authorLuca Deri <deri@ntop.org>2020-09-24 23:26:03 +0200
committerLuca Deri <deri@ntop.org>2020-09-24 23:26:03 +0200
commit044ed14b4f23708ec05f5b5c85ca29acbf4b59db (patch)
treea03aea7d48eb8ec6b5d83da71c7ab2c40fcbc10c
parent51e86346d31f270099d4169cd2ebcb0146e5e593 (diff)
Various optimizations to reduce not-necessary calls
Optimized various UDP dissectors. Removed dead protocols such as pando and pplive.
-rw-r--r--src/include/ndpi_protocol_ids.h4
-rw-r--r--src/include/ndpi_protocols.h2
-rw-r--r--src/include/ndpi_typedefs.h12
-rw-r--r--src/lib/ndpi_main.c359
-rw-r--r--src/lib/protocols/bittorrent.c11
-rw-r--r--src/lib/protocols/ciscovpn.c5
-rw-r--r--src/lib/protocols/csgo.c79
-rw-r--r--src/lib/protocols/dns.c3
-rw-r--r--src/lib/protocols/edonkey.c14
-rw-r--r--src/lib/protocols/h323.c16
-rw-r--r--src/lib/protocols/imo.c2
-rw-r--r--src/lib/protocols/netflow.c19
-rw-r--r--src/lib/protocols/noe.c23
-rw-r--r--src/lib/protocols/openvpn.c48
-rw-r--r--src/lib/protocols/pando.c167
-rw-r--r--src/lib/protocols/pplive.c232
-rw-r--r--src/lib/protocols/radius.c8
-rw-r--r--src/lib/protocols/rtcp.c5
-rw-r--r--src/lib/protocols/rtp.c14
-rw-r--r--src/lib/protocols/sip.c224
-rw-r--r--src/lib/protocols/steam.c1
-rw-r--r--src/lib/protocols/stun.c120
-rw-r--r--src/lib/protocols/tftp.c33
-rw-r--r--src/lib/protocols/tinc.c4
-rw-r--r--tests/pcap/tftp_rrq.pcapbin0 -> 31463 bytes
-rw-r--r--tests/result/facebook.pcap.out2
-rw-r--r--tests/result/netflix.pcap.out2
-rw-r--r--tests/result/teams.pcap.out4
-rw-r--r--tests/result/tftp_rrq.pcap.out5
-rw-r--r--tests/result/viber.pcap.out2
-rw-r--r--tests/result/webex.pcap.out2
-rw-r--r--tests/result/whatsapp_login_call.pcap.out2
-rw-r--r--tests/result/zoom.pcap.out2
33 files changed, 563 insertions, 863 deletions
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index 317c36b44..261f97bcd 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -82,7 +82,7 @@ typedef enum {
NDPI_PROTOCOL_RTSP = 50,
NDPI_PROTOCOL_MAIL_IMAPS = 51,
NDPI_PROTOCOL_ICECAST = 52,
- NDPI_PROTOCOL_PPLIVE = 53, /* Tomasz Bujlow <tomasz@skatnet.dk> */
+ NDPI_PROTOCOL_FREE_53 = 53,
NDPI_PROTOCOL_PPSTREAM = 54,
NDPI_PROTOCOL_ZATTOO = 55,
NDPI_PROTOCOL_SHOUTCAST = 56,
@@ -212,7 +212,7 @@ typedef enum {
NDPI_PROTOCOL_CNN = 180, /* Tomasz Bujlow <tomasz@skatnet.dk> */
NDPI_PROTOCOL_MEGACO = 181, /* Gianluca Costa <g.costa@xplico.org> */
NDPI_PROTOCOL_REDIS = 182,
- NDPI_PROTOCOL_PANDO = 183, /* Tomasz Bujlow <tomasz@skatnet.dk> */
+ NDPI_PROTOCOL_FREE_183 = 183,
NDPI_PROTOCOL_VHUA = 184,
NDPI_PROTOCOL_TELEGRAM = 185, /* Gianluca Costa <g.costa@xplico.org> */
NDPI_PROTOCOL_VEVO = 186,
diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h
index c3f8bfa51..e93c326e8 100644
--- a/src/include/ndpi_protocols.h
+++ b/src/include/ndpi_protocols.h
@@ -119,9 +119,7 @@ void init_ntp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
void init_openft_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_openvpn_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_oracle_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
-void init_pando_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_postgres_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
-void init_pplive_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_ppstream_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_pptp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_qq_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 7094ef9a6..9476b4fe5 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -860,6 +860,7 @@ struct ndpi_detection_module_struct;
struct ndpi_flow_struct;
struct ndpi_call_function_struct {
+ u_int16_t ndpi_protocol_id;
NDPI_PROTOCOL_BITMASK detection_bitmask;
NDPI_PROTOCOL_BITMASK excluded_protocol_bitmask;
NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_bitmask;
@@ -1163,7 +1164,7 @@ struct ndpi_flow_struct {
/* init parameter, internal used to set up timestamp,... */
u_int16_t guessed_protocol_id, guessed_host_protocol_id, guessed_category, guessed_header_category;
- u_int8_t l4_proto, protocol_id_already_guessed:1, host_already_guessed:1,
+ u_int8_t l4_proto, protocol_id_already_guessed:1, host_already_guessed:1, fail_with_unknown:1,
init_finished:1, setup_packet_direction:1, packet_direction:1, check_extra_packets:1;
/*
@@ -1330,9 +1331,6 @@ struct ndpi_flow_struct {
/* NDPI_PROTOCOL_DIRECTCONNECT */
u_int8_t directconnect_stage:2; // 0 - 1
- /* NDPI_PROTOCOL_YAHOO */
- u_int8_t sip_yahoo_voice:1;
-
/* NDPI_PROTOCOL_HTTP */
u_int8_t http_detected:1;
@@ -1366,15 +1364,9 @@ struct ndpi_flow_struct {
/* NDPI_PROTOCOL_RTMP */
u_int8_t rtmp_stage:2;
- /* NDPI_PROTOCOL_PANDO */
- u_int8_t pando_stage:3;
-
/* NDPI_PROTOCOL_STEAM */
u_int16_t steam_stage:3, steam_stage1:3, steam_stage2:2, steam_stage3:2;
- /* NDPI_PROTOCOL_PPLIVE */
- u_int8_t pplive_stage1:3, pplive_stage2:2, pplive_stage3:2;
-
/* NDPI_PROTOCOL_STARCRAFT */
u_int8_t starcraft_udp_stage : 3; // 0-7
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 06eff97a5..67636a1fc 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -899,8 +899,8 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, no_master, "IceCast", NDPI_PROTOCOL_CATEGORY_MEDIA,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_PPLIVE, 0 /* can_have_a_subprotocol */,
- no_master, no_master, "PPLive", NDPI_PROTOCOL_CATEGORY_MEDIA,
+ ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_FREE_53, 0 /* can_have_a_subprotocol */,
+ no_master, no_master, "FREE53", NDPI_PROTOCOL_CATEGORY_MEDIA,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_PPSTREAM, 0 /* can_have_a_subprotocol */,
@@ -1351,8 +1351,8 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, no_master, "RTMP", NDPI_PROTOCOL_CATEGORY_MEDIA,
ndpi_build_default_ports(ports_a, 1935, 0, 0, 0, 0), /* TCP */
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */
- ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_PANDO, 0 /* can_have_a_subprotocol */, no_master,
- no_master, "Pando_Media_Booster", NDPI_PROTOCOL_CATEGORY_WEB,
+ ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_FREE_183, 0 /* can_have_a_subprotocol */, no_master,
+ no_master, "FREE183", NDPI_PROTOCOL_CATEGORY_WEB,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */
ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MEGACO, 0 /* can_have_a_subprotocol */,
@@ -1503,9 +1503,9 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SOAP, 1 /* no subprotocol */,
- no_master, no_master, "SOAP", NDPI_PROTOCOL_CATEGORY_RPC,
- ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ no_master, no_master, "SOAP", NDPI_PROTOCOL_CATEGORY_RPC,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
#ifdef CUSTOM_NDPI_PROTOCOLS
#include "../../../nDPI-custom/custom_ndpi_main.c"
@@ -1858,112 +1858,112 @@ void set_ndpi_debug_function(struct ndpi_detection_module_struct *ndpi_str, ndpi
/* Keep it in order and in sync with ndpi_protocol_category_t in ndpi_typedefs.h */
static const char *categories[] = {
- "Unspecified",
- "Media",
- "VPN",
- "Email",
- "DataTransfer",
- "Web",
- "SocialNetwork",
- "Download-FileTransfer-FileSharing",
- "Game",
- "Chat",
- "VoIP",
- "Database",
- "RemoteAccess",
- "Cloud",
- "Network",
- "Collaborative",
- "RPC",
- "Streaming",
- "System",
- "SoftwareUpdate",
- "",
- "",
- "",
- "",
- "",
- "Music",
- "Video",
- "Shopping",
- "Productivity",
- "FileSharing",
- "ConnectivityCheck",
- "IoT-Scada",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "Mining", /* 99 */
- "Malware",
- "Advertisement",
- "Banned_Site",
- "Site_Unavailable",
- "Allowed_Site",
- "Antimalware",
+ "Unspecified",
+ "Media",
+ "VPN",
+ "Email",
+ "DataTransfer",
+ "Web",
+ "SocialNetwork",
+ "Download-FileTransfer-FileSharing",
+ "Game",
+ "Chat",
+ "VoIP",
+ "Database",
+ "RemoteAccess",
+ "Cloud",
+ "Network",
+ "Collaborative",
+ "RPC",
+ "Streaming",
+ "System",
+ "SoftwareUpdate",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "Music",
+ "Video",
+ "Shopping",
+ "Productivity",
+ "FileSharing",
+ "ConnectivityCheck",
+ "IoT-Scada",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "Mining", /* 99 */
+ "Malware",
+ "Advertisement",
+ "Banned_Site",
+ "Site_Unavailable",
+ "Allowed_Site",
+ "Antimalware",
};
/* ******************************************************************** */
@@ -2849,7 +2849,8 @@ void ndpi_set_bitmask_protocol_detection(char *label, struct ndpi_detection_modu
*/
ndpi_str->proto_defaults[ndpi_protocol_id].protoIdx = idx;
ndpi_str->proto_defaults[ndpi_protocol_id].func = ndpi_str->callback_buffer[idx].func = func;
-
+ ndpi_str->callback_buffer[idx].ndpi_protocol_id = ndpi_protocol_id;
+
/*
Set ndpi_selection_bitmask for protocol
*/
@@ -2975,9 +2976,6 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
/* PPSTREAM */
init_ppstream_dissector(ndpi_str, &a, detection_bitmask);
- /* PPLIVE */
- init_pplive_dissector(ndpi_str, &a, detection_bitmask);
-
/* IAX */
init_iax_dissector(ndpi_str, &a, detection_bitmask);
@@ -3209,9 +3207,6 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
/* FTP_DATA */
init_ftp_data_dissector(ndpi_str, &a, detection_bitmask);
- /* PANDO */
- init_pando_dissector(ndpi_str, &a, detection_bitmask);
-
/* MEGACO */
init_megaco_dissector(ndpi_str, &a, detection_bitmask);
@@ -3705,9 +3700,12 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str
backup1 = flow->guessed_protocol_id;
backup2 = flow->guessed_host_protocol_id;
memset(flow, 0, sizeof(*(flow)));
+
+ /* Restore pointers */
flow->num_processed_pkts = backup;
flow->guessed_protocol_id = backup1;
flow->guessed_host_protocol_id = backup2;
+ flow->packet.tcp = (struct ndpi_tcphdr *) l4ptr;
NDPI_LOG_DBG(ndpi_str, "tcp syn packet for unknown protocol, reset detection state\n");
}
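Review bot: The added `/* Restore pointers */` comment sits above three lines that restore a counter and two guessed ids; the only pointer restored is `flow->packet.tcp`, further down. Since `ndpi_check_flow_func` in this same commit dispatches on `flow->packet.tcp != NULL`, the reason for that last assignment is worth stating, for example `/* memset() cleared flow->packet: restore the counters and the TCP header pointer so the flow is still dispatched as TCP */`. Whether other `flow->packet` fields set earlier in `ndpi_init_packet_header` also need restoring cannot be judged here, because the function starts and ends outside the hunk.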
@@ -3857,13 +3855,11 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
/* ************************************************ */
-void check_ndpi_other_flow_func(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow,
- NDPI_SELECTION_BITMASK_PROTOCOL_SIZE *ndpi_selection_packet) {
- if(!flow)
- return;
-
+u_int32_t check_ndpi_other_flow_func(struct ndpi_detection_module_struct *ndpi_str,
+ struct ndpi_flow_struct *flow,
+ NDPI_SELECTION_BITMASK_PROTOCOL_SIZE *ndpi_selection_packet) {
void *func = NULL;
- u_int32_t a;
+ u_int32_t a, num_calls = 0;
u_int16_t proto_index = ndpi_str->proto_defaults[flow->guessed_protocol_id].protoIdx;
int16_t proto_id = ndpi_str->proto_defaults[flow->guessed_protocol_id].protoId;
NDPI_PROTOCOL_BITMASK detection_bitmask;
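Review bot: `check_ndpi_other_flow_func` loses its `if(!flow) return;` guard but, unlike the UDP and TCP variants, is not made `static`, and the declarations that follow immediately read `flow->guessed_protocol_id`. The guard now lives only in `ndpi_check_flow_func`, so any caller that reaches this function directly with a NULL flow dereferences it. Either mark it `static` like its siblings, or keep `if(!flow) return(0);` as the first statement and move the initialisers below it. The change of return type from `void` to `u_int32_t` on a non-static symbol also deserves a line in the commit message. The body continues outside the hunk.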
@@ -3879,7 +3875,7 @@ void check_ndpi_other_flow_func(struct ndpi_detection_module_struct *ndpi_str, s
if((flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) &&
(ndpi_str->proto_defaults[flow->guessed_protocol_id].func != NULL))
ndpi_str->proto_defaults[flow->guessed_protocol_id].func(ndpi_str, flow),
- func = ndpi_str->proto_defaults[flow->guessed_protocol_id].func;
+ func = ndpi_str->proto_defaults[flow->guessed_protocol_id].func, num_calls++;
}
for (a = 0; a < ndpi_str->callback_buffer_size_non_tcp_udp; a++) {
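Review bot: Counting the call by appending `, num_calls++` to a comma expression under an unbraced `if` is easy to misread and easy to break on the next edit; the same form recurs in the callback loop of this function and in the UDP and TCP variants. A braced body with one statement per line says the same thing plainly: `{ ndpi_str->proto_defaults[flow->guessed_protocol_id].func(ndpi_str, flow); func = ndpi_str->proto_defaults[flow->guessed_protocol_id].func; num_calls++; }`. The enclosing function starts and ends outside the hunk.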
@@ -3890,20 +3886,23 @@ void check_ndpi_other_flow_func(struct ndpi_detection_module_struct *ndpi_str, s
ndpi_str->callback_buffer_non_tcp_udp[a].excluded_protocol_bitmask) == 0 &&
NDPI_BITMASK_COMPARE(ndpi_str->callback_buffer_non_tcp_udp[a].detection_bitmask, detection_bitmask) != 0) {
if(ndpi_str->callback_buffer_non_tcp_udp[a].func != NULL)
- ndpi_str->callback_buffer_non_tcp_udp[a].func(ndpi_str, flow);
+ ndpi_str->callback_buffer_non_tcp_udp[a].func(ndpi_str, flow), num_calls++;
if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN)
break; /* Stop after detecting the first protocol */
}
}
+
+ return(num_calls);
}
/* ************************************************ */
-void check_ndpi_udp_flow_func(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow,
- NDPI_SELECTION_BITMASK_PROTOCOL_SIZE *ndpi_selection_packet) {
+static u_int32_t check_ndpi_udp_flow_func(struct ndpi_detection_module_struct *ndpi_str,
+ struct ndpi_flow_struct *flow,
+ NDPI_SELECTION_BITMASK_PROTOCOL_SIZE *ndpi_selection_packet) {
void *func = NULL;
- u_int32_t a;
+ u_int32_t a, num_calls = 0;
u_int16_t proto_index = ndpi_str->proto_defaults[flow->guessed_protocol_id].protoIdx;
int16_t proto_id = ndpi_str->proto_defaults[flow->guessed_protocol_id].protoId;
NDPI_PROTOCOL_BITMASK detection_bitmask;
@@ -3919,7 +3918,7 @@ void check_ndpi_udp_flow_func(struct ndpi_detection_module_struct *ndpi_str, str
if((flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) &&
(ndpi_str->proto_defaults[flow->guessed_protocol_id].func != NULL))
ndpi_str->proto_defaults[flow->guessed_protocol_id].func(ndpi_str, flow),
- func = ndpi_str->proto_defaults[flow->guessed_protocol_id].func;
+ func = ndpi_str->proto_defaults[flow->guessed_protocol_id].func, num_calls++;
}
if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
@@ -3930,30 +3929,44 @@ void check_ndpi_udp_flow_func(struct ndpi_detection_module_struct *ndpi_str, str
NDPI_BITMASK_COMPARE(flow->excluded_protocol_bitmask,
ndpi_str->callback_buffer_udp[a].excluded_protocol_bitmask) == 0 &&
NDPI_BITMASK_COMPARE(ndpi_str->callback_buffer_udp[a].detection_bitmask, detection_bitmask) != 0) {
- ndpi_str->callback_buffer_udp[a].func(ndpi_str, flow);
+ ndpi_str->callback_buffer_udp[a].func(ndpi_str, flow), num_calls++;
// NDPI_LOG_DBG(ndpi_str, "[UDP,CALL] dissector of protocol as callback_buffer idx = %d\n",a);
+
+#ifdef DEBUG_UDP_CALLS
+ {
+ char buf[64];
+ u_int16_t proto_id = ndpi_str->callback_buffer_udp[a].ndpi_protocol_id;
+ ndpi_protocol proto = { proto_id, proto_id, 0 };
+ printf("-> [UDP,CALL] dissector of protocol as callback_buffer idx = %d / %s\n",
+ proto_id, ndpi_protocol2name(ndpi_str, proto, buf, sizeof(buf)));
+ }
+#endif
+
if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN)
break; /* Stop after detecting the first protocol */
} else if(_ndpi_debug_callbacks)
NDPI_LOG_DBG2(ndpi_str, "[UDP,SKIP] dissector of protocol as callback_buffer idx = %d\n", a);
}
- }
+ } else
+ num_calls = 1;
+
+ return(num_calls);
}
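Review bot: Inside the `DEBUG_UDP_CALLS` block the message says `callback_buffer idx = %d` but the argument is `proto_id`, not the loop index `a`, and the local `u_int16_t proto_id` shadows the `int16_t proto_id` declared at the top of the function. Renaming the local and printing both values removes the ambiguity, e.g. `printf("-> [UDP,CALL] idx = %u / proto = %u (%s)\n", a, dbg_proto_id, ndpi_protocol2name(ndpi_str, proto, buf, sizeof(buf)));`. The new `else num_calls = 1;` branch should also carry a comment saying that it marks an already-classified flow as "not a failure" and does not count a real dissector call.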
/* ************************************************ */
-void check_ndpi_tcp_flow_func(struct ndpi_detection_module_struct *ndpi_str,
- struct ndpi_flow_struct *flow,
- NDPI_SELECTION_BITMASK_PROTOCOL_SIZE *ndpi_selection_packet) {
+static u_int32_t check_ndpi_tcp_flow_func(struct ndpi_detection_module_struct *ndpi_str,
+ struct ndpi_flow_struct *flow,
+ NDPI_SELECTION_BITMASK_PROTOCOL_SIZE *ndpi_selection_packet) {
void *func = NULL;
- u_int32_t a;
+ u_int32_t a, num_calls = 0;
u_int16_t proto_index = ndpi_str->proto_defaults[flow->guessed_protocol_id].protoIdx;
int16_t proto_id = ndpi_str->proto_defaults[flow->guessed_protocol_id].protoId;
NDPI_PROTOCOL_BITMASK detection_bitmask;
NDPI_SAVE_AS_BITMASK(detection_bitmask, flow->packet.detected_protocol_stack[0]);
-
+
if(flow->packet.payload_packet_len != 0) {
if((proto_id != NDPI_PROTOCOL_UNKNOWN) &&
NDPI_BITMASK_COMPARE(flow->excluded_protocol_bitmask,
@@ -3964,7 +3977,7 @@ void check_ndpi_tcp_flow_func(struct ndpi_detection_module_struct *ndpi_str,
if((flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) &&
(ndpi_str->proto_defaults[flow->guessed_protocol_id].func != NULL))
ndpi_str->proto_defaults[flow->guessed_protocol_id].func(ndpi_str, flow),
- func = ndpi_str->proto_defaults[flow->guessed_protocol_id].func;
+ func = ndpi_str->proto_defaults[flow->guessed_protocol_id].func, num_calls++;
}
if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
@@ -3976,15 +3989,17 @@ void check_ndpi_tcp_flow_func(struct ndpi_detection_module_struct *ndpi_str,
ndpi_str->callback_buffer_tcp_payload[a].excluded_protocol_bitmask) == 0 &&
NDPI_BITMASK_COMPARE(ndpi_str->callback_buffer_tcp_payload[a].detection_bitmask,
detection_bitmask) != 0) {
- ndpi_str->callback_buffer_tcp_payload[a].func(ndpi_str, flow);
-
+ ndpi_str->callback_buffer_tcp_payload[a].func(ndpi_str, flow), num_calls++;
if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN)
break; /* Stop after detecting the first protocol */
}
}
- }
+ }
} else {
/* no payload */
+
+ num_calls = 1;
+
if((proto_id != NDPI_PROTOCOL_UNKNOWN) &&
NDPI_BITMASK_COMPARE(flow->excluded_protocol_bitmask,
ndpi_str->callback_buffer[proto_index].excluded_protocol_bitmask) == 0 &&
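Review bot: In the payload branch of `check_ndpi_tcp_flow_func` nothing sets `num_calls` when `flow->detected_protocol_stack[0]` is already known, whereas the UDP variant adds `else num_calls = 1;` for exactly that case and the no-payload branch here starts with `num_calls = 1`. If an already-classified TCP flow can reach this function (the caller's guards are outside this hunk), it returns 0 and the caller latches `fail_with_unknown`. Mirroring the UDP code keeps the paths consistent: close the `if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)` block opened just above this hunk with `} else num_calls = 1;`.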
@@ -3996,7 +4011,7 @@ void check_ndpi_tcp_flow_func(struct ndpi_detection_module_struct *ndpi_str,
((ndpi_str->callback_buffer[flow->guessed_protocol_id].ndpi_selection_bitmask &
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) == 0))
ndpi_str->proto_defaults[flow->guessed_protocol_id].func(ndpi_str, flow),
- func = ndpi_str->proto_defaults[flow->guessed_protocol_id].func;
+ func = ndpi_str->proto_defaults[flow->guessed_protocol_id].func, num_calls++;
}
for (a = 0; a < ndpi_str->callback_buffer_size_tcp_no_payload; a++) {
@@ -4007,25 +4022,29 @@ void check_ndpi_tcp_flow_func(struct ndpi_detection_module_struct *ndpi_str,
ndpi_str->callback_buffer_tcp_no_payload[a].excluded_protocol_bitmask) == 0 &&
NDPI_BITMASK_COMPARE(ndpi_str->callback_buffer_tcp_no_payload[a].detection_bitmask,
detection_bitmask) != 0) {
- ndpi_str->callback_buffer_tcp_no_payload[a].func(ndpi_str, flow);
-
+ ndpi_str->callback_buffer_tcp_no_payload[a].func(ndpi_str, flow), num_calls++;
if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN)
break; /* Stop after detecting the first protocol */
}
}
}
+
+ return(num_calls);
}
/* ********************************************************************************* */
-void ndpi_check_flow_func(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow,
- NDPI_SELECTION_BITMASK_PROTOCOL_SIZE *ndpi_selection_packet) {
- if(flow->packet.tcp != NULL)
- check_ndpi_tcp_flow_func(ndpi_str, flow, ndpi_selection_packet);
+u_int32_t ndpi_check_flow_func(struct ndpi_detection_module_struct *ndpi_str,
+ struct ndpi_flow_struct *flow,
+ NDPI_SELECTION_BITMASK_PROTOCOL_SIZE *ndpi_selection_packet) {
+ if(!flow)
+ return(0);
+ else if(flow->packet.tcp != NULL)
+ return(check_ndpi_tcp_flow_func(ndpi_str, flow, ndpi_selection_packet));
else if(flow->packet.udp != NULL)
- check_ndpi_udp_flow_func(ndpi_str, flow, ndpi_selection_packet);
+ return(check_ndpi_udp_flow_func(ndpi_str, flow, ndpi_selection_packet));
else
- check_ndpi_other_flow_func(ndpi_str, flow, ndpi_selection_packet);
+ return(check_ndpi_other_flow_func(ndpi_str, flow, ndpi_selection_packet));
}
/* ********************************************************************************* */
@@ -4478,8 +4497,8 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
struct ndpi_flow_struct *flow,
ndpi_protocol *ret) {
/*
- Skype for a host doing MS Teams means MS Teams
- (MS Teams uses Skype as transport protocol for voice/video)
+ Skype for a host doing MS Teams means MS Teams
+ (MS Teams uses Skype as transport protocol for voice/video)
*/
if(flow) {
/* Do not go for DNS when there is an application protocol. Example DNS.Apple */
@@ -4536,7 +4555,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
NDPI_SET_BIT(flow->risk, NDPI_UNSAFE_PROTOCOL);
break;
default:
- /* Nothign to do */
+ /* Nothing to do */
break;
}
}
@@ -4550,9 +4569,14 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
const unsigned short packetlen, const u_int64_t current_time_ms,
struct ndpi_id_struct *src, struct ndpi_id_struct *dst) {
NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_packet;
- u_int32_t a;
- ndpi_protocol ret = {NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED};
-
+ u_int32_t a, num_calls = 0;
+ ndpi_protocol ret = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED };
+
+ if(flow->fail_with_unknown) {
+ // printf("%s(): FAIL_WITH_UNKNOWN\n", __FUNCTION__);
+ return(ret);
+ }
+
if(ndpi_str->ndpi_log_level >= NDPI_LOG_TRACE)
NDPI_LOG(flow ? flow->detected_protocol_stack[0] : NDPI_PROTOCOL_UNKNOWN, ndpi_str, NDPI_LOG_TRACE,
"START packet processing\n");
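Review bot: `if(flow->fail_with_unknown)` dereferences `flow` before anything has checked it, while the trace log a few lines later still uses `flow ? ... : NDPI_PROTOCOL_UNKNOWN`, which implies callers may pass NULL. Guard the new test, `if(flow && flow->fail_with_unknown)`, or reject a NULL flow before it. The function continues outside the hunk.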
@@ -4565,7 +4589,8 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
flow->num_processed_pkts++;
/* Init default */
- ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0];
+ ret.master_protocol = flow->detected_protocol_stack[1],
+ ret.app_protocol = flow->detected_protocol_stack[0];
if(flow->server_id == NULL)
flow->server_id = dst; /* Default */
@@ -4574,7 +4599,8 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
if(flow->check_extra_packets) {
ndpi_process_extra_packet(ndpi_str, flow, packet, packetlen, current_time_ms, src, dst);
/* Update in case of new match */
- ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0],
+ ret.master_protocol = flow->detected_protocol_stack[1],
+ ret.app_protocol = flow->detected_protocol_stack[0],
ret.category = flow->category;
goto invalidate_ptr;
} else
@@ -4716,13 +4742,13 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
/* This is a custom protocol and it has priority over everything else */
ret.master_protocol = flow->guessed_protocol_id, ret.app_protocol = flow->guessed_host_protocol_id;
- ndpi_check_flow_func(ndpi_str, flow, &ndpi_selection_packet);
+ num_calls = ndpi_check_flow_func(ndpi_str, flow, &ndpi_selection_packet);
ndpi_fill_protocol_category(ndpi_str, flow, &ret);
goto invalidate_ptr;
}
- ndpi_check_flow_func(ndpi_str, flow, &ndpi_selection_packet);
-
+ num_calls = ndpi_check_flow_func(ndpi_str, flow, &ndpi_selection_packet);
+
a = flow->packet.detected_protocol_stack[0];
if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_str->detection_bitmask, a) == 0)
a = NDPI_PROTOCOL_UNKNOWN;
@@ -4835,6 +4861,9 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
ndpi_reconcile_protocols(ndpi_str, flow, &ret);
+ if(num_calls == 0)
+ flow->fail_with_unknown = 1;
+
invalidate_ptr:
/*
Invalidate packet memory to avoid accessing the pointers below
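Review bot: `fail_with_unknown` is set whenever `num_calls == 0` without looking at `ret`, and the early return added at the top of this function hands back the initial all-unknown `ret`. If `ret` was filled by a non-dissector path before this point (inferred; that code is outside the hunk), later packets of the same flow would be reported as unknown, and in any case the flag stops all further inspection of the flow. Consider `if((num_calls == 0) && (ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) && (ret.master_protocol == NDPI_PROTOCOL_UNKNOWN))`, plus a comment stating that the flag is a one-way latch which, as far as the visible hunks show, is cleared only by the `memset` in `ndpi_init_packet_header`.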
@@ -5639,7 +5668,7 @@ void ndpi_packet_dst_ip_get(const struct ndpi_packet_struct *packet, ndpi_ip_add
u_int8_t ndpi_is_ipv6(const ndpi_ip_addr_t *ip) {
#ifdef NDPI_DETECTION_SUPPORT_IPV6
return(ip->ipv6.u6_addr.u6_addr32[1] != 0 || ip->ipv6.u6_addr.u6_addr32[2] != 0 ||
- ip->ipv6.u6_addr.u6_addr32[3] != 0);
+ ip->ipv6.u6_addr.u6_addr32[3] != 0);
#else
return(0);
#endif
@@ -6213,7 +6242,7 @@ u_int16_t ndpi_match_content_subprotocol(struct ndpi_detection_module_struct *nd
ndpi_protocol_match_result *ret_match,
u_int16_t master_protocol_id) {
return(ndpi_automa_match_string_subprotocol(ndpi_str, flow, string_to_match, string_to_match_len,
- master_protocol_id, ret_match, 0));
+ master_protocol_id, ret_match, 0));
}
/* ****************************************************** */
diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c
index 9f7620558..3509449b2 100644
--- a/src/lib/protocols/bittorrent.c
+++ b/src/lib/protocols/bittorrent.c
@@ -389,10 +389,8 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st
/* This is broadcast */
if(packet->iph) {
-
if((packet->iph->saddr == 0xFFFFFFFF) || (packet->iph->daddr == 0xFFFFFFFF))
goto exclude_bt;
-
if(packet->udp) {
u_int16_t sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest);
@@ -417,9 +415,11 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st
char *bt_search = "BT-SEARCH * HTTP/1.1\r\n";
if((ntohs(packet->udp->source) < 1024)
- || (ntohs(packet->udp->dest) < 1024) /* High ports only */)
+ || (ntohs(packet->udp->dest) < 1024) /* High ports only */) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
-
+ }
+
/*
Check for uTP http://www.bittorrent.org/beps/bep_0029.html
@@ -464,7 +464,7 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st
flow->bittorrent_stage++;
- if(flow->bittorrent_stage < 10) {
+ if(flow->bittorrent_stage < 5) {
/* We have detected bittorrent but we need to wait until we get a hash */
if(packet->payload_packet_len > 19 /* min size */) {
@@ -489,6 +489,7 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st
return;
}
+
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
}
diff --git a/src/lib/protocols/ciscovpn.c b/src/lib/protocols/ciscovpn.c
index 43acb7b53..c97ab25db 100644
--- a/src/lib/protocols/ciscovpn.c
+++ b/src/lib/protocols/ciscovpn.c
@@ -48,6 +48,7 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru
tsport = ntohs(packet->tcp->source), tdport = ntohs(packet->tcp->dest);
NDPI_LOG_DBG2(ndpi_struct, "calculated CISCOVPN over tcp ports\n");
}
+
if(packet->udp != NULL) {
usport = ntohs(packet->udp->source), udport = ntohs(packet->udp->dest);
NDPI_LOG_DBG2(ndpi_struct, "calculated CISCOVPN over udp ports\n");
@@ -107,8 +108,6 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru
)
)
{
-
-
/* This is a good query fe577e2b */
NDPI_LOG_INFO(ndpi_struct, "found CISCOVPN\n");
ndpi_int_ciscovpn_add_connection(ndpi_struct, flow);
@@ -130,7 +129,7 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru
return;
}
- if(flow->num_processed_pkts > 10)
+ if(flow->num_processed_pkts > 5)
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
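Review bot: The give-up threshold drops from 10 to 5 as a bare literal, and the same commit changes `flow->bittorrent_stage < 5` in bittorrent.c and `flow->packet_counter > 5` in csgo.c, each against a different counter. A named constant with a comment on why five packets is enough would make the trade-off reviewable, since a flow whose identifying packet arrives after the limit is excluded from this dissector; for example `#define NDPI_CISCOVPN_MAX_PKTS 5 /* give up after this many packets without a match */` (name constructed for illustration).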
diff --git a/src/lib/protocols/csgo.c b/src/lib/protocols/csgo.c
index f316f96b7..a1f5e56ef 100644
--- a/src/lib/protocols/csgo.c
+++ b/src/lib/protocols/csgo.c
@@ -29,8 +29,8 @@
void ndpi_search_csgo(struct ndpi_detection_module_struct* ndpi_struct, struct ndpi_flow_struct* flow) {
struct ndpi_packet_struct* packet = &flow->packet;
- if (packet->udp != NULL) {
- if (packet->payload_packet_len < sizeof(uint32_t)) {
+ if(packet->udp != NULL) {
+ if(packet->payload_packet_len < sizeof(uint32_t)) {
NDPI_LOG_DBG2(ndpi_struct, "Short csgo packet\n");
return;
}
@@ -38,58 +38,65 @@ void ndpi_search_csgo(struct ndpi_detection_module_struct* ndpi_struct, struct n
uint32_t w = htonl(get_u_int32_t(packet->payload, 0));
NDPI_LOG_DBG2(ndpi_struct, "CSGO: word %08x\n", w);
- if (!flow->csgo_state && packet->payload_packet_len == 23 && w == 0xfffffffful) {
- if (!memcmp(packet->payload + 5, "connect0x", 9)) {
+ if(!flow->csgo_state && packet->payload_packet_len == 23 && w == 0xfffffffful) {
+ if(!memcmp(packet->payload + 5, "connect0x", 9)) {
flow->csgo_state++;
memcpy(flow->csgo_strid, packet->payload + 5, 18);
NDPI_LOG_DBG2(ndpi_struct, "Found csgo connect0x\n");
return;
}
}
- if (flow->csgo_state == 1 && packet->payload_packet_len >= 42 && w == 0xfffffffful) {
- if (!memcmp(packet->payload + 24, flow->csgo_strid, 18)) {
+
+ if(flow->csgo_state == 1 && packet->payload_packet_len >= 42 && w == 0xfffffffful) {
+ if(!memcmp(packet->payload + 24, flow->csgo_strid, 18)) {
flow->csgo_state++;
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN);
NDPI_LOG_INFO( ndpi_struct, "found csgo connect0x reply\n");
return;
}
}
- if (packet->payload_packet_len == 8 && ( w == 0x3a180000 || w == 0x39180000) ) {
+
+ if(packet->payload_packet_len == 8 && ( w == 0x3a180000 || w == 0x39180000) ) {
NDPI_LOG_INFO( ndpi_struct, "found csgo udp 8b\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN);
return;
}
- if (packet->payload_packet_len >= 36 && w == 0x56533031ul) {
+
+ if(packet->payload_packet_len >= 36 && w == 0x56533031ul) {
NDPI_LOG_INFO( ndpi_struct, "found csgo udp\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN);
return;
}
- if (packet->payload_packet_len >= 36 && w == 0x01007364) {
+
+ if(packet->payload_packet_len >= 36 && w == 0x01007364) {
uint32_t w2 = htonl(get_u_int32_t(packet->payload, 4));
- if (w2 == 0x70696e67) {
+ if(w2 == 0x70696e67) {
NDPI_LOG_INFO( ndpi_struct, "found csgo udp ping\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN);
return;
}
}
- if (flow->csgo_s2 < 3 && (w & 0xffff0000ul) == 0x0d1d0000) {
+
+ if(flow->csgo_s2 < 3 && (w & 0xffff0000ul) == 0x0d1d0000) {
uint32_t w2 = get_u_int32_t(packet->payload, 2);
- if (packet->payload_packet_len == 13) {
- if (!flow->csgo_s2) {
+ if(packet->payload_packet_len == 13) {
+ if(!flow->csgo_s2) {
flow->csgo_id2 = w2;
flow->csgo_s2 = 1;
NDPI_LOG_DBG2( ndpi_struct, "Found csgo udp 0d1d step1\n");
return;
}
- if (flow->csgo_s2 == 1 && flow->csgo_id2 == w2) {
+
+ if(flow->csgo_s2 == 1 && flow->csgo_id2 == w2) {
NDPI_LOG_DBG2( ndpi_struct, "Found csgo udp 0d1d step1 DUP\n");
return;
}
flow->csgo_s2 = 3;
return;
}
- if (packet->payload_packet_len == 15) {
- if (flow->csgo_s2 == 1 && flow->csgo_id2 == w2) {
+
+ if(packet->payload_packet_len == 15) {
+ if(flow->csgo_s2 == 1 && flow->csgo_id2 == w2) {
NDPI_LOG_INFO( ndpi_struct, "found csgo udp 0d1d\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN);
return;
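Review bot: `get_u_int32_t(packet->payload, 2)` in the `0x0d1d0000` branch reads payload bytes 2..5, but the only length established before it is `payload_packet_len >= sizeof(uint32_t)` from the guard at the top of the function; the `== 13` and `== 15` checks come after the read. The line is unchanged by this commit, yet a payload shorter than 6 bytes that matches the mask would be read past its end (assuming `get_u_int32_t` is a plain 4-byte load; its definition is not on the page). Adding the bound to the condition closes it: `if(flow->csgo_s2 < 3 && packet->payload_packet_len >= 6 && (w & 0xffff0000ul) == 0x0d1d0000) {`.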
@@ -97,31 +104,39 @@ void ndpi_search_csgo(struct ndpi_detection_module_struct* ndpi_struct, struct n
}
flow->csgo_s2 = 3;
}
- if (packet->payload_packet_len >= 140 && (w == 0x02124c6c || w == 0x02125c6c) &&
+
+ if(packet->payload_packet_len >= 140 && (w == 0x02124c6c || w == 0x02125c6c) &&
!memcmp(&packet->payload[3], "lta\000mob\000tpc\000bhj\000bxd\000tae\000urg\000gkh\000", 32)) {
- NDPI_LOG_INFO( ndpi_struct, "found csgo dictionary udp\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN);
- return;
+ NDPI_LOG_INFO( ndpi_struct, "found csgo dictionary udp\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN);
+ return;
}
- if (packet->payload_packet_len >= 33 && packet->iph && packet->iph->daddr == 0xffffffff &&
+
+ if(packet->payload_packet_len >= 33 && packet->iph && packet->iph->daddr == 0xffffffff &&
!memcmp(&packet->payload[17], "LanSearch", 9)) {
- NDPI_LOG_INFO( ndpi_struct, "found csgo LanSearch udp\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN);
- return;
+ NDPI_LOG_INFO( ndpi_struct, "found csgo LanSearch udp\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN);
+ return;
+ }
+
+ if(w == 0) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
}
}
- if (flow->packet_counter > 20)
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+
+ if(flow->packet_counter > 5)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
void init_csgo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
- ndpi_set_bitmask_protocol_detection("CSGO", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_CSGO,
- ndpi_search_csgo,
- NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
- SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
+ ndpi_set_bitmask_protocol_detection("CSGO", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_CSGO,
+ ndpi_search_csgo,
+ NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK);
*id += 1;
}
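Review bot: The new `if(w == 0)` exclusion and the drop of the packet limit from 20 to 5 at the end of ndpi_search_csgo are unexplained magic values, and other dissectors touched by this commit use 3 or 5 for the same purpose. A flow whose `0d1d` 13-byte/15-byte exchange (matched in the previous hunk of this file) only completes after the fifth packet could now be excluded before it matches; whether that occurs in real traces cannot be told from the hunk. I would add a comment above the final check, for example `/* give up early: CSGO signatures are expected within the first 5 packets */`, and one line stating why an all-zero first word rules the protocol out. The function body starts outside this hunk.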
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index f8f590a5b..a9ae258e7 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -486,6 +486,9 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
}
+
+ if(flow->packet_counter > 3)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
void init_dns_dissector(struct ndpi_detection_module_struct *ndpi_struct,
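Review bot: The added `if(flow->packet_counter > 3) NDPI_EXCLUDE_PROTO(ndpi_struct, flow);` sits after the last closing brace of ndpi_search_dns, so it runs on every call that does not return earlier, possibly including calls for a flow that is already classified. The body is outside the hunk, so whether every detection path returns first cannot be confirmed here; in rtcp.c the same commit puts the check right after the `found rtcp` branch, which has no `return`, and the h323.c and openvpn.c hunks add the same tail check. Guarding it keeps a detected flow from also being marked excluded: `if(flow->packet_counter > 3 && flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)`. A short comment on why 3 packets is the limit here while other dissectors use 5 would also help.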
diff --git a/src/lib/protocols/edonkey.c b/src/lib/protocols/edonkey.c
index ca5abebad..9f73592f8 100644
--- a/src/lib/protocols/edonkey.c
+++ b/src/lib/protocols/edonkey.c
@@ -165,8 +165,11 @@ static void ndpi_check_edonkey(struct ndpi_detection_module_struct *ndpi_struct,
return;
}
- if(payload_len == 0) return;
-
+ if(payload_len == 0) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
/* Check if we so far detected the protocol in the request or not. */
if(flow->edonkey_stage == 0) {
NDPI_LOG_DBG2(ndpi_struct, "EDONKEY stage 0: \n");
@@ -176,7 +179,8 @@ static void ndpi_check_edonkey(struct ndpi_detection_module_struct *ndpi_struct,
/* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
flow->edonkey_stage = packet->packet_direction + 1;
- }
+ } else
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
} else {
NDPI_LOG_DBG2(ndpi_struct, "EDONKEY stage %u: \n", flow->edonkey_stage);
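Review bot: The added `} else` with an unbraced `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);` directly before the outer `} else {` is easy to misread, because a braced `if` is paired with an unbraced `else`; the last netflow.c hunk adds the same shape. Bracing it, `} else { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); }`, removes the ambiguity, which matters more if the macro expands to more than one statement (its definition is not on this page). With this change a stage-0 packet that does not match excludes the flow at once, so the `packet_counter > 5` check added in the next hunk appears to matter only for flows that already left stage 0; a comment saying so would help. The `if` this `else` belongs to starts outside the hunk.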
@@ -193,8 +197,10 @@ static void ndpi_check_edonkey(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to EDONKEY, resetting the stage to 0\n");
flow->edonkey_stage = 0;
}
-
}
+
+ if(flow->packet_counter > 5)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
void ndpi_search_edonkey(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
diff --git a/src/lib/protocols/h323.c b/src/lib/protocols/h323.c
index 1d70a8cec..015a6a134 100644
--- a/src/lib/protocols/h323.c
+++ b/src/lib/protocols/h323.c
@@ -4,6 +4,19 @@
* Copyright (C) 2015-20 ntop.org
* Copyright (C) 2013 Remy Mudingay <mudingay@ill.fr>
*
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
*/
#include "ndpi_protocol_ids.h"
@@ -99,6 +112,9 @@ void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, struct n
}
}
}
+
+ if(flow->packet_counter > 5)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
void init_h323_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
diff --git a/src/lib/protocols/imo.c b/src/lib/protocols/imo.c
index dfc42a39b..90f2c6086 100644
--- a/src/lib/protocols/imo.c
+++ b/src/lib/protocols/imo.c
@@ -59,7 +59,7 @@ void ndpi_search_imo(struct ndpi_detection_module_struct *ndpi_struct, struct nd
NDPI_LOG_INFO(ndpi_struct, "found IMO\n");
ndpi_int_imo_add_connection(ndpi_struct, flow);
} else {
- if(flow->num_processed_pkts > 7)
+ if(flow->num_processed_pkts > 5)
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
else
flow->protos.imo.last_one_byte_pkt = 0;
diff --git a/src/lib/protocols/netflow.c b/src/lib/protocols/netflow.c
index 16c1e0406..ef9125b6e 100644
--- a/src/lib/protocols/netflow.c
+++ b/src/lib/protocols/netflow.c
@@ -117,19 +117,24 @@ void ndpi_search_netflow(struct ndpi_detection_module_struct *ndpi_struct, struc
case 5:
case 7:
case 9:
- if((n == 0) || (n > 30))
+ if((n == 0) || (n > 30)) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
-
+ }
+
switch(version) {
case 1:
expected_len = n * sizeof(struct flow_ver1_rec) + 16 /* header */;
break;
+
case 5:
expected_len = n * sizeof(struct flow_ver5_rec) + 24 /* header */;
break;
+
case 7:
expected_len = n * sizeof(struct flow_ver7_rec) + 24 /* header */;
break;
+
case 9:
/* We need to check the template */
break;
@@ -142,16 +147,21 @@ void ndpi_search_netflow(struct ndpi_detection_module_struct *ndpi_struct, struc
uptime_offset = 8;
break;
+
case 10: /* IPFIX */
{
u_int16_t ipfix_len = n;
- if(ipfix_len != payload_len)
+ if(ipfix_len != payload_len) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
+ }
}
uptime_offset = 4;
break;
+
default:
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
@@ -167,7 +177,8 @@ void ndpi_search_netflow(struct ndpi_detection_module_struct *ndpi_struct, struc
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NETFLOW, NDPI_PROTOCOL_UNKNOWN);
return;
}
- }
+ } else
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
void init_netflow_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
diff --git a/src/lib/protocols/noe.c b/src/lib/protocols/noe.c
index da572b6c0..f830d3104 100644
--- a/src/lib/protocols/noe.c
+++ b/src/lib/protocols/noe.c
@@ -2,6 +2,23 @@
* noe.c (Alcatel new office environment)
*
* Copyright (C) 2013 Remy Mudingay <mudingay@ill.fr>
+ * Copyright (C) 2011-20 - ntop.org
+ *
+ * This file is part of nDPI, an open source deep packet inspection
+ * library based on the OpenDPI and PACE technology by ipoque GmbH
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
*
*/
@@ -47,9 +64,9 @@ void ndpi_search_noe(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_int_noe_add_connection(ndpi_struct, flow);
return;
}
- } else {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- }
+ }
+
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
diff --git a/src/lib/protocols/openvpn.c b/src/lib/protocols/openvpn.c
index f0e3428cf..076a681f8 100644
--- a/src/lib/protocols/openvpn.c
+++ b/src/lib/protocols/openvpn.c
@@ -3,6 +3,29 @@
*
* Copyright (C) 2011-20 - ntop.org
*
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_OPENVPN
+
+#include "ndpi_api.h"
+
+/*
* OpenVPN TCP / UDP Detection - 128/160 hmac
*
* Detection based upon these openvpn protocol properties:
@@ -21,13 +44,6 @@
*
*/
-#include "ndpi_protocol_ids.h"
-
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_OPENVPN
-
-#include "ndpi_api.h"
-
-
#define P_CONTROL_HARD_RESET_CLIENT_V1 (0x01 << 3)
#define P_CONTROL_HARD_RESET_CLIENT_V2 (0x07 << 3)
#define P_CONTROL_HARD_RESET_SERVER_V1 (0x02 << 3)
@@ -105,17 +121,17 @@ void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct,
}
if(flow->ovpn_counter < P_HARD_RESET_CLIENT_MAX_COUNT && (opcode == P_CONTROL_HARD_RESET_CLIENT_V1 ||
- opcode == P_CONTROL_HARD_RESET_CLIENT_V2)) {
+ opcode == P_CONTROL_HARD_RESET_CLIENT_V2)) {
if(check_pkid_and_detect_hmac_size(ovpn_payload) > 0) {
memcpy(flow->ovpn_session_id, ovpn_payload+1, 8);
NDPI_LOG_DBG2(ndpi_struct,
- "session key: %02x%02x%02x%02x%02x%02x%02x%02x\n",
- flow->ovpn_session_id[0], flow->ovpn_session_id[1], flow->ovpn_session_id[2], flow->ovpn_session_id[3],
- flow->ovpn_session_id[4], flow->ovpn_session_id[5], flow->ovpn_session_id[6], flow->ovpn_session_id[7]);
+ "session key: %02x%02x%02x%02x%02x%02x%02x%02x\n",
+ flow->ovpn_session_id[0], flow->ovpn_session_id[1], flow->ovpn_session_id[2], flow->ovpn_session_id[3],
+ flow->ovpn_session_id[4], flow->ovpn_session_id[5], flow->ovpn_session_id[6], flow->ovpn_session_id[7]);
}
} else if(flow->ovpn_counter >= 1 && flow->ovpn_counter <= P_HARD_RESET_CLIENT_MAX_COUNT &&
- (opcode == P_CONTROL_HARD_RESET_SERVER_V1 || opcode == P_CONTROL_HARD_RESET_SERVER_V2)) {
+ (opcode == P_CONTROL_HARD_RESET_SERVER_V1 || opcode == P_CONTROL_HARD_RESET_SERVER_V2)) {
hmac_size = check_pkid_and_detect_hmac_size(ovpn_payload);
@@ -152,10 +168,12 @@ void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct,
flow->ovpn_counter++;
- if(failed) {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- }
+ if(failed)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
+
+ if(flow->packet_counter > 5)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
void init_openvpn_dissector(struct ndpi_detection_module_struct *ndpi_struct,
diff --git a/src/lib/protocols/pando.c b/src/lib/protocols/pando.c
deleted file mode 100644
index ece78559d..000000000
--- a/src/lib/protocols/pando.c
+++ /dev/null
@@ -1,167 +0,0 @@
-/*
- * pando.c
- *
- * Copyright (C) 2014 Tomasz Bujlow <tomasz@skatnet.dk>
- *
- * The signature is based on the Libprotoident library.
- *
- * This file is part of nDPI, an open source deep packet inspection
- * library based on the OpenDPI and PACE technology by ipoque GmbH
- *
- * nDPI is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * nDPI is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-#include "ndpi_protocol_ids.h"
-
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_PANDO
-
-#include "ndpi_api.h"
-
-static void ndpi_int_pando_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PANDO, NDPI_PROTOCOL_UNKNOWN);
-}
-
-static void ndpi_check_pando_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- struct ndpi_packet_struct *packet = &flow->packet;
- u_int32_t payload_len = packet->payload_packet_len;
-
- if (ndpi_match_strprefix(packet->payload, payload_len, "\x0ePan")) {
- NDPI_LOG_INFO(ndpi_struct, "Found PANDO\n");
- ndpi_int_pando_add_connection(ndpi_struct, flow);
- }
-}
-
-static void ndpi_check_pando_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- struct ndpi_packet_struct *packet = &flow->packet;
- u_int32_t payload_len = packet->payload_packet_len;
-
- /* Check if we so far detected the protocol in the request or not. */
- NDPI_LOG_DBG2(ndpi_struct, "PANDO stage %u: \n", flow->pando_stage);
- if (flow->pando_stage == 0) {
-
- if ((payload_len >= 4) && (packet->payload[0] == 0x00) && (packet->payload[1] == 0x00) && (packet->payload[2] == 0x00) && (packet->payload[3] == 0x09)) {
- NDPI_LOG_DBG2(ndpi_struct, "Possible PANDO request detected, we will look further for the response..\n");
-
- /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
- flow->pando_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2
- return;
- }
-
- if (ndpi_match_strprefix(packet->payload, payload_len, "UDPA")) {
- NDPI_LOG_DBG2(ndpi_struct, "Possible PANDO request detected, we will look further for the response..\n");
-
- /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
- flow->pando_stage = packet->packet_direction + 3; // packet_direction 0: stage 3, packet_direction 1: stage 4
- return;
- }
-
- if (ndpi_match_strprefix(packet->payload, payload_len, "UDPR") || ndpi_match_strprefix(packet->payload, payload_len, "UDPE")) {
- NDPI_LOG_DBG2(ndpi_struct, "Possible PANDO request detected, we will look further for the response..\n");
-
- /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
- flow->pando_stage = packet->packet_direction + 5; // packet_direction 0: stage 5, packet_direction 1: stage 6
- return;
- }
-
- } else if ((flow->pando_stage == 1) || (flow->pando_stage == 2)) {
-
- /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */
- if ((flow->pando_stage - packet->packet_direction) == 1) {
- return;
- }
-
- /* This is a packet in another direction. Check if we find the proper response. */
- if ((payload_len == 0) || ((payload_len >= 4) && (packet->payload[0] == 0x00) && (packet->payload[1] == 0x00) && (packet->payload[2] == 0x00) && (packet->payload[3] == 0x09))) {
- NDPI_LOG_INFO(ndpi_struct, "found PANDO\n");
- ndpi_int_pando_add_connection(ndpi_struct, flow);
- } else {
- NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PANDO, resetting the stage to 0..\n");
- flow->pando_stage = 0;
- }
-
- } else if ((flow->pando_stage == 3) || (flow->pando_stage == 4)) {
-
- /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */
- if ((flow->pando_stage - packet->packet_direction) == 3) {
- return;
- }
-
- /* This is a packet in another direction. Check if we find the proper response. */
- if ((payload_len == 0) || (ndpi_match_strprefix(packet->payload, payload_len, "UDPR") || ndpi_match_strprefix(packet->payload, payload_len, "UDPE"))) {
- NDPI_LOG_INFO(ndpi_struct, "found PANDO\n");
- ndpi_int_pando_add_connection(ndpi_struct, flow);
- } else {
- NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PANDO, resetting the stage to 0..\n");
- flow->pando_stage = 0;
- }
-
- } else if ((flow->pando_stage == 5) || (flow->pando_stage == 6)) {
-
- /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */
- if ((flow->pando_stage - packet->packet_direction) == 5) {
- return;
- }
-
- /* This is a packet in another direction. Check if we find the proper response. */
- if (ndpi_match_strprefix(packet->payload, payload_len, "UDPA")) {
- NDPI_LOG_INFO(ndpi_struct, "found PANDO\n");
- ndpi_int_pando_add_connection(ndpi_struct, flow);
- } else {
- NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PANDO, resetting the stage to 0\n");
- flow->pando_stage = 0;
- }
- }
-}
-
-void ndpi_search_pando(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- struct ndpi_packet_struct *packet = &flow->packet;
-
- NDPI_LOG_DBG(ndpi_struct, "search PANDO\n");
- /* Break after 20 packets. */
- if (flow->packet_counter > 20) {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- return;
- }
-
- /* skip marked or retransmitted packets */
- if (packet->tcp_retransmission != 0) {
- return;
- }
-
- if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_PANDO) {
- return;
- }
-
- ndpi_check_pando_tcp(ndpi_struct, flow);
-
- if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_PANDO) {
- return;
- }
-
- ndpi_check_pando_udp(ndpi_struct, flow);
-}
-
-
-void init_pando_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
-{
- ndpi_set_bitmask_protocol_detection("Pando_Media_Booster", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_PANDO,
- ndpi_search_pando,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITHOUT_RETRANSMISSION,
- SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
-
- *id += 1;
-}
diff --git a/src/lib/protocols/pplive.c b/src/lib/protocols/pplive.c
deleted file mode 100644
index 2e41d64f5..000000000
--- a/src/lib/protocols/pplive.c
+++ /dev/null
@@ -1,232 +0,0 @@
-/*
- * pplive.c
- *
- * Copyright (C) 2014 Tomasz Bujlow <tomasz@skatnet.dk>
- *
- * The signature is mostly based on the Libprotoident library
- * except the detection of HTTP Steam flows.
- *
- * This file is part of nDPI, an open source deep packet inspection
- * library based on the OpenDPI and PACE technology by ipoque GmbH
- *
- * nDPI is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * nDPI is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-#include "ndpi_protocol_ids.h"
-
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_PPLIVE
-
-#include "ndpi_api.h"
-
-static void ndpi_int_pplive_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PPLIVE, NDPI_PROTOCOL_UNKNOWN);
-}
-
-static void ndpi_check_pplive_udp1(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- struct ndpi_packet_struct *packet = &flow->packet;
- u_int32_t payload_len = packet->payload_packet_len;
-
- /* Check if we so far detected the protocol in the request or not. */
- if (flow->pplive_stage1 == 0) {
- NDPI_LOG_DBG2(ndpi_struct, "PPLIVE stage 0: \n");
-
- if (ndpi_match_strprefix(packet->payload, payload_len, "\xe9\x03\x41\x01")) {
- NDPI_LOG_DBG2(ndpi_struct, "Possible PPLIVE request detected, we will look further for the response..\n");
-
- /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
- flow->pplive_stage1 = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2
- return;
- }
-
- if (ndpi_match_strprefix(packet->payload, payload_len, "\xe9\x03\x42\x01")) {
- NDPI_LOG_DBG2(ndpi_struct, "Possible PPLIVE request detected, we will look further for the response..\n");
-
- /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
- flow->pplive_stage1 = packet->packet_direction + 3; // packet_direction 0: stage 3, packet_direction 1: stage 4
- return;
- }
-
- if (ndpi_match_strprefix(packet->payload, payload_len, "\x1c\x1c\x32\x01")) {
- NDPI_LOG_DBG2(ndpi_struct, "Possible PPLIVE request detected, we will look further for the response..\n");
-
- /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
- flow->pplive_stage1 = packet->packet_direction + 5; // packet_direction 0: stage 5, packet_direction 1: stage 6
- return;
- }
-
- } else if ((flow->pplive_stage1 == 1) || (flow->pplive_stage1 == 2)) {
- NDPI_LOG_DBG2(ndpi_struct, "PPLIVE stage %u: \n", flow->pplive_stage1);
-
- /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */
- if ((flow->pplive_stage1 - packet->packet_direction) == 1) {
- return;
- }
-
- /* This is a packet in another direction. Check if we find the proper response. */
- if (ndpi_match_strprefix(packet->payload, payload_len, "\xe9\x03\x42\x01") || ndpi_match_strprefix(packet->payload, payload_len, "\xe9\x03\x41\x01")) {
- NDPI_LOG_DBG2(ndpi_struct, "Found PPLIVE\n");
- ndpi_int_pplive_add_connection(ndpi_struct, flow);
- } else {
- NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PPLIVE, resetting the stage to 0..\n");
- flow->pplive_stage1 = 0;
- }
-
- } else if ((flow->pplive_stage1 == 3) || (flow->pplive_stage1 == 4)) {
- NDPI_LOG_DBG2(ndpi_struct, "PPLIVE stage %u: \n", flow->pplive_stage1);
-
- /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */
- if ((flow->pplive_stage1 - packet->packet_direction) == 3) {
- return;
- }
-
- /* This is a packet in another direction. Check if we find the proper response. */
- if (ndpi_match_strprefix(packet->payload, payload_len, "\xe9\x03\x41\x01")) {
- NDPI_LOG_INFO(ndpi_struct, "found PPLIVE\n");
- ndpi_int_pplive_add_connection(ndpi_struct, flow);
- } else {
- NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PPLIVE, resetting the stage to 0..\n");
- flow->pplive_stage1 = 0;
- }
- } else if ((flow->pplive_stage1 == 5) || (flow->pplive_stage1 == 6)) {
- NDPI_LOG_DBG2(ndpi_struct, "PPLIVE stage %u: \n", flow->pplive_stage1);
-
- /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */
- if ((flow->pplive_stage1 - packet->packet_direction) == 5) {
- return;
- }
-
- /* This is a packet in another direction. Check if we find the proper response. */
- if (ndpi_match_strprefix(packet->payload, payload_len, "\x1c\x1c\x32\x01")) {
- NDPI_LOG_INFO(ndpi_struct, "Found PPLIVE\n");
- ndpi_int_pplive_add_connection(ndpi_struct, flow);
- } else {
- NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PPLIVE, resetting the stage to 0..\n");
- flow->pplive_stage1 = 0;
- }
- }
-
-}
-
-static void ndpi_check_pplive_udp2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- struct ndpi_packet_struct *packet = &flow->packet;
- u_int32_t payload_len = packet->payload_packet_len;
-
- /* Check if we so far detected the protocol in the request or not. */
- NDPI_LOG_DBG2(ndpi_struct, "PPLIVE stage %u: \n", flow->pplive_stage2);
- if (flow->pplive_stage2 == 0) {
-
- if ((payload_len == 57) && ndpi_match_strprefix(packet->payload, payload_len, "\xe9\x03\x41\x01")) {
- NDPI_LOG_DBG2(ndpi_struct, "Possible PPLIVE request detected, we will look further for the response..\n");
-
- /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
- flow->pplive_stage2 = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2
- }
-
- } else {
- /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */
- if ((flow->pplive_stage2 - packet->packet_direction) == 1) {
- return;
- }
-
- /* This is a packet in another direction. Check if we find the proper response. */
- if (payload_len == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found PPLIVE\n");
- ndpi_int_pplive_add_connection(ndpi_struct, flow);
- } else {
- NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PPLIVE, resetting the stage to 0..\n");
- flow->pplive_stage2 = 0;
- }
-
- }
-}
-
-static void ndpi_check_pplive_udp3(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- struct ndpi_packet_struct *packet = &flow->packet;
- u_int32_t payload_len = packet->payload_packet_len;
-
- /* Check if we so far detected the protocol in the request or not. */
- NDPI_LOG_DBG(ndpi_struct, "PPLIVE stage %u: \n", flow->pplive_stage3);
- if (flow->pplive_stage3 == 0) {
-
- if ((payload_len == 94) && (packet->udp->dest == htons(5041) || packet->udp->source == htons(5041) || packet->udp->dest == htons(8303) || packet->udp->source == htons(8303))) {
- NDPI_LOG_DBG2(ndpi_struct, "Possible PPLIVE request detected, we will look further for the response..\n");
-
- /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
- flow->pplive_stage3 = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2
- return;
- }
-
- } else {
-
- /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */
- if ((flow->pplive_stage3 - packet->packet_direction) == 1) {
- return;
- }
-
- /* This is a packet in another direction. Check if we find the proper response. */
- if ((payload_len == 0) || (payload_len == 49) ||(payload_len == 94)) {
- NDPI_LOG_INFO(ndpi_struct, "found PPLIVE\n");
- ndpi_int_pplive_add_connection(ndpi_struct, flow);
- } else {
- NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PPLIVE, resetting the stage to 0..\n");
- flow->pplive_stage3 = 0;
- }
- }
-
-}
-
-void ndpi_search_pplive(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- struct ndpi_packet_struct *packet = &flow->packet;
-
- NDPI_LOG_DBG(ndpi_struct, "search PPLIVE\n");
-
- /* Break after 20 packets. */
- if (flow->packet_counter > 20) {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- return;
- }
-
- if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_PPLIVE) {
- return;
- }
-
- ndpi_check_pplive_udp1(ndpi_struct, flow);
-
- if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_PPLIVE) {
- return;
- }
-
- ndpi_check_pplive_udp2(ndpi_struct, flow);
-
- if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_PPLIVE) {
- return;
- }
-
- ndpi_check_pplive_udp3(ndpi_struct, flow);
-}
-
-
-void init_pplive_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
-{
- ndpi_set_bitmask_protocol_detection("PPLive", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_PPLIVE,
- ndpi_search_pplive,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP,
- SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
-
- *id += 1;
-}
-
diff --git a/src/lib/protocols/radius.c b/src/lib/protocols/radius.c
index 5597f64a2..4e2782d9c 100644
--- a/src/lib/protocols/radius.c
+++ b/src/lib/protocols/radius.c
@@ -40,9 +40,11 @@ static void ndpi_check_radius(struct ndpi_detection_module_struct *ndpi_struct,
if(packet->udp != NULL) {
struct radius_header *h = (struct radius_header*)packet->payload;
/* RFC2865: The minimum length is 20 and maximum length is 4096. */
- if((payload_len < 20) || (payload_len > 4096))
- return;
-
+ if((payload_len < 20) || (payload_len > 4096)) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
if((h->code > 0)
&& (h->code <= 13)
&& (ntohs(h->len) == payload_len)) {
diff --git a/src/lib/protocols/rtcp.c b/src/lib/protocols/rtcp.c
index 77903d6cc..0e03ea8a8 100644
--- a/src/lib/protocols/rtcp.c
+++ b/src/lib/protocols/rtcp.c
@@ -45,7 +45,7 @@ void ndpi_search_rtcp(struct ndpi_detection_module_struct *ndpi_struct,
len = packet->payload[2+offset] * 256 + packet->payload[2+offset+1];
rtcp_section_len = (len + 1) * 4;
- if(((offset+rtcp_section_len) > packet->payload_packet_len) || (rtcp_section_len == 0))
+ if(((offset+rtcp_section_len) > packet->payload_packet_len) || (rtcp_section_len == 0) || (len == 0))
goto exclude_rtcp;
else
offset += rtcp_section_len;
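Review bot: The added `(len == 0)` test has no comment, and with `rtcp_section_len = (len + 1) * 4` just above it is not obvious why a zero length field is rejected while the `rtcp_section_len == 0` test is kept. The RTCP length field counts 32-bit words minus one (RFC 3550), so `len == 0` means a header-only section; a comment such as `/* len is in 32-bit words minus one: 0 = 4-byte header only, not accepted here */` would record that. The two `packet->payload[2+offset…]` reads also happen before the bounds comparison; the loop condition that guards them is outside the hunk, so I cannot confirm from here that `offset + 3` always lies inside the payload.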
@@ -60,6 +60,9 @@ void ndpi_search_rtcp(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_INFO(ndpi_struct, "found rtcp\n");
ndpi_int_rtcp_add_connection(ndpi_struct, flow);
}
+
+ if(flow->packet_counter > 3)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
} else {
exclude_rtcp:
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
index acea41b54..fdf8d8b9f 100644
--- a/src/lib/protocols/rtp.c
+++ b/src/lib/protocols/rtp.c
@@ -76,6 +76,8 @@ static u_int8_t isValidMSRTPType(u_int8_t payloadType) {
static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
const u_int8_t * payload, const u_int16_t payload_len) {
+ u_int8_t payloadType, payload_type = payload[1] & 0x7F;
+
NDPI_LOG_DBG(ndpi_struct, "search RTP\n");
if((payload_len < 2) || flow->protos.stun_ssl.stun.num_binding_requests) {
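Review bot: The declaration moved to the top of ndpi_rtp_search now evaluates `payload[1] & 0x7F` before the `payload_len < 2` guard below it, so a 0- or 1-byte payload is read beyond its end. Before this commit the initialisation came after the guard (the line removed in the next hunk). Keep the declaration at the top but assign after the check: `u_int8_t payloadType, payload_type;` and, after the guard's `return`, `payload_type = payload[1] & 0x7F;`. The rest of the function is outside this hunk.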
@@ -83,9 +85,6 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
return;
}
- //struct ndpi_packet_struct *packet = &flow->packet;
- u_int8_t payloadType, payload_type = payload[1] & 0x7F;
-
/* Check whether this is an RTP flow */
if((payload_len >= 12)
&& (((payload[0] & 0xFF) == 0x80) || ((payload[0] & 0xFF) == 0xA0)) /* RTP magic byte[1] */
@@ -105,13 +104,6 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_INFO(ndpi_struct, "Found Skype for Business (former MS Lync)\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_UNKNOWN);
return;
- } else /* RTCP */ {
-#if 0
- /* If it's RTCP the RTCP decoder will catch it */
- NDPI_LOG_INFO(ndpi_struct, "Found MS RTCP\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTCP, NDPI_PROTOCOL_UNKNOWN);
- return;
-#endif
}
}
@@ -136,6 +128,8 @@ void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, struct nd
&& (dest > 1023)
)
ndpi_rtp_search(ndpi_struct, flow, packet->payload, packet->payload_packet_len);
+ else
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
/* *************************************************************** */
diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c
index 4da380a4b..b7806d036 100644
--- a/src/lib/protocols/sip.c
+++ b/src/lib/protocols/sip.c
@@ -48,142 +48,131 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct
const u_int8_t *packet_payload = packet->payload;
u_int32_t payload_len = packet->payload_packet_len;
- if (payload_len > 4) {
+ if(payload_len > 4) {
/* search for STUN Turn ChannelData Prefix */
u_int16_t message_len = ntohs(get_u_int16_t(packet->payload, 2));
- if (payload_len - 4 == message_len) {
+
+ if(payload_len - 4 == message_len) {
NDPI_LOG_DBG2(ndpi_struct, "found STUN TURN ChannelData prefix\n");
payload_len -= 4;
packet_payload += 4;
}
}
- if (payload_len >= 14)
- {
-
- if ((memcmp(packet_payload, "NOTIFY ", 7) == 0 || memcmp(packet_payload, "notify ", 7) == 0)
- && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) {
-
- NDPI_LOG_INFO(ndpi_struct, "found sip NOTIFY\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
-
- if ((memcmp(packet_payload, "REGISTER ", 9) == 0 || memcmp(packet_payload, "register ", 9) == 0)
- && (memcmp(&packet_payload[9], "SIP:", 4) == 0 || memcmp(&packet_payload[9], "sip:", 4) == 0)) {
-
- NDPI_LOG_INFO(ndpi_struct, "found sip REGISTER\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
-
- if ((memcmp(packet_payload, "INVITE ", 7) == 0 || memcmp(packet_payload, "invite ", 7) == 0)
- && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) {
- NDPI_LOG_INFO(ndpi_struct, "found sip INVITE\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
-
- /* seen this in second direction on the third position,
- * maybe it could be deleted, if somebody sees it in the first direction,
- * please delete this comment.
- */
-
- /*
- if (memcmp(packet_payload, "SIP/2.0 200 OK", 14) == 0 || memcmp(packet_payload, "sip/2.0 200 OK", 14) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found sip SIP/2.0 0K\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
- */
- if (memcmp(packet_payload, "SIP/2.0 ", 8) == 0 || memcmp(packet_payload, "sip/2.0 ", 8) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found sip SIP/2.0 *\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
-
- if ((memcmp(packet_payload, "BYE ", 4) == 0 || memcmp(packet_payload, "bye ", 4) == 0)
- && (memcmp(&packet_payload[4], "SIP:", 4) == 0 || memcmp(&packet_payload[4], "sip:", 4) == 0)) {
- NDPI_LOG_INFO(ndpi_struct, "found sip BYE\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
-
- if ((memcmp(packet_payload, "ACK ", 4) == 0 || memcmp(packet_payload, "ack ", 4) == 0)
- && (memcmp(&packet_payload[4], "SIP:", 4) == 0 || memcmp(&packet_payload[4], "sip:", 4) == 0)) {
- NDPI_LOG_INFO(ndpi_struct, "found sip ACK\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
-
- if ((memcmp(packet_payload, "CANCEL ", 7) == 0 || memcmp(packet_payload, "cancel ", 7) == 0)
- && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) {
- NDPI_LOG_INFO(ndpi_struct, "found sip CANCEL\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
-
- if ((memcmp(packet_payload, "PUBLISH ", 8) == 0 || memcmp(packet_payload, "publish ", 8) == 0)
- && (memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0)) {
- NDPI_LOG_INFO(ndpi_struct, "found sip PUBLISH\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
-
- if ((memcmp(packet_payload, "SUBSCRIBE ", 10) == 0 || memcmp(packet_payload, "subscribe ", 10) == 0)
- && (memcmp(&packet_payload[10], "SIP:", 4) == 0 || memcmp(&packet_payload[10], "sip:", 4) == 0)) {
- NDPI_LOG_INFO(ndpi_struct, "found sip SUBSCRIBE\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
-
- /* SIP message extension RFC 3248 */
- if ((memcmp(packet_payload, "MESSAGE ", 8) == 0 || memcmp(packet_payload, "message ", 8) == 0)
- && (memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0)) {
- NDPI_LOG_INFO(ndpi_struct, "found sip MESSAGE\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
-
- /* Courtesy of Miguel Quesada <mquesadab@gmail.com> */
- if ((memcmp(packet_payload, "OPTIONS ", 8) == 0
- || memcmp(packet_payload, "options ", 8) == 0)
- && (memcmp(&packet_payload[8], "SIP:", 4) == 0
- || memcmp(&packet_payload[8], "sip:", 4) == 0)) {
- NDPI_LOG_INFO(ndpi_struct, "found sip OPTIONS\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
+ if(payload_len >= 14) {
+ if((memcmp(packet_payload, "NOTIFY ", 7) == 0 || memcmp(packet_payload, "notify ", 7) == 0)
+ && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) {
+
+ NDPI_LOG_INFO(ndpi_struct, "found sip NOTIFY\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ if((memcmp(packet_payload, "REGISTER ", 9) == 0 || memcmp(packet_payload, "register ", 9) == 0)
+ && (memcmp(&packet_payload[9], "SIP:", 4) == 0 || memcmp(&packet_payload[9], "sip:", 4) == 0)) {
+
+ NDPI_LOG_INFO(ndpi_struct, "found sip REGISTER\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ if((memcmp(packet_payload, "INVITE ", 7) == 0 || memcmp(packet_payload, "invite ", 7) == 0)
+ && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip INVITE\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ /* seen this in second direction on the third position,
+ * maybe it could be deleted, if somebody sees it in the first direction,
+ * please delete this comment.
+ */
+
+ /*
+ if(memcmp(packet_payload, "SIP/2.0 200 OK", 14) == 0 || memcmp(packet_payload, "sip/2.0 200 OK", 14) == 0) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip SIP/2.0 0K\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
}
+ */
+ if(memcmp(packet_payload, "SIP/2.0 ", 8) == 0 || memcmp(packet_payload, "sip/2.0 ", 8) == 0) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip SIP/2.0 *\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ if((memcmp(packet_payload, "BYE ", 4) == 0 || memcmp(packet_payload, "bye ", 4) == 0)
+ && (memcmp(&packet_payload[4], "SIP:", 4) == 0 || memcmp(&packet_payload[4], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip BYE\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ if((memcmp(packet_payload, "ACK ", 4) == 0 || memcmp(packet_payload, "ack ", 4) == 0)
+ && (memcmp(&packet_payload[4], "SIP:", 4) == 0 || memcmp(&packet_payload[4], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip ACK\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ if((memcmp(packet_payload, "CANCEL ", 7) == 0 || memcmp(packet_payload, "cancel ", 7) == 0)
+ && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip CANCEL\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ if((memcmp(packet_payload, "PUBLISH ", 8) == 0 || memcmp(packet_payload, "publish ", 8) == 0)
+ && (memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip PUBLISH\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ if((memcmp(packet_payload, "SUBSCRIBE ", 10) == 0 || memcmp(packet_payload, "subscribe ", 10) == 0)
+ && (memcmp(&packet_payload[10], "SIP:", 4) == 0 || memcmp(&packet_payload[10], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip SUBSCRIBE\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ /* SIP message extension RFC 3248 */
+ if((memcmp(packet_payload, "MESSAGE ", 8) == 0 || memcmp(packet_payload, "message ", 8) == 0)
+ && (memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip MESSAGE\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ /* Courtesy of Miguel Quesada <mquesadab@gmail.com> */
+ if((memcmp(packet_payload, "OPTIONS ", 8) == 0
+ || memcmp(packet_payload, "options ", 8) == 0)
+ && (memcmp(&packet_payload[8], "SIP:", 4) == 0
+ || memcmp(&packet_payload[8], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip OPTIONS\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+ }
/* add bitmask for tcp only, some stupid udp programs
* send a very few (< 10 ) packets before invite (mostly a 0x0a0x0d, but just search the first 3 payload_packets here */
- if (packet->udp != NULL && flow->packet_counter < 20) {
+ if(packet->udp != NULL && flow->packet_counter < 20) {
NDPI_LOG_DBG2(ndpi_struct, "need next packet\n");
return;
}
/* for STUN flows we need some more packets */
- if (packet->udp != NULL && flow->detected_protocol_stack[0] == NDPI_PROTOCOL_STUN && flow->packet_counter < 40) {
+ if(packet->udp != NULL && flow->detected_protocol_stack[0] == NDPI_PROTOCOL_STUN && flow->packet_counter < 40) {
NDPI_LOG_DBG2(ndpi_struct, "need next STUN packet\n");
return;
}
- if (payload_len == 4 && get_u_int32_t(packet_payload, 0) == 0) {
+ if(payload_len == 4 && get_u_int32_t(packet_payload, 0) == 0) {
NDPI_LOG_DBG2(ndpi_struct, "maybe sip. need next packet\n");
return;
}
- if (payload_len > 30 && packet_payload[0] == 0x90
- && packet_payload[3] == payload_len - 20 && get_u_int32_t(packet_payload, 4) == 0
- && get_u_int32_t(packet_payload, 8) == 0) {
- flow->sip_yahoo_voice = 1;
- NDPI_LOG_DBG2(ndpi_struct, "maybe sip yahoo. need next packet\n");
- }
- if (flow->sip_yahoo_voice && flow->packet_counter < 10) {
- return;
- }
-
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
@@ -193,15 +182,18 @@ void ndpi_search_sip(struct ndpi_detection_module_struct *ndpi_struct, struct nd
NDPI_LOG_DBG(ndpi_struct, "search sip\n");
- /* skip marked packets */
- if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_SIP) {
- if (packet->tcp_retransmission == 0) {
- ndpi_search_sip_handshake(ndpi_struct, flow);
+ if(flow->packet_counter > 5)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ else {
+ /* skip marked packets */
+ if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_SIP) {
+ if(packet->tcp_retransmission == 0) {
+ ndpi_search_sip_handshake(ndpi_struct, flow);
+ }
}
}
}
-
void init_sip_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
ndpi_set_bitmask_protocol_detection("SIP", ndpi_struct, detection_bitmask, *id,
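Review bot: The new `if(flow->packet_counter > 5)` cut-off in ndpi_search_sip does not agree with the waits kept in ndpi_search_sip_handshake (first sip.c hunk), which still test `flow->packet_counter < 20` and `< 40`, under a comment that expects up to about ten UDP packets before the INVITE. If ndpi_search_sip is the only caller (not visible here), the `< 20` test is now always true for UDP, so the STUN `< 40` branch and the final `NDPI_EXCLUDE_PROTO` in the handshake are unreachable for UDP flows. A SIP dialogue whose first request arrives after packet 5 will also no longer be classified, which matters to anyone using the label for VoIP monitoring. Either use one named limit in both places, or put a comment on the new check such as `/* give up after 5 packets; the UDP waits in ndpi_search_sip_handshake are bounded by this */`.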
diff --git a/src/lib/protocols/steam.c b/src/lib/protocols/steam.c
index 41d1a7d71..198286c8b 100644
--- a/src/lib/protocols/steam.c
+++ b/src/lib/protocols/steam.c
@@ -267,7 +267,6 @@ void ndpi_search_steam(struct ndpi_detection_module_struct *ndpi_struct, struct
return;
}
-
/* skip marked or retransmitted packets */
if(packet->tcp_retransmission != 0) {
return;
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index e4d504821..8db589182 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -27,7 +27,7 @@
#include "ndpi_api.h"
-#define MAX_NUM_STUN_PKTS 8
+#define MAX_NUM_STUN_PKTS 3
// #define DEBUG_STUN 1
// #define DEBUG_LRU 1
@@ -122,15 +122,15 @@ static int is_google_ip_address(u_int32_t host) {
/* ************************************************************ */
/*
- WhatsApp
- 31.13.86.48
- 31.13.92.50
- 157.240.20.51
- 157.240.21.51
- 185.60.216.51
-
- Messenger
- 31.13.86.5
+ WhatsApp
+ 31.13.86.48
+ 31.13.92.50
+ 157.240.20.51
+ 157.240.21.51
+ 185.60.216.51
+
+ Messenger
+ 31.13.86.5
*/
static int is_messenger_ip_address(u_int32_t host) {
@@ -149,14 +149,10 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
u_int16_t msg_type, msg_len;
int rc;
- /* STUN over TCP does not look good */
- if(flow->packet.tcp)
- return(NDPI_IS_NOT_STUN);
-
/* No need to do ntohl() with 0xFFFFFFFF */
if(flow->packet.iph && (flow->packet.iph->daddr == 0xFFFFFFFF /* 255.255.255.255 */)) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- return(NDPI_IS_NOT_STUN);;
+ return(NDPI_IS_NOT_STUN);
}
if(payload_length >= 512) {
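Review bot: With the `flow->packet.tcp` early return removed, ndpi_int_check_stun now depends entirely on the dissector being registered for UDP only, a change made in the last stun.c hunk (`NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD`), and nothing in this function records that assumption. If ndpi_search_stun still has a TCP path that calls it (not visible in these hunks), TCP payloads would now go through the UDP heuristics. Add a comment where the guard used to be, for example `/* UDP only: the dissector is registered with NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD */`. The function starts and ends outside this hunk.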
@@ -190,25 +186,25 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
#endif
/*
- If we're here it's because this does not look like STUN anymore
- as this was a flow that started as STUN and turned into something
- else. Let's investigate what is that about
- */
+ If we're here it's because this does not look like STUN anymore
+ as this was a flow that started as STUN and turned into something
+ else. Let's investigate what is that about
+ */
if(payload[0] == 0x16) {
/* Let's check if this is DTLS used by some socials */
struct ndpi_packet_struct *packet = &flow->packet;
u_int16_t total_len, version = htons(*((u_int16_t*) &packet->payload[1]));
switch (version) {
- case 0xFEFF: /* DTLS 1.0 */
- case 0xFEFD: /* DTLS 1.2 */
- total_len = ntohs(*((u_int16_t*) &packet->payload[11])) + 13;
-
- if(payload_length == total_len) {
- /* This is DTLS and the only protocol we know behaves like this is signal */
- flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL;
- return(NDPI_IS_STUN);
- }
+ case 0xFEFF: /* DTLS 1.0 */
+ case 0xFEFD: /* DTLS 1.2 */
+ total_len = ntohs(*((u_int16_t*) &packet->payload[11])) + 13;
+
+ if(payload_length == total_len) {
+ /* This is DTLS and the only protocol we know behaves like this is signal */
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL;
+ return(NDPI_IS_STUN);
+ }
}
}
@@ -218,7 +214,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
#if 0
if((flow->packet.udp->dest == htons(3480)) ||
(flow->packet.udp->source == htons(3480))
- )
+ )
printf("[STUN] Here we go\n");;
#endif
@@ -285,7 +281,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
return(NDPI_IS_STUN); /* This is WhatsApp Call */
} else if((payload[0] == 0x90) && (((msg_len+11) == payload_length) ||
- (flow->protos.stun_ssl.stun.num_binding_requests >= 4))) {
+ (flow->protos.stun_ssl.stun.num_binding_requests >= 4))) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
return(NDPI_IS_STUN); /* This is WhatsApp Call */
}
@@ -311,13 +307,13 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
u_int offset = 20;
/*
- This can either be the standard RTCP or Ms Lync RTCP that
- later will become Ms Lync RTP. In this case we need to
- be careful before deciding about the protocol before dissecting the packet
+ This can either be the standard RTCP or Ms Lync RTCP that
+ later will become Ms Lync RTP. In this case we need to
+ be careful before deciding about the protocol before dissecting the packet
- MS Lync = Skype
- https://en.wikipedia.org/wiki/Skype_for_Business
- */
+ MS Lync = Skype
+ https://en.wikipedia.org/wiki/Skype_for_Business
+ */
while((offset+4) < payload_length) {
u_int16_t attribute = ntohs(*((u_int16_t*)&payload[offset]));
@@ -346,36 +342,36 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
break;
case 0x0014: /* Realm */
- {
- u_int16_t realm_len = ntohs(*((u_int16_t*)&payload[offset+2]));
+ {
+ u_int16_t realm_len = ntohs(*((u_int16_t*)&payload[offset+2]));
- if(flow->host_server_name[0] == '\0') {
- u_int j, i = (realm_len > sizeof(flow->host_server_name)) ? sizeof(flow->host_server_name) : realm_len;
- u_int k = offset+4;
+ if(flow->host_server_name[0] == '\0') {
+ u_int j, i = (realm_len > sizeof(flow->host_server_name)) ? sizeof(flow->host_server_name) : realm_len;
+ u_int k = offset+4;
- memset(flow->host_server_name, 0, sizeof(flow->host_server_name));
+ memset(flow->host_server_name, 0, sizeof(flow->host_server_name));
- for(j=0; j<i; j++) {
- if((k+i) < payload_length)
- flow->host_server_name[j] = payload[k++];
- else
- break;
- }
+ for(j=0; j<i; j++) {
+ if((k+i) < payload_length)
+ flow->host_server_name[j] = payload[k++];
+ else
+ break;
+ }
#ifdef DEBUG_STUN
- printf("==> [%s]\n", flow->host_server_name);
+ printf("==> [%s]\n", flow->host_server_name);
#endif
- if(strstr((char*) flow->host_server_name, "google.com") != NULL) {
+ if(strstr((char*) flow->host_server_name, "google.com") != NULL) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
return(NDPI_IS_STUN);
- } else if(strstr((char*) flow->host_server_name, "whispersystems.org") != NULL) {
- flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL;
- return(NDPI_IS_STUN);
- }
- }
- }
- break;
+ } else if(strstr((char*) flow->host_server_name, "whispersystems.org") != NULL) {
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL;
+ return(NDPI_IS_STUN);
+ }
+ }
+ }
+ break;
case 0xC057: /* Messeger */
if(msg_type == 0x0001) {
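Review bot: The re-indented Realm copy still caps `i` at `sizeof(flow->host_server_name)` rather than one less, so when the attacker-controlled `realm_len` is at least the buffer size the loop may fill every byte. The `strstr` calls would then scan an unterminated buffer unless the packet-length test happens to stop the copy early. Making the terminator explicit costs nothing: `i = (realm_len >= sizeof(flow->host_server_name)) ? sizeof(flow->host_server_name) - 1 : realm_len;`. The loop bound `(k+i) < payload_length` also compares against a moving `k`, so it cuts short realms that do fit in the packet; checking `(offset + 4 + i) <= payload_length` once before the loop would state the intent. The enclosing switch and function continue outside this hunk.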
@@ -470,7 +466,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
} else
return(NDPI_IS_NOT_STUN);
-udp_stun_found:
+ udp_stun_found:
flow->protos.stun_ssl.stun.num_processed_pkts++;
struct ndpi_packet_struct *packet = &flow->packet;
@@ -489,7 +485,6 @@ udp_stun_found:
return rc;
}
-
void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
@@ -535,13 +530,12 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
return;
}
- if(flow->protos.stun_ssl.stun.num_udp_pkts >= MAX_NUM_STUN_PKTS)
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-
if(flow->packet_counter > 0) {
/* This might be a RTP stream: let's make sure we check it */
NDPI_CLR(&flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTP);
}
+
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
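Review bot: The unconditional `NDPI_EXCLUDE_PROTO` at the end of ndpi_search_stun replaces the `num_udp_pkts >= MAX_NUM_STUN_PKTS` budget, so STUN is abandoned on the first packet that is not recognised, yet the first stun.c hunk still retunes `MAX_NUM_STUN_PKTS` from 8 to 3. If no other use of the constant remains (none is visible in these hunks), the define is dead and its new value suggests a retry budget that no longer exists. Either remove it or keep the bounded check. A comment above the new call, such as `/* no retry budget: exclude STUN as soon as one packet fails the check */`, would make the behaviour change explicit. The start of the function is outside this hunk.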
@@ -550,7 +544,7 @@ void init_stun_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
ndpi_set_bitmask_protocol_detection("STUN", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_STUN,
ndpi_search_stun,
- NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP_WITH_PAYLOAD,
+ NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
diff --git a/src/lib/protocols/tftp.c b/src/lib/protocols/tftp.c
index 941520b25..a9d7a21d3 100644
--- a/src/lib/protocols/tftp.c
+++ b/src/lib/protocols/tftp.c
@@ -41,26 +41,31 @@ void ndpi_search_tftp(struct ndpi_detection_module_struct
NDPI_LOG_DBG(ndpi_struct, "search TFTP\n");
- if (packet->payload_packet_len > 3 && flow->l4.udp.tftp_stage == 0
- && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00030001) {
+ if ((packet->payload_packet_len > 3)
+ && (flow->l4.udp.tftp_stage == 0)
+ && (ntohl(get_u_int32_t(packet->payload, 0)) == 0x00030001)) {
NDPI_LOG_DBG2(ndpi_struct, "maybe tftp. need next packet\n");
flow->l4.udp.tftp_stage = 1;
return;
}
- if (packet->payload_packet_len > 3 && (flow->l4.udp.tftp_stage == 1)
- && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00040001) {
- NDPI_LOG_INFO(ndpi_struct, "found tftp\n");
- ndpi_int_tftp_add_connection(ndpi_struct, flow);
- return;
- }
- if (packet->payload_packet_len > 1
- && ((packet->payload[0] == 0 && packet->payload[packet->payload_packet_len - 1] == 0)
- || (packet->payload_packet_len == 4 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00040000))) {
- NDPI_LOG_DBG2(ndpi_struct, "skip initial packet\n");
- return;
- }
+ if(flow->l4.udp.tftp_stage == 1) {
+ if (packet->payload_packet_len > 3 && (flow->l4.udp.tftp_stage == 1)
+ && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00040001) {
+
+ NDPI_LOG_INFO(ndpi_struct, "found tftp\n");
+ ndpi_int_tftp_add_connection(ndpi_struct, flow);
+ return;
+ }
+ if (packet->payload_packet_len > 1
+ && ((packet->payload[0] == 0 && packet->payload[packet->payload_packet_len - 1] == 0)
+ || (packet->payload_packet_len == 4 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00040000))) {
+ NDPI_LOG_DBG2(ndpi_struct, "skip initial packet\n");
+ return;
+ }
+ }
+
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
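Review bot: Wrapping both checks in `if(flow->l4.udp.tftp_stage == 1)` makes the "skip initial packet" test unreachable for the packet it describes. A first packet that begins and ends with a zero byte, or the 4-byte `0x00040000` one, arrives at stage 0, fails the `0x00030001` test and now falls straight through to `NDPI_EXCLUDE_PROTO`. If that is intended, the log text and branch are misleading and should be dropped; if not, the skip test should stay outside the stage-1 block, as it was before. The inner `(flow->l4.udp.tftp_stage == 1)` is also redundant inside the new block, so the condition can be `if(packet->payload_packet_len > 3 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00040001) {`. The start of ndpi_search_tftp is outside this hunk.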
diff --git a/src/lib/protocols/tinc.c b/src/lib/protocols/tinc.c
index 62981dbb3..4748700cf 100644
--- a/src/lib/protocols/tinc.c
+++ b/src/lib/protocols/tinc.c
@@ -58,9 +58,9 @@ static void ndpi_check_tinc(struct ndpi_detection_module_struct *ndpi_struct, st
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TINC, NDPI_PROTOCOL_UNKNOWN);
}
}
-
+
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
-
} else if(packet->tcp != NULL) {
if(payload_len == 0) {
if(packet->tcp->syn == 1 && packet->tcp->ack == 0) {
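Review bot: The added `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);` is placed after the block that calls `ndpi_set_detected_protocol(..., NDPI_PROTOCOL_TINC, ...)`, and no `return` is visible between the two. A UDP flow that has just been detected as tinc therefore appears to fall through and be marked excluded for the same protocol. Add `return;` directly after the `ndpi_set_detected_protocol` call so that only the non-matching path reaches the exclude. The beginning of ndpi_check_tinc and of the UDP branch is outside this hunk, so confirm against the full function.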
diff --git a/tests/pcap/tftp_rrq.pcap b/tests/pcap/tftp_rrq.pcap
new file mode 100644
index 000000000..6c5efa8ba
--- /dev/null
+++ b/tests/pcap/tftp_rrq.pcap
Binary files differ
diff --git a/tests/result/facebook.pcap.out b/tests/result/facebook.pcap.out
index b8f33fcc1..880c5f2c3 100644
--- a/tests/result/facebook.pcap.out
+++ b/tests/result/facebook.pcap.out
@@ -5,5 +5,5 @@ JA3 Host Stats:
1 192.168.43.18 2
- 1 TCP 192.168.43.18:44614 <-> 31.13.86.36:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][19 pkts/2664 bytes <-> 22 pkts/22102 bytes][Goodput ratio: 53/93][0.68 sec][ALPN: h2;spdy/3.1;http/1.1][bytes ratio: -0.785 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 35/31 154/154 52/52][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 140/1005 583/1454 137/604][TLSv1.2][Client: www.facebook.com][JA3C: 5c60e71f1b8cd40e4d40ed5b6d666e3f][JA3S: 96681175a9547081bf3d417f1a572091][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,14,10,3,7,0,0,0,0,0,0,3,3,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,51,0,0,0,0]
+ 1 TCP 192.168.43.18:44614 <-> 31.13.86.36:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][19 pkts/2664 bytes <-> 22 pkts/22102 bytes][Goodput ratio: 53/93][0.68 sec][ALPN: h2;spdy/3.1;http/1.1][bytes ratio: -0.785 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 35/31 154/154 52/52][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 140/1005 583/1454 137/604][TLSv1.2][Client: www.facebook.com][JA3C: 5c60e71f1b8cd40e4d40ed5b6d666e3f][JA3S: 96681175a9547081bf3d417f1a572091][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (hTge.tcebook.com)][Plen Bins: 0,14,10,3,7,0,0,0,0,0,0,3,3,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,51,0,0,0,0]
2 TCP 192.168.43.18:52066 <-> 66.220.156.68:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][9 pkts/1345 bytes <-> 10 pkts/4400 bytes][Goodput ratio: 55/85][1.30 sec][ALPN: h2;spdy/3.1;http/1.1][bytes ratio: -0.532 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 148/73 414/313 172/127][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 149/440 449/1454 125/522][TLSv1.2][Client: facebook.com][JA3C: bfcc1a3891601edb4f137ab7ab25b840][ServerNames: *.facebook.com,*.facebook.net,*.fb.com,*.fbcdn.net,*.fbsbx.com,*.m.facebook.com,*.messenger.com,*.xx.fbcdn.net,*.xy.fbcdn.net,*.xz.fbcdn.net,facebook.com,fb.com,messenger.com][JA3S: 2d1eb5817ece335c24904f516ad5da12][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA][Subject: C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com][Certificate SHA-1: A0:4E:AF:B3:48:C2:6B:15:A8:C1:AA:87:A3:33:CA:A3:CD:EE:C9:C9][Validity: 2014-08-28 00:00:00 - 2016-12-30 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,18,9,9,0,9,9,0,9,0,0,9,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0]
diff --git a/tests/result/netflix.pcap.out b/tests/result/netflix.pcap.out
index 5eaa9abb6..65a0cc2a4 100644
--- a/tests/result/netflix.pcap.out
+++ b/tests/result/netflix.pcap.out
@@ -51,7 +51,7 @@ JA3 Host Stats:
40 TCP 192.168.1.7:53248 <-> 52.32.22.214:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][12 pkts/5165 bytes <-> 10 pkts/5074 bytes][Goodput ratio: 84/87][0.34 sec][bytes ratio: 0.009 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 31/31 85/65 31/27][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430/507 1514/1514 533/591][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][ServerNames: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos][Subject: CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-17 20:32:09 - 2018-03-24 20:32:09][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,25,0,8,0,0,0,0,8,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,8,0,0,0,0,0,8,0,0,0,0,0,25,0,0]
41 TCP 192.168.1.7:53105 <-> 54.69.204.241:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][21 pkts/3051 bytes <-> 16 pkts/6234 bytes][Goodput ratio: 55/83][31.02 sec][ALPN: spdy/3.1;spdy/3;http/1.1][bytes ratio: -0.343 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1820/45 30348/363 7132/103][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 145/390 422/1514 132/520][TLSv1.2][Client: ichnaea.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][ServerNames: ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com][Certificate SHA-1: 50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 11,27,5,0,0,5,5,0,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]
42 TCP 192.168.1.7:53114 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][14 pkts/3109 bytes <-> 11 pkts/5119 bytes][Goodput ratio: 70/86][0.32 sec][bytes ratio: -0.244 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 24/22 72/63 26/25][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 222/465 1514/1514 382/579][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][ServerNames: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos][Subject: CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-17 20:32:09 - 2018-03-24 20:32:09][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 16,25,0,8,0,0,0,0,8,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,25,0,0]
- 43 TCP 192.168.1.7:53134 <-> 52.89.39.139:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][14 pkts/3548 bytes <-> 11 pkts/4653 bytes][Goodput ratio: 74/84][30.77 sec][bytes ratio: -0.135 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 29/22 143/79 43/29][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 253/423 1514/1514 422/512][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][JA3S: 303951d4c50efb2e991652225a6f02b1][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 18,9,0,0,9,0,9,0,0,0,0,0,9,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,18,0,0]
+ 43 TCP 192.168.1.7:53134 <-> 52.89.39.139:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][14 pkts/3548 bytes <-> 11 pkts/4653 bytes][Goodput ratio: 74/84][30.77 sec][bytes ratio: -0.135 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 29/22 143/79 43/29][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 253/423 1514/1514 422/512][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][JA3S: 303951d4c50efb2e991652225a6f02b1][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (STLCJ@.netflix.com)][Plen Bins: 18,9,0,0,9,0,9,0,0,0,0,0,9,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,18,0,0]
44 TCP 192.168.1.7:53115 <-> 52.32.196.36:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][16 pkts/1657 bytes <-> 12 pkts/5005 bytes][Goodput ratio: 36/84][30.93 sec][ALPN: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][bytes ratio: -0.503 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2373/20 30602/58 8149/26][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 104/417 309/1514 78/548][TLSv1.2][Client: api-global.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][ServerNames: api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 15,23,15,0,0,0,7,15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0]
45 TCP 192.168.1.7:53250 <-> 52.41.30.5:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][10 pkts/2830 bytes <-> 7 pkts/2484 bytes][Goodput ratio: 76/81][0.21 sec][bytes ratio: 0.065 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 26/20 92/54 34/22][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 283/355 1450/1066 419/413][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][JA3S: 303951d4c50efb2e991652225a6f02b1][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 12,12,0,0,12,0,12,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,12,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0]
46 TCP 192.168.1.7:53117 <-> 52.32.196.36:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][12 pkts/1294 bytes <-> 8 pkts/1723 bytes][Goodput ratio: 39/69][30.71 sec][bytes ratio: -0.142 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 3064/6120 30486/30536 9141/12208][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 108/215 309/989 83/296][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][JA3S: 303951d4c50efb2e991652225a6f02b1][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 25,12,12,0,12,0,12,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/teams.pcap.out b/tests/result/teams.pcap.out
index b62ad63ac..776f0792b 100644
--- a/tests/result/teams.pcap.out
+++ b/tests/result/teams.pcap.out
@@ -24,13 +24,13 @@ JA3 Host Stats:
3 TCP 192.168.1.6:60532 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][cat: Cloud/13][49 pkts/58592 bytes <-> 28 pkts/6555 bytes][Goodput ratio: 94/72][0.71 sec][bytes ratio: 0.799 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 13/29 177/221 32/57][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 1196/234 1494/1506 564/435][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: mobile.pipe.aria.microsoft.com][JA3C: a1674500365bdd882188db63730e69a2][ServerNames: *.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com][JA3S: ae4edc6faf64d08308082ad26be60767][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=*.events.data.microsoft.com][Certificate SHA-1: 33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB][Validity: 2019-10-10 21:55:38 - 2021-10-10 21:55:38][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 2,2,2,0,0,2,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,81,4,0,0]
4 TCP 192.168.1.6:60554 <-> 52.113.194.132:443 [proto: 91.250/TLS.Teams][cat: Collaborative/15][24 pkts/2746 bytes <-> 28 pkts/30546 bytes][Goodput ratio: 52/95][0.23 sec][bytes ratio: -0.835 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/9 21/140 7/29][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 114/1091 1136/1506 217/607][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: config.teams.microsoft.com][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][ServerNames: *.config.teams.microsoft.com,config.teams.microsoft.com][JA3S: 7d8fd34fdb13a7fff30d5a52846b6c4c][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1][Subject: CN=config.teams.microsoft.com][Certificate SHA-1: B9:54:54:12:C9:E9:43:65:10:70:04:7B:AD:B6:0C:46:06:38:A5:FA][Validity: 2019-12-11 02:04:20 - 2021-12-11 02:04:20][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,7,0,3,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,3,0,0,3,0,0,0,0,0,7,0,0,0,0,0,65,0,0]
5 TCP 192.168.1.6:60561 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][cat: Cloud/13][23 pkts/19184 bytes <-> 14 pkts/5643 bytes][Goodput ratio: 92/83][0.82 sec][bytes ratio: 0.545 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 25/44 161/136 43/48][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 834/403 1494/1506 690/567][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: mobile.pipe.aria.microsoft.com][JA3C: a1674500365bdd882188db63730e69a2][ServerNames: *.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com][JA3S: ae4edc6faf64d08308082ad26be60767][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=*.events.data.microsoft.com][Certificate SHA-1: 33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB][Validity: 2019-10-10 21:55:38 - 2021-10-10 21:55:38][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 4,4,4,0,0,0,9,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,60,9,0,0]
- 6 TCP 192.168.1.6:60535 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][cat: Cloud/13][21 pkts/16793 bytes <-> 13 pkts/5565 bytes][Goodput ratio: 92/84][0.33 sec][bytes ratio: 0.502 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/18 48/49 17/20][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 800/428 1494/1506 681/581][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: mobile.pipe.aria.microsoft.com][JA3C: a1674500365bdd882188db63730e69a2][ServerNames: *.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipeÍ*<—][JA3S: ae4edc6faf64d08308082ad26be60767][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=*.events.data.microsoft.com][Certificate SHA-1: 21:3D:34:04:2E:C6:DE:5B:DB:97:83:FC:EB:36:1C:5E:20:CE:40:57][Validity: 2019-10-10 21:55:38 - 2021-10-10 21:55:38][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 5,5,5,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,53,10,0,0]
+ 6 TCP 192.168.1.6:60535 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][cat: Cloud/13][21 pkts/16793 bytes <-> 13 pkts/5565 bytes][Goodput ratio: 92/84][0.33 sec][bytes ratio: 0.502 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/18 48/49 17/20][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 800/428 1494/1506 681/581][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: mobile.pipe.aria.microsoft.com][JA3C: a1674500365bdd882188db63730e69a2][ServerNames: *.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipeÍ*<—][JA3S: ae4edc6faf64d08308082ad26be60767][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=*.events.data.microsoft.com][Certificate SHA-1: 21:3D:34:04:2E:C6:DE:5B:DB:97:83:FC:EB:36:1C:5E:20:CE:40:57][Validity: 2019-10-10 21:55:38 - 2021-10-10 21:55:38][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][PLAIN TEXT (Xw@Vfo.pipe.aria.microsoft.com)][Plen Bins: 5,5,5,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,53,10,0,0]
7 TCP 192.168.1.6:60559 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][cat: Cloud/13][21 pkts/15525 bytes <-> 12 pkts/5499 bytes][Goodput ratio: 91/85][0.35 sec][bytes ratio: 0.477 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 17/21 52/51 22/22][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 739/458 1494/1506 682/595][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: mobile.pipe.aria.microsoft.com][JA3C: a1674500365bdd882188db63730e69a2][Plen Bins: 5,5,5,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,5,0,0,52,11,0,0]
8 TCP 192.168.1.6:60545 <-> 52.114.77.58:443 [proto: 91.250/TLS.Teams][cat: Collaborative/15][49 pkts/7568 bytes <-> 34 pkts/11426 bytes][Goodput ratio: 65/83][9.23 sec][ALPN: h2;http/1.1][bytes ratio: -0.203 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 226/294 4927/4971 803/983][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 154/336 1494/1506 217/458][TLSv1.2][Client: presence.teams.microsoft.com][JA3C: ebf5e0e525258d7a8dcb54aa1564ecbd][Plen Bins: 0,21,17,10,8,6,4,0,6,2,0,0,2,6,2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]
9 TCP 192.168.1.6:60549 <-> 13.107.18.11:443 [proto: 91.219/TLS.Microsoft365][cat: Collaborative/15][28 pkts/7696 bytes <-> 26 pkts/9797 bytes][Goodput ratio: 80/85][1.16 sec][ALPN: h2;http/1.1][bytes ratio: -0.120 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 47/23 539/167 115/43][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 275/377 1494/1506 397/471][TLSv1.2][Client: substrate.office.com][JA3C: ebf5e0e525258d7a8dcb54aa1564ecbd][ServerNames: outlook.office.com,attachment.outlook.office.net,attachment.outlook.officeppe.net,bookings.office.com,delve.office.com,edge.outlook.office365.com,edgesdf.outlook.com,img.delve.office.com,outlook.live.com,outlook-sdf.live.com,outlook-sdf.office.com,sdfedge-pilot.outlook.com,substrate.office.com,substrate-sdf.office.com,afd-k-acdc-direct.office.com,beta-sdf.yammer.com,teams-sdf.yammer.com,beta.yammer.com,teams.yammer.com,attachments.office.net,attachments-sdf.office.net,afd-k.office.com,afd-k-sdf.office.com][JA3S: a66ea560599a2f5c89eec8c3a0d69cee][Issuer: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1][Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Outlook.office.com][Certificate SHA-1: AA:D3:F5:66:06:48:AA:F8:8E:9B:79:D6:7F:1D:53:EA:3F:97:03:A2][Validity: 2019-07-12 00:00:00 - 2021-07-12 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,22,7,0,7,0,7,0,0,3,3,0,0,0,3,0,7,0,3,0,10,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0]
10 TCP 192.168.1.6:60548 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][cat: Cloud/13][18 pkts/12047 bytes <-> 11 pkts/5433 bytes][Goodput ratio: 90/86][0.32 sec][bytes ratio: 0.378 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 13/23 51/51 21/23][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 669/494 1494/1506 669/609][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: mobile.pipe.aria.microsoft.com][JA3C: a1674500365bdd882188db63730e69a2][ServerNames: *.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com][JA3S: ae4edc6faf64d08308082ad26be60767][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=*.events.data.microsoft.com][Certificate SHA-1: 33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB][Validity: 2019-10-10 21:55:38 - 2021-10-10 21:55:38][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 6,6,6,0,0,0,6,0,0,0,0,0,0,6,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,44,12,0,0]
11 TCP 192.168.1.6:60533 <-> 52.113.194.132:443 [proto: 91.250/TLS.Teams][cat: Collaborative/15][20 pkts/1861 bytes <-> 20 pkts/12980 bytes][Goodput ratio: 41/91][0.10 sec][ALPN: h2;http/1.1][bytes ratio: -0.749 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 6/4 29/29 8/8][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 93/649 312/1506 76/603][TLSv1.2][Client: teams.microsoft.com][JA3C: ebf5e0e525258d7a8dcb54aa1564ecbd][ServerNames: teams.microsoft.com][JA3S: 0f14538e1c9070becdad7739c67d6363][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=teams.microsoft.com][Certificate SHA-1: 68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E][Validity: 2019-09-12 18:16:45 - 2021-09-12 18:16:45][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,15,10,0,5,0,10,0,5,0,5,0,0,0,0,0,5,0,0,10,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,30,0,0]
- 12 TCP 192.168.1.6:60540 <-> 52.114.75.70:443 [proto: 91.250/TLS.Teams][cat: Collaborative/15][14 pkts/5711 bytes <-> 10 pkts/8093 bytes][Goodput ratio: 83/92][0.13 sec][ALPN: h2;http/1.1][bytes ratio: -0.173 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/9 32/32 13/14][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 408/809 1494/1506 517/688][TLSv1.2][Client: eu-prod.asyncgw.teams.microsoft.com][JA3C: 74d5fa154a7fc0a7c655d8eaa34b89bf][Plen Bins: 0,7,0,7,0,0,0,15,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,15,31,0,0]
+ 12 TCP 192.168.1.6:60540 <-> 52.114.75.70:443 [proto: 91.250/TLS.Teams][cat: Collaborative/15][14 pkts/5711 bytes <-> 10 pkts/8093 bytes][Goodput ratio: 83/92][0.13 sec][ALPN: h2;http/1.1][bytes ratio: -0.173 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/9 32/32 13/14][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 408/809 1494/1506 517/688][TLSv1.2][Client: eu-prod.asyncgw.teams.microsoft.com][JA3C: 74d5fa154a7fc0a7c655d8eaa34b89bf][PLAIN TEXT (//ocsp.digicert.commicrosoft.co)][Plen Bins: 0,7,0,7,0,0,0,15,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,15,31,0,0]
13 TCP 192.168.1.6:60537 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][cat: Cloud/13][16 pkts/8418 bytes <-> 10 pkts/5367 bytes][Goodput ratio: 87/88][0.27 sec][bytes ratio: 0.221 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 14/27 46/46 20/20][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 526/537 1494/1506 639/623][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: mobile.pipe.aria.microsoft.com][JA3C: a1674500365bdd882188db63730e69a2][ServerNames: *.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com][JA3S: ae4edc6faf64d08308082ad26be60767][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=*.events.data.microsoft.com][Certificate SHA-1: 33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB][Validity: 2019-10-10 21:55:38 - 2021-10-10 21:55:38][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 7,7,7,0,0,0,7,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,7,0,0,31,15,0,0]
14 TCP 192.168.1.6:60555 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][cat: Cloud/13][18 pkts/5861 bytes <-> 13 pkts/7901 bytes][Goodput ratio: 80/89][2.79 sec][bytes ratio: -0.148 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 192/269 2443/2490 625/741][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 326/608 1494/1506 448/617][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: mobile.pipe.aria.microsoft.com][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][ServerNames: *.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com][JA3S: 986571066668055ae9481cb84fda634a][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=*.events.data.microsoft.com][Certificate SHA-1: 33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB][Validity: 2019-10-10 21:55:38 - 2021-10-10 21:55:38][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,16,11,0,0,5,0,0,0,5,5,0,0,11,0,5,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,22,0,0]
15 TCP 192.168.1.6:60547 <-> 52.114.88.59:443 [proto: 91.250/TLS.Teams][cat: Collaborative/15][20 pkts/3926 bytes <-> 15 pkts/8828 bytes][Goodput ratio: 66/89][0.32 sec][ALPN: h2;http/1.1][bytes ratio: -0.384 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 13/25 91/80 23/31][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 196/589 1494/1506 320/612][TLSv1.2][Client: chatsvcagg.teams.microsoft.com][JA3C: ebf5e0e525258d7a8dcb54aa1564ecbd][Plen Bins: 0,21,10,5,0,5,10,5,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,5,21,0,0]
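Review bot: The regenerated line for flow 6 still pins a corrupted certificate parse: its `ServerNames` list ends in raw non-printable bytes (`pipeÍ*<—`). Its `Certificate SHA-1` is `21:3D:34:…`, while flows 3, 5, 10, 13 and 14 show the same Subject, Issuer and Validity with `33:B3:B7:…`. This probably comes from an incomplete or out-of-order certificate record being parsed as if it were whole, though the capture would need checking to confirm. A golden file that accepts this means the SAN list and fingerprint can be wrong in logs and in any allow/deny matching built on them. The fix belongs in the TLS dissector, outside this hunk: skip the certificate fields when the record is not fully reassembled and replace non-printable bytes before printing, then regenerate this line.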
diff --git a/tests/result/tftp_rrq.pcap.out b/tests/result/tftp_rrq.pcap.out
new file mode 100644
index 000000000..875030d5e
--- /dev/null
+++ b/tests/result/tftp_rrq.pcap.out
@@ -0,0 +1,5 @@
+STUN 1 62 1
+TFTP 98 29793 1
+
+ 1 UDP 192.168.0.10:3445 <-> 192.168.0.253:50618 [proto: 96/TFTP][cat: DataTransfer/4][49 pkts/26853 bytes <-> 49 pkts/2940 bytes][Goodput ratio: 92/7][0.18 sec][bytes ratio: 0.803 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/2 3/3 9/7 2/2][Pkt Len c2s/s2c min/avg/max/stddev: 69/60 548/60 558/60 69/0][PLAIN TEXT (Network Working Group )][Plen Bins: 51,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,48,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 2 UDP 192.168.0.253:50618 -> 192.168.0.10:69 [proto: 78/STUN][cat: Network/14][1 pkts/62 bytes -> 0 pkts/0 bytes][Goodput ratio: 32/0][< 1 sec][PLAIN TEXT (1350.txt)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
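Review bot: Flow 2 in this new expected result is the read request itself (client to port 69, `PLAIN TEXT (1350.txt)`), yet it is recorded as `[proto: 78/STUN][cat: Network/14]`, and the summary carries a `STUN 1 62 1` line. A test named tftp_rrq therefore locks in a misclassification of the RRQ packet, and only the data/ack flow on the ephemeral ports is detected as TFTP. Any policy or alert keyed on TFTP would miss the request that names the file. The expectation for that flow should be `[proto: 96/TFTP][cat: DataTransfer/4]`, with the STUN summary line gone. The cause is likely in the reworked stun.c/tftp.c checks elsewhere in this commit, which are not visible here.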
diff --git a/tests/result/viber.pcap.out b/tests/result/viber.pcap.out
index 107dfb9ca..5f3135047 100644
--- a/tests/result/viber.pcap.out
+++ b/tests/result/viber.pcap.out
@@ -17,7 +17,7 @@ JA3 Host Stats:
2 TCP 192.168.0.17:57520 <-> 54.230.93.96:443 [proto: 91.144/TLS.Viber][cat: Chat/9][12 pkts/1848 bytes <-> 12 pkts/9317 bytes][Goodput ratio: 57/91][5.69 sec][ALPN: h2;http/1.1][bytes ratio: -0.669 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 622/10 5492/35 1722/14][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 154/776 435/1514 138/635][TLSv1.2][Client: media.cdn.viber.com][JA3C: d8c87b9bfde38897979e41242626c2f3][ServerNames: *.cdn.viber.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Issuer: C=US, O=thawte, Inc., CN=thawte SSL CA - G2][Subject: C=LU, ST=Luxembourg, L=Luxembourg, O=Viber Media Sarl, OU=IT, CN=*.cdn.viber.com][Certificate SHA-1: B6:30:6F:02:75:A8:08:0A:AE:AA:9C:6C:9F:B5:8E:4C:82:02:3D:39][Validity: 2016-07-03 00:00:00 - 2018-07-03 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,7,0,7,0,7,0,0,15,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,39,0,0]
3 TCP 192.168.0.17:49048 <-> 54.187.91.182:443 [proto: 91.178/TLS.Amazon][cat: Web/5][13 pkts/2823 bytes <-> 14 pkts/6552 bytes][Goodput ratio: 69/86][1.00 sec][ALPN: http/1.1][bytes ratio: -0.398 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 58/60 176/183 76/72][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 217/468 1514/1514 380/570][TLSv1.2][Client: brahe.apptimize.com][JA3C: d8c87b9bfde38897979e41242626c2f3][ServerNames: *.apptimize.com,apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Organization Validation Secure Server CA][Subject: C=US, ST=CA, L=Mountain View, O=Apptimize, Inc, OU=PremiumSSL Wildcard, CN=*.apptimize.com][Certificate SHA-1: BC:4C:8F:EC:8B:7B:85:BD:54:61:8B:C0:7B:E7:A2:69:0B:F2:49:E5][Validity: 2016-02-11 00:00:00 - 2019-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 7,15,0,7,0,15,0,0,7,0,0,0,7,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,31,0,0]
4 TCP 192.168.0.17:33208 <-> 52.0.253.101:4244 [proto: 144/Viber][cat: VoIP/10][32 pkts/6563 bytes <-> 26 pkts/2782 bytes][Goodput ratio: 68/38][46.77 sec][bytes ratio: 0.405 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1220/1489 7187/7333 2090/2188][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 205/107 657/176 184/43][Plen Bins: 0,3,57,18,0,0,0,0,0,0,3,3,0,3,0,0,9,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 5 TCP 192.168.0.17:43702 <-> 172.217.23.78:443 [proto: 91.126/TLS.Google][cat: Web/5][15 pkts/5339 bytes <-> 12 pkts/3436 bytes][Goodput ratio: 81/77][33.94 sec][ALPN: http/1.1][bytes ratio: 0.217 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 2821/2646 23555/23575 6838/7399][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 356/286 1038/884 370/258][TLSv1.2][Client: app-measurement.com][JA3C: 3967ff2d2c9c4d144e7e30f24f4e9761][JA3S: 67619a80665d7ab92d1041b1d11f9164][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,7,0,0,0,7,0,0,0,0,0,0,40,0,0,0,7,0,0,0,0,0,0,7,0,15,7,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 5 TCP 192.168.0.17:43702 <-> 172.217.23.78:443 [proto: 91.126/TLS.Google][cat: Web/5][15 pkts/5339 bytes <-> 12 pkts/3436 bytes][Goodput ratio: 81/77][33.94 sec][ALPN: http/1.1][bytes ratio: 0.217 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 2821/2646 23555/23575 6838/7399][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 356/286 1038/884 370/258][TLSv1.2][Client: app-measurement.com][JA3C: 3967ff2d2c9c4d144e7e30f24f4e9761][JA3S: 67619a80665d7ab92d1041b1d11f9164][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (rXsucYement.com)][Plen Bins: 0,7,0,0,0,7,0,0,0,0,0,0,40,0,0,0,7,0,0,0,0,0,0,7,0,15,7,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
6 TCP 192.168.0.17:36986 <-> 54.69.166.226:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/1437 bytes <-> 11 pkts/6412 bytes][Goodput ratio: 49/89][1.01 sec][ALPN: http/1.1][bytes ratio: -0.634 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 104/51 273/178 102/80][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 131/583 432/1514 112/601][TLSv1.2][Client: mapi.apptimize.com][JA3C: d8c87b9bfde38897979e41242626c2f3][ServerNames: *.apptimize.com,apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Organization Validation Secure Server CA][Subject: C=US, ST=CA, L=Mountain View, O=Apptimize, Inc, OU=PremiumSSL Wildcard, CN=*.apptimize.com][Certificate SHA-1: BC:4C:8F:EC:8B:7B:85:BD:54:61:8B:C0:7B:E7:A2:69:0B:F2:49:E5][Validity: 2016-02-11 00:00:00 - 2019-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 18,0,0,9,0,9,0,0,9,0,0,9,0,0,0,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,27,0,0]
7 TCP 192.168.0.17:55746 <-> 151.101.1.130:443 [proto: 91/TLS][cat: Web/5][10 pkts/1534 bytes <-> 9 pkts/6239 bytes][Goodput ratio: 55/90][0.23 sec][ALPN: http/1.1][bytes ratio: -0.605 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 29/19 152/60 47/24][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 153/693 631/1514 169/616][TLSv1.2][Client: venetia.iad.appboy.com][JA3C: d8c87b9bfde38897979e41242626c2f3][Plen Bins: 0,0,11,0,0,11,0,0,11,0,11,0,0,0,0,0,0,11,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0]
8 TCP 192.168.0.17:36988 <-> 54.69.166.226:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/1462 bytes <-> 11 pkts/6163 bytes][Goodput ratio: 48/88][0.92 sec][ALPN: http/1.1][bytes ratio: -0.617 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 93/53 185/189 87/84][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 133/560 433/1514 111/605][TLSv1.2][Client: mapi.apptimize.com][JA3C: d8c87b9bfde38897979e41242626c2f3][Plen Bins: 18,0,0,9,0,9,0,0,18,0,0,9,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,27,0,0]
diff --git a/tests/result/webex.pcap.out b/tests/result/webex.pcap.out
index aed03611c..65c1a8662 100644
--- a/tests/result/webex.pcap.out
+++ b/tests/result/webex.pcap.out
@@ -11,7 +11,7 @@ JA3 Host Stats:
1 TCP 10.8.0.1:51155 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][256 pkts/14707 bytes <-> 257 pkts/329379 bytes][Goodput ratio: 6/96][62.34 sec][bytes ratio: -0.915 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 135/140 2165/2214 262/271][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 57/1282 528/29696 36/3292][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** TLS Certificate Mismatch **][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,1,2,0,63,3,1,1,2,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,4,0,0,0,15]
- 2 TCP 10.8.0.1:41348 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][28 pkts/4815 bytes <-> 28 pkts/104881 bytes][Goodput ratio: 68/99][2.76 sec][bytes ratio: -0.912 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 112/101 455/404 117/100][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 172/3746 590/18020 206/5749][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: radcom.webex.com][JA3C: f9010d8c34749bdf7659b52227e6f91b][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5][Plen Bins: 0,3,0,0,3,0,0,3,0,0,0,0,0,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0,0,45]
+ 2 TCP 10.8.0.1:41348 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][28 pkts/4815 bytes <-> 28 pkts/104881 bytes][Goodput ratio: 68/99][2.76 sec][bytes ratio: -0.912 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 112/101 455/404 117/100][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 172/3746 590/18020 206/5749][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: radcom.webex.com][JA3C: f9010d8c34749bdf7659b52227e6f91b][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5][PLAIN TEXT (MBkIFO.webex.com)][Plen Bins: 0,3,0,0,3,0,0,3,0,0,0,0,0,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0,0,45]
3 TCP 10.8.0.1:41346 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][48 pkts/11540 bytes <-> 47 pkts/80696 bytes][Goodput ratio: 77/97][5.52 sec][bytes ratio: -0.750 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 104/138 1189/1223 220/218][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 240/1717 590/17734 233/3849][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: radcom.webex.com][JA3C: f9010d8c34749bdf7659b52227e6f91b][ServerNames: *.webex.com][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_RC4_128_MD5][Plen Bins: 0,2,4,0,0,0,2,0,4,2,0,0,0,2,4,2,24,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,22,0,0,0,0,24]
4 TCP 10.8.0.1:41358 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][19 pkts/2005 bytes <-> 19 pkts/40477 bytes][Goodput ratio: 48/97][2.62 sec][bytes ratio: -0.906 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 144/154 1031/979 260/240][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 106/2130 590/8901 135/2682][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** TLS Certificate Mismatch **][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,16,0,0,5,0,0,0,0,0,5,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,34,0,0,0,0,34]
5 TCP 10.8.0.1:51194 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][12 pkts/1531 bytes <-> 12 pkts/34357 bytes][Goodput ratio: 56/98][3.76 sec][bytes ratio: -0.915 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/5 383/399 1876/1875 577/571][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 128/2863 528/14373 150/4304][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** TLS Certificate Mismatch **][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,18,0,0,9,9,0,0,0,0,9,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,45]
diff --git a/tests/result/whatsapp_login_call.pcap.out b/tests/result/whatsapp_login_call.pcap.out
index d072c1c8f..fa219dc45 100644
--- a/tests/result/whatsapp_login_call.pcap.out
+++ b/tests/result/whatsapp_login_call.pcap.out
@@ -17,7 +17,7 @@ JA3 Host Stats:
1 UDP 192.168.2.4:51518 <-> 91.253.176.65:9344 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][186 pkts/27025 bytes <-> 278 pkts/25895 bytes][Goodput ratio: 71/55][9.73 sec][bytes ratio: 0.021 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 40/33 198/347 51/47][Pkt Len c2s/s2c min/avg/max/stddev: 68/64 145/93 525/488 100/64][Risk: ** Known protocol on non standard port **][PLAIN TEXT (zTdFPOk)][Plen Bins: 24,37,19,5,0,1,1,0,3,3,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
2 UDP 192.168.2.4:52794 <-> 91.253.176.65:9665 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][141 pkts/17530 bytes <-> 57 pkts/12888 bytes][Goodput ratio: 66/81][7.74 sec][bytes ratio: 0.153 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 48/124 307/539 63/96][Pkt Len c2s/s2c min/avg/max/stddev: 65/68 124/226 484/552 75/128][Risk: ** Known protocol on non standard port **][Plen Bins: 9,34,26,10,4,1,2,3,1,1,1,2,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 3 TCP 192.168.2.4:49204 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][29 pkts/11770 bytes <-> 24 pkts/6612 bytes][Goodput ratio: 86/80][34.28 sec][bytes ratio: 0.281 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 122/108 1665/1391 340/319][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 406/276 1494/1002 489/348][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: p53-buy.itunes.apple.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5][Plen Bins: 4,8,4,0,0,0,0,4,0,0,16,0,0,0,8,8,0,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0]
+ 3 TCP 192.168.2.4:49204 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][29 pkts/11770 bytes <-> 24 pkts/6612 bytes][Goodput ratio: 86/80][34.28 sec][bytes ratio: 0.281 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 122/108 1665/1391 340/319][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 406/276 1494/1002 489/348][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: p53-buy.itunes.apple.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5][PLAIN TEXT (CeQijUunes.apple.com)][Plen Bins: 4,8,4,0,0,0,0,4,0,0,16,0,0,0,8,8,0,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0]
4 TCP 192.168.2.4:49201 <-> 17.178.104.12:443 [proto: 91.140/TLS.Apple][cat: Web/5][21 pkts/7644 bytes <-> 17 pkts/9576 bytes][Goodput ratio: 85/90][32.84 sec][bytes ratio: -0.112 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1909/37 30435/294 7133/82][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 364/563 1494/1494 553/634][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: query.ess.apple.com][JA3C: 799135475da362592a4be9199d258726][ServerNames: *.ess.apple.com][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Issuer: CN=Apple Server Authentication CA, OU=Certification Authority, O=Apple Inc., C=US][Subject: CN=*.ess.apple.com, OU=ISG Delivery Ops, O=Apple Inc., C=US][Certificate SHA-1: BD:E0:62:C3:F2:9D:09:5D:52:D4:AA:60:11:1B:36:1B:03:24:F1:9B][Validity: 2015-05-06 01:09:47 - 2016-06-04 01:09:47][Cipher: TLS_RSA_WITH_RC4_128_MD5][Plen Bins: 5,11,0,11,0,5,0,0,5,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,45,0,0]
5 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][17 pkts/6166 bytes <-> 15 pkts/3539 bytes][Goodput ratio: 85/77][0.94 sec][bytes ratio: 0.271 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 36/42 225/228 76/81][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 363/236 1494/1002 464/321][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: p53-buy.itunes.apple.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5][Plen Bins: 6,13,6,0,0,0,0,6,0,0,13,0,0,0,6,6,0,13,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0]
6 TCP 192.168.2.4:49193 <-> 17.110.229.14:5223 [proto: 238.140/ApplePush.Apple][cat: Cloud/13][11 pkts/4732 bytes <-> 11 pkts/1194 bytes][Goodput ratio: 85/39][125.45 sec][bytes ratio: 0.597 (Upload)][IAT c2s/s2c min/avg/max/stddev: 53/0 12860/12856 101116/101113 13163/13164][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430/109 1506/300 467/83][PLAIN TEXT (yfV.nY)][Plen Bins: 0,9,36,0,0,0,9,9,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]
diff --git a/tests/result/zoom.pcap.out b/tests/result/zoom.pcap.out
index f7f4c25f0..4741fd029 100644
--- a/tests/result/zoom.pcap.out
+++ b/tests/result/zoom.pcap.out
@@ -33,7 +33,7 @@ JA3 Host Stats:
15 UDP 192.168.1.117:60620 <-> 109.94.160.99:8801 [proto: 189/Zoom][cat: Video/26][4 pkts/408 bytes <-> 3 pkts/222 bytes][Goodput ratio: 59/41][1.24 sec][bytes ratio: 0.295 (Upload)][IAT c2s/s2c min/avg/max/stddev: 7/31 413/16 1209/31 563/16][Pkt Len c2s/s2c min/avg/max/stddev: 55/60 102/74 149/85 33/10][PLAIN TEXT (replace)][Plen Bins: 28,57,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
16 UDP 192.168.1.117:23903 <-> 162.255.37.14:3478 [proto: 78.189/STUN.Zoom][cat: Video/26][3 pkts/258 bytes <-> 3 pkts/222 bytes][Goodput ratio: 51/43][0.19 sec][bytes ratio: 0.075 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 10/9 10/9 10/9 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/74 86/74 86/74 0/0][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
17 UDP 192.168.1.117:23903 <-> 162.255.38.14:3478 [proto: 78.189/STUN.Zoom][cat: Video/26][3 pkts/258 bytes <-> 3 pkts/222 bytes][Goodput ratio: 51/43][0.18 sec][bytes ratio: 0.075 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 10/9 10/10 10/10 0/1][Pkt Len c2s/s2c min/avg/max/stddev: 86/74 86/74 86/74 0/0][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 18 UDP 192.168.1.117:23903 <-> 162.255.38.14:3479 [proto: 78.189/STUN.Zoom][cat: Video/26][3 pkts/258 bytes <-> 3 pkts/222 bytes][Goodput ratio: 51/43][0.18 sec][bytes ratio: 0.075 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 10/9 10/10 10/10 0/1][Pkt Len c2s/s2c min/avg/max/stddev: 86/74 86/74 86/74 0/0][Risk: ** Known protocol on non standard port **][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 18 UDP 192.168.1.117:23903 <-> 162.255.38.14:3479 [proto: 78.189/STUN.Zoom][cat: Video/26][3 pkts/258 bytes <-> 3 pkts/222 bytes][Goodput ratio: 51/43][0.18 sec][bytes ratio: 0.075 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 10/9 10/10 10/10 0/1][Pkt Len c2s/s2c min/avg/max/stddev: 86/74 86/74 86/74 0/0][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
19 UDP 192.168.1.117:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][cat: System/18][3 pkts/330 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][< 1 sec][Host: workgroup][PLAIN TEXT ( FHEPFCELEHFCEPFFFACACACACACACA)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
20 UDP 192.168.0.1:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][1 pkts/321 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][< 1 sec][Host: tl-sg116e][DHCP Fingerprint: 1,3][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
21 TCP 192.168.1.117:54341 -> 62.149.152.153:993 [proto: 51/IMAPS][cat: Email/3][2 pkts/226 bytes -> 0 pkts/0 bytes][Goodput ratio: 41/0][3.59 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
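Review bot: The new baseline for flow 18 (STUN.Zoom to 162.255.38.14:3479) no longer carries `[Risk: ** Known protocol on non standard port **]`, yet the commit description mentions only optimizations and removed protocols, so this change in risk output is undocumented. From this hunk alone it is not possible to tell whether 3479 is now accepted as a STUN port or whether the port check is simply no longer reached for this flow after the dissector changes. If it is the latter, the updated expected output would lock in a lost detection signal rather than catch it. Please confirm which case applies and say so in the commit description, for example with a line such as `STUN on port 3479 is no longer reported as non-standard port (intentional)`.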