diff options
| author | Luca Deri <deri@ntop.org> | 2017-05-01 21:21:03 +0200 |
|---|---|---|
| committer | Luca Deri <deri@ntop.org> | 2017-05-01 21:21:03 +0200 |
| commit | aa6167bb421f5a2daed8c3665e4092cdc22bd304 (patch) | |
| tree | 2bc39b32fd929b55e852f5c607e7efd693ee1524 | |
| parent | 205b82f6ba0018f2b7620a0558bfd78723fc2a2d (diff) | |
| parent | a03a343723889c49c33c1011aac13ef61c36f7b7 (diff) | |
Merge branch 'dev' of https://github.com/ntop/nDPI into dev
64 files changed, 3007 insertions, 869 deletions
diff --git a/configure.ac b/configure.ac index 239187360..c970cbe5b 100644 --- a/configure.ac +++ b/configure.ac @@ -82,15 +82,6 @@ AS_IF([test "x$enable_json_c" != "xno"], [ []) ]) -OLD_LIBS=$LIBS -LIBS="-L/opt/napatech3/lib $LIBS" -AC_CHECK_LIB([ntapi], - [NT_Init], - [PCAP_LIB="$PCAP_LIB -L/opt/napatech3/lib -lntapi"], - [], [] ) -LIBS=$OLD_LIBS - - AC_CHECK_LIB(pthread, pthread_setaffinity_np, AC_DEFINE_UNQUOTED(HAVE_PTHREAD_SETAFFINITY_NP, 1, [libc has pthread_setaffinity_np])) AC_CONFIG_FILES([Makefile src/lib/Makefile example/Makefile tests/Makefile libndpi.pc]) diff --git a/example/ndpiReader.c b/example/ndpiReader.c index dda137df9..ac3d75e77 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -24,11 +24,11 @@ #endif #include <stdio.h> #include <stdlib.h> +#include <getopt.h> #ifdef WIN32 #include <winsock2.h> /* winsock.h is included automatically */ #include <process.h> #include <io.h> -#include <getopt.h> #define getopt getopt____ #else #include <unistd.h> @@ -44,6 +44,7 @@ #include <assert.h> #include "../config.h" #include "ndpi_api.h" +#include "uthash.h" #ifdef HAVE_JSON_C #include <json.h> @@ -68,10 +69,12 @@ static u_int8_t live_capture = 0; static u_int8_t undetected_flows_deleted = 0; /** User preferences **/ static u_int8_t enable_protocol_guess = 1, verbose = 0, nDPI_traceLevel = 0, json_flag = 0; +static u_int32_t pcap_analysis_duration = (u_int32_t)-1; static u_int16_t decode_tunnels = 0; static u_int16_t num_loops = 1; static u_int8_t shutdown_app = 0, quiet_mode = 0; static u_int8_t num_threads = 1; +static struct timeval begin, end; #ifdef linux static int core_affinity[MAX_NUM_READER_THREADS]; #endif @@ -81,6 +84,40 @@ static time_t capture_for = 0; static time_t capture_until = 0; static u_int32_t num_flows; +struct info_pair{ + u_int32_t addr; + int count; +}; + +typedef struct node_a{ + u_int32_t addr; + int count; + struct node_a *left, *right; +}addr_node; + +struct port_stats { + u_int32_t port; /* we'll use this field as the key */ + u_int32_t num_pkts, num_bytes; + u_int32_t num_addr; /*to hold number of distinct IP addresses */ + u_int32_t cumulative_addr; /*to hold cumulative some of IP addresses */ + addr_node *addr_tree; /* to hold distinct IP addresses */ + struct info_pair top_ip_addrs[MAX_NUM_IP_ADDRESS]; + UT_hash_handle hh; /* makes this structure hashable */ +}; + +struct port_stats *srcStats = NULL, *dstStats = NULL; + +struct ndpi_packet_trailer { + u_int32_t magic; /* 0x19682017 */ + u_int16_t master_protocol /* e.g. HTTP */, app_protocol /* e.g. FaceBook */; + char name[16]; +}; + +static pcap_dumper_t *extcap_dumper = NULL; +static char extcap_buf[16384]; +static char *extcap_capture_fifo = NULL; +static u_int16_t extcap_packet_filter = (u_int16_t)-1; + // struct associated to a workflow for a thread struct reader_thread { struct ndpi_workflow * workflow; @@ -104,9 +141,19 @@ typedef struct ndpi_id { u_int32_t current_ndpi_memory = 0, max_ndpi_memory = 0; +void test_lib(); /* Forward */ + +/* ********************************** */ + +#ifdef DEBUG_TRACE +FILE *trace = NULL; +#endif + /********************** FUNCTIONS ********************* */ + + /** * @brief Set main components necessary to the detection */ @@ -119,13 +166,14 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle); static void help(u_int long_help) { printf("Welcome to nDPI %s\n\n", ndpi_revision()); - printf("ndpiReader -i <file|device> [-f <filter>][-s <duration>]\n" + printf("ndpiReader -i <file|device> [-f <filter>][-s <duration>][-m <duration>]\n" " [-p <protos>][-l <loops> [-q][-d][-h][-t][-v <level>]\n" " [-n <threads>] [-w <file>] [-j <file>]\n\n" "Usage:\n" " -i <file.pcap|device> | Specify a pcap file/playlist to read packets from or a device for live capture (comma-separated list)\n" " -f <BPF filter> | Specify a BPF filter for filtering selected traffic\n" " -s <duration> | Maximum capture duration in seconds (live traffic capture only)\n" + " -m <duration> | Split analysis duration in <duration> max seconds\n" " -p <file>.protos | Specify a protocol file (eg. protos.txt)\n" " -l <num loops> | Number of detection loops (test only)\n" " -n <num threads> | Number of threads. Default: number of interfaces in -i. Ignored with pcap files.\n" @@ -140,7 +188,21 @@ static void help(u_int long_help) { " -w <path> | Write test output on the specified file. This is useful for\n" " | testing purposes in order to compare results across runs\n" " -h | This help\n" - " -v <1|2> | Verbose 'unknown protocol' packet print. 1=verbose, 2=very verbose\n"); + " -v <1|2|3> | Verbose 'unknown protocol' packet print. 1=verbose, 2=very verbose, 3=port stats\n"); + + #ifndef WIN32 + printf("\nExcap (wireshark) options:\n" + " --extcap-interfaces\n" + " --extcap-version\n" + " --extcap-dlts\n" + " --extcap-interface <name>\n" + " --extcap-config\n" + " --capture\n" + " --extcap-capture-filter\n" + " --fifo <path to file or pipe>\n" + " --debug\n" + ); + #endif if(long_help) { printf("\n\nSupported protocols:\n"); @@ -152,28 +214,175 @@ static void help(u_int long_help) { } +static struct option longopts[] = { + /* mandatory extcap options */ + { "extcap-interfaces", no_argument, NULL, '0'}, + { "extcap-version", optional_argument, NULL, '1'}, + { "extcap-dlts", no_argument, NULL, '2'}, + { "extcap-interface", required_argument, NULL, '3'}, + { "extcap-config", no_argument, NULL, '4'}, + { "capture", no_argument, NULL, '5'}, + { "extcap-capture-filter", required_argument, NULL, '6'}, + { "fifo", required_argument, NULL, '7'}, + { "debug", optional_argument, NULL, '8'}, + { "ndpi-proto-filter", required_argument, NULL, '9'}, + + /* ndpiReader options */ + { "enable-protocol-guess", no_argument, NULL, 'd'}, + { "interface", required_argument, NULL, 'i'}, + { "filter", required_argument, NULL, 'f'}, + { "cpu-bind", required_argument, NULL, 'g'}, + { "loops", required_argument, NULL, 'l'}, + { "num-threads", required_argument, NULL, 'n'}, + + { "protos", required_argument, NULL, 'p'}, + { "capture-duration", required_argument, NULL, 's'}, + { "decode-tunnels", no_argument, NULL, 't'}, + { "revision", no_argument, NULL, 'r'}, + { "verbose", no_argument, NULL, 'v'}, + { "version", no_argument, NULL, 'V'}, + { "help", no_argument, NULL, 'h'}, + { "json", required_argument, NULL, 'j'}, + { "result-path", required_argument, NULL, 'w'}, + { "quiet", no_argument, NULL, 'q'}, + + {0, 0, 0, 0} +}; + +/* ********************************** */ + +void extcap_interfaces() { + printf("extcap {version=%s}\n", ndpi_revision()); + printf("interface {value=ndpi}{display=nDPI interface}\n"); + exit(0); +} + +/* ********************************** */ + +void extcap_dlts() { + u_int dlts_number = DLT_EN10MB; + printf("dlt {number=%u}{name=%s}{display=%s}\n", dlts_number, "ndpi", "nDPI Interface"); + exit(0); +} + +/* ********************************** */ + +struct ndpi_proto_sorter { + int id; + char name[16]; +}; + +int cmpProto(const void *_a, const void *_b) { + struct ndpi_proto_sorter *a = (struct ndpi_proto_sorter*)_a; + struct ndpi_proto_sorter *b = (struct ndpi_proto_sorter*)_b; + + return(strcmp(a->name, b->name)); +} + +void extcap_config() { + int i, argidx = 0; + struct ndpi_detection_module_struct *ndpi_mod; + struct ndpi_proto_sorter *protos; + + /* -i <interface> */ + printf("arg {number=%u}{call=-i}{display=Capture Interface or Pcap File Path}{type=string}" + "{tooltip=The interface name}\n", argidx++); + +#if 0 + printf("arg {number=%u}{call=-i}{display=Pcap File to Analize}{type=fileselect}" + "{tooltip=The pcap file to analyze (if the interface is unspecified)}\n", argidx++); +#endif + + setupDetection(0, NULL); + ndpi_mod = ndpi_thread_info[0].workflow->ndpi_struct; + + protos = (struct ndpi_proto_sorter*)malloc(sizeof(struct ndpi_proto_sorter)*ndpi_mod->ndpi_num_supported_protocols); + if(!protos) exit(0); + + for(i=0; i<(int)ndpi_mod->ndpi_num_supported_protocols; i++) { + protos[i].id = i; + snprintf(protos[i].name, sizeof(protos[i].name), "%s", ndpi_mod->proto_defaults[i].protoName); + } + + qsort(protos, ndpi_mod->ndpi_num_supported_protocols, sizeof(struct ndpi_proto_sorter), cmpProto); + + printf("arg {number=%u}{call=-9}{display=nDPI Protocol Filter}{type=selector}" + "{tooltip=nDPI Protocol to be filtered}\n", argidx); + + printf("value {arg=%d}{value=%d}{display=%s}\n", argidx, -1, "All Protocols (no nDPI filtering)"); + + for(i=0; i<(int)ndpi_mod->ndpi_num_supported_protocols; i++) + printf("value {arg=%d}{value=%d}{display=%s (%u)}\n", argidx, protos[i].id, + protos[i].name, protos[i].id); + + free(protos); + + exit(0); +} + +/* ********************************** */ + +void extcap_capture() { +#ifdef DEBUG_TRACE + if(trace) fprintf(trace, " #### %s #### \n", __FUNCTION__); +#endif + + if((extcap_dumper = pcap_dump_open(pcap_open_dead(DLT_EN10MB, 16384 /* MTU */), + extcap_capture_fifo)) == NULL) { + fprintf(stderr, "Unable to open the pcap dumper on %s", extcap_capture_fifo); + +#ifdef DEBUG_TRACE + if(trace) fprintf(trace, "Unable to open the pcap dumper on %s\n", + extcap_capture_fifo); +#endif + return; + } + +#ifdef DEBUG_TRACE + if(trace) fprintf(trace, "Starting packet capture [%p]\n", extcap_dumper); +#endif +} + +/* ********************************** */ + /** * @brief Option parser */ static void parseOptions(int argc, char **argv) { - + int option_idx = 0, do_capture = 0; char *__pcap_file = NULL, *bind_mask = NULL; int thread_id, opt; #ifdef linux u_int num_cores = sysconf(_SC_NPROCESSORS_ONLN); #endif - while ((opt = getopt(argc, argv, "df:g:i:hp:l:s:tv:V:n:j:rp:w:q")) != EOF) { +#ifdef DEBUG_TRACE + trace = fopen("/tmp/ndpiReader.log", "a"); + + if(trace) fprintf(trace, " #### %s #### \n", __FUNCTION__); +#endif + + while ((opt = getopt_long(argc, argv, "df:g:i:hp:l:s:tv:V:n:j:rp:w:q0123:456:7:89:m:", longopts, &option_idx)) != EOF) { +#ifdef DEBUG_TRACE + if(trace) fprintf(trace, " #### -%c [%s] #### \n", opt, optarg ? optarg : ""); +#endif + switch (opt) { case 'd': enable_protocol_guess = 0; break; case 'i': + case '3': _pcap_file[0] = optarg; break; + case 'm': + pcap_analysis_duration = atol(optarg); + break; + case 'f': + case '6': _bpf_filter = optarg; break; @@ -240,12 +449,47 @@ static void parseOptions(int argc, char **argv) { quiet_mode = 1; break; + /* Extcap */ + case '0': + extcap_interfaces(); + break; + + case '1': + printf("extcap {version=%s}\n", ndpi_revision()); + break; + + case '2': + extcap_dlts(); + break; + + case '4': + extcap_config(); + break; + + case '5': + do_capture = 1; + break; + + case '7': + extcap_capture_fifo = strdup(optarg); + break; + + case '8': + nDPI_traceLevel = 9; + break; + + case '9': + extcap_packet_filter = atoi(optarg); + break; + default: help(0); break; } } + if(do_capture) extcap_capture(); + // check parameters if(_pcap_file[0] == NULL || strcmp(_pcap_file[0], "") == 0) { help(0); @@ -277,6 +521,10 @@ static void parseOptions(int argc, char **argv) { } } #endif + +#ifdef DEBUG_TRACE + if(trace) fclose(trace); +#endif } @@ -355,22 +603,31 @@ static void printFlow(u_int16_t thread_id, struct ndpi_flow_info *flow) { #endif FILE *out = results_file ? results_file : stdout; + if((verbose != 1) && (verbose != 2)) + return; + if(!json_flag) { fprintf(out, "\t%u", ++num_flows); - fprintf(out, "\t%s %s%s%s:%u <-> %s%s%s:%u ", - ipProto2Name(flow->protocol), - (flow->ip_version == 6) ? "[" : "", - flow->lower_name, - (flow->ip_version == 6) ? "]" : "", - ntohs(flow->lower_port), - (flow->ip_version == 6) ? "[" : "", - flow->upper_name, - (flow->ip_version == 6) ? "]" : "", - ntohs(flow->upper_port)); + fprintf(out, "\t%s ", ipProto2Name(flow->protocol)); + + if(flow->src_to_dst_direction == 1) + fprintf(out, "%s%s%s:%u <-> %s%s%s:%u ", + (flow->ip_version == 6) ? "[" : "", + flow->lower_name, (flow->ip_version == 6) ? "]" : "", ntohs(flow->lower_port), + (flow->ip_version == 6) ? "[" : "", + flow->upper_name, (flow->ip_version == 6) ? "]" : "", ntohs(flow->upper_port) + ); + else + fprintf(out, "%s%s%s:%u <-> %s%s%s:%u ", + (flow->ip_version == 6) ? "[" : "", + flow->upper_name, (flow->ip_version == 6) ? "]" : "", ntohs(flow->upper_port), + (flow->ip_version == 6) ? "[" : "", + flow->lower_name, (flow->ip_version == 6) ? "]" : "", ntohs(flow->lower_port) + ); if(flow->vlan_id > 0) fprintf(out, "[VLAN: %u]", flow->vlan_id); - + if(flow->detected_protocol.master_protocol) { char buf[64]; @@ -388,7 +645,7 @@ static void printFlow(u_int16_t thread_id, struct ndpi_flow_info *flow) { if(flow->host_server_name[0] != '\0') fprintf(out, "[Host: %s]", flow->host_server_name); if(flow->info[0] != '\0') fprintf(out, "[%s]", flow->info); - + if(flow->ssh_ssl.client_info[0] != '\0') fprintf(out, "[client: %s]", flow->ssh_ssl.client_info); if(flow->ssh_ssl.server_info[0] != '\0') fprintf(out, "[server: %s]", flow->ssh_ssl.server_info); if(flow->bittorent_hash[0] != '\0') fprintf(out, "[BT Hash: %s]", flow->bittorent_hash); @@ -502,7 +759,6 @@ static u_int16_t node_guess_undetected_protocol(u_int16_t thread_id, struct ndpi * @brief Proto Guess Walker */ static void node_proto_guess_walker(const void *node, ndpi_VISIT which, int depth, void *user_data) { - struct ndpi_flow_info *flow = *(struct ndpi_flow_info **) node; u_int16_t thread_id = *((u_int16_t *) user_data); @@ -524,6 +780,175 @@ static void node_proto_guess_walker(const void *node, ndpi_VISIT which, int dept } } +/* *********************************************** */ + +int updateIpTree(const u_int32_t key, addr_node **vrootp) { + addr_node *q; + addr_node **rootp = vrootp; + + if(rootp == (addr_node **)0) + return 0; + + while (*rootp != (addr_node *)0) { /* Knuth's T1: */ + if(key == ((*rootp)->addr)) { /* T2: */ + return ++((*rootp)->count); + } + + rootp = (key < ((*rootp)->addr)) ? + &(*rootp)->left : /* T3: follow left branch */ + &(*rootp)->right; /* T4: follow right branch */ + } + + q = (addr_node *) malloc(sizeof(addr_node)); /* T5: key not found */ + if(q != (addr_node *)0) { /* make new node */ + *rootp = q; /* link new node to old */ + q->addr = key; /* initialize new node */ + q->count = UPDATED_TREE; + q->left = q->right = (addr_node *)0; + return q->count; + } + + return(0); +} + +/* *********************************************** */ + +void freeIpTree(addr_node *root) { + while (root != NULL) { + addr_node *left = root->left; + + if(left == NULL) { + addr_node *right = root->right; + root->right = NULL; + root = right; + } else { + /* Rotate the left child up.