authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2022-07-25 12:57:33 +0200
committerGitHub <noreply@github.com>2022-07-25 12:57:33 +0200
commitb190dab6bc23bcacf127f1f8d93df257f40bb898 (patch)
tree7fb68c7a554501f6e8d9a33fedb3ed35d6a8e5bd
parent86a3e4c8c331773156283d365aa6a9b103ca44ff (diff)
Improve handling of HTTP-Proxy and HTTP-Connect (#1673)
Treat HTTP-Proxy and HTTP-Connect flows like the HTTP ones: print/serialize all the attributes and allow parsing of replies. The line about "1kxun" has been removed to avoid regressions in 1KXUN classification in `tests/pcap/1kxun.pcap`. I haven't fully understood what was happening, but the comment at the beginning of `static ndpi_category_match category_match[]` says that we can't have overlaps between the `host_match` and `category_match` lists, and that is no longer true since 938e89ca. Bottom line: removing this line seems the right thing to do, anyway.
-rw-r--r--example/reader_util.c5
-rw-r--r--src/lib/ndpi_content_match.c.inc1
-rw-r--r--src/lib/ndpi_main.c2
-rw-r--r--src/lib/ndpi_utils.c2
-rw-r--r--src/lib/protocols/http.c39
-rw-r--r--tests/pcap/http-proxy.pcapngbin0 -> 2064 bytes
-rw-r--r--tests/result/KakaoTalk_talk.pcap.out4
-rw-r--r--tests/result/http-proxy.pcapng.out9
-rw-r--r--tests/result/http_connect.pcap.out4
-rw-r--r--tests/result/quickplay.pcap.out14
10 files changed, 55 insertions, 25 deletions
diff --git a/example/reader_util.c b/example/reader_util.c
index 2344937ad..dfeeb8672 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1140,8 +1140,9 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
"%s", flow->ndpi_flow->protos.kerberos.username);
}
/* HTTP */
- else if((flow->detected_protocol.master_protocol == NDPI_PROTOCOL_HTTP)
- || is_ndpi_proto(flow, NDPI_PROTOCOL_HTTP)) {
+ else if(is_ndpi_proto(flow, NDPI_PROTOCOL_HTTP)
+ || is_ndpi_proto(flow, NDPI_PROTOCOL_HTTP_PROXY)
+ || is_ndpi_proto(flow, NDPI_PROTOCOL_HTTP_CONNECT)) {
if(flow->ndpi_flow->http.url != NULL) {
ndpi_snprintf(flow->http.url, sizeof(flow->http.url), "%s", flow->ndpi_flow->http.url);
flow->http.response_status_code = flow->ndpi_flow->http.response_status_code;
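Review bot: The set HTTP / HTTP_PROXY / HTTP_CONNECT is spelled out by hand in this `else if` and again in `ndpi_extra_dissection_possible`, `ndpi_dpi2json`, `ndpi_int_http_add_connection` and `check_content_type_and_change_protocol`. The line this commit replaces in `ndpi_int_http_add_connection` shows how such lists drift: it named HTTP_CONNECT but not HTTP_PROXY. For the comparisons in http.c a single predicate would keep them in step, e.g. `static int is_http_family(u_int16_t p) { return p == NDPI_PROTOCOL_HTTP || p == NDPI_PROTOCOL_HTTP_CONNECT || p == NDPI_PROTOCOL_HTTP_PROXY; }`, and the `case` labels in the two switch statements could carry a comment pointing at it. The enclosing functions start and end outside these hunks.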
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index f8d5bcfe3..217192fcd 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -1747,7 +1747,6 @@ static ndpi_category_match category_match[] = {
{ "icq.com", NDPI_PROTOCOL_CATEGORY_CHAT },
{ "quickplay.com", NDPI_PROTOCOL_CATEGORY_STREAMING },
{ ".71.am", NDPI_PROTOCOL_CATEGORY_STREAMING },
- { ".1kxun.", NDPI_PROTOCOL_CATEGORY_STREAMING },
{ "tcad.wedolook.com", NDPI_PROTOCOL_CATEGORY_STREAMING },
{ ".rapidvideo.com", NDPI_PROTOCOL_CATEGORY_STREAMING },
{ ".playercdn.net", NDPI_PROTOCOL_CATEGORY_STREAMING },
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 0ef07454e..53f2dad3a 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -8114,6 +8114,8 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp
break;
case NDPI_PROTOCOL_HTTP:
+ case NDPI_PROTOCOL_HTTP_PROXY:
+ case NDPI_PROTOCOL_HTTP_CONNECT:
if((flow->host_server_name[0] == '\0') || (flow->http.response_status_code == 0))
return(1);
break;
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 6a58b5982..5471b911c 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1299,6 +1299,8 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
break;
case NDPI_PROTOCOL_HTTP:
+ case NDPI_PROTOCOL_HTTP_CONNECT:
+ case NDPI_PROTOCOL_HTTP_PROXY:
ndpi_serialize_start_of_block(serializer, "http");
if(flow->host_server_name[0] != '\0')
ndpi_serialize_string_string(serializer, "hostname", flow->host_server_name);
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index e8f15cb47..dd63c27a4 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -335,6 +335,8 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd
struct ndpi_flow_struct *flow,
u_int16_t http_protocol,
ndpi_protocol_category_t category) {
+ u_int16_t master_protocol;
+
#ifdef HTTP_DEBUG
printf("=> %s()\n", __FUNCTION__);
#endif
@@ -347,14 +349,22 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd
/* If no custom protocol has been detected */
if((flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN)
- || ((http_protocol != NDPI_PROTOCOL_HTTP) && (http_protocol != NDPI_PROTOCOL_HTTP_CONNECT))
+ || ((http_protocol != NDPI_PROTOCOL_HTTP) &&
+ (http_protocol != NDPI_PROTOCOL_HTTP_CONNECT) &&
+ (http_protocol != NDPI_PROTOCOL_HTTP_PROXY))
)
flow->guessed_host_protocol_id = http_protocol;
// ndpi_int_reset_protocol(flow);
+ master_protocol = NDPI_PROTOCOL_HTTP;
+ if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN)
+ master_protocol = flow->detected_protocol_stack[1];
+ else if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP_CONNECT ||
+ flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP_PROXY)
+ master_protocol = flow->detected_protocol_stack[0];
+
ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id,
- (flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) ?
- flow->detected_protocol_stack[1] : NDPI_PROTOCOL_HTTP,
+ master_protocol,
NDPI_CONFIDENCE_DPI);
/* This is necessary to inform the core to call this dissector again */
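Review bot: The precedence used to choose `master_protocol` is not documented and is easy to misread: an already-set `detected_protocol_stack[1]` wins, then an HTTP_CONNECT/HTTP_PROXY value found in `detected_protocol_stack[0]`, and only then plain HTTP. A comment above the assignment would help, e.g. `/* keep an already-set master; otherwise promote HTTP_CONNECT/HTTP_PROXY from stack[0]; default to HTTP */`. The second branch appears to exist because `ndpi_check_http_tcp` now records proxy/CONNECT with an unknown upper protocol, but that is inferred from the other hunks and worth stating explicitly. The function body starts and ends outside this hunk.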
@@ -366,8 +376,10 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd
switch(flow->detected_protocol_stack[1]) {
case NDPI_PROTOCOL_HTTP_CONNECT:
case NDPI_PROTOCOL_HTTP_PROXY:
- if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP)
- flow->detected_protocol_stack[0] = NDPI_PROTOCOL_UNKNOWN;
+ if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP) {
+ flow->detected_protocol_stack[0] = flow->detected_protocol_stack[1];
+ flow->detected_protocol_stack[1] = NDPI_PROTOCOL_UNKNOWN;
+ }
break;
}
}
@@ -402,7 +414,7 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp
if(double_col) double_col[0] = '\0';
if(ndpi_match_hostname_protocol(ndpi_struct, flow,
- flow->detected_protocol_stack[1],
+ flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN ? flow->detected_protocol_stack[1] : NDPI_PROTOCOL_HTTP,
flow->host_server_name,
strlen(flow->host_server_name)) == 0) {
if(flow->http.url &&
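Review bot: The master passed to `ndpi_match_hostname_protocol` falls back to `NDPI_PROTOCOL_HTTP` whenever `detected_protocol_stack[1]` is unknown, whereas `ndpi_int_http_add_connection` in this same commit also promotes HTTP_CONNECT/HTTP_PROXY from `detected_protocol_stack[0]` in that case. If a proxied flow reaches this call with only `stack[0]` set, the hostname match would be attributed to HTTP rather than to the proxy protocol, at least until a later call corrects it; the hunk does not show whether that path is reachable. Computing the master once in a small static helper shared by both call sites would remove the doubt and shorten this line, which is much longer than its neighbours. The function starts and ends outside the hunk.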
@@ -773,7 +785,8 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) {
if((flow->detected_protocol_stack[1] != NDPI_PROTOCOL_HTTP)
- && (flow->detected_protocol_stack[1] != NDPI_PROTOCOL_HTTP_CONNECT)) {
+ && (flow->detected_protocol_stack[1] != NDPI_PROTOCOL_HTTP_CONNECT)
+ && (flow->detected_protocol_stack[1] != NDPI_PROTOCOL_HTTP_PROXY)) {
NDPI_LOG_INFO(ndpi_struct, "found HTTP/%s\n",
ndpi_get_proto_name(ndpi_struct, flow->detected_protocol_stack[0]));
ndpi_int_http_add_connection(ndpi_struct, flow, flow->detected_protocol_stack[0], NDPI_PROTOCOL_CATEGORY_WEB);
@@ -1272,16 +1285,20 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
if((packet->http_url_name.len > 7)
&& (!strncasecmp((const char*) packet->http_url_name.ptr, "http://", 7))) {
NDPI_LOG_INFO(ndpi_struct, "found HTTP_PROXY\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_PROXY, flow->detected_protocol_stack[0], NDPI_CONFIDENCE_DPI);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_HTTP_PROXY, NDPI_CONFIDENCE_DPI);
check_content_type_and_change_protocol(ndpi_struct, flow);
+ flow->http_detected = 1;
+ flow->l4.tcp.http_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2
+ return;
}
if(filename_start == 8 && (strncasecmp((const char *)packet->payload, "CONNECT ", 8) == 0)) {
NDPI_LOG_INFO(ndpi_struct, "found HTTP_CONNECT\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_CONNECT,
- (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_HTTP) ? flow->detected_protocol_stack[0] : NDPI_PROTOCOL_UNKNOWN,
- NDPI_CONFIDENCE_DPI);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_HTTP_CONNECT, NDPI_CONFIDENCE_DPI);
check_content_type_and_change_protocol(ndpi_struct, flow);
+ flow->http_detected = 1;
+ flow->l4.tcp.http_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2
+ return;
}
NDPI_LOG_DBG2(ndpi_struct,
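Review bot: Every request whose target starts with `http://` is now given HTTP_PROXY as its protocol, and the expected outputs updated in this commit show the side effect: port-80 flows to `hkextshort.weixin.qq.com` change from `7.48/HTTP.QQ` to `131.48/HTTP_Proxy.QQ` and gain `Known Proto on Non Std Port` with risk score 50. An absolute-form request sent straight to the origin server is not necessarily proxy traffic, so consumers that alert on that risk will see new hits. That deserves a comment at this check and a mention in the changelog, e.g. `/* absolute URL in request line: classified as proxy even on port 80 */`. Separately, the three lines added after `check_content_type_and_change_protocol()` are identical in the PROXY and CONNECT branches and could be one static helper. The early `return` also skips whatever follows the `NDPI_LOG_DBG2` call, which lies outside the hunk.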
diff --git a/tests/pcap/http-proxy.pcapng b/tests/pcap/http-proxy.pcapng
new file mode 100644
index 000000000..9247a947a
--- /dev/null
+++ b/tests/pcap/http-proxy.pcapng
Binary files differ
diff --git a/tests/result/KakaoTalk_talk.pcap.out b/tests/result/KakaoTalk_talk.pcap.out
index 00c6824c1..c36f17420 100644
--- a/tests/result/KakaoTalk_talk.pcap.out
+++ b/tests/result/KakaoTalk_talk.pcap.out
@@ -1,6 +1,6 @@
Guessed flow protos: 10
-DPI Packets (TCP): 64 (4.27 pkts/flow)
+DPI Packets (TCP): 67 (4.47 pkts/flow)
DPI Packets (UDP): 6 (1.20 pkts/flow)
Confidence Match by port : 4 (flows)
Confidence Match by IP : 5 (flows)
@@ -30,7 +30,7 @@ JA3 Host Stats:
5 TCP 10.24.82.188:59954 <-> 173.252.88.128:443 [proto: 91.119/TLS.Facebook][Encrypted][Confidence: DPI][cat: SocialNetwork/6][15 pkts/2932 bytes <-> 14 pkts/1092 bytes][Goodput ratio: 71/27][1.96 sec][bytes ratio: 0.457 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 141/117 494/295 163/92][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 195/78 735/189 228/35][Risk: ** Obsolete TLS (v1.1 or older) **** Malicious JA3 Fingerp. **][Risk Score: 150][Risk Info: TLSv1 / dff8a0aa1c904aaea76c5bf624e88333][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 07dddc59e60135c7b479d39c3ae686af][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA][Plen Bins: 30,23,0,0,15,0,7,0,7,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
6 UDP 10.24.82.188:10269 <-> 1.201.1.174:23047 [proto: 194/KakaoTalk_Voice][ClearText][Confidence: DPI][cat: VoIP/10][12 pkts/1692 bytes <-> 10 pkts/1420 bytes][Goodput ratio: 69/69][45.10 sec][bytes ratio: 0.087 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1062/3176 4203/4247 4716/5160 1131/719][Pkt Len c2s/s2c min/avg/max/stddev: 122/142 141/142 150/142 6/0][Plen Bins: 0,0,4,95,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
7 UDP 10.24.82.188:11321 <-> 1.201.1.174:23045 [proto: 194/KakaoTalk_Voice][ClearText][Confidence: DPI][cat: VoIP/10][11 pkts/1542 bytes <-> 11 pkts/1542 bytes][Goodput ratio: 69/69][43.84 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1105/1052 4266/3766 4903/4991 1245/1144][Pkt Len c2s/s2c min/avg/max/stddev: 122/122 140/140 142/142 6/6][Plen Bins: 0,0,9,90,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 8 TCP 10.24.82.188:48489 <-> 203.205.147.215:80 [proto: 285.48/Tencent.QQ][ClearText][Confidence: DPI][cat: Chat/9][8 pkts/1117 bytes <-> 7 pkts/610 bytes][Goodput ratio: 54/34][3.79 sec][Hostname/SNI: hkminorshort.weixin.qq.com][bytes ratio: 0.294 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/51 406/439 2019/1166 732/515][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 140/87 665/262 199/71][User-Agent: MicroMessenger Client][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 8 TCP 10.24.82.188:48489 <-> 203.205.147.215:80 [proto: 131.48/HTTP_Proxy.QQ][ClearText][Confidence: DPI][cat: Download/7][8 pkts/1117 bytes <-> 7 pkts/610 bytes][Goodput ratio: 54/34][3.79 sec][Hostname/SNI: hkminorshort.weixin.qq.com][bytes ratio: 0.294 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/51 406/439 2019/1166 732/515][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 140/87 665/262 199/71][URL: http://hkminorshort.weixin.qq.com/cgi-bin/micromsg-bin/rtkvreport][StatusCode: 200][Req Content-Type: application/octet-stream][Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Risk: ** Binary App Transfer **** Known Proto on Non Std Port **][Risk Score: 300][Risk Info: Expected on port 8080,3128 / Found mime exe octet-stream][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
9 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][ClearText][Confidence: Match by port][cat: Web/5][6 pkts/543 bytes <-> 5 pkts/945 bytes][Goodput ratio: 25/64][24.77 sec][bytes ratio: -0.270 (Download)][IAT c2s/s2c min/avg/max/stddev: 77/47 4920/8061 17431/17434 6679/7163][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 90/189 130/504 24/164][Plen Bins: 16,51,0,16,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
10 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/TLS][Encrypted][Confidence: Match by port][cat: Web/5][3 pkts/1044 bytes <-> 2 pkts/154 bytes][Goodput ratio: 84/27][51.90 sec][Plen Bins: 0,33,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
11 TCP 10.24.82.188:58916 <-> 54.255.185.236:5222 [proto: 265/AmazonAWS][Encrypted][Confidence: Match by IP][cat: Cloud/13][2 pkts/225 bytes <-> 2 pkts/171 bytes][Goodput ratio: 39/20][0.46 sec][PLAIN TEXT (xiaomi.com)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/http-proxy.pcapng.out b/tests/result/http-proxy.pcapng.out
new file mode 100644
index 000000000..1db4df408
--- /dev/null
+++ b/tests/result/http-proxy.pcapng.out
@@ -0,0 +1,9 @@
+Guessed flow protos: 0
+
+DPI Packets (TCP): 6 (6.00 pkts/flow)
+Confidence DPI : 1 (flows)
+Num dissector calls: 15 (15.00 diss/flow)
+
+HTTP_Proxy 11 1652 1
+
+ 1 TCP 192.168.1.103:1241 <-> 192.168.1.146:8080 [proto: 131/HTTP_Proxy][ClearText][Confidence: DPI][cat: Web/5][6 pkts/654 bytes <-> 5 pkts/998 bytes][Goodput ratio: 45/72][5.24 sec][Hostname/SNI: http.com][bytes ratio: -0.208 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 1048/118 4958/234 1958/116][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 109/200 348/770 107/285][URL: http://http.com/][StatusCode: 200][Content-Type: text/html][User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0][PLAIN TEXT (GET http)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/http_connect.pcap.out b/tests/result/http_connect.pcap.out
index d4fb2debe..d02bfd5ed 100644
--- a/tests/result/http_connect.pcap.out
+++ b/tests/result/http_connect.pcap.out
@@ -1,6 +1,6 @@
Guessed flow protos: 0
-DPI Packets (TCP): 10 (5.00 pkts/flow)
+DPI Packets (TCP): 12 (6.00 pkts/flow)
DPI Packets (UDP): 2 (2.00 pkts/flow)
Confidence DPI : 3 (flows)
Num dissector calls: 31 (10.33 diss/flow)
@@ -15,5 +15,5 @@ JA3 Host Stats:
1 TCP 192.168.1.146:35968 <-> 151.101.2.132:443 [proto: 91/TLS][Encrypted][Confidence: DPI][cat: Web/5][28 pkts/3557 bytes <-> 30 pkts/32939 bytes][Goodput ratio: 48/94][0.11 sec][Hostname/SNI: apache.org][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.805 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5/4 53/54 11/11][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 127/1098 583/1450 129/576][TLSv1.3][JA3C: c834494f5948ae026d160656c93c8871][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 2,2,8,8,2,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0]
- 2 TCP 192.168.1.103:1714 <-> 192.168.1.146:8080 [proto: 130/HTTP_Connect][ClearText][Confidence: DPI][cat: Web/5][18 pkts/2918 bytes <-> 22 pkts/23923 bytes][Goodput ratio: 65/95][0.11 sec][Hostname/SNI: apache.org][bytes ratio: -0.783 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 6/5 50/53 13/12][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 162/1087 571/5590 128/1857][User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0][PLAIN TEXT (CONNECT apache.org)][Plen Bins: 4,4,20,15,4,4,4,0,0,4,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,20]
+ 2 TCP 192.168.1.103:1714 <-> 192.168.1.146:8080 [proto: 130/HTTP_Connect][ClearText][Confidence: DPI][cat: Web/5][18 pkts/2918 bytes <-> 22 pkts/23923 bytes][Goodput ratio: 65/95][0.11 sec][Hostname/SNI: apache.org][bytes ratio: -0.783 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 6/5 50/53 13/12][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 162/1087 571/5590 128/1857][URL: apache.org:443][StatusCode: 200][User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0][PLAIN TEXT (CONNECT apache.org)][Plen Bins: 4,4,20,15,4,4,4,0,0,4,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,20]
3 UDP 192.168.1.146:47767 <-> 192.168.1.2:53 [proto: 5/DNS][ClearText][Confidence: DPI][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 48/56][< 1 sec][Hostname/SNI: apache.org][151.101.2.132][PLAIN TEXT (apache)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/quickplay.pcap.out b/tests/result/quickplay.pcap.out
index 1b809c9a5..f499f0770 100644
--- a/tests/result/quickplay.pcap.out
+++ b/tests/result/quickplay.pcap.out
@@ -1,8 +1,8 @@
Guessed flow protos: 8
-DPI Packets (TCP): 75 (3.57 pkts/flow)
+DPI Packets (TCP): 78 (3.71 pkts/flow)
Confidence DPI : 21 (flows)
-Num dissector calls: 273 (13.00 diss/flow)
+Num dissector calls: 245 (11.67 diss/flow)
HTTP 133 96179 11
QQ 12 4781 5
@@ -21,11 +21,11 @@ Xiaomi 2 1469 1
9 TCP 10.54.169.250:52007 <-> 120.28.35.40:80 [proto: 7/HTTP][ClearText][Confidence: DPI][cat: Streaming/17][3 pkts/1583 bytes <-> 1 pkts/1152 bytes][Goodput ratio: 89/95][2.46 sec][Hostname/SNI: vod-singtelhawk.quickplay.com][URL: vod-singtelhawk.quickplay.com/seg/vol1/s/Warner/qpmezzhawkdigitalcontagion2054033featureenglish20ltrt23976fps7834192/2015-02-02/STV80R192/qpmezz-Hawk_Digital_CONTAGION_2054033_FEATURE_ENGLISH_2_0_LTRT_23976fps_7834192.m2t_STV80R192-index.m3u8?e=1428999699][StatusCode: 0][User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 3W Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36][PLAIN TEXT (GET /seg/vol1/s/Warner/qpmezz)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0]
10 TCP 10.54.169.250:44256 <-> 120.28.5.41:80 [proto: 7/HTTP][ClearText][Confidence: DPI][cat: Streaming/17][2 pkts/1086 bytes <-> 1 pkts/1225 bytes][Goodput ratio: 90/95][0.64 sec][Hostname/SNI: play-singtelhawk.quickplay.com][URL: play-singtelhawk.quickplay.com/vstb/playlist_5_6241_357.m3u8?action=145&appId=5006&carrierId=23&appVersion=1.0&contentId=6241&contentTypeId=3&deviceName=androidmobile&encodingId=357&drmId=4&drmVersion=1.5&delivery=5&prefLanguage=eng&webvtt=true&userid=091][StatusCode: 0][User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 3W Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36][PLAIN TEXT (GET /vstb/playlist)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0]
11 TCP 10.54.169.250:56381 <-> 54.179.140.65:80 [proto: 7.287/HTTP.Xiaomi][ClearText][Confidence: DPI][cat: Web/5][1 pkts/638 bytes <-> 1 pkts/831 bytes][Goodput ratio: 91/93][0.32 sec][Hostname/SNI: api.account.xiaomi.com][URL: api.account.xiaomi.com/pass/v2/safe/user/coreInfo?signature=u%2F73dEXBHbejev0ISNwnGyyfeTw%3D&userId=Mz5Xr5UXKuw83hxd6Yms2w%3D%3D][StatusCode: 200][Req Content-Type: application/x-www-form-urlencoded][User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI/V6.4.2.0.KXDMICB)][PLAIN TEXT (GET /pass/v)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 12 TCP 10.54.169.250:54883 <-> 203.205.151.160:80 [proto: 7.48/HTTP.QQ][ClearText][Confidence: DPI][cat: Chat/9][2 pkts/1192 bytes <-> 1 pkts/145 bytes][Goodput ratio: 91/61][2.08 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/mmsnssync][StatusCode: 0][Req Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][PLAIN TEXT (POST http)][Plen Bins: 0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 13 TCP 10.54.169.250:54885 <-> 203.205.151.160:80 [proto: 7.48/HTTP.QQ][ClearText][Confidence: DPI][cat: Chat/9][1 pkts/461 bytes <-> 2 pkts/522 bytes][Goodput ratio: 88/78][2.81 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/getcontactlabellist][StatusCode: 200][Req Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,66,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 14 TCP 10.54.169.250:35670 <-> 203.205.147.215:80 [proto: 285.48/Tencent.QQ][ClearText][Confidence: DPI][cat: Chat/9][1 pkts/681 bytes <-> 1 pkts/262 bytes][Goodput ratio: 92/78][0.14 sec][Hostname/SNI: hkminorshort.weixin.qq.com][User-Agent: MicroMessenger Client][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 15 TCP 10.54.169.250:42762 <-> 203.205.129.101:80 [proto: 285.48/Tencent.QQ][ClearText][Confidence: DPI][cat: Chat/9][1 pkts/616 bytes <-> 1 pkts/261 bytes][Goodput ratio: 91/78][0.37 sec][Hostname/SNI: hkextshort.weixin.qq.com][User-Agent: MicroMessenger Client][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 16 TCP 10.54.169.250:42761 <-> 203.205.129.101:80 [proto: 285.48/Tencent.QQ][ClearText][Confidence: DPI][cat: Chat/9][1 pkts/380 bytes <-> 1 pkts/261 bytes][Goodput ratio: 85/78][0.34 sec][Hostname/SNI: hkextshort.weixin.qq.com][User-Agent: MicroMessenger Client][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 12 TCP 10.54.169.250:54883 <-> 203.205.151.160:80 [proto: 131.48/HTTP_Proxy.QQ][ClearText][Confidence: DPI][cat: Chat/9][2 pkts/1192 bytes <-> 1 pkts/145 bytes][Goodput ratio: 91/61][2.08 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/mmsnssync][StatusCode: 0][Req Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 8080,3128][PLAIN TEXT (POST http)][Plen Bins: 0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 13 TCP 10.54.169.250:54885 <-> 203.205.151.160:80 [proto: 131.48/HTTP_Proxy.QQ][ClearText][Confidence: DPI][cat: Chat/9][1 pkts/461 bytes <-> 2 pkts/522 bytes][Goodput ratio: 88/78][2.81 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/getcontactlabellist][StatusCode: 200][Req Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 8080,3128][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,66,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 14 TCP 10.54.169.250:35670 <-> 203.205.147.215:80 [proto: 131.48/HTTP_Proxy.QQ][ClearText][Confidence: DPI][cat: Chat/9][1 pkts/681 bytes <-> 1 pkts/262 bytes][Goodput ratio: 92/78][0.14 sec][Hostname/SNI: hkminorshort.weixin.qq.com][URL: http://hkminorshort.weixin.qq.com/cgi-bin/micromsg-bin/rtkvreport][StatusCode: 200][Req Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 8080,3128][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 15 TCP 10.54.169.250:42762 <-> 203.205.129.101:80 [proto: 131.48/HTTP_Proxy.QQ][ClearText][Confidence: DPI][cat: Chat/9][1 pkts/616 bytes <-> 1 pkts/261 bytes][Goodput ratio: 91/78][0.37 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/androidgcmreg][StatusCode: 200][Req Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 8080,3128][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 16 TCP 10.54.169.250:42761 <-> 203.205.129.101:80 [proto: 131.48/HTTP_Proxy.QQ][ClearText][Confidence: DPI][cat: Chat/9][1 pkts/380 bytes <-> 1 pkts/261 bytes][Goodput ratio: 85/78][0.34 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/mmbatchemojidownload][StatusCode: 200][Req Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 8080,3128][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
17 TCP 10.54.169.250:52285 <-> 173.252.74.22:80 [proto: 7.119/HTTP.Facebook][ClearText][Confidence: DPI][cat: SocialNetwork/6][1 pkts/243 bytes <-> 1 pkts/339 bytes][Goodput ratio: 77/83][0.46 sec][Hostname/SNI: www.facebook.com][URL: www.facebook.com/mobile/status.php][StatusCode: 204][User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI/V6.4.2.0.KXDMICB)][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)][Plen Bins: 0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
18 TCP 10.54.169.250:52288 <-> 173.252.74.22:80 [proto: 7.119/HTTP.Facebook][ClearText][Confidence: DPI][cat: SocialNetwork/6][1 pkts/243 bytes <-> 1 pkts/339 bytes][Goodput ratio: 77/83][0.46 sec][Hostname/SNI: www.facebook.com][URL: www.facebook.com/mobile/status.php][StatusCode: 204][User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI/V6.4.2.0.KXDMICB)][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)][Plen Bins: 0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
19 TCP 10.54.169.250:44793 <-> 31.13.68.49:80 [proto: 7.119/HTTP.Facebook][ClearText][Confidence: DPI][cat: SocialNetwork/6][1 pkts/237 bytes <-> 1 pkts/339 bytes][Goodput ratio: 76/83][0.34 sec][Hostname/SNI: www.facebook.com][URL: www.facebook.com/mobile/status.php][StatusCode: 204][User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; GT-I9505 Build/KOT49H)][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)][Plen Bins: 0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]