP 192.168.1.103:58039 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][13 pkts/866 bytes <-> 4 pkts/280 bytes] - 80 TCP 192.168.1.103:58041 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][client: web.wechat.com] + 80 TCP 192.168.1.103:58041 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][client: web.wechat.com][server: web.wechat.com] 81 TCP 192.168.1.103:58043 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][3 pkts/206 bytes <-> 2 pkts/148 bytes] 82 UDP 192.168.1.103:60356 <-> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][1 pkts/74 bytes <-> 1 pkts/391 bytes][Host: web.wechat.com] 83 UDP 192.168.1.103:60562 <-> 192.168.1.254:53 [proto: 5.126/DNS.Google][1 pkts/75 bytes <-> 1 pkts/234 bytes][Host: ssl.gstatic.com] diff --git a/tests/result/whatsapp_login_call.pcap.out b/tests/result/whatsapp_login_call.pcap.out index 360cbc096..6105015fc 100644 --- a/tests/result/whatsapp_login_call.pcap.out +++ b/tests/result/whatsapp_login_call.pcap.out @@ -53,7 +53,7 @@ AppleStore 85 28087 2 39 TCP 192.168.2.4:49174 <-> 5.178.42.26:80 [proto: 7/HTTP][2 pkts/132 bytes <-> 1 pkts/66 bytes] 40 TCP 192.168.2.4:49163 <-> 17.154.66.111:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] 41 TCP 192.168.2.4:49175 <-> 17.172.100.53:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] - 42 TCP 192.168.2.4:49201 <-> 17.178.104.12:443 [proto: 91.140/SSL.Apple][21 pkts/7644 bytes <-> 17 pkts/9576 bytes][client: query.ess.apple.com] + 42 TCP 192.168.2.4:49201 <-> 17.178.104.12:443 [proto: 91.140/SSL.Apple][21 pkts/7644 bytes <-> 17 pkts/9576 bytes][client: query.ess.apple.com][server: *.ess.apple.com] 43 TCP 192.168.2.4:49167 <-> 17.172.100.8:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] 44 TCP 192.168.2.4:49203 <-> 17.178.104.14:443 [proto: 91.140/SSL.Apple][2 pkts/132 bytes <-> 1 pkts/66 bytes] 45 TCP 192.168.2.4:49198 <-> 17.167.142.13:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] |