*/ + root->left = left->right; + left->right = root; + root = left; + } + } +} + +/* *********************************************** */ + +void updateTopIpAddress(u_int32_t addr, int count, struct info_pair top[], int size){ + int update = 0; + int i; + int min_i = 0; + int min = count; + + if(count == 0) return; + + struct info_pair pair; + pair.addr = addr, pair.count = count; + + /* if the same ip with a bigger + count just update it */ + for(i=0; i<size; i++) { + if(top[i].addr == addr) { + top[i].count = count; + return; + } + } + + /* if array is not full yet + add it to the first empty place */ + for(i=0; i<size; i++) { + if(top[i].addr != addr && top[i].count == 0) { + top[i] = pair; + return; + } + } + + /* if bigger than the smallest one, replace it */ + for(i=0; i<size; i++) { + if(top[i].count < count && top[i].count < min){ + min = top[i].count; + min_i = i; + update = 1; + } + } + + if(update) + top[min_i] = pair; +} + +/* *********************************************** */ +static void updatePortStats(struct port_stats **stats, u_int32_t port, u_int32_t addr, u_int32_t num_pkts, u_int32_t num_bytes) { + struct port_stats *s; + char ipname[48]; + int count; + + HASH_FIND_INT(*stats, &port, s); + if(s == NULL) { + s = (struct port_stats*)malloc(sizeof(struct port_stats)); + if(!s) return; + + s->port = port, s->num_pkts = 0, s->num_bytes = 0; + s->num_addr = 1, s->cumulative_addr = 1; + + memset(s->top_ip_addrs, 0, MAX_NUM_IP_ADDRESS*sizeof(struct info_pair)); + updateTopIpAddress(addr, 1, s->top_ip_addrs, MAX_NUM_IP_ADDRESS); + + s->addr_tree = (addr_node *) malloc(sizeof(addr_node)); + if(!s->addr_tree) return; + + s->addr_tree->addr = addr; + s->addr_tree->count = 1; + s->addr_tree->left = NULL; + s->addr_tree->right = NULL; + + HASH_ADD_INT(*stats, port, s); + } + + count = updateIpTree(addr, &(*s).addr_tree); + if(count == UPDATED_TREE) s->num_addr++; + + if(count) { + s->cumulative_addr++; + updateTopIpAddress(addr, count, s->top_ip_addrs, MAX_NUM_IP_ADDRESS); + } + + s->num_pkts += num_pkts, s->num_bytes += num_bytes; +} + +/* *********************************************** */ + +static void deletePortsStats(struct port_stats *stats) { + struct port_stats *current_port, *tmp; + + HASH_ITER(hh, stats, current_port, tmp) { + HASH_DEL(stats, current_port); + freeIpTree(current_port->addr_tree); + free(current_port->addr_tree); + free(current_port); + } +} + +/* *********************************************** */ + +/** + * @brief Ports stats + */ +static void port_stats_walker(const void *node, ndpi_VISIT which, int depth, void *user_data) { + struct ndpi_flow_info *flow = *(struct ndpi_flow_info **) node; + u_int16_t sport, dport; + u_int32_t saddr, daddr; + + if(flow->src_to_dst_direction == 1) { + sport = ntohs(flow->lower_port), dport = ntohs(flow->upper_port); + saddr = flow->lower_ip, daddr = flow->upper_ip; + } + else { + sport = ntohs(flow->upper_port), dport = ntohs(flow->lower_port); + saddr = flow->upper_ip, daddr = flow->lower_ip; + } + updatePortStats(&srcStats, sport, saddr, flow->packets, flow->bytes); + updatePortStats(&dstStats, dport, daddr, flow->packets, flow->bytes); +} + +/* *********************************************** */ /** * @brief Idle Scan Walker @@ -659,7 +1084,6 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) { * @brief End of detection and free flow */ static void terminateDetection(u_int16_t thread_id) { - ndpi_workflow_free(ndpi_thread_info[thread_id].workflow); } @@ -728,12 +1152,12 @@ static void json_init() { } #endif +/* *********************************************** */ /** * @brief Bytes stats format */ char* formatBytes(u_int32_t howMuch, char *buf, u_int buf_len) { - char unit = 'B'; if(howMuch < 1024) { @@ -755,12 +1179,60 @@ char* formatBytes(u_int32_t howMuch, char *buf, u_int buf_len) { return(buf); } +/* *********************************************** */ + +static int port_stats_sort(void *_a, void *_b) { + struct port_stats *a = (struct port_stats*)_a; + struct port_stats *b = (struct port_stats*)_b; + + return(b->num_pkts - a->num_pkts); +} + +/* *********************************************** */ + +static int info_pair_cmp (const void *_a, const void *_b) +{ + struct info_pair *a = (struct info_pair *)_a; + struct info_pair *b = (struct info_pair *)_b; + return b->count - a->count; +} + +/* *********************************************** */ + +void printPortStats(struct port_stats *stats) { + struct port_stats *s, *tmp; + char ip_name[48]; + int i = 0, j = 0, first = 1; + + HASH_ITER(hh, stats, s, tmp) { + i++; + printf("\t%2d\tPort %5u\t[%u IP address(es)/%u pkts/%u bytes]\n\t\tTop IP Stats:\n", + i, s->port, s->num_addr, s->num_pkts, s->num_bytes); + + qsort(&s->top_ip_addrs[0], MAX_NUM_IP_ADDRESS, sizeof(struct info_pair), info_pair_cmp); + + for(j=0; j<MAX_NUM_IP_ADDRESS; j++) { + if(s->top_ip_addrs[j].count != 0) { + inet_ntop(AF_INET, &s->top_ip_addrs[j].addr, ip_name, sizeof(ip_name)); + printf("\t\t%-16s ~ %.2f%%\n", + ip_name, ((s->top_ip_addrs[j].count) * 100.0) / s->cumulative_addr); + first = 0; + } + } + + printf("\n"); + first = 1; + + if(i >= 10) break; + } +} + +/* *********************************************** */ /** * @brief Print result */ static void printResults(u_int64_t tot_usec) { - u_int32_t i; u_int64_t total_flow_bytes = 0; u_int32_t avg_pkt_size = 0; @@ -780,8 +1252,15 @@ static void printResults(u_int64_t tot_usec) { && (ndpi_thread_info[thread_id].workflow->stats.raw_packet_count == 0)) continue; - for(i=0; i<NUM_ROOTS; i++) + for(i=0; i<NUM_ROOTS; i++) { ndpi_twalk(ndpi_thread_info[thread_id].workflow->ndpi_flows_root[i], node_proto_guess_walker, &thread_id); + if(verbose == 3) ndpi_twalk(ndpi_thread_info[thread_id].workflow->ndpi_flows_root[i], port_stats_walker, &thread_id); + } + + if(verbose == 3) { + HASH_SORT(srcStats, port_stats_sort); + HASH_SORT(dstStats, port_stats_sort); + } /* Stats aggregation */ cumulative_stats.guessed_flow_protocols += ndpi_thread_info[thread_id].workflow->stats.guessed_flow_protocols; @@ -809,6 +1288,8 @@ static void printResults(u_int64_t tot_usec) { cumulative_stats.max_packet_len += ndpi_thread_info[thread_id].workflow->stats.max_packet_len; } + if(cumulative_stats.total_wire_bytes == 0) return; + if(!quiet_mode) { printf("\nnDPI Memory statistics:\n"); printf("\tnDPI Memory (once): %-13s\n", formatBytes(sizeof(struct ndpi_detection_module_struct), buf, sizeof(buf))); @@ -847,15 +1328,20 @@ static void printResults(u_int64_t tot_usec) { printf("\tPacket Len > 1500: %-13lu\n", (unsigned long)cumulative_stats.packet_len[5]); if(tot_usec > 0) { - char buf[32], buf1[32]; + char buf[32], buf1[32], when[64]; float t = (float)(cumulative_stats.ip_packet_count*1000000)/(float)tot_usec; float b = (float)(cumulative_stats.total_wire_bytes * 8 *1000000)/(float)tot_usec; float traffic_duration; - if (live_capture) traffic_duration = tot_usec; + if(live_capture) traffic_duration = tot_usec; else traffic_duration = (pcap_end.tv_sec*1000000 + pcap_end.tv_usec) - (pcap_start.tv_sec*1000000 + pcap_start.tv_usec); printf("\tnDPI throughput: %s pps / %s/sec\n", formatPackets(t, buf), formatTraffic(b, 1, buf1)); t = (float)(cumulative_stats.ip_packet_count*1000000)/(float)traffic_duration; b = (float)(cumulative_stats.total_wire_bytes * 8 *1000000)/(float)traffic_duration; + + strftime(when, sizeof(when), "%d/%b/%Y %H:%M:%S", localtime(&pcap_start.tv_sec)); + printf("\tAnalysis begin: %s\n", when); + strftime(when, sizeof(when), "%d/%b/%Y %H:%M:%S", localtime(&pcap_end.tv_sec)); + printf("\tAnalysis end: %s\n", when); printf("\tTraffic throughput: %s pps / %s/sec\n", formatPackets(t, buf), formatTraffic(b, 1, buf1)); printf("\tTraffic duration: %.3f sec\n", traffic_duration/1000000); } @@ -957,7 +1443,7 @@ static void printResults(u_int64_t tot_usec) { // printf("\n\nTotal Flow Traffic: %llu (diff: %llu)\n", total_flow_bytes, cumulative_stats.total_ip_bytes-total_flow_bytes); - if(verbose) { + if((verbose == 1) || (verbose == 2)) { FILE *out = results_file ? results_file : stdout; if(!json_flag) fprintf(out, "\n"); @@ -1003,6 +1489,17 @@ static void printResults(u_int64_t tot_usec) { fclose(json_fp); #endif } + + if(verbose == 3) { + printf("\n\nSource Ports Stats:\n"); + printPortStats(srcStats); + + printf("\nDestination Ports Stats:\n"); + printPortStats(dstStats); + + deletePortsStats(srcStats), deletePortsStats(dstStats); + srcStats = NULL, dstStats = NULL; + } } @@ -1010,14 +1507,11 @@ static void printResults(u_int64_t tot_usec) { * @brief Force a pcap_dispatch() or pcap_loop() call to return */ static void breakPcapLoop(u_int16_t thread_id) { - if(ndpi_thread_info[thread_id].workflow->pcap_handle != NULL) { pcap_breakloop(ndpi_thread_info[thread_id].workflow->pcap_handle); } } - - /** * @brief Sigproc is executed for each packet in the pcap file */ @@ -1135,16 +1629,17 @@ static pcap_t * openPcapFileOrDevice(u_int16_t thread_id, const u_char * pcap_fi /** * @brief Check pcap packet */ -static void pcap_packet_callback_checked(u_char *args, - const struct pcap_pkthdr *header, - const u_char *packet) { - +static void pcap_process_packet(u_char *args, + const struct pcap_pkthdr *header, + const u_char *packet) { + struct ndpi_proto p; u_int16_t thread_id = *((u_int16_t*)args); /* allocate an exact size buffer to check overflows */ uint8_t *packet_checked = malloc(header->caplen); + memcpy(packet_checked, packet, header->caplen); - ndpi_workflow_process_packet(ndpi_thread_info[thread_id].workflow, header, packet_checked); + p = ndpi_workflow_process_packet(ndpi_thread_info[thread_id].workflow, header, packet_checked); if((capture_until != 0) && (header->ts.tv_sec >= capture_until)) { if(ndpi_thread_info[thread_id].workflow->pcap_handle != NULL) @@ -1153,8 +1648,8 @@ static void pcap_packet_callback_checked(u_char *args, } /* Check if capture is live or not */ - if (!live_capture) { - if (!pcap_start.tv_sec) pcap_start.tv_sec = header->ts.tv_sec, pcap_start.tv_usec = header->ts.tv_usec; + if(!live_capture) { + if(!pcap_start.tv_sec) pcap_start.tv_sec = header->ts.tv_sec, pcap_start.tv_usec = header->ts.tv_usec; pcap_end.tv_sec = header->ts.tv_sec, pcap_end.tv_usec = header->ts.tv_usec; } @@ -1182,11 +1677,73 @@ static void pcap_packet_callback_checked(u_char *args, } } +#ifdef DEBUG_TRACE + if(trace) fprintf(trace, "Found %u bytes packet %u.%u\n", header->caplen, p.app_protocol, p.master_protocol); +#endif + + if(extcap_dumper + && ((extcap_packet_filter == (u_int16_t)-1) + || (p.app_protocol == extcap_packet_filter) + || (p.master_protocol == extcap_packet_filter) + ) + ) { + struct pcap_pkthdr h; + uint32_t *crc, delta = sizeof(struct ndpi_packet_trailer) + 4 /* ethernet trailer */; + struct ndpi_packet_trailer *trailer; + + memcpy(&h, header, sizeof(h)); + + if(h.caplen > (sizeof(extcap_buf)-sizeof(struct ndpi_packet_trailer) - 4)) { + printf("INTERNAL ERROR: caplen=%u\n", h.caplen); + h.caplen = sizeof(extcap_buf)-sizeof(struct ndpi_packet_trailer) - 4; + } + + trailer = (struct ndpi_packet_trailer*)&extcap_buf[h.caplen]; + memcpy(extcap_buf, packet, h.caplen); + memset(trailer, 0, sizeof(struct ndpi_packet_trailer)); + trailer->magic = htonl(0x19680924); + trailer->master_protocol = htons(p.master_protocol), trailer->app_protocol = htons(p.app_protocol); + ndpi_protocol2name(ndpi_thread_info[thread_id].workflow->ndpi_struct, p, trailer->name, sizeof(trailer->name)); + crc = (uint32_t*)&extcap_buf[h.caplen+sizeof(struct ndpi_packet_trailer)]; + *crc = 0; + ethernet_crc32((const void*)extcap_buf, h.caplen+sizeof(struct ndpi_packet_trailer), crc); + h.caplen += delta, h.len += delta; + +#ifdef DEBUG_TRACE + if(trace) fprintf(trace, "Dumping %u bytes packet\n", h.caplen); +#endif + + pcap_dump((u_char*)extcap_dumper, &h, (const u_char *)extcap_buf); + pcap_dump_flush(extcap_dumper); + } + /* check for buffer changes */ if(memcmp(packet, packet_checked, header->caplen) != 0) - printf("INTERNAL ERROR: ingress packet was modified by nDPI: this should not happen [thread_id=%u, packetId=%lu]\n", - thread_id, (unsigned long)ndpi_thread_info[thread_id].workflow->stats.raw_packet_count); + printf("INTERNAL ERROR: ingress packet was modified by nDPI: this should not happen [thread_id=%u, packetId=%lu, caplen=%u]\n", + thread_id, (unsigned long)ndpi_thread_info[thread_id].workflow->stats.raw_packet_count, header->caplen); free(packet_checked); + + if((pcap_end.tv_sec-pcap_start.tv_sec) > pcap_analysis_duration) { + int i; + u_int64_t tot_usec; + + gettimeofday(&end, NULL); + tot_usec = end.tv_sec*1000000 + end.tv_usec - (begin.tv_sec*1000000 + begin.tv_usec); + + printResults(tot_usec); + + for(i=0; i<ndpi_thread_info[thread_id].workflow->prefs.num_roots; i++) { + ndpi_tdestroy(ndpi_thread_info[thread_id].workflow->ndpi_flows_root[i], ndpi_flow_info_freer); + ndpi_thread_info[thread_id].workflow->ndpi_flows_root[i] = NULL; + + memset(&ndpi_thread_info[thread_id].workflow->stats, 0, sizeof(struct ndpi_stats)); + } + + printf("\n-------------------------------------------\n\n"); + + memcpy(&begin, &end, sizeof(begin)); + memcpy(&pcap_start, &pcap_end, sizeof(pcap_start)); + } } @@ -1194,12 +1751,10 @@ static void pcap_packet_callback_checked(u_char *args, * @brief Call pcap_loop() to process packets from a live capture or savefile */ static void runPcapLoop(u_int16_t thread_id) { - if((!shutdown_app) && (ndpi_thread_info[thread_id].workflow->pcap_handle != NULL)) - pcap_loop(ndpi_thread_info[thread_id].workflow->pcap_handle, -1, &pcap_packet_callback_checked, (u_char*)&thread_id); + pcap_loop(ndpi_thread_info[thread_id].workflow->pcap_handle, -1, &pcap_process_packet, (u_char*)&thread_id); } - /** * @brief Process a running thread */ @@ -1224,7 +1779,7 @@ void * processing_thread(void *_thread_id) { if((!json_flag) && (!quiet_mode)) printf("Running thread %ld...\n", thread_id); pcap_loop: - runPcapLoop(thread_id); + runPcapLoop(thread_id); if(playlist_fp[thread_id] != NULL) { /* playlist: read next file */ char filename[256]; @@ -1244,8 +1799,7 @@ void * processing_thread(void *_thread_id) { * @brief Begin, process, end detection process */ void test_lib() { - - struct timeval begin, end; + struct timeval end; u_int64_t tot_usec; long thread_id; @@ -1253,20 +1807,48 @@ void test_lib() { json_init(); #endif +#ifdef DEBUG_TRACE + if(trace) fprintf(trace, "Num threads: %d\n", num_threads); +#endif + for(thread_id = 0; thread_id < num_threads; thread_id++) { - pcap_t * cap = openPcapFileOrDevice(thread_id, (const u_char*)_pcap_file[thread_id]); + pcap_t *cap; + +#ifdef DEBUG_TRACE + if(trace) fprintf(trace, "Opening %s\n", (const u_char*)_pcap_file[thread_id]); +#endif + + cap = openPcapFileOrDevice(thread_id, (const u_char*)_pcap_file[thread_id]); setupDetection(thread_id, cap); } gettimeofday(&begin, NULL); - /* Running processing threads */ - for(thread_id = 0; thread_id < num_threads; thread_id++) - pthread_create(&ndpi_thread_info[thread_id].pthread, NULL, processing_thread, (void *) thread_id); + int status; + void * thd_res; + /* Running processing threads */ + for(thread_id = 0; thread_id < num_threads; thread_id++) { + status = pthread_create(&ndpi_thread_info[thread_id].pthread, NULL, processing_thread, (void *) thread_id); + /* check pthreade_create return value */ + if(status != 0) { + fprintf(stderr, "error on create %ld thread\n", thread_id); + exit(-1); + } + } /* Waiting for completion */ - for(thread_id = 0; thread_id < num_threads; thread_id++) - pthread_join(ndpi_thread_info[thread_id].pthread, NULL); + for(thread_id = 0; thread_id < num_threads; thread_id++) { + status = pthread_join(ndpi_thread_info[thread_id].pthread, &thd_res); + /* check pthreade_join return value */ + if(status != 0) { + fprintf(stderr, "error on join %ld thread\n", thread_id); + exit(-1); + } + if(thd_res != NULL) { + fprintf(stderr, "error on returned value of %ld joined thread\n", thread_id); + exit(-1); + } + } gettimeofday(&end, NULL); tot_usec = end.tv_sec*1000000 + end.tv_usec - (begin.tv_sec*1000000 + begin.tv_usec); @@ -1275,9 +1857,9 @@ void test_lib() { printResults(tot_usec); for(thread_id = 0; thread_id < num_threads; thread_id++) { - if(ndpi_thread_info[thread_id].workflow->pcap_handle != NULL) { + if(ndpi_thread_info[thread_id].workflow->pcap_handle != NULL) pcap_close(ndpi_thread_info[thread_id].workflow->pcap_handle); - } + terminateDetection(thread_id); } } @@ -1304,8 +1886,6 @@ int main(int argc, char **argv) { automataUnitTest(); memset(ndpi_thread_info, 0, sizeof(ndpi_thread_info)); - memset(&pcap_start, 0, sizeof(pcap_start)); - memset(&pcap_end, 0, sizeof(pcap_end)); parseOptions(argc, argv); @@ -1325,8 +1905,9 @@ int main(int argc, char **argv) { for(i=0; i<num_loops; i++) test_lib(); - if(results_path) free(results_path); - if(results_file) fclose(results_file); + if(results_path) free(results_path); + if(results_file) fclose(results_file); + if(extcap_dumper) pcap_dump_close(extcap_dumper); return 0; } diff --git a/example/ndpi_util.c b/example/ndpi_util.c index 3ab6d8da4..1ba77eb80 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c @@ -48,6 +48,7 @@ #define MPLS_MULTI 0x8848 #define PPPoE 0x8864 #define SNAP 0xaa +#define BSTP 0x42 /* Bridge Spanning Tree Protocol */ /* mask for FCF */ #define WIFI_DATA 0x2 /* 0000 0010 */ @@ -62,6 +63,10 @@ #define GTP_U_V1_PORT 2152 #define TZSP_PORT 37008 +#ifndef DLT_LINUX_SLL +#define DLT_LINUX_SLL 113 +#endif + #include "ndpi_main.h" #include "ndpi_util.h" @@ -124,7 +129,7 @@ struct ndpi_workflow * ndpi_workflow_init(const struct ndpi_workflow_prefs * pre /* ***************************************************** */ -static void ndpi_flow_info_freer(void *node) { +void ndpi_flow_info_freer(void *node) { struct ndpi_flow_info *flow = (struct ndpi_flow_info*)node; ndpi_free_flow_info_half(flow); @@ -215,7 +220,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow return NULL; if((iph->ihl * 4) > ipsize || ipsize < ntohs(iph->tot_len) - || (iph->frag_off & htons(0x1FFF)) != 0) + /* || (iph->frag_off & htons(0x1FFF)) != 0 */) return NULL; l4_offset = iph->ihl * 4; @@ -255,9 +260,8 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow if(iph->protocol == IPPROTO_TCP && l4_packet_len >= 20) { u_int tcp_len; - workflow->stats.tcp_count++; - // tcp + workflow->stats.tcp_count++; *tcph = (struct ndpi_tcphdr *)l4; *sport = ntohs((*tcph)->source), *dport = ntohs((*tcph)->dest); @@ -284,8 +288,8 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow *payload_len = ndpi_max(0, l4_packet_len-4*(*tcph)->doff); } else if(iph->protocol == IPPROTO_UDP && l4_packet_len >= 8) { // udp - workflow->stats.udp_count++; + workflow->stats.udp_count++; *udph = (struct ndpi_udphdr *)l4; *sport = ntohs((*udph)->source), *dport = ntohs((*udph)->dest); *payload = &l4[sizeof(struct ndpi_udphdr)]; @@ -328,7 +332,9 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow if(ret == NULL) { if(workflow->stats.ndpi_flow_count == workflow->prefs.max_ndpi_flows) { - NDPI_LOG(0, workflow->ndpi_struct, NDPI_LOG_ERROR, "maximum flow count (%u) has been exceeded\n", workflow->prefs.max_ndpi_flows); + NDPI_LOG(0, workflow->ndpi_struct, NDPI_LOG_ERROR, + "maximum flow count (%u) has been exceeded\n", + workflow->prefs.max_ndpi_flows); exit(-1); } else { struct ndpi_flow_info *newflow = (struct ndpi_flow_info*)malloc(sizeof(struct ndpi_flow_info)); @@ -343,6 +349,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow newflow->lower_ip = lower_ip, newflow->upper_ip = upper_ip; newflow->lower_port = lower_port, newflow->upper_port = upper_port; newflow->ip_version = version; + newflow->src_to_dst_direction = *src_to_dst_direction; if(version == IPVERSION) { inet_ntop(AF_INET, &lower_ip, newflow->lower_name, sizeof(newflow->lower_name)); @@ -435,19 +442,19 @@ static struct ndpi_flow_info *get_ndpi_flow_info6(struct ndpi_workflow * workflo void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_flow_info *flow) { if(!flow->ndpi_flow) return; - - snprintf(flow->host_server_name, sizeof(flow->host_server_name), "%s", + + snprintf(flow->host_server_name, sizeof(flow->host_server_name), "%s", flow->ndpi_flow->host_server_name); /* BITTORRENT */ if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_BITTORRENT) { int i, j, n = 0; - + for(i=0, j = 0; j < sizeof(flow->bittorent_hash)-1; i++) { sprintf(&flow->bittorent_hash[j], "%02x", flow->ndpi_flow->bittorent_hash[i]); j += 2, n += flow->ndpi_flow->bittorent_hash[i]; } - + if(n == 0) flow->bittorent_hash[0] = '\0'; } /* MDNS */ @@ -498,13 +505,13 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl @Note: ipsize = header->len - ip_offset ; rawsize = header->len */ -static unsigned int packet_processing(struct ndpi_workflow * workflow, - const u_int64_t time, - u_int16_t vlan_id, - const struct ndpi_iphdr *iph, - struct ndpi_ipv6hdr *iph6, - u_int16_t ip_offset, - u_int16_t ipsize, u_int16_t rawsize) { +static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, + const u_int64_t time, + u_int16_t vlan_id, + const struct ndpi_iphdr *iph, + struct ndpi_ipv6hdr *iph6, + u_int16_t ip_offset, + u_int16_t ipsize, u_int16_t rawsize) { struct ndpi_id_struct *src, *dst; struct ndpi_flow_info *flow = NULL; struct ndpi_flow_struct *ndpi_flow = NULL; @@ -513,7 +520,8 @@ static unsigned int packet_processing(struct ndpi_workflow * workflow, struct ndpi_udphdr *udph = NULL; u_int16_t sport, dport, payload_len; u_int8_t *payload; - u_int8_t src_to_dst_direction= 1; + u_int8_t src_to_dst_direction = 1; + struct ndpi_proto nproto = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN }; if(iph) flow = get_ndpi_flow_info(workflow, IPVERSION, vlan_id, iph, NULL, @@ -535,12 +543,13 @@ static unsigned int packet_processing(struct ndpi_workflow * workflow, ndpi_flow = flow->ndpi_flow; flow->packets++, flow->bytes += rawsize; flow->last_seen = time; - } else { - return(0); + } else { // flow is NULL + workflow->stats.total_discarded_bytes++; + return(nproto); } /* Protocol already detected */ - if(flow->detection_completed) return(0); + if(flow->detection_completed) return(flow->detected_protocol); flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow, iph ? (uint8_t *)iph : (uint8_t *)iph6, @@ -550,32 +559,29 @@ static unsigned int packet_processing(struct ndpi_workflow * workflow, || ((proto == IPPROTO_UDP) && (flow->packets > 8)) || ((proto == IPPROTO_TCP) && (flow->packets > 10))) { /* New protocol detected or give up */ - flow->detection_completed = 1; - } - if(flow->detection_completed) { if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) - flow->detected_protocol = ndpi_detection_giveup(workflow->ndpi_struct, - flow->ndpi_flow); - } + flow->detected_protocol = ndpi_detection_giveup(workflow->ndpi_struct, + flow->ndpi_flow); + process_ndpi_collected_info(workflow, flow); + } - process_ndpi_collected_info(workflow, flow); - return 0; + return(flow->detected_protocol); } /* ****************************************************** */ -void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, - const struct pcap_pkthdr *header, - const u_char *packet) { +struct ndpi_proto ndpi_workflow_process_packet (struct ndpi_workflow * workflow, + const struct pcap_pkthdr *header, + const u_char *packet) { /* * Declare pointers to packet headers */ /* --- Ethernet header --- */ const struct ndpi_ethhdr *ethernet; /* --- LLC header --- */ - const struct ndpi_llc_header *llc; + const struct ndpi_llc_header_snap *llc; /* --- Cisco HDLC header --- */ const struct ndpi_chdlc *chdlc; @@ -593,6 +599,8 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, /** --- IPv6 header --- **/ struct ndpi_ipv6hdr *iph6; + struct ndpi_proto nproto = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN }; + /* lengths and offsets */ u_int16_t eth_offset = 0; u_int16_t radio_len; @@ -629,7 +637,7 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, datalink_check: switch(datalink_type) { - case DLT_NULL : + case DLT_NULL: if(ntohl(*((u_int32_t*)&packet[eth_offset])) == 2) type = ETH_P_IP; else @@ -653,7 +661,7 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, break; /* IEEE 802.3 Ethernet - 1 */ - case DLT_EN10MB : + case DLT_EN10MB: ethernet = (struct ndpi_ethhdr *) &packet[eth_offset]; ip_offset = sizeof(struct ndpi_ethhdr) + eth_offset; check = ntohs(ethernet->h_proto); @@ -664,32 +672,34 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, type = check; if(pyld_eth_len != 0) { + llc = (struct ndpi_llc_header_snap *)(&packet[ip_offset]); /* check for LLC layer with SNAP extension */ - if(packet[ip_offset] == SNAP) { - llc = (struct ndpi_llc_header *)(&packet[ip_offset]); + if(llc->dsap == SNAP || llc->ssap == SNAP) { type = llc->snap.proto_ID; ip_offset += + 8; } + /* No SNAP extension - Spanning Tree pkt must be discarted */ + else if(llc->dsap == BSTP || llc->ssap == BSTP) { + goto v4_warning; + } } break; /* Linux Cooked Capture - 113 */ -#ifdef __linux__ - case DLT_LINUX_SLL : + case DLT_LINUX_SLL: type = (packet[eth_offset+14] << 8) + packet[eth_offset+15]; ip_offset = 16 + eth_offset; break; -#endif /* Radiotap link-layer - 127 */ - case DLT_IEEE802_11_RADIO : + case DLT_IEEE802_11_RADIO: radiotap = (struct ndpi_radiotap_header *) &packet[eth_offset]; radio_len = radiotap->len; /* Check Bad FCS presence */ if((radiotap->flags & BAD_FCS) == BAD_FCS) { workflow->stats.total_discarded_bytes += header->len; - return; + return(nproto); } /* Calculate 802.11 header length (variable) */ @@ -705,12 +715,12 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, break; /* Check ether_type from LLC */ - llc = (struct ndpi_llc_header*)(packet + eth_offset + wifi_len + radio_len); + llc = (struct ndpi_llc_header_snap*)(packet + eth_offset + wifi_len + radio_len); if(llc->dsap == SNAP) type = ntohs(llc->snap.proto_ID); /* Set IP header offset */ - ip_offset = wifi_len + radio_len + sizeof(struct ndpi_llc_header) + eth_offset; + ip_offset = wifi_len + radio_len + sizeof(struct ndpi_llc_header_snap) + eth_offset; break; case DLT_RAW: @@ -719,7 +729,7 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, default: /* printf("Unknown datalink %d\n", datalink_type); */ - return; + return(nproto); } /* check ether type */ @@ -800,7 +810,7 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, } workflow->stats.total_discarded_bytes += header->len; - return; + return(nproto); } } else if(iph->version == 6) { iph6 = (struct ndpi_ipv6hdr *)&packet[ip_offset]; @@ -825,7 +835,7 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, ipv4_warning_used = 1; } workflow->stats.total_discarded_bytes += header->len; - return; + return(nproto); } if(workflow->prefs.decode_tunnels && (proto == IPPROTO_UDP)) { @@ -884,7 +894,7 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, offset += tag_len; if(offset >= header->caplen) - return; /* Invalid packet */ + return(nproto); /* Invalid packet */ else { eth_offset = offset; goto datalink_check; @@ -895,6 +905,53 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, } /* process the packet */ - packet_processing(workflow, time, vlan_id, iph, iph6, - ip_offset, header->len - ip_offset, header->len); + return(packet_processing(workflow, time, vlan_id, iph, iph6, + ip_offset, header->len - ip_offset, header->len)); +} + +/* ********************************************************** */ +/* http://home.thep.lu.se/~bjorn/crc/crc32_fast.c */ +/* ********************************************************** */ + +static uint32_t crc32_for_byte(uint32_t r) { + int j; + + for(j = 0; j < 8; ++j) + r = (r & 1? 0: (uint32_t)0xEDB88320L) ^ r >> 1; + return r ^ (uint32_t)0xFF000000L; +} + +/* Any unsigned integer type with at least 32 bits may be used as + * accumulator type for fast crc32-calulation, but unsigned long is + * probably the optimal choice for most systems. */ +typedef unsigned long accum_t; + +static void init_tables(uint32_t* table, uint32_t* wtable) { + size_t i, k, w, j; + + for(i = 0; i < 0x100; ++i) + table[i] = crc32_for_byte(i); + for(k = 0; k < sizeof(accum_t); ++k) + for(i = 0; i < 0x100; ++i) { + for(j = w = 0; j < sizeof(accum_t); ++j) + w = table[(uint8_t)(j == k? w ^ i: w)] ^ w >> 8; + wtable[(k << 8) + i] = w ^ (k? wtable[0]: 0); + } +} + +void ethernet_crc32(const void* data, size_t n_bytes, uint32_t* crc) { + static uint32_t table[0x100], wtable[0x100*sizeof(accum_t)]; + size_t n_accum = n_bytes/sizeof(accum_t); + size_t i, k, j; + + if(!*table) + init_tables(table, wtable); + for(i = 0; i < n_accum; ++i) { + accum_t a = *crc ^ ((accum_t*)data)[i]; + for(j = *crc = 0; j < sizeof(accum_t); ++j) + *crc ^= wtable[(j << 8) + (uint8_t)(a >> 8*j)]; + } + + for(i = n_accum*sizeof(accum_t); i < n_bytes; ++i) + *crc = table[(uint8_t)*crc ^ ((uint8_t*)data)[i]] ^ *crc >> 8; } diff --git a/example/ndpi_util.h b/example/ndpi_util.h index 1c092cbfa..ca9f20274 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -38,7 +38,8 @@ #define NUM_ROOTS 512 #define MAX_NDPI_FLOWS 200000000 #define TICK_RESOLUTION 1000 - +#define MAX_NUM_IP_ADDRESS 5 /* len of ip address array */ +#define UPDATED_TREE 1 // flow tracking typedef struct ndpi_flow_info { @@ -46,7 +47,7 @@ typedef struct ndpi_flow_info { u_int32_t upper_ip; u_int16_t lower_port; u_int16_t upper_port; - u_int8_t detection_completed, protocol; + u_int8_t detection_completed, protocol, src_to_dst_direction; u_int16_t vlan_id; struct ndpi_flow_struct *ndpi_flow; char lower_name[48], upper_name[48]; @@ -138,9 +139,9 @@ void ndpi_free_flow_info_half(struct ndpi_flow_info *flow); /* Process a packet and update the workflow */ -void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, - const struct pcap_pkthdr *header, - const u_char *packet); +struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow, + const struct pcap_pkthdr *header, + const u_char *packet); /* flow callbacks for complete detected flow @@ -160,5 +161,6 @@ static inline void ndpi_workflow_set_flow_giveup_callback(struct ndpi_workflow * /* compare two nodes in workflow */ int ndpi_workflow_node_cmp(const void *a, const void *b); void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_flow_info *flow); - +void ethernet_crc32(const void* data, size_t n_bytes, uint32_t* crc); +void ndpi_flow_info_freer(void *node); #endif diff --git a/example/uthash.h b/example/uthash.h new file mode 100644 index 000000000..f78a73b86 --- /dev/null +++ b/example/uthash.h @@ -0,0 +1,1096 @@ +/* +Copyright (c) 2003-2017, Troy D. Hanson http://troydhanson.github.com/uthash/ +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS +IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A +PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER +OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, +EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +*/ + +#ifndef UTHASH_H +#define UTHASH_H + +#define UTHASH_VERSION 2.0.2 + +#include <string.h> /* memcmp,strlen */ +#include <stddef.h> /* ptrdiff_t */ +#include <stdlib.h> /* exit() */ + +/* These macros use decltype or the earlier __typeof GNU extension. + As decltype is only available in newer compilers (VS2010 or gcc 4.3+ + when compiling c++ source) this code uses whatever method is needed + or, for VS2008 where neither is available, uses casting workarounds. */ +#if !defined(DECLTYPE) && !defined(NO_DECLTYPE) +#if defined(_MSC_VER) /* MS compiler */ +#if _MSC_VER >= 1600 && defined(__cplusplus) /* VS2010 or newer in C++ mode */ +#define DECLTYPE(x) (decltype(x)) +#else /* VS2008 or older (or VS2010 in C mode) */ +#define NO_DECLTYPE +#endif +#elif defined(__BORLANDC__) || defined(__ICCARM__) || defined(__LCC__) || defined(__WATCOMC__) +#define NO_DECLTYPE +#else /* GNU, Sun and other compilers */ +#define DECLTYPE(x) (__typeof(x)) +#endif +#endif + +#ifdef NO_DECLTYPE +#define DECLTYPE(x) +#define DECLTYPE_ASSIGN(dst,src) \ +do { \ + char **_da_dst = (char**)(&(dst)); \ + *_da_dst = (char*)(src); \ +} while (0) +#else +#define DECLTYPE_ASSIGN(dst,src) \ +do { \ + (dst) = DECLTYPE(dst)(src); \ +} while (0) +#endif + +/* a number of the hash function use uint32_t which isn't defined on Pre VS2010 */ +#if defined(_WIN32) +#if defined(_MSC_VER) && _MSC_VER >= 1600 +#include <stdint.h> +#elif defined(__WATCOMC__) || defined(__MINGW32__) || defined(__CYGWIN__) +#include <stdint.h> +#else +typedef unsigned int uint32_t; +typedef unsigned char uint8_t; +#endif +#elif defined(__GNUC__) && !defined(__VXWORKS__) +#include <stdint.h> +#else +typedef unsigned int uint32_t; +typedef unsigned char uint8_t; +#endif + +#ifndef uthash_fatal +#define uthash_fatal(msg) exit(-1) /* fatal error (out of memory,etc) */ +#endif +#ifndef uthash_malloc +#define uthash_malloc(sz) malloc(sz) /* malloc fcn */ +#endif +#ifndef uthash_free +#define uthash_free(ptr,sz) free(ptr) /* free fcn */ +#endif +#ifndef uthash_strlen +#define uthash_strlen(s) strlen(s) +#endif +#ifndef uthash_memcmp +#define uthash_memcmp(a,b,n) memcmp(a,b,n) +#endif + +#ifndef uthash_noexpand_fyi +#define uthash_noexpand_fyi(tbl) /* can be defined to log noexpand */ +#endif +#ifndef uthash_expand_fyi +#define uthash_expand_fyi(tbl) /* can be defined to log expands */ +#endif + +/* initial number of buckets */ +#define HASH_INITIAL_NUM_BUCKETS 32U /* initial number of buckets */ +#define HASH_INITIAL_NUM_BUCKETS_LOG2 5U /* lg2 of initial number of buckets */ +#define HASH_BKT_CAPACITY_THRESH 10U /* expand when bucket count reaches */ + +/* calculate the element whose hash handle address is hhp */ +#define ELMT_FROM_HH(tbl,hhp) ((void*)(((char*)(hhp)) - ((tbl)->hho))) +/* calculate the hash handle from element address elp */ +#define HH_FROM_ELMT(tbl,elp) ((UT_hash_handle *)(((char*)(elp)) + ((tbl)->hho))) + +#define HASH_VALUE(keyptr,keylen,hashv) \ +do { \ + HASH_FCN(keyptr, keylen, hashv); \ +} while (0) + +#define HASH_FIND_BYHASHVALUE(hh,head,keyptr,keylen,hashval,out) \ +do { \ + (out) = NULL; \ + if (head) { \ + unsigned _hf_bkt; \ + HASH_TO_BKT(hashval, (head)->hh.tbl->num_buckets, _hf_bkt); \ + if (HASH_BLOOM_TEST((head)->hh.tbl, hashval) != 0) { \ + HASH_FIND_IN_BKT((head)->hh.tbl, hh, (head)->hh.tbl->buckets[ _hf_bkt ], keyptr, keylen, hashval, out); \ + } \ + } \ +} while (0) + +#define HASH_FIND(hh,head,keyptr,keylen,out) \ +do { \ + unsigned _hf_hashv; \ + HASH_VALUE(keyptr, keylen, _hf_hashv); \ + HASH_FIND_BYHASHVALUE(hh, head, keyptr, keylen, _hf_hashv, out); \ +} while (0) + +#ifdef HASH_BLOOM +#define HASH_BLOOM_BITLEN (1UL << HASH_BLOOM) +#define HASH_BLOOM_BYTELEN (HASH_BLOOM_BITLEN/8UL) + (((HASH_BLOOM_BITLEN%8UL)!=0UL) ? 1UL : 0UL) +#define HASH_BLOOM_MAKE(tbl) \ +do { \ + (tbl)->bloom_nbits = HASH_BLOOM; \ + (tbl)->bloom_bv = (uint8_t*)uthash_malloc(HASH_BLOOM_BYTELEN); \ + if (!((tbl)->bloom_bv)) { uthash_fatal( "out of memory"); } \ + memset((tbl)->bloom_bv, 0, HASH_BLOOM_BYTELEN); \ + (tbl)->bloom_sig = HASH_BLOOM_SIGNATURE; \ +} while (0) + +#define HASH_BLOOM_FREE(tbl) \ +do { \ + uthash_free((tbl)->bloom_bv, HASH_BLOOM_BYTELEN); \ +} while (0) + +#define HASH_BLOOM_BITSET(bv,idx) (bv[(idx)/8U] |= (1U << ((idx)%8U))) +#define HASH_BLOOM_BITTEST(bv,idx) (bv[(idx)/8U] & (1U << ((idx)%8U))) + +#define HASH_BLOOM_ADD(tbl,hashv) \ + HASH_BLOOM_BITSET((tbl)->bloom_bv, (hashv & (uint32_t)((1ULL << (tbl)->bloom_nbits) - 1U))) + +#define HASH_BLOOM_TEST(tbl,hashv) \ + HASH_BLOOM_BITTEST((tbl)->bloom_bv, (hashv & (uint32_t)((1ULL << (tbl)->bloom_nbits) - 1U))) + +#else +#define HASH_BLOOM_MAKE(tbl) +#define HASH_BLOOM_FREE(tbl) +#define HASH_BLOOM_ADD(tbl,hashv) +#define HASH_BLOOM_TEST(tbl,hashv) (1) +#define HASH_BLOOM_BYTELEN 0U +#endif + +#define HASH_MAKE_TABLE(hh,head) \ +do { \ + (head)->hh.tbl = (UT_hash_table*)uthash_malloc( \ + sizeof(UT_hash_table)); \ + if (!((head)->hh.tbl)) { uthash_fatal( "out of memory"); } \ + memset((head)->hh.tbl, 0, sizeof(UT_hash_table)); \ + (head)->hh.tbl->tail = &((head)->hh); \ + (head)->hh.tbl->num_buckets = HASH_INITIAL_NUM_BUCKETS; \ + (head)->hh.tbl->log2_num_buckets = HASH_INITIAL_NUM_BUCKETS_LOG2; \ + (head)->hh.tbl->hho = (char*)(&(head)->hh) - (char*)(head); \ + (head)->hh.tbl->buckets = (UT_hash_bucket*)uthash_malloc( \ + HASH_INITIAL_NUM_BUCKETS*sizeof(struct UT_hash_bucket)); \ + if (! (head)->hh.tbl->buckets) { uthash_fatal( "out of memory"); } \ + memset((head)->hh.tbl->buckets, 0, \ + HASH_INITIAL_NUM_BUCKETS*sizeof(struct UT_hash_bucket)); \ + HASH_BLOOM_MAKE((head)->hh.tbl); \ + (head)->hh.tbl->signature = HASH_SIGNATURE; \ +} while (0) + +#define HASH_REPLACE_BYHASHVALUE_INORDER(hh,head,fieldname,keylen_in,hashval,add,replaced,cmpfcn) \ +do { \ + (replaced) = NULL; \ + HASH_FIND_BYHASHVALUE(hh, head, &((add)->fieldname), keylen_in, hashval, replaced); \ + if (replaced) { \ + HASH_DELETE(hh, head, replaced); \ + } \ + HASH_ADD_KEYPTR_BYHASHVALUE_INORDER(hh, head, &((add)->fieldname), keylen_in, hashval, add, cmpfcn); \ +} while (0) + +#define HASH_REPLACE_BYHASHVALUE(hh,head,fieldname,keylen_in,hashval,add,replaced) \ +do { \ + (replaced) = NULL; \ + HASH_FIND_BYHASHVALUE(hh, head, &((add)->fieldname), keylen_in, hashval, replaced); \ + if (replaced) { \ + HASH_DELETE(hh, head, replaced); \ + } \ + HASH_ADD_KEYPTR_BYHASHVALUE(hh, head, &((add)->fieldname), keylen_in, hashval, add); \ +} while (0) + +#define HASH_REPLACE(hh,head,fieldname,keylen_in,add,replaced) \ +do { \ + unsigned _hr_hashv; \ + HASH_VALUE(&((add)->fieldname), keylen_in, _hr_hashv); \ + HASH_REPLACE_BYHASHVALUE(hh, head, fieldname, keylen_in, _hr_hashv, add, replaced); \ +} while (0) + +#define HASH_REPLACE_INORDER(hh,head,fieldname,keylen_in,add,replaced,cmpfcn) \ +do { \ + unsigned _hr_hashv; \ + HASH_VALUE(&((add)->fieldname), keylen_in, _hr_hashv); \ + HASH_REPLACE_BYHASHVALUE_INORDER(hh, head, fieldname, keylen_in, _hr_hashv, add, replaced, cmpfcn); \ +} while (0) + +#define HASH_APPEND_LIST(hh, head, add) \ +do { \ + (add)->hh.next = NULL; \ + (add)->hh.prev = ELMT_FROM_HH((head)->hh.tbl, (head)->hh.tbl->tail); \ + (head)->hh.tbl->tail->next = (add); \ + (head)->hh.tbl->tail = &((add)->hh); \ +} while (0) + +#define HASH_AKBI_INNER_LOOP(hh,head,add,cmpfcn) \ +do { \ + do { \ + if (cmpfcn(DECLTYPE(head)(_hs_iter), add) > 0) \ + break; \ + } while ((_hs_iter = HH_FROM_ELMT((head)->hh.tbl, _hs_iter)->next)); \ +} while (0) + +#ifdef NO_DECLTYPE +#undef HASH_AKBI_INNER_LOOP +#define HASH_AKBI_INNER_LOOP(hh,head,add,cmpfcn) \ +do { \ + char *_hs_saved_head = (char*)(head); \ + do { \ + DECLTYPE_ASSIGN(head, _hs_iter); \ + if (cmpfcn(head, add) > 0) { \ + DECLTYPE_ASSIGN(head, _hs_saved_head); \ + break; \ + } \ + DECLTYPE_ASSIGN(head, _hs_saved_head); \ + } while ((_hs_iter = HH_FROM_ELMT((head)->hh.tbl, _hs_iter)->next)); \ +} while (0) +#endif + +#define HASH_ADD_KEYPTR_BYHASHVALUE_INORDER(hh,head,keyptr,keylen_in,hashval,add,cmpfcn) \ +do { \ + unsigned _ha_bkt; \ + (add)->hh.hashv = (hashval); \ + (add)->hh.key = (char*) (keyptr); \ + (add)->hh.keylen = (unsigned) (keylen_in); \ + if (!(head)) { \ + (add)->hh.next = NULL; \ + (add)->hh.prev = NULL; \ + (head) = (add); \ + HASH_MAKE_TABLE(hh, head); \ + } else { \ + void *_hs_iter = (head); \ + (add)->hh.tbl = (head)->hh.tbl; \ + HASH_AKBI_INNER_LOOP(hh, head, add, cmpfcn); \ + if (_hs_iter) { \ + (add)->hh.next = _hs_iter; \ + if (((add)->hh.prev = HH_FROM_ELMT((head)->hh.tbl, _hs_iter)->prev)) { \ + HH_FROM_ELMT((head)->hh.tbl, (add)->hh.prev)->next = (add); \ + } else { \ + (head) = (add); \ + } \ + HH_FROM_ELMT((head)->hh.tbl, _hs_iter)->prev = (add); \ + } else { \ + HASH_APPEND_LIST(hh, head, add); \ + } \ + } \ + (head)->hh.tbl->num_items++; \ + HASH_TO_BKT(hashval, (head)->hh.tbl->num_buckets, _ha_bkt); \ + HASH_ADD_TO_BKT((head)->hh.tbl->buckets[_ha_bkt], &(add)->hh); \ + HASH_BLOOM_ADD((head)->hh.tbl, hashval); \ + HASH_EMIT_KEY(hh, head, keyptr, keylen_in); \ + HASH_FSCK(hh, head); \ +} while (0) + +#define HASH_ADD_KEYPTR_INORDER(hh,head,keyptr,keylen_in,add,cmpfcn) \ +do { \ + unsigned _hs_hashv; \ + HASH_VALUE(keyptr, keylen_in, _hs_hashv); \ + HASH_ADD_KEYPTR_BYHASHVALUE_INORDER(hh, head, keyptr, keylen_in, _hs_hashv, add, cmpfcn); \ +} while (0) + +#define HASH_ADD_BYHASHVALUE_INORDER(hh,head,fieldname,keylen_in,hashval,add,cmpfcn) \ + HASH_ADD_KEYPTR_BYHASHVALUE_INORDER(hh, head, &((add)->fieldname), keylen_in, hashval, add, cmpfcn) + +#define HASH_ADD_INORDER(hh,head,fieldname,keylen_in,add,cmpfcn) \ + HASH_ADD_KEYPTR_INORDER(hh, head, &((add)->fieldname), keylen_in, add, cmpfcn) + +#define HASH_ADD_KEYPTR_BYHASHVALUE(hh,head,keyptr,keylen_in,hashval,add) \ +do { \ + unsigned _ha_bkt; \ + (add)->hh.hashv = (hashval); \ + (add)->hh.key = (char*) (keyptr); \ + (add)->hh.keylen = (unsigned) (keylen_in); \ + if (!(head)) { \ + (add)->hh.next = NULL; \ + (add)->hh.prev = NULL; \ + (head) = (add); \ + HASH_MAKE_TABLE(hh, head); \ + } else { \ + (add)->hh.tbl = (head)->hh.tbl; \ + HASH_APPEND_LIST(hh, head, add); \ + } \ + (head)->hh.tbl->num_items++; \ + HASH_TO_BKT(hashval, (head)->hh.tbl->num_buckets, _ha_bkt); \ + HASH_ADD_TO_BKT((head)->hh.tbl->buckets[_ha_bkt], &(add)->hh); \ + HASH_BLOOM_ADD((head)->hh.tbl, hashval); \ + HASH_EMIT_KEY(hh, head, keyptr, keylen_in); \ + HASH_FSCK(hh, head); \ +} while (0) + +#define HASH_ADD_KEYPTR(hh,head,keyptr,keylen_in,add) \ +do { \ + unsigned _ha_hashv; \ + HASH_VALUE(keyptr, keylen_in, _ha_hashv); \ + HASH_ADD_KEYPTR_BYHASHVALUE(hh, head, keyptr, keylen_in, _ha_hashv, add); \ +} while (0) + +#define HASH_ADD_BYHASHVALUE(hh,head,fieldname,keylen_in,hashval,add) \ + HASH_ADD_KEYPTR_BYHASHVALUE(hh, head, &((add)->fieldname), keylen_in, hashval, add) + +#define HASH_ADD(hh,head,fieldname,keylen_in,add) \ + HASH_ADD_KEYPTR(hh, head, &((add)->fieldname), keylen_in, add) + +#define HASH_TO_BKT(hashv,num_bkts,bkt) \ +do { \ + bkt = ((hashv) & ((num_bkts) - 1U)); \ +} while (0) + +/* delete "delptr" from the hash table. + * "the usual" patch-up process for the app-order doubly-linked-list. + * The use of _hd_hh_del below deserves special explanation. + * These used to be expressed using (delptr) but that led to a bug + * if someone used the same symbol for the head and deletee, like + * HASH_DELETE(hh,users,users); + * We want that to work, but by changing the head (users) below + * we were forfeiting our ability to further refer to the deletee (users) + * in the patch-up process. Solution: use scratch space to + * copy the deletee pointer, then the latter references are via that + * scratch pointer rather than through the repointed (users) symbol. + */ +#define HASH_DELETE(hh,head,delptr) \ +do { \ + struct UT_hash_handle *_hd_hh_del; \ + if ( ((delptr)->hh.prev == NULL) && ((delptr)->hh.next == NULL) ) { \ + uthash_free((head)->hh.tbl->buckets, \ + (head)->hh.tbl->num_buckets*sizeof(struct UT_hash_bucket) ); \ + HASH_BLOOM_FREE((head)->hh.tbl); \ + uthash_free((head)->hh.tbl, sizeof(UT_hash_table)); \ + head = NULL; \ + } else { \ + unsigned _hd_bkt; \ + _hd_hh_del = &((delptr)->hh); \ + if ((delptr) == ELMT_FROM_HH((head)->hh.tbl,(head)->hh.tbl->tail)) { \ + (head)->hh.tbl->tail = \ + (UT_hash_handle*)((ptrdiff_t)((delptr)->hh.prev) + \ + (head)->hh.tbl->hho); \ + } \ + if ((delptr)->hh.prev != NULL) { \ + ((UT_hash_handle*)((ptrdiff_t)((delptr)->hh.prev) + \ + (head)->hh.tbl->hho))->next = (delptr)->hh.next; \ + } else { \ + DECLTYPE_ASSIGN(head,(delptr)->hh.next); \ + } \ + if (_hd_hh_del->next != NULL) { \ + ((UT_hash_handle*)((ptrdiff_t)_hd_hh_del->next + \ + (head)->hh.tbl->hho))->prev = \ + _hd_hh_del->prev; \ + } \ + HASH_TO_BKT( _hd_hh_del->hashv, (head)->hh.tbl->num_buckets, _hd_bkt); \ + HASH_DEL_IN_BKT(hh,(head)->hh.tbl->buckets[_hd_bkt], _hd_hh_del); \ + (head)->hh.tbl->num_items--; \ + } \ + HASH_FSCK(hh,head); \ +} while (0) + + +/* convenience forms of HASH_FIND/HASH_ADD/HASH_DEL */ +#define HASH_FIND_STR(head,findstr,out) \ + HASH_FIND(hh,head,findstr,(unsigned)uthash_strlen(findstr),out) +#define HASH_ADD_STR(head,strfield,add) \ + HASH_ADD(hh,head,strfield[0],(unsigned)uthash_strlen(add->strfield),add) +#define HASH_REPLACE_STR(head,strfield,add,replaced) \ + HASH_REPLACE(hh,head,strfield[0],(unsigned)uthash_strlen(add->strfield),add,replaced) +#define HASH_FIND_INT(head,findint,out) \ + HASH_FIND(hh,head,findint,sizeof(int),out) +#define HASH_ADD_INT(head,intfield,add) \ + HASH_ADD(hh,head,intfield,sizeof(int),add) +#define HASH_REPLACE_INT(head,intfield,add,replaced) \ + HASH_REPLACE(hh,head,intfield,sizeof(int),add,replaced) +#define HASH_FIND_PTR(head,findptr,out) \ + HASH_FIND(hh,head,findptr,sizeof(void *),out) +#define HASH_ADD_PTR(head,ptrfield,add) \ + HASH_ADD(hh,head,ptrfield,sizeof(void *),add) +#define HASH_REPLACE_PTR(head,ptrfield,add,replaced) \ + HASH_REPLACE(hh,head,ptrfield,sizeof(void *),add,replaced) +#define HASH_DEL(head,delptr) \ + HASH_DELETE(hh,head,delptr) + +/* HASH_FSCK checks hash integrity on every add/delete when HASH_DEBUG is defined. + * This is for uthash developer only; it compiles away if HASH_DEBUG isn't defined. + */ +#ifdef HASH_DEBUG +#define HASH_OOPS(...) do { fprintf(stderr,__VA_ARGS__); exit(-1); } while (0) +#define HASH_FSCK(hh,head) \ +do { \ + struct UT_hash_handle *_thh; \ + if (head) { \ + unsigned _bkt_i; \ + unsigned _count; \ + char *_prev; \ + _count = 0; \ + for( _bkt_i = 0; _bkt_i < (head)->hh.tbl->num_buckets; _bkt_i++) { \ + unsigned _bkt_count = 0; \ + _thh = (head)->hh.tbl->buckets[_bkt_i].hh_head; \ + _prev = NULL; \ + while (_thh) { \ + if (_prev != (char*)(_thh->hh_prev)) { \ + HASH_OOPS("invalid hh_prev %p, actual %p\n", \ + _thh->hh_prev, _prev ); \ + } \ + _bkt_count++; \ + _prev = (char*)(_thh); \ + _thh = _thh->hh_next; \ + } \ + _count += _bkt_count; \ + if ((head)->hh.tbl->buckets[_bkt_i].count != _bkt_count) { \ + HASH_OOPS("invalid bucket count %u, actual %u\n", \ + (head)->hh.tbl->buckets[_bkt_i].count, _bkt_count); \ + } \ + } \ + if (_count != (head)->hh.tbl->num_items) { \ + HASH_OOPS("invalid hh item count %u, actual %u\n", \ + (head)->hh.tbl->num_items, _count ); \ + } \ + /* traverse hh in app order; check next/prev integrity, count */ \ + _count = 0; \ + _prev = NULL; \ + _thh = &(head)->hh; \ + while (_thh) { \ + _count++; \ + if (_prev !=(char*)(_thh->prev)) { \ + HASH_OOPS("invalid prev %p, actual %p\n", \ + _thh->prev, _prev ); \ + } \ + _prev = (char*)ELMT_FROM_HH((head)->hh.tbl, _thh); \ + _thh = ( _thh->next ? (UT_hash_handle*)((char*)(_thh->next) + \ + (head)->hh.tbl->hho) : NULL ); \ + } \ + if (_count != (head)->hh.tbl->num_items) { \ + HASH_OOPS("invalid app item count %u, actual %u\n", \ + (head)->hh.tbl->num_items, _count ); \ + } \ + } \ +} while (0) +#else +#define HASH_FSCK(hh,head) +#endif + +/* When compiled with -DHASH_EMIT_KEYS, length-prefixed keys are emitted to + * the descriptor to which this macro is defined for tuning the hash function. + * The app can #include <unistd.h> to get the prototype for write(2). */ +#ifdef HASH_EMIT_KEYS +#define HASH_EMIT_KEY(hh,head,keyptr,fieldlen) \ +do { \ + unsigned _klen = fieldlen; \ + write(HASH_EMIT_KEYS, &_klen, sizeof(_klen)); \ + write(HASH_EMIT_KEYS, keyptr, (unsigned long)fieldlen); \ +} while (0) +#else +#define HASH_EMIT_KEY(hh,head,keyptr,fieldlen) +#endif + +/* default to Jenkin's hash unless overridden e.g. DHASH_FUNCTION=HASH_SAX */ +#ifdef HASH_FUNCTION +#define HASH_FCN HASH_FUNCTION +#else +#define HASH_FCN HASH_JEN +#endif + +/* The Bernstein hash function, used in Perl prior to v5.6. Note (x<<5+x)=x*33. */ +#define HASH_BER(key,keylen,hashv) \ +do { \ + unsigned _hb_keylen=(unsigned)keylen; \ + const unsigned char *_hb_key=(const unsigned char*)(key); \ + (hashv) = 0; \ + while (_hb_keylen-- != 0U) { \ + (hashv) = (((hashv) << 5) + (hashv)) + *_hb_key++; \ + } \ +} while (0) + + +/* SAX/FNV/OAT/JEN hash functions are macro variants of those listed at + * http://eternallyconfuzzled.com/tuts/algorithms/jsw_tut_hashing.aspx */ +#define HASH_SAX(key,keylen,hashv) \ +do { \ + unsigned _sx_i; \ + const unsigned char *_hs_key=(const unsigned char*)(key); \ + hashv = 0; \ + for(_sx_i=0; _sx_i < keylen; _sx_i++) { \ + hashv ^= (hashv << 5) + (hashv >> 2) + _hs_key[_sx_i]; \ + } \ +} while (0) +/* FNV-1a variation */ +#define HASH_FNV(key,keylen,hashv) \ +do { \ + unsigned _fn_i; \ + const unsigned char *_hf_key=(const unsigned char*)(key); \ + hashv = 2166136261U; \ + for(_fn_i=0; _fn_i < keylen; _fn_i++) { \ + hashv = hashv ^ _hf_key[_fn_i]; \ + hashv = hashv * 16777619U; \ + } \ +} while (0) + +#define HASH_OAT(key,keylen,hashv) \ +do { \ + unsigned _ho_i; \ + const unsigned char *_ho_key=(const unsigned char*)(key); \ + hashv = 0; \ + for(_ho_i=0; _ho_i < keylen; _ho_i++) { \ + hashv += _ho_key[_ho_i]; \ + hashv += (hashv << 10); \ + hashv ^= (hashv >> 6); \ + } \ + hashv += (hashv << 3); \ + hashv ^= (hashv >> 11); \ + hashv += (hashv << 15); \ +} while (0) + +#define HASH_JEN_MIX(a,b,c) \ +do { \ + a -= b; a -= c; a ^= ( c >> 13 ); \ + b -= c; b -= a; b ^= ( a << 8 ); \ + c -= a; c -= b; c ^= ( b >> 13 ); \ + a -= b; a -= c; a ^= ( c >> 12 ); \ + b -= c; b -= a; b ^= ( a << 16 ); \ + c -= a; c -= b; c ^= ( b >> 5 ); \ + a -= b; a -= c; a ^= ( c >> 3 ); \ + b -= c; b -= a; b ^= ( a << 10 ); \ + c -= a; c -= b; c ^= ( b >> 15 ); \ +} while (0) + +#define HASH_JEN(key,keylen,hashv) \ +do { \ + unsigned _hj_i,_hj_j,_hj_k; \ + unsigned const char *_hj_key=(unsigned const char*)(key); \ + hashv = 0xfeedbeefu; \ + _hj_i = _hj_j = 0x9e3779b9u; \ + _hj_k = (unsigned)(keylen); \ + while (_hj_k >= 12U) { \ + _hj_i += (_hj_key[0] + ( (unsigned)_hj_key[1] << 8 ) \ + + ( (unsigned)_hj_key[2] << 16 ) \ + + ( (unsigned)_hj_key[3] << 24 ) ); \ + _hj_j += (_hj_key[4] + ( (unsigned)_hj_key[5] << 8 ) \ + + ( (unsigned)_hj_key[6] << 16 ) \ + + ( (unsigned)_hj_key[7] << 24 ) ); \ + hashv += (_hj_key[8] + ( (unsigned)_hj_key[9] << 8 ) \ + + ( (unsigned)_hj_key[10] << 16 ) \ + + ( (unsigned)_hj_key[11] << 24 ) ); \ + \ + HASH_JEN_MIX(_hj_i, _hj_j, hashv); \ + \ + _hj_key += 12; \ + _hj_k -= 12U; \ + } \ + hashv += (unsigned)(keylen); \ + switch ( _hj_k ) { \ + case 11: hashv += ( (unsigned)_hj_key[10] << 24 ); /* FALLTHROUGH */ \ + case 10: hashv += ( (unsigned)_hj_key[9] << 16 ); /* FALLTHROUGH */ \ + case 9: hashv += ( (unsigned)_hj_key[8] << 8 ); /* FALLTHROUGH */ \ + case 8: _hj_j += ( (unsigned)_hj_key[7] << 24 ); /* FALLTHROUGH */ \ + case 7: _hj_j += ( (unsigned)_hj_key[6] << 16 ); /* FALLTHROUGH */ \ + case 6: _hj_j += ( (unsigned)_hj_key[5] << 8 ); /* FALLTHROUGH */ \ + case 5: _hj_j += _hj_key[4]; /* FALLTHROUGH */ \ + case 4: _hj_i += ( (unsigned)_hj_key[3] << 24 ); /* FALLTHROUGH */ \ + case 3: _hj_i += ( (unsigned)_hj_key[2] << 16 ); /* FALLTHROUGH */ \ + case 2: _hj_i += ( (unsigned)_hj_key[1] << 8 ); /* FALLTHROUGH */ \ + case 1: _hj_i += _hj_key[0]; \ + } \ + HASH_JEN_MIX(_hj_i, _hj_j, hashv); \ +} while (0) + +/* The Paul Hsieh hash function */ +#undef get16bits +#if (defined(__GNUC__) && defined(__i386__)) || defined(__WATCOMC__) \ + || defined(_MSC_VER) || defined (__BORLANDC__) || defined (__TURBOC__) +#define get16bits(d) (*((const uint16_t *) (d))) +#endif + +#if !defined (get16bits) +#define get16bits(d) ((((uint32_t)(((const uint8_t *)(d))[1])) << 8) \ + +(uint32_t)(((const uint8_t *)(d))[0]) ) +#endif +#define HASH_SFH(key,keylen,hashv) \ +do { \ + unsigned const char *_sfh_key=(unsigned const char*)(key); \ + uint32_t _sfh_tmp, _sfh_len = (uint32_t)keylen; \ + \ + unsigned _sfh_rem = _sfh_len & 3U; \ + _sfh_len >>= 2; \ + hashv = 0xcafebabeu; \ + \ + /* Main loop */ \ + for (;_sfh_len > 0U; _sfh_len--) { \ + hashv += get16bits (_sfh_key); \ + _sfh_tmp = ((uint32_t)(get16bits (_sfh_key+2)) << 11) ^ hashv; \ + hashv = (hashv << 16) ^ _sfh_tmp; \ + _sfh_key += 2U*sizeof (uint16_t); \ + hashv += hashv >> 11; \ + } \ + \ + /* Handle end cases */ \ + switch (_sfh_rem) { \ + case 3: hashv += get16bits (_sfh_key); \ + hashv ^= hashv << 16; \ + hashv ^= (uint32_t)(_sfh_key[sizeof (uint16_t)]) << 18; \ + hashv += hashv >> 11; \ + break; \ + case 2: hashv += get16bits (_sfh_key); \ + hashv ^= hashv << 11; \ + hashv += hashv >> 17; \ + break; \ + case 1: hashv += *_sfh_key; \ + hashv ^= hashv << 10; \ + hashv += hashv >> 1; \ + } \ + \ + /* Force "avalanching" of final 127 bits */ \ + hashv ^= hashv << 3; \ + hashv += hashv >> 5; \ + hashv ^= hashv << 4; \ + hashv += hashv >> 17; \ + hashv ^= hashv << 25; \ + hashv += hashv >> 6; \ +} while (0) + +#ifdef HASH_USING_NO_STRICT_ALIASING +/* The MurmurHash exploits some CPU's (x86,x86_64) tolerance for unaligned reads. + * For other types of CPU's (e.g. Sparc) an unaligned read causes a bus error. + * MurmurHash uses the faster approach only on CPU's where we know it's safe. + * + * Note the preprocessor built-in defines can be emitted using: + * + * gcc -m64 -dM -E - < /dev/null (on gcc) + * cc -## a.c (where a.c is a simple test file) (Sun Studio) + */ +#if (defined(__i386__) || defined(__x86_64__) || defined(_M_IX86)) +#define MUR_GETBLOCK(p,i) p[i] +#else /* non intel */ +#define MUR_PLUS0_ALIGNED(p) (((unsigned long)p & 3UL) == 0UL) +#define MUR_PLUS1_ALIGNED(p) (((unsigned long)p & 3UL) == 1UL) +#define MUR_PLUS2_ALIGNED(p) (((unsigned long)p & 3UL) == 2UL) +#define MUR_PLUS3_ALIGNED(p) (((unsigned long)p & 3UL) == 3UL) +#define WP(p) ((uint32_t*)((unsigned long)(p) & ~3UL)) +#if (defined(__BIG_ENDIAN__) || defined(SPARC) || defined(__ppc__) || defined(__ppc64__)) +#define MUR_THREE_ONE(p) ((((*WP(p))&0x00ffffff) << 8) | (((*(WP(p)+1))&0xff000000) >> 24)) +#define MUR_TWO_TWO(p) ((((*WP(p))&0x0000ffff) <<16) | (((*(WP(p)+1))&0xffff0000) >> 16)) +#define MUR_ONE_THREE(p) ((((*WP(p))&0x000000ff) <<24) | (((*(WP(p)+1))&0xffffff00) >> 8)) +#else /* assume little endian non-intel */ +#define MUR_THREE_ONE(p) ((((*WP(p))&0xffffff00) >> 8) | (((*(WP(p)+1))&0x000000ff) << 24)) +#define MUR_TWO_TWO(p) ((((*WP(p))&0xffff0000) >>16) | (((*(WP(p)+1))&0x0000ffff) << 16)) +#define MUR_ONE_THREE(p) ((((*WP(p))&0xff000000) >>24) | (((*(WP(p)+1))&0x00ffffff) << 8)) +#endif +#define MUR_GETBLOCK(p,i) (MUR_PLUS0_ALIGNED(p) ? ((p)[i]) : \ + (MUR_PLUS1_ALIGNED(p) ? MUR_THREE_ONE(p) : \ + (MUR_PLUS2_ALIGNED(p) ? MUR_TWO_TWO(p) : \ + MUR_ONE_THREE(p)))) +#endif +#define MUR_ROTL32(x,r) (((x) << (r)) | ((x) >> (32 - (r)))) +#define MUR_FMIX(_h) \ +do { \ + _h ^= _h >> 16; \ + _h *= 0x85ebca6bu; \ + _h ^= _h >> 13; \ + _h *= 0xc2b2ae35u; \ + _h ^= _h >> 16; \ +} while (0) + +#define HASH_MUR(key,keylen,hashv) \ +do { \ + const uint8_t *_mur_data = (const uint8_t*)(key); \ + const int _mur_nblocks = (int)(keylen) / 4; \ + uint32_t _mur_h1 = 0xf88D5353u; \ + uint32_t _mur_c1 = 0xcc9e2d51u; \ + uint32_t _mur_c2 = 0x1b873593u; \ + uint32_t _mur_k1 = 0; \ + const uint8_t *_mur_tail; \ + const uint32_t *_mur_blocks = (const uint32_t*)(_mur_data+(_mur_nblocks*4)); \ + int _mur_i; \ + for(_mur_i = -_mur_nblocks; _mur_i!=0; _mur_i++) { \ + _mur_k1 = MUR_GETBLOCK(_mur_blocks,_mur_i); \ + _mur_k1 *= _mur_c1; \ + _mur_k1 = MUR_ROTL32(_mur_k1,15); \ + _mur_k1 *= _mur_c2; \ + \ + _mur_h1 ^= _mur_k1; \ + _mur_h1 = MUR_ROTL32(_mur_h1,13); \ + _mur_h1 = (_mur_h1*5U) + 0xe6546b64u; \ + } \ + _mur_tail = (const uint8_t*)(_mur_data + (_mur_nblocks*4)); \ + _mur_k1=0; \ + switch((keylen) & 3U) { \ + case 3: _mur_k1 ^= (uint32_t)_mur_tail[2] << 16; /* FALLTHROUGH */ \ + case 2: _mur_k1 ^= (uint32_t)_mur_tail[1] << 8; /* FALLTHROUGH */ \ + case 1: _mur_k1 ^= (uint32_t)_mur_tail[0]; \ + _mur_k1 *= _mur_c1; \ + _mur_k1 = MUR_ROTL32(_mur_k1,15); \ + _mur_k1 *= _mur_c2; \ + _mur_h1 ^= _mur_k1; \ + } \ + _mur_h1 ^= (uint32_t)(keylen); \ + MUR_FMIX(_mur_h1); \ + hashv = _mur_h1; \ +} while (0) +#endif /* HASH_USING_NO_STRICT_ALIASING */ + +/* iterate over items in a known bucket to find desired item */ +#define HASH_FIND_IN_BKT(tbl,hh,head,keyptr,keylen_in,hashval,out) \ +do { \ + if ((head).hh_head != NULL) { \ + DECLTYPE_ASSIGN(out, ELMT_FROM_HH(tbl, (head).hh_head)); \ + } else { \ + (out) = NULL; \ + } \ + while ((out) != NULL) { \ + if ((out)->hh.hashv == (hashval) && (out)->hh.keylen == (keylen_in)) { \ + if (uthash_memcmp((out)->hh.key, keyptr, keylen_in) == 0) { \ + break; \ + } \ + } \ + if ((out)->hh.hh_next != NULL) { \ + DECLTYPE_ASSIGN(out, ELMT_FROM_HH(tbl, (out)->hh.hh_next)); \ + } else { \ + (out) = NULL; \ + } \ + } \ +} while (0) + +/* add an item to a bucket */ +#define HASH_ADD_TO_BKT(head,addhh) \ +do { \ + head.count++; \ + (addhh)->hh_next = head.hh_head; \ + (addhh)->hh_prev = NULL; \ + if (head.hh_head != NULL) { (head).hh_head->hh_prev = (addhh); } \ + (head).hh_head=addhh; \ + if ((head.count >= ((head.expand_mult+1U) * HASH_BKT_CAPACITY_THRESH)) \ + && ((addhh)->tbl->noexpand != 1U)) { \ + HASH_EXPAND_BUCKETS((addhh)->tbl); \ + } \ +} while (0) + +/* remove an item from a given bucket */ +#define HASH_DEL_IN_BKT(hh,head,hh_del) \ + (head).count--; \ + if ((head).hh_head == hh_del) { \ + (head).hh_head = hh_del->hh_next; \ + } \ + if (hh_del->hh_prev) { \ + hh_del->hh_prev->hh_next = hh_del->hh_next; \ + } \ + if (hh_del->hh_next) { \ + hh_del->hh_next->hh_prev = hh_del->hh_prev; \ + } + +/* Bucket expansion has the effect of doubling the number of buckets + * and redistributing the items into the new buckets. Ideally the + * items will distribute more or less evenly into the new buckets + * (the extent to which this is true is a measure of the quality of + * the hash function as it applies to the key domain). + * + * With the items distributed into more buckets, the chain length + * (item count) in each bucket is reduced. Thus by expanding buckets + * the hash keeps a bound on the chain length. This bounded chain + * length is the essence of how a hash provides constant time lookup. + * + * The calculation of tbl->ideal_chain_maxlen below deserves some + * explanation. First, keep in mind that we're calculating the ideal + * maximum chain length based on the *new* (doubled) bucket count. + * In fractions this is just n/b (n=number of items,b=new num buckets). + * Since the ideal chain length is an integer, we want to calculate + * ceil(n/b). We don't depend on floating point arithmetic in this + * hash, so to calculate ceil(n/b) with integers we could write + * + * ceil(n/b) = (n/b) + ((n%b)?1:0) + * + * and in fact a previous version of this hash did just that. + * But now we have improved things a bit by recognizing that b is + * always a power of two. We keep its base 2 log handy (call it lb), + * so now we can write this with a bit shift and logical AND: + * + * ceil(n/b) = (n>>lb) + ( (n & (b-1)) ? 1:0) + * + */ +#define HASH_EXPAND_BUCKETS(tbl) \ +do { \ + unsigned _he_bkt; \ + unsigned _he_bkt_i; \ + struct UT_hash_handle *_he_thh, *_he_hh_nxt; \ + UT_hash_bucket *_he_new_buckets, *_he_newbkt; \ + _he_new_buckets = (UT_hash_bucket*)uthash_malloc( \ + 2UL * tbl->num_buckets * sizeof(struct UT_hash_bucket)); \ + if (!_he_new_buckets) { uthash_fatal( "out of memory"); } \ + memset(_he_new_buckets, 0, \ + 2UL * tbl->num_buckets * sizeof(struct UT_hash_bucket)); \ + tbl->ideal_chain_maxlen = \ + (tbl->num_items >> (tbl->log2_num_buckets+1U)) + \ + (((tbl->num_items & ((tbl->num_buckets*2U)-1U)) != 0U) ? 1U : 0U); \ + tbl->nonideal_items = 0; \ + for(_he_bkt_i = 0; _he_bkt_i < tbl->num_buckets; _he_bkt_i++) \ + { \ + _he_thh = tbl->buckets[ _he_bkt_i ].hh_head; \ + while (_he_thh != NULL) { \ + _he_hh_nxt = _he_thh->hh_next; \ + HASH_TO_BKT( _he_thh->hashv, tbl->num_buckets*2U, _he_bkt); \ + _he_newbkt = &(_he_new_buckets[ _he_bkt ]); \ + if (++(_he_newbkt->count) > tbl->ideal_chain_maxlen) { \ + tbl->nonideal_items++; \ + _he_newbkt->expand_mult = _he_newbkt->count / \ + tbl->ideal_chain_maxlen; \ + } \ + _he_thh->hh_prev = NULL; \ + _he_thh->hh_next = _he_newbkt->hh_head; \ + if (_he_newbkt->hh_head != NULL) { _he_newbkt->hh_head->hh_prev = \ + _he_thh; } \ + _he_newbkt->hh_head = _he_thh; \ + _he_thh = _he_hh_nxt; \ + } \ + } \ + uthash_free( tbl->buckets, tbl->num_buckets*sizeof(struct UT_hash_bucket) ); \ + tbl->num_buckets *= 2U; \ + tbl->log2_num_buckets++; \ + tbl->buckets = _he_new_buckets; \ + tbl->ineff_expands = (tbl->nonideal_items > (tbl->num_items >> 1)) ? \ + (tbl->ineff_expands+1U) : 0U; \ + if (tbl->ineff_expands > 1U) { \ + tbl->noexpand=1; \ + uthash_noexpand_fyi(tbl); \ + } \ + uthash_expand_fyi(tbl); \ +} while (0) + + +/* This is an adaptation of Simon Tatham's O(n log(n)) mergesort */ +/* Note that HASH_SORT assumes the hash handle name to be hh. + * HASH_SRT was added to allow the hash handle name to be passed in. */ +#define HASH_SORT(head,cmpfcn) HASH_SRT(hh,head,cmpfcn) +#define HASH_SRT(hh,head,cmpfcn) \ +do { \ + unsigned _hs_i; \ + unsigned _hs_looping,_hs_nmerges,_hs_insize,_hs_psize,_hs_qsize; \ + struct UT_hash_handle *_hs_p, *_hs_q, *_hs_e, *_hs_list, *_hs_tail; \ + if (head != NULL) { \ + _hs_insize = 1; \ + _hs_looping = 1; \ + _hs_list = &((head)->hh); \ + while (_hs_looping != 0U) { \ + _hs_p = _hs_list; \ + _hs_list = NULL; \ + _hs_tail = NULL; \ + _hs_nmerges = 0; \ + while (_hs_p != NULL) { \ + _hs_nmerges++; \ + _hs_q = _hs_p; \ + _hs_psize = 0; \ + for ( _hs_i = 0; _hs_i < _hs_insize; _hs_i++ ) { \ + _hs_psize++; \ + _hs_q = (UT_hash_handle*)((_hs_q->next != NULL) ? \ + ((void*)((char*)(_hs_q->next) + \ + (head)->hh.tbl->hho)) : NULL); \ + if (! (_hs_q) ) { break; } \ + } \ + _hs_qsize = _hs_insize; \ + while ((_hs_psize > 0U) || ((_hs_qsize > 0U) && (_hs_q != NULL))) {\ + if (_hs_psize == 0U) { \ + _hs_e = _hs_q; \ + _hs_q = (UT_hash_handle*)((_hs_q->next != NULL) ? \ + ((void*)((char*)(_hs_q->next) + \ + (head)->hh.tbl->hho)) : NULL); \ + _hs_qsize--; \ + } else if ( (_hs_qsize == 0U) || (_hs_q == NULL) ) { \ + _hs_e = _hs_p; \ + if (_hs_p != NULL){ \ + _hs_p = (UT_hash_handle*)((_hs_p->next != NULL) ? \ + ((void*)((char*)(_hs_p->next) + \ + (head)->hh.tbl->hho)) : NULL); \ + } \ + _hs_psize--; \ + } else if (( \ + cmpfcn(DECLTYPE(head)(ELMT_FROM_HH((head)->hh.tbl,_hs_p)), \ + DECLTYPE(head)(ELMT_FROM_HH((head)->hh.tbl,_hs_q))) \ + ) <= 0) { \ + _hs_e = _hs_p; \ + if (_hs_p != NULL){ \ + _hs_p = (UT_hash_handle*)((_hs_p->next != NULL) ? \ + ((void*)((char*)(_hs_p->next) + \ + (head)->hh.tbl->hho)) : NULL); \ + } \ + _hs_psize--; \ + } else { \ + _hs_e = _hs_q; \ + _hs_q = (UT_hash_handle*)((_hs_q->next != NULL) ? \ + ((void*)((char*)(_hs_q->next) + \ + (head)->hh.tbl->hho)) : NULL); \ + _hs_qsize--; \ + } \ + if ( _hs_tail != NULL ) { \ + _hs_tail->next = ((_hs_e != NULL) ? \ + ELMT_FROM_HH((head)->hh.tbl,_hs_e) : NULL); \ + } else { \ + _hs_list = _hs_e; \ + } \ + if (_hs_e != NULL) { \ + _hs_e->prev = ((_hs_tail != NULL) ? \ + ELMT_FROM_HH((head)->hh.tbl,_hs_tail) : NULL); \ + } \ + _hs_tail = _hs_e; \ + } \ + _hs_p = _hs_q; \ + } \ + if (_hs_tail != NULL){ \ + _hs_tail->next = NULL; \ + } \ + if ( _hs_nmerges <= 1U ) { \ + _hs_looping=0; \ + (head)->hh.tbl->tail = _hs_tail; \ + DECLTYPE_ASSIGN(head,ELMT_FROM_HH((head)->hh.tbl, _hs_list)); \ + } \ + _hs_insize *= 2U; \ + } \ + HASH_FSCK(hh,head); \ + } \ +} while (0) + +/* This function selects items from one hash into another hash. + * The end result is that the selected items have dual presence + * in both hashes. There is no copy of the items made; rather + * they are added into the new hash through a secondary hash + * hash handle that must be present in the structure. */ +#define HASH_SELECT(hh_dst, dst, hh_src, src, cond) \ +do { \ + unsigned _src_bkt, _dst_bkt; \ + void *_last_elt=NULL, *_elt; \ + UT_hash_handle *_src_hh, *_dst_hh, *_last_elt_hh=NULL; \ + ptrdiff_t _dst_hho = ((char*)(&(dst)->hh_dst) - (char*)(dst)); \ + if (src != NULL) { \ + for(_src_bkt=0; _src_bkt < (src)->hh_src.tbl->num_buckets; _src_bkt++) { \ + for(_src_hh = (src)->hh_src.tbl->buckets[_src_bkt].hh_head; \ + _src_hh != NULL; \ + _src_hh = _src_hh->hh_next) { \ + _elt = ELMT_FROM_HH((src)->hh_src.tbl, _src_hh); \ + if (cond(_elt)) { \ + _dst_hh = (UT_hash_handle*)(((char*)_elt) + _dst_hho); \ + _dst_hh->key = _src_hh->key; \ + _dst_hh->keylen = _src_hh->keylen; \ + _dst_hh->hashv = _src_hh->hashv; \ + _dst_hh->prev = _last_elt; \ + _dst_hh->next = NULL; \ + if (_last_elt_hh != NULL) { _last_elt_hh->next = _elt; } \ + if (dst == NULL) { \ + DECLTYPE_ASSIGN(dst,_elt); \ + HASH_MAKE_TABLE(hh_dst,dst); \ + } else { \ + _dst_hh->tbl = (dst)->hh_dst.tbl; \ + } \ + HASH_TO_BKT(_dst_hh->hashv, _dst_hh->tbl->num_buckets, _dst_bkt); \ + HASH_ADD_TO_BKT(_dst_hh->tbl->buckets[_dst_bkt],_dst_hh); \ + (dst)->hh_dst.tbl->num_items++; \ + _last_elt = _elt; \ + _last_elt_hh = _dst_hh; \ + } \ + } \ + } \ + } \ + HASH_FSCK(hh_dst,dst); \ +} while (0) + +#define HASH_CLEAR(hh,head) \ +do { \ + if (head != NULL) { \ + uthash_free((head)->hh.tbl->buckets, \ + (head)->hh.tbl->num_buckets*sizeof(struct UT_hash_bucket)); \ + HASH_BLOOM_FREE((head)->hh.tbl); \ + uthash_free((head)->hh.tbl, sizeof(UT_hash_table)); \ + (head)=NULL; \ + } \ +} while (0) + +#define HASH_OVERHEAD(hh,head) \ + ((head != NULL) ? ( \ + (size_t)(((head)->hh.tbl->num_items * sizeof(UT_hash_handle)) + \ + ((head)->hh.tbl->num_buckets * sizeof(UT_hash_bucket)) + \ + sizeof(UT_hash_table) + \ + (HASH_BLOOM_BYTELEN))) : 0U) + +#ifdef NO_DECLTYPE +#define HASH_ITER(hh,head,el,tmp) \ +for(((el)=(head)), ((*(char**)(&(tmp)))=(char*)((head!=NULL)?(head)->hh.next:NULL)); \ + (el) != NULL; ((el)=(tmp)), ((*(char**)(&(tmp)))=(char*)((tmp!=NULL)?(tmp)->hh.next:NULL))) +#else +#define HASH_ITER(hh,head,el,tmp) \ +for(((el)=(head)), ((tmp)=DECLTYPE(el)((head!=NULL)?(head)->hh.next:NULL)); \ + (el) != NULL; ((el)=(tmp)), ((tmp)=DECLTYPE(el)((tmp!=NULL)?(tmp)->hh.next:NULL))) +#endif + +/* obtain a count of items in the hash */ +#define HASH_COUNT(head) HASH_CNT(hh,head) +#define HASH_CNT(hh,head) ((head != NULL)?((head)->hh.tbl->num_items):0U) + +typedef struct UT_hash_bucket { + struct UT_hash_handle *hh_head; + unsigned count; + + /* expand_mult is normally set to 0. In this situation, the max chain length + * threshold is enforced at its default value, HASH_BKT_CAPACITY_THRESH. (If + * the bucket's chain exceeds this length, bucket expansion is triggered). + * However, setting expand_mult to a non-zero value delays bucket expansion + * (that would be triggered by additions to this particular bucket) + * until its chain length reaches a *multiple* of HASH_BKT_CAPACITY_THRESH. + * (The multiplier is simply expand_mult+1). The whole idea of this + * multiplier is to reduce bucket expansions, since they are expensive, in + * situations where we know that a particular bucket tends to be overused. + * It is better to let its chain length grow to a longer yet-still-bounded + * value, than to do an O(n) bucket expansion too often. + */ + unsigned expand_mult; + +} UT_hash_bucket; + +/* random signature used only to find hash tables in external analysis */ +#define HASH_SIGNATURE 0xa0111fe1u +#define HASH_BLOOM_SIGNATURE 0xb12220f2u + +typedef struct UT_hash_table { + UT_hash_bucket *buckets; + unsigned num_buckets, log2_num_buckets; + unsigned num_items; + struct UT_hash_handle *tail; /* tail hh in app order, for fast append */ + ptrdiff_t hho; /* hash handle offset (byte pos of hash handle in element */ + + /* in an ideal situation (all buckets used equally), no bucket would have + * more than ceil(#items/#buckets) items. that's the ideal chain length. */ + unsigned ideal_chain_maxlen; + + /* nonideal_items is the number of items in the hash whose chain position + * exceeds the ideal chain maxlen. these items pay the penalty for an uneven + * hash distribution; reaching them in a chain traversal takes >ideal steps */ + unsigned nonideal_items; + + /* ineffective expands occur when a bucket doubling was performed, but + * afterward, more than half the items in the hash had nonideal chain + * positions. If this happens on two consecutive expansions we inhibit any + * further expansion, as it's not helping; this happens when the hash + * function isn't a good fit for the key domain. When expansion is inhibited + * the hash will still work, albeit no longer in constant time. */ + unsigned ineff_expands, noexpand; + + uint32_t signature; /* used only to find hash tables in external analysis */ +#ifdef HASH_BLOOM + uint32_t bloom_sig; /* used only to test bloom exists in external analysis */ + uint8_t *bloom_bv; + uint8_t bloom_nbits; +#endif + +} UT_hash_table; + +typedef struct UT_hash_handle { + struct UT_hash_table *tbl; + void *prev; /* prev element in app order */ + void *next; /* next element in app order */ + struct UT_hash_handle *hh_prev; /* previous hh in bucket order */ + struct UT_hash_handle *hh_next; /* next hh in bucket order */ + void *key; /* ptr to enclosing struct's key */ + unsigned keylen; /* enclosing struct's key len */ + unsigned hashv; /* result of hash-fcn(key) */ +} UT_hash_handle; + +#endif /* UTHASH_H */ diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index 7eada61e2..726736a06 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -1,7 +1,7 @@ /* * ndpi_protocol_ids.h * - * Copyright (C) 2016 - ntop.org + * Copyright (C) 2011-17 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH @@ -224,49 +224,45 @@ #define NDPI_PROTOCOL_TELEGRAM 185 /* Gianluca Costa <g.costa@xplico.org> */ #define NDPI_PROTOCOL_VEVO 186 #define NDPI_PROTOCOL_PANDORA 187 -#define NDPI_PROTOCOL_QUIC 188 /* Andrea Buscarinu <andrea.buscarinu@gmail.com> - Michele Campus <michelecampus5@gmail.com> */ +#define NDPI_PROTOCOL_QUIC 188 /* Andrea Buscarinu <andrea.buscarinu@gmail.com> - Michele Campus <michelecampus5@gmail.com> */ #define NDPI_PROTOCOL_WHATSAPP_VOICE 189 -#define NDPI_PROTOCOL_EAQ 190 - -/* 191, 192 are free */ -#define NDPI_PROTOCOL_FREE_191 191 -#define NDPI_PROTOCOL_FREE_192 192 - +#define NDPI_PROTOCOL_EAQ 190 +#define NDPI_PROTOCOL_OOKLA 191 +#define NDPI_PROTOCOL_AMQP 192 #define NDPI_PROTOCOL_KAKAOTALK 193 /* KakaoTalk Chat (no voice call) */ #define NDPI_PROTOCOL_KAKAOTALK_VOICE 194 /* KakaoTalk Voice */ -#define NDPI_PROTOCOL_TWITCH 195 /* Edoardo Dominici <edoaramis@gmail.com> */ +#define NDPI_PROTOCOL_TWITCH 195 /* Edoardo Dominici <edoaramis@gmail.com> */ #define NDPI_PROTOCOL_QUICKPLAY 196 /* Streaming service used by various services such as hooq.tv */ +#define NDPI_PROTOCOL_WECHAT 197 -/* 197 is free */ -#define NDPI_PROTOCOL_FREE_197 197 +#define NDPI_PROTOCOL_MPEGTS 198 +#define NDPI_PROTOCOL_SNAPCHAT 199 +#define NDPI_PROTOCOL_SINA 200 +#define NDPI_PROTOCOL_HANGOUT 201 +#define NDPI_PROTOCOL_IFLIX 202 /* www.vizuamatix.com R&D team & M.Mallawaarachchie <manoj_ws@yahoo.com> */ +#define NDPI_PROTOCOL_GITHUB 203 +#define NDPI_PROTOCOL_BJNP 204 +#define NDPI_PROTOCOL_1KXUN 205 +#define NDPI_PROTOCOL_IQIYI 206 +#define NDPI_PROTOCOL_SMPP 207 /* Damir Franusic <df@release14.org> */ -#define NDPI_PROTOCOL_MPEGTS 198 -#define NDPI_PROTOCOL_SNAPCHAT 199 -#define NDPI_PROTOCOL_SINA 200 -#define NDPI_PROTOCOL_HANGOUT 201 -#define NDPI_PROTOCOL_IFLIX 202 /* www.vizuamatix.com R&D team & M.Mallawaarachchie <manoj_ws@yahoo.com> */ -#define NDPI_PROTOCOL_GITHUB 203 -#define NDPI_PROTOCOL_BJNP 204 -#define NDPI_PROTOCOL_1KXUN 205 -#define NDPI_PROTOCOL_IQIYI 206 -#define NDPI_PROTOCOL_SMPP 207 /* Damir Franusic <df@release14.org> */ +#define NDPI_PROTOCOL_DNSCRYPT 208 -/* 208 - 209 free */ -#define NDPI_PROTOCOL_FREE_208 208 -#define NDPI_PROTOCOL_FREE_209 209 +/* 209 free */ +#define NDPI_PROTOCOL_FREE_209 209 -#define NDPI_PROTOCOL_DEEZER 210 +#define NDPI_PROTOCOL_DEEZER 210 #define NDPI_PROTOCOL_INSTAGRAM 211 /* Andrea Buscarinu <andrea.buscarinu@gmail.com> */ #define NDPI_PROTOCOL_MICROSOFT 212 #define NDPI_PROTOCOL_STARCRAFT 213 /* Matteo Bracci <matteobracci1@gmail.com> */ -#define NDPI_PROTOCOL_TEREDO 214 +#define NDPI_PROTOCOL_TEREDO 214 #define NDPI_PROTOCOL_HOTSPOT_SHIELD 215 -#define NDPI_PROTOCOL_HEP 216 /* sipcapture.org QXIP BV */ +#define NDPI_PROTOCOL_HEP 216 /* sipcapture.org QXIP BV */ /* 217 is free */ -#define NDPI_PROTOCOL_FREE_217 217 +#define NDPI_PROTOCOL_FREE_217 217 -#define NDPI_PROTOCOL_OCS 218 +#define NDPI_PROTOCOL_OCS 218 #define NDPI_PROTOCOL_OFFICE_365 219 #define NDPI_PROTOCOL_CLOUDFLARE 220 #define NDPI_PROTOCOL_MS_ONE_DRIVE 221 @@ -274,11 +270,11 @@ #define NDPI_PROTOCOL_RX 223 /* 224 is free */ -#define NDPI_PROTOCOL_FREE_224 224 +#define NDPI_PROTOCOL_FREE_224 224 -#define NDPI_PROTOCOL_OPENDNS 225 -#define NDPI_PROTOCOL_GIT 226 -#define NDPI_PROTOCOL_DRDA 227 +#define NDPI_PROTOCOL_OPENDNS 225 +#define NDPI_PROTOCOL_GIT 226 +#define NDPI_PROTOCOL_DRDA 227 /* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */ #define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_DRDA diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h index edf4ca3dc..b3b4092b4 100644 --- a/src/include/ndpi_protocols.h +++ b/src/include/ndpi_protocols.h @@ -202,6 +202,7 @@ void init_aimini_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i void init_applejuice_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_armagetron_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_ayiya_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_amqp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_battlefield_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_bgp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_bittorrent_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 490098086..e1fbeb71c 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -138,14 +138,12 @@ struct ndpi_snap_extension } PACK_OFF; PACK_ON -struct ndpi_llc_header +struct ndpi_llc_header_snap { u_int8_t dsap; u_int8_t ssap; u_int8_t ctrl; -#ifdef SNAP_EXT struct ndpi_snap_extension snap; -#endif } PACK_OFF; /* ++++++++++ RADIO TAP header (for IEEE 802.11) +++++++++++++ */ diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am index 987975c47..3770c9cfc 100644 --- a/src/lib/Makefile.am +++ b/src/lib/Makefile.am @@ -21,6 +21,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/applejuice.c \ protocols/armagetron.c \ protocols/ayiya.c \ + protocols/amqp.c \ protocols/battlefield.c \ protocols/bgp.c \ protocols/bittorrent.c \ diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 1ad13fbd2..85cfc0ec9 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -79,6 +79,17 @@ static ndpi_network host_protocol_list[] = { { 0xA92F2320 /* 169.47.35.32/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + /* + WeChat + 203.205.147.171 + 203.205.147.173 + 203.205.151.162 + */ + + { 0xCBCD93AB /* 203.205.147.171/32 */, 32, NDPI_PROTOCOL_WECHAT }, + { 0xCBCD93AD /* 203.205.147.173/32 */, 32, NDPI_PROTOCOL_WECHAT }, + { 0xCBCD97A2 /* 203.205.151.162/32 */, 32, NDPI_PROTOCOL_WECHAT }, + /* OpenDNS, LLC origin AS36692, AS30607 @@ -823,6 +834,21 @@ static ndpi_network host_protocol_list[] = { { 0x959AA000 /* 149.154.160.0/20 */, 20, NDPI_PROTOCOL_TELEGRAM }, /* + BitTorrent + */ + + { 0xB9381424 /* 185.56.20.36/32 */, 32, NDPI_PROTOCOL_BITTORRENT }, + { 0xC0DEED0A /* 192.222.237.10/32 */, 32, NDPI_PROTOCOL_BITTORRENT }, + { 0x4DDEAE14 /* 77.222.174.20/32 */, 32, NDPI_PROTOCOL_BITTORRENT }, + { 0x25779CBD /* 37.119.156.189/32 */, 32, NDPI_PROTOCOL_BITTORRENT }, + { 0x05277C26 /* 5.39.124.38/32 */, 32, NDPI_PROTOCOL_BITTORRENT }, + { 0x4FC0AB43 /* 79.192.171.67/32 */, 32, NDPI_PROTOCOL_BITTORRENT }, + { 0xAC100010 /* 172.16.0.16/32 */, 32, NDPI_PROTOCOL_BITTORRENT }, + { 0xB2A4F550 /* 178.164.245.80/32 */, 32, NDPI_PROTOCOL_BITTORRENT }, + { 0xAE597B3E /* 174.89.123.62/32 */, 32, NDPI_PROTOCOL_BITTORRENT }, + + + /* Tor http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv From 02/17/2017 @@ -7941,14 +7967,18 @@ ndpi_protocol_match host_match[] = { { "amazonaws.com", "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { "amazon-adsystem.com", "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { ".cloudfront.net", "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, + { ".apple.com", "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { ".mzstatic.com", "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { ".icloud.com", "AppleiCloud", NDPI_PROTOCOL_APPLE_ICLOUD, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { "itunes.apple.com", "AppleiTunes", NDPI_PROTOCOL_APPLE_ITUNES, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_FUN }, + { ".cnn.c", "CNN", NDPI_PROTOCOL_CNN, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_FUN }, { ".cnn.net", "CNN", NDPI_PROTOCOL_CNN, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_FUN }, + { ".dropbox.com", "DropBox", NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE }, { "log.getdropbox.com", "DropBox", NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE }, + { ".ebay.", "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { ".ebay.com", "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { ".ebaystatic.com", "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, @@ -7956,11 +7986,15 @@ ndpi_protocol_match host_match[] = { { ".ebayrtm.com", "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { ".ebaystratus.com", "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { ".ebayimg.com", "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, + { "facebook.com", "Facebook", NDPI_PROTOCOL_FACEBOOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN }, { "fbstatic-a.akamaihd.net", "Facebook", NDPI_PROTOCOL_FACEBOOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN }, { ".fbcdn.net", "Facebook", NDPI_PROTOCOL_FACEBOOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN }, { "fbcdn-", "Facebook", NDPI_PROTOCOL_FACEBOOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN }, /* fbcdn-video-a-akamaihd.net */ { ".facebook.net", "Facebook", NDPI_PROTOCOL_FACEBOOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN }, + + { ".speedtest.net", "Ookla", NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_CATEGORY_NETWORK_TOOL, NDPI_PROTOCOL_ACCEPTABLE }, + { ".google.", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { ".gstatic.com", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { ".googlesyndication.com", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, @@ -7974,18 +8008,25 @@ ndpi_protocol_match host_match[] = { { "googleapis.com", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { "ggpht.com", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { "1e100.net", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, + { "maps.google.", "GoogleMaps", NDPI_PROTOCOL_GOOGLE_MAPS, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { "maps.gstatic.com", "GoogleMaps", NDPI_PROTOCOL_GOOGLE_MAPS, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, + { ".gmail.", "GMail", NDPI_PROTOCOL_GMAIL, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_SAFE }, { "mail.google.", "GMail", NDPI_PROTOCOL_GMAIL, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_SAFE }, + { "mail.outlook.com", "Hotmail", NDPI_PROTOCOL_HOTMAIL, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_SAFE }, + { ".last.fm", "LastFM", NDPI_PROTOCOL_LASTFM, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_FUN }, + { "msn.com", "MSN", NDPI_PROTOCOL_MSN, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_FUN }, + { "netflix.com", "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, { "nflxext.com", "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, { "nflximg.com", "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, { "nflximg.net", "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, { "nflxvideo.net", "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { ".skype.", "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE }, { ".skypeassets.", "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE }, { ".skypedata.", "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE }, @@ -7995,20 +8036,27 @@ ndpi_protocol_match host_match[] = { { "e7768.b.akamaiedge.net", "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE }, { "e4593.dspg.akamaiedge.net", "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE }, { "e4593.g.akamaiedge.net", "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE }, + { ".tuenti.com", "Tuenti", NDPI_PROTOCOL_TUENTI, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, + { ".twttr.com", "Twitter", NDPI_PROTOCOL_TWITTER, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, { "twitter.", "Twitter", NDPI_PROTOCOL_TWITTER, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, { "twimg.com", "Twitter", NDPI_PROTOCOL_TWITTER, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, + { ".viber.com", "Viber", NDPI_PROTOCOL_VIBER, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE }, { ".cdn.viber.com", "Viber", NDPI_PROTOCOL_VIBER, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE }, + { "wikipedia.", "Wikipedia", NDPI_PROTOCOL_WIKIPEDIA, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { "wikimedia.", "Wikipedia", NDPI_PROTOCOL_WIKIPEDIA, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { "mediawiki.", "Wikipedia", NDPI_PROTOCOL_WIKIPEDIA, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { "wikimediafoundation.", "Wikipedia", NDPI_PROTOCOL_WIKIPEDIA, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, + { ".whatsapp.", "WhatsApp", NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE }, + { ".yahoo.", "Yahoo", NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { ".yimg.com", "Yahoo", NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { "yahooapis.", "Yahoo", NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, + { "youtube.", "YouTube", NDPI_PROTOCOL_YOUTUBE, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, { "youtu.be.", "YouTube", NDPI_PROTOCOL_YOUTUBE, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, { "yt3.ggpht.com", "YouTube", NDPI_PROTOCOL_YOUTUBE, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, @@ -8017,17 +8065,26 @@ ndpi_protocol_match host_match[] = { { "youtube-nocookie.", "YouTube", NDPI_PROTOCOL_YOUTUBE, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, { "ggpht.com", "YouTube", NDPI_PROTOCOL_YOUTUBE, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, { "googleusercontent.com", "YouTube", NDPI_PROTOCOL_YOUTUBE, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { ".vevo.com", "Vevo", NDPI_PROTOCOL_VEVO, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { ".spotify.", "Spotify", NDPI_PROTOCOL_SPOTIFY, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { ".pandora.com", "Pandora", NDPI_PROTOCOL_PANDORA, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { ".torproject.org", "Tor", NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS }, + { ".kakao.com", "KakaoTalk", NDPI_PROTOCOL_KAKAOTALK, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_FUN }, + { "ttvnw.net", "Twitch", NDPI_PROTOCOL_TWITCH, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, { "static-cdn.jtvnw.net", "Twitch", NDPI_PROTOCOL_TWITCH, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, { "www-cdn.jtvnw.net", "Twitch", NDPI_PROTOCOL_TWITCH, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { "quickplay.com", "QuickPlay", NDPI_PROTOCOL_QUICKPLAY, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { ".qq.com", "QQ", NDPI_PROTOCOL_QQ, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN }, { ".gtimg.com", "QQ", NDPI_PROTOCOL_QQ, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN }, + { ".weibo.com", "Sina(Weibo)", NDPI_PROTOCOL_SINA, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN }, { ".sinaimg.cn", "Sina", NDPI_PROTOCOL_SINA, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN }, { ".sinajs.cn", "Sina", NDPI_PROTOCOL_SINA, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN }, @@ -8048,6 +8105,7 @@ ndpi_protocol_match host_match[] = { { "instagramstatic-", "Instagram", NDPI_PROTOCOL_INSTAGRAM, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_FUN }, { ".waze.com", "Waze", NDPI_PROTOCOL_WAZE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, + { ".deezer.com", "Deezer", NDPI_PROTOCOL_DEEZER, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { ".microsoft.com", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_SYSTEM, NDPI_PROTOCOL_ACCEPTABLE }, @@ -8056,17 +8114,22 @@ ndpi_protocol_match host_match[] = { { ".webtrends.com", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { ".msecnd.net", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { ".visualstudio.com", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + { "bn1301.storage.live.com", "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE,NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE }, { "*.gateway.messenger.live.com", "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE }, { "skyapi.live.net", "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE }, { "d.docs.live.net", "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE }, + { "update.microsoft.com", "WindowsUpdate", NDPI_PROTOCOL_WINDOWS_UPDATE, NDPI_PROTOCOL_CATEGORY_SYSTEM, NDPI_PROTOCOL_ACCEPTABLE }, { ".windowsupdate.com", "WindowsUpdate", NDPI_PROTOCOL_WINDOWS_UPDATE, NDPI_PROTOCOL_CATEGORY_SYSTEM, NDPI_PROTOCOL_ACCEPTABLE }, { "worldofwarcraft.com", "WorldOfWarcraft", NDPI_PROTOCOL_WORLDOFWARCRAFT, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN }, + { ".anchorfree.", "HotspotShield", NDPI_PROTOCOL_HOTSPOT_SHIELD, NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS }, { "hotspotshield.com", "HotspotShield", NDPI_PROTOCOL_HOTSPOT_SHIELD, NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS }, + { ".webex.com", "Webex", NDPI_PROTOCOL_WEBEX, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + { ".ocsdomain.com", "OCS", NDPI_PROTOCOL_OCS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_FUN }, { "ocs.fr", "OCS", NDPI_PROTOCOL_OCS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_FUN }, { ".ocs.fr", "OCS", NDPI_PROTOCOL_OCS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_FUN }, @@ -8082,16 +8145,6 @@ ndpi_protocol_match host_match[] = { { "evsecure-crl.verisign.com", "Office365", NDPI_PROTOCOL_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, { ".omniroot.com", "Office365", NDPI_PROTOCOL_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, -#if 0 - /* The lines below are not just for Office 365 so they cannot be used for this purpose */ - { ".verisign.com", "Office365", NDPI_PROTOCOL_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, - { ".symcb.com", "Office365", NDPI_PROTOCOL_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, - { ".symcd.com", "Office365", NDPI_PROTOCOL_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, - { ".verisign.net", "Office365", NDPI_PROTOCOL_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, - { ".geotrust.com", "Office365", NDPI_PROTOCOL_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, - { ".entrust.net", "Office365", NDPI_PROTOCOL_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, - { ".public-trust.com", "Office365", NDPI_PROTOCOL_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, -#endif /* http://www.urlquery.net/report.php?id=1453233646161 */ { "lifedom.top", "Cloudflare", NDPI_PROTOCOL_CLOUDFLARE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { "coby.ns.cloudflare.com", "Cloudflare", NDPI_PROTOCOL_CLOUDFLARE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, @@ -8122,17 +8175,30 @@ ndpi_protocol_match host_match[] = { { ".qiyi.com", "iQIYI", NDPI_PROTOCOL_IQIYI, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, { ".71.am", "iQIYI", NDPI_PROTOCOL_IQIYI, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, { ".qiyipic.com", "iQIYI", NDPI_PROTOCOL_IQIYI, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { ".ppstream.com", "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, { ".pps.tv", "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { ".1kxun.", "1kxun", NDPI_PROTOCOL_1KXUN, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, { "tcad.wedolook.com", "1kxun", NDPI_PROTOCOL_1KXUN, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, { ".steampowered.com", "Steam", NDPI_PROTOCOL_STEAM, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN }, { "steamcommunity.com", "Steam", NDPI_PROTOCOL_STEAM, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN }, { ".steamcontent.com", "Steam", NDPI_PROTOCOL_STEAM, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN }, - { ".steamstatic.com", "Steam", NDPI_PROTOCOL_STEAM, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN }, - { "steamcommunity-a.akamaihd.net", "Steam", NDPI_PROTOCOL_STEAM, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN }, + { ".steamstatic.com", "Steam", NDPI_PROTOCOL_STEAM, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN }, + { "steamcommunity-a.akamaihd.net", "Steam", NDPI_PROTOCOL_STEAM, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN }, + + { ".wechat.com", "WeChat", NDPI_PROTOCOL_WECHAT, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN }, + { ".wechat.org", "WeChat", NDPI_PROTOCOL_WECHAT, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN }, + { ".wechatapp.com", "WeChat", NDPI_PROTOCOL_WECHAT, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN }, + { ".we.chat", "WeChat", NDPI_PROTOCOL_WECHAT, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN }, + { ".wx.", "WeChat", NDPI_PROTOCOL_WECHAT, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN }, + { ".weixin.", "WeChat", NDPI_PROTOCOL_WECHAT, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN }, + { ".mmsns.qpic.cn", "WeChat", NDPI_PROTOCOL_WECHAT, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN }, + + { "dnscrypt.org", "DNScrypt", NDPI_PROTOCOL_DNSCRYPT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, + { "torrent.", "BitTorrent", NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_CATEGORY_P2P, NDPI_PROTOCOL_ACCEPTABLE }, { NULL, 0 } }; @@ -8205,6 +8271,8 @@ ndpi_protocol_match content_match[] = { - www.qbtxzhetq4s2f.com - www.fgd2iwya7vinfutj5wq5we.net + See also DGA (Domain Generation Algorithm) + In essence www.<name>.com|net To do things properly we should check if host name in the certificate diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 8783ef6cd..b318ce566 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -187,7 +187,7 @@ static void ndpi_tdestroy_recurse(ndpi_node* root, void (*free_action)(void *)) void ndpi_tdestroy(void *vrootp, void (*freefct)(void *)) { ndpi_node *root = (ndpi_node *) vrootp; - + if(root != NULL) ndpi_tdestroy_recurse(root, freefct); } @@ -338,7 +338,7 @@ void ndpi_flow_free(void *ptr) { if(_ndpi_flow_free) _ndpi_flow_free(ptr); else void * ndpi_realloc(void *ptr, size_t old_size, size_t new_size) { void *ret = ndpi_malloc(new_size); - + if(!ret) return(ret); else { @@ -477,9 +477,9 @@ static int ndpi_default_ports_tree_node_t_cmp(const void *a, const void *b) { ndpi_default_ports_tree_node_t *fa = (ndpi_default_ports_tree_node_t*)a; ndpi_default_ports_tree_node_t *fb = (ndpi_default_ports_tree_node_t*)b; - + //printf("[NDPI] %s(%d, %d)\n", __FUNCTION__, fa->default_port, fb->default_port); - + return((fa->default_port == fb->default_port) ? 0 : ((fa->default_port < fb->default_port) ? -1 : 1)); } @@ -488,7 +488,7 @@ static int ndpi_default_ports_tree_node_t_cmp(const void *a, const void *b) void ndpi_default_ports_tree_node_t_walker(const void *node, const ndpi_VISIT which, const int depth) { ndpi_default_ports_tree_node_t *f = *(ndpi_default_ports_tree_node_t **)node; - + printf("<%d>Walk on node %s (%u)\n", depth, @@ -902,7 +902,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_BITTORRENT, no_master, no_master, "BitTorrent", NDPI_PROTOCOL_CATEGORY_P2P, - ndpi_build_default_ports(ports_a, 51413, 0, 0, 0, 0) /* TCP */, + ndpi_build_default_ports(ports_a, 51413, 53646, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 6771, 51413, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TEREDO, no_master, @@ -1016,7 +1016,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_HTTP_DOWNLOAD, no_master, - no_master, "HTTPDownload", NDPI_PROTOCOL_CATEGORY_FILE_TRANSFER, + no_master, "HTTP_Download", NDPI_PROTOCOL_CATEGORY_FILE_TRANSFER, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_QQLIVE, @@ -1606,12 +1606,23 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "SMPP", NDPI_PROTOCOL_CATEGORY_P2P, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ - - /* To be removed as soon as we define new protocols */ - ndpi_init_placeholder_proto(ndpi_mod, ports_a, ports_b, no_master, NDPI_PROTOCOL_FREE_191); - ndpi_init_placeholder_proto(ndpi_mod, ports_a, ports_b, no_master, NDPI_PROTOCOL_FREE_192); - ndpi_init_placeholder_proto(ndpi_mod, ports_a, ports_b, no_master, NDPI_PROTOCOL_FREE_197); - ndpi_init_placeholder_proto(ndpi_mod, ports_a, ports_b, no_master, NDPI_PROTOCOL_FREE_208); + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_OOKLA, + no_master, + no_master, "Ookla", NDPI_PROTOCOL_CATEGORY_NETWORK_TOOL, + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_AMQP, + no_master, + no_master, "AMQP", NDPI_PROTOCOL_CATEGORY_RPC, + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DNSCRYPT, + no_master, + no_master, "DNScrypt", NDPI_PROTOCOL_CATEGORY_NETWORK, + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ + +/* To be removed as soon as we define new protocols */ ndpi_init_placeholder_proto(ndpi_mod, ports_a, ports_b, no_master, NDPI_PROTOCOL_FREE_209); ndpi_init_placeholder_proto(ndpi_mod, ports_a, ports_b, no_master, NDPI_PROTOCOL_FREE_217); ndpi_init_placeholder_proto(ndpi_mod, ports_a, ports_b, no_master, NDPI_PROTOCOL_FREE_224); @@ -2706,6 +2717,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* BITTORRENT */ init_bittorrent_dissector(ndpi_struct, &a, detection_bitmask); + /* AMQP */ + init_amqp_dissector(ndpi_struct, &a, detection_bitmask); + /* ----------------------------------------------------------------- */ @@ -3293,8 +3307,8 @@ void check_ndpi_tcp_flow_func(struct ndpi_detection_module_struct *ndpi_struct, && NDPI_BITMASK_COMPARE(ndpi_struct->callback_buffer_tcp_payload[a].detection_bitmask, detection_bitmask) != 0) { ndpi_struct->callback_buffer_tcp_payload[a].func(ndpi_struct, flow); - - + + if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) break; /* Stop after detecting the first protocol */ } @@ -3359,7 +3373,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st if(flow->protos.ssl.client_certificate[0] != '\0') { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSL, NDPI_PROTOCOL_UNKNOWN); - } else { + } else { if((flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) && (flow->packet.l4_protocol == IPPROTO_TCP) && (flow->l4.tcp.ssl_stage > 1)) @@ -3497,9 +3511,9 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct /* guess protocol */ flow->guessed_protocol_id = (int16_t) ndpi_guess_protocol_id(ndpi_struct, protocol, sport, dport, &user_defined_proto); - + if(user_defined_proto && flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) { - + if(flow->packet.iph) { /* guess host protocol */ flow->guessed_host_protocol_id = ndpi_network_ptree_match(ndpi_struct, (struct in_addr *)&flow->packet.iph->saddr); @@ -3508,7 +3522,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) /* ret.master_protocol = flow->guessed_protocol_id , ret.app_protocol = flow->guessed_host_protocol_id; /\* ****** *\/ */ ret = ndpi_detection_giveup(ndpi_struct, flow); - + return(ret); } } else { @@ -3520,7 +3534,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct } } } - + check_ndpi_flow_func(ndpi_struct, flow, &ndpi_selection_packet); a = flow->packet.detected_protocol_stack[0]; @@ -4123,7 +4137,7 @@ void ndpi_int_change_protocol(struct ndpi_detection_module_struct *ndpi_struct, /* flow->packet.detected_protocol_stack[0] = flow->guessed_host_protocol_id; */ /* /\* master proto for packet *\/ */ /* flow->packet.detected_protocol_stack[1] = flow->guessed_protocol_id; */ - + /* } */ /* } */ @@ -4358,7 +4372,7 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct if(rc != NDPI_PROTOCOL_UNKNOWN) { ret.app_protocol = rc, ret.master_protocol = ndpi_guess_protocol_id(ndpi_struct, proto, sport, dport, &user_defined_proto); - + if(ret.app_protocol == ret.master_protocol) ret.master_protocol = NDPI_PROTOCOL_UNKNOWN; diff --git a/src/lib/protocols/amqp.c b/src/lib/protocols/amqp.c new file mode 100644 index 000000000..72bbc0a38 --- /dev/null +++ b/src/lib/protocols/amqp.c @@ -0,0 +1,83 @@ +/* + * amqp.c + * + * Copyright (C) 2011-17 - ntop.org + * + * nDPI is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * nDPI is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with nDPI. If not, see <http://www.gnu.org/licenses/>. + * + */ + + +#include "ndpi_protocols.h" +#ifdef NDPI_PROTOCOL_AMQP + +PACK_ON +struct amqp_header { + u_int8_t ptype; + u_int16_t channel; + u_int32_t length; + u_int16_t class_id, method; +} PACK_OFF; + +static void ndpi_int_amqp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow/* , */ + /* ndpi_protocol_type_t protocol_type */) { + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AMQP, NDPI_PROTOCOL_UNKNOWN); +} + +void ndpi_search_amqp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + + NDPI_LOG(NDPI_PROTOCOL_AMQP, ndpi_struct, NDPI_LOG_DEBUG, "search amqp. \n"); + + if (packet->tcp != NULL) { + if(packet->payload_packet_len > sizeof(struct amqp_header)) { + struct amqp_header *h = (struct amqp_header*)packet->payload; + + if(h->ptype <= 3) { + u_int32_t length = htonl(h->length); + + if(((length+8) >= packet->payload_packet_len) + && (length < 32768) /* Upper bound */) { + u_int16_t class_id = htons(h->class_id); + + if((class_id >= 10) /* Connection */ + && (class_id <= 110) /* Tunnel */) { + u_int16_t method = htons(h->method); + + if(method <= 120 /* Method basic NACK */) { + NDPI_LOG(NDPI_PROTOCOL_AMQP, ndpi_struct, NDPI_LOG_DEBUG, "found amqp over tcp. \n"); + ndpi_int_amqp_add_connection(ndpi_struct, flow); + return; + } + } + } + } + } + } +} + + +void init_amqp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { + ndpi_set_bitmask_protocol_detection("AMQP", ndpi_struct, detection_bitmask, *id, + NDPI_PROTOCOL_AMQP, + ndpi_search_amqp, + NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, + ADD_TO_DETECTION_BITMASK); + + *id += 1; +} + +#endif diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 1bef7f8f5..0b734fa84 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -63,7 +63,6 @@ static void flash_check_http_payload(struct ndpi_detection_module_struct pos = &packet->payload[packet->empty_line_position] + 2; - if(memcmp(pos, "FLV", 3) == 0 && pos[3] == 0x01 && (pos[4] == 0x01 || pos[4] == 0x04 || pos[4] == 0x05) && pos[5] == 0x00 && pos[6] == 0x00 && pos[7] == 0x00 && pos[8] == 0x09) { @@ -330,7 +329,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ return; } } - + NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "User Agent Type Line found %.*s\n", packet->user_agent_line.len, packet->user_agent_line.ptr); } @@ -341,7 +340,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HOST Line found %.*s\n", packet->host_line.len, packet->host_line.ptr); - + /* call ndpi_match_host_subprotocol to see if there is a match with known-host http subprotocol */ if((ndpi_struct->http_dont_dissect_response) || flow->http_detected) ndpi_match_host_subprotocol(ndpi_struct, flow, @@ -357,13 +356,13 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ len = ndpi_min(packet->forwarded_line.len, sizeof(flow->nat_ip)-1); strncpy((char*)flow->nat_ip, (char*)packet->forwarded_line.ptr, len); flow->nat_ip[len] = '\0'; - + if(ndpi_struct->http_dont_dissect_response) parseHttpSubprotocol(ndpi_struct, flow); /** check result of host subprotocol detection - + if "detected" in flow == 0 then "detected" = "guess" else "guess" = "detected" **/ @@ -386,7 +385,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ (char *)packet->http_origin.ptr, packet->http_origin.len, NDPI_PROTOCOL_HTTP); - + if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_HTTP) { ndpi_int_http_add_connection(ndpi_struct, flow, packet->detected_protocol_stack[0]); @@ -534,225 +533,6 @@ static void http_bitmask_exclude(struct ndpi_flow_struct *flow) #endif } -void _org_ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &flow->packet; - - u_int16_t filename_start; - - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "search http\n"); - - /* set client-server_direction */ - if(flow->l4.tcp.http_setup_dir == 0) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "initializes http to stage: 1 \n"); - flow->l4.tcp.http_setup_dir = 1 + packet->packet_direction; - } - - if(NDPI_COMPARE_PROTOCOL_TO_BITMASK - (ndpi_struct->generic_http_packet_bitmask, packet->detected_protocol_stack[0]) != 0) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, - "protocol might be detected earlier as http jump to payload type detection\n"); - goto http_parse_detection; - } - - if(flow->l4.tcp.http_setup_dir == 1 + packet->packet_direction) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "http stage: 1\n"); - - if(flow->l4.tcp.http_wait_for_retransmission) { - if(!packet->tcp_retransmission) { - if(flow->packet_counter <= 5) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "still waiting for retransmission\n"); - return; - } else { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "retransmission not found, exclude\n"); - http_bitmask_exclude(flow); - return; - } - } - } - - if(flow->l4.tcp.http_stage == 0) { - filename_start = http_request_url_offset(ndpi_struct, flow); - if(filename_start == 0) { - if(packet->payload_packet_len >= 7 && memcmp(packet->payload, "HTTP/1.", 7) == 0) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP response found (truncated flow ?)\n"); - ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); - return; - } - - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "filename not found, exclude\n"); - http_bitmask_exclude(flow); - return; - } - // parse packet - ndpi_parse_packet_line_info(ndpi_struct, flow); - - if(packet->parsed_lines <= 1) { - /* parse one more packet .. */ - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "just one line, search next packet\n"); - - packet->http_method.ptr = packet->line[0].ptr; - packet->http_method.len = filename_start - 1; - flow->l4.tcp.http_stage = 1; - return; - } - // parsed_lines > 1 here - if(packet->line[0].len >= (9 + filename_start) - && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) { - u_int16_t proto_id; - - packet->http_url_name.ptr = &packet->payload[filename_start]; - packet->http_url_name.len = packet->line[0].len - (filename_start + 9); - - packet->http_method.ptr = packet->line[0].ptr; - packet->http_method.len = filename_start - 1; - - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "http structure detected, adding\n"); - - if(filename_start == 8 && (memcmp(packet->payload, "CONNECT ", 8) == 0)) /* nathan@getoffmalawn.com */ - proto_id = NDPI_PROTOCOL_HTTP_CONNECT; - else { - if((packet->http_url_name.len > 7) && (!strncmp((const char*)packet->http_url_name.ptr, "http://", 7))) - proto_id = NDPI_PROTOCOL_HTTP_PROXY; - else { - proto_id = NDPI_PROTOCOL_HTTP; - } - } - - ndpi_int_http_add_connection(ndpi_struct, flow, proto_id); - check_content_type_and_change_protocol(ndpi_struct, flow); - /* HTTP found, look for host... */ - if(packet->host_line.ptr != NULL) { - /* aaahh, skip this direction and wait for a server reply here */ - flow->l4.tcp.http_stage = 2; - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP START HOST found\n"); - return; - } - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP START HOST found\n"); - - /* host not found, check in next packet after */ - flow->l4.tcp.http_stage = 1; - return; - } - } else if(flow->l4.tcp.http_stage == 1) { - /* SECOND PAYLOAD TRAFFIC FROM CLIENT, FIRST PACKET MIGHT HAVE BEEN HTTP... */ - /* UNKNOWN TRAFFIC, HERE FOR HTTP again.. */ - // parse packet - ndpi_parse_packet_line_info(ndpi_struct, flow); - - if(packet->parsed_lines <= 1) { - /* wait some packets in case request is split over more than 2 packets */ - if(flow->packet_counter < 5) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, - "line still not finished, search next packet\n"); - return; - } else { - /* stop parsing here */ - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, - "HTTP: PACKET DOES NOT HAVE A LINE STRUCTURE\n"); - http_bitmask_exclude(flow); - return; - } - } - // http://www.slideshare.net/DSPIP/rtsp-analysis-wireshark - if(packet->line[0].len >= 9 && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) { - ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); - check_content_type_and_change_protocol(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, - "HTTP START HTTP found in 2. packet, check host here...\n"); - /* HTTP found, look for host... */ - flow->l4.tcp.http_stage = 2; - - return; - } - } - } else { - /* We have received a response for a previously identified partial HTTP request */ - - if((packet->parsed_lines == 1) && (packet->packet_direction == 1 /* server -> client */)) { - /* - In apache if you do "GET /\n\n" the response comes without any header so we can assume that - this can be the case - */ - ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); - return; - } - - } - - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP: REQUEST NOT HTTP CONFORM\n"); - http_bitmask_exclude(flow); - return; - - http_parse_detection: - if(flow->l4.tcp.http_setup_dir == 1 + packet->packet_direction) { - /* we have something like http here, so check for host and content type if possible */ - if(flow->l4.tcp.http_stage == 0 || flow->l4.tcp.http_stage == 3) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP RUN MAYBE NEXT GET/POST...\n"); - // parse packet - ndpi_parse_packet_line_info(ndpi_struct, flow); - /* check for url here */ - filename_start = http_request_url_offset(ndpi_struct, flow); - if(filename_start != 0 && packet->parsed_lines > 1 && packet->line[0].len >= (9 + filename_start) - && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) { - packet->http_url_name.ptr = &packet->payload[filename_start]; - packet->http_url_name.len = packet->line[0].len - (filename_start + 9); - - packet->http_method.ptr = packet->line[0].ptr; - packet->http_method.len = filename_start - 1; - - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "next http action, " - "resetting to http and search for other protocols later.\n"); - ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); - } - check_content_type_and_change_protocol(ndpi_struct, flow); - /* HTTP found, look for host... */ - if(packet->host_line.ptr != NULL) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, - "HTTP RUN MAYBE NEXT HOST found, skipping all packets from this direction\n"); - /* aaahh, skip this direction and wait for a server reply here */ - flow->l4.tcp.http_stage = 2; - return; - } - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, - "HTTP RUN MAYBE NEXT HOST NOT found, scanning one more packet from this direction\n"); - flow->l4.tcp.http_stage = 1; - } else if(flow->l4.tcp.http_stage == 1) { - // parse packet and maybe find a packet info with host ptr,... - ndpi_parse_packet_line_info(ndpi_struct, flow); - check_content_type_and_change_protocol(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP RUN second packet scanned\n"); - /* HTTP found, look for host... */ - flow->l4.tcp.http_stage = 2; - } - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, - "HTTP skipping client packets after second packet\n"); - return; - } - /* server response */ - if(flow->l4.tcp.http_stage > 0) { - /* first packet from server direction, might have a content line */ - ndpi_parse_packet_line_info(ndpi_struct, flow); - check_content_type_and_change_protocol(ndpi_struct, flow); - - if(packet->empty_line_position_set != 0 || flow->l4.tcp.http_empty_line_seen == 1) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "empty line. check_http_payload.\n"); - check_http_payload(ndpi_struct, flow); - } - - if(flow->l4.tcp.http_stage == 2) { - flow->l4.tcp.http_stage = 3; - } else { - flow->l4.tcp.http_stage = 0; - } - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, - "HTTP response first or second packet scanned,new stage is: %u\n", flow->l4.tcp.http_stage); - return; - } else { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP response next packet skipped\n"); - } -} - /*************************************************************************************************/ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, @@ -771,10 +551,10 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct filename_start = http_request_url_offset(ndpi_struct, flow); - if(filename_start == 0) { NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "Filename HTTP not found, we look for possible truncate flow...\n"); + if(packet->payload_packet_len >= 7 && memcmp(packet->payload, "HTTP/1.", 7) == 0) { NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP response found (truncated flow ?)\n"); @@ -783,6 +563,24 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct return; } + if((packet->payload_packet_len == 3) && memcmp(packet->payload, "HI\n", 3) == 0) { + /* This looks like Ookla: we don't give up with HTTP yet */ + flow->l4.tcp.http_stage = 1; + return; + } + + if((packet->payload_packet_len == 23) && (memcmp(packet->payload, "<policy-file-request/>", 23) == 0)) { + /* + <policy-file-request/> + <cross-domain-policy> + <allow-access-from domain="*.ookla.com" to-ports="8080"/> + <allow-access-from domain="*.speedtest.net" to-ports="8080"/> + </cross-domain-policy> + */ + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_UNKNOWN); + return; + } + NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "Exclude HTTP\n"); http_bitmask_exclude(flow); return; @@ -817,6 +615,13 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct packet->http_method.ptr = packet->line[0].ptr; packet->http_method.len = filename_start - 1; + /* Check for Ookla */ + if((packet->referer_line.len > 0) + && ndpi_strnstr((const char *)packet->referer_line.ptr, "www.speedtest.net", packet->referer_line.len)) { + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_HTTP); + return; + } + /* Check for additional field introduced by Steam */ int x = 1; if((memcmp(packet->line[x].ptr, "x-steam-sid", 11)) == 0) { @@ -824,7 +629,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct check_content_type_and_change_protocol(ndpi_struct, flow); return; } - + /* Check for additional field introduced by Facebook */ x = 1; while(packet->line[x].len != 0) { @@ -881,8 +686,8 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct check_content_type_and_change_protocol(ndpi_struct, flow); } - if(filename_start == 8 && (memcmp(packet->payload, "CONNECT ", 8) == 0)) /* nathan@getoffmalawn.com */ - { + if(filename_start == 8 && (memcmp(packet->payload, "CONNECT ", 8) == 0)) { + /* nathan@getoffmalawn.com */ NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP_CONNECT Found.\n"); ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_CONNECT); check_content_type_and_change_protocol(ndpi_struct, flow); @@ -892,14 +697,13 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct "HTTP START Found, we will look for sub-protocols (content and host)...\n"); if(packet->host_line.ptr != NULL) { - /** nDPI is pretty scrupulous about HTTP so it waits until the HTTP response is received just to check that it conforms with the HTTP specs. However this might be a waste of time as in 99.99% of the cases is like that. */ - + if(ndpi_struct->http_dont_dissect_response) { if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) /* No subprotocol found */ ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); @@ -911,7 +715,6 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct } check_content_type_and_change_protocol(ndpi_struct, flow); - return; } } @@ -922,6 +725,16 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP stage %u: \n", flow->l4.tcp.http_stage); + + if(flow->l4.tcp.http_stage == 1) { + if((packet->payload_packet_len > 6) && memcmp(packet->payload, "HELLO ", 6) == 0) { + /* This looks like Ookla */ + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_UNKNOWN); + return; + } else + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_OOKLA); + } + /** At first check, if this is for sure a response packet (in another direction. If not, if http is detected do nothing now and return, otherwise check the second packet for the http request diff --git a/src/lib/protocols/oscar.c b/src/lib/protocols/oscar.c index 869b36378..d6ca25cde 100644 --- a/src/lib/protocols/oscar.c +++ b/src/lib/protocols/oscar.c @@ -579,7 +579,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct { /* request ID */ req_ID = get_u_int32_t(packet->payload, 12); - if((req_ID <= 4294967295)) + if((req_ID <= ((u_int32_t)-1))) { NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR Detected \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); diff --git a/tests/pcap/amqp.pcap b/tests/pcap/amqp.pcap Binary files differnew file mode 100644 index 000000000..30633f1ed --- /dev/null +++ b/tests/pcap/amqp.pcap diff --git a/tests/pcap/bittorrent_ip.pcap b/tests/pcap/bittorrent_ip.pcap Binary files differnew file mode 100644 index 000000000..8c7ff6ed5 --- /dev/null +++ b/tests/pcap/bittorrent_ip.pcap diff --git a/tests/pcap/dnscrypt.pcap b/tests/pcap/dnscrypt.pcap Binary files differnew file mode 100644 index 000000000..44c588705 --- /dev/null +++ b/tests/pcap/dnscrypt.pcap diff --git a/tests/pcap/ookla.pcap b/tests/pcap/ookla.pcap Binary files differnew file mode 100644 index 000000000..a5fb5f72a --- /dev/null +++ b/tests/pcap/ookla.pcap diff --git a/tests/pcap/wechat.pcap b/tests/pcap/wechat.pcap Binary files differnew file mode 100644 index 000000000..f731d9925 --- /dev/null +++ b/tests/pcap/wechat.pcap diff --git a/tests/result/1kxun.pcap.out b/tests/result/1kxun.pcap.out index 4eea2595d..f0e7365a9 100644 --- a/tests/result/1kxun.pcap.out +++ b/tests/result/1kxun.pcap.out @@ -15,38 +15,38 @@ LLMNR 89 6799 47 Lync 2 132 1 1kxun 967 535718 28 - 1 TCP 192.168.5.16:53406 <-> 119.235.235.84:443 [proto: 91/SSL][23 pkts/7434 bytes] + 1 TCP 119.235.235.84:443 <-> 192.168.5.16:53406 [proto: 91/SSL][23 pkts/7434 bytes] 2 TCP 192.168.115.8:49613 <-> 183.131.48.144:80 [proto: 7.205/HTTP.1kxun][419 pkts/183693 bytes][Host: 183.131.48.144] - 3 UDP [fe80::5d92:62a8:ebde:1319]:5355 <-> [ff02::1:3]:53938 [proto: 154/LLMNR][2 pkts/172 bytes][Host: isatap] - 4 UDP [fe80::9bd:81dd:2fdc:5750]:5355 <-> [ff02::1:3]:61548 [proto: 154/LLMNR][2 pkts/190 bytes][Host: caesar-thinkpad] - 5 UDP [fe80::5d92:62a8:ebde:1319]:5355 <-> [ff02::1:3]:58468 [proto: 154/LLMNR][2 pkts/178 bytes][Host: wangs-ltw] + 3 UDP [ff02::1:3]:53938 <-> [fe80::5d92:62a8:ebde:1319]:5355 [proto: 154/LLMNR][2 pkts/172 bytes][Host: isatap] + 4 UDP [ff02::1:3]:61548 <-> [fe80::9bd:81dd:2fdc:5750]:5355 [proto: 154/LLMNR][2 pkts/190 bytes][Host: caesar-thinkpad] + 5 UDP [ff02::1:3]:58468 <-> [fe80::5d92:62a8:ebde:1319]:5355 [proto: 154/LLMNR][2 pkts/178 bytes][Host: wangs-ltw] 6 UDP 192.168.2.186:32768 <-> 255.255.255.255:1947 [proto: 205/1kxun][2 pkts/164 bytes] 7 TCP 192.168.5.16:53623 <-> 192.168.115.75:443 [proto: 91/SSL][19 pkts/3642 bytes][client: 1] 8 TCP 192.168.5.16:53625 <-> 192.168.115.75:443 [proto: 91/SSL][19 pkts/3638 bytes][client: 1] 9 TCP 192.168.5.16:53629 <-> 192.168.115.75:443 [proto: 91/SSL][17 pkts/3518 bytes][client: 1] - 10 UDP [fe80::9bd:81dd:2fdc:5750]:5355 <-> [ff02::1:3]:64568 [proto: 154/LLMNR][2 pkts/190 bytes][Host: caesar-thinkpad] - 11 UDP [fe80::5d92:62a8:ebde:1319]:5355 <-> [ff02::1:3]:61172 [proto: 154/LLMNR][2 pkts/174 bytes][Host: sonusav] + 10 UDP [ff02::1:3]:64568 <-> [fe80::9bd:81dd:2fdc:5750]:5355 [proto: 154/LLMNR][2 pkts/190 bytes][Host: caesar-thinkpad] + 11 UDP [ff02::1:3]:61172 <-> [fe80::5d92:62a8:ebde:1319]:5355 [proto: 154/LLMNR][2 pkts/174 bytes][Host: sonusav] 12 TCP 192.168.5.16:53627 <-> 203.69.81.73:80 [proto: 7.205/HTTP.1kxun][14 pkts/9498 bytes][Host: dl-obs.official.line.naver.jp] - 13 UDP [fe80::4568:efbc:40b1:1346]:5355 <-> [ff02::1:3]:50194 [proto: 154/LLMNR][2 pkts/176 bytes][Host: kevin-pc] - 14 UDP 168.95.1.1:53 <-> 192.168.5.16:63372 [proto: 5/DNS][2 pkts/378 bytes][Host: dl-obs.official.line.naver.jp] + 13 UDP [ff02::1:3]:50194 <-> [fe80::4568:efbc:40b1:1346]:5355 [proto: 154/LLMNR][2 pkts/176 bytes][Host: kevin-pc] + 14 UDP 192.168.5.16:63372 <-> 168.95.1.1:53 [proto: 5/DNS][2 pkts/378 bytes][Host: dl-obs.official.line.naver.jp] 15 UDP 192.168.5.45:59461 <-> 192.168.255.255:137 [proto: 10/NetBIOS][1 pkts/92 bytes] 16 UDP 192.168.5.45:59789 <-> 192.168.255.255:137 [proto: 10/NetBIOS][1 pkts/92 bytes] 17 TCP 192.168.115.8:49607 <-> 218.244.135.170:9099 [proto: 7.205/HTTP.1kxun][13 pkts/1452 bytes][Host: 218.244.135.170:9099] 18 UDP 192.168.5.48:49701 <-> 239.255.255.250:1900 [proto: 12/SSDP][7 pkts/1253 bytes] - 19 UDP [fe80::4568:efbc:40b1:1346]:5355 <-> [ff02::1:3]:57148 [proto: 154/LLMNR][2 pkts/176 bytes][Host: kevin-pc] + 19 UDP [ff02::1:3]:57148 <-> [fe80::4568:efbc:40b1:1346]:5355 [proto: 154/LLMNR][2 pkts/176 bytes][Host: kevin-pc] 20 UDP 192.168.3.95:51451 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/144 bytes][Host: 小佛專機] 21 UDP 192.168.5.44:51389 <-> 239.255.255.250:1900 [proto: 12/SSDP][13 pkts/2275 bytes] - 22 UDP 192.168.119.1:67 <-> 192.168.5.16:68 [proto: 18/DHCP][4 pkts/1368 bytes][Host: macbook-air] + 22 UDP 192.168.5.16:68 <-> 192.168.119.1:67 [proto: 18/DHCP][4 pkts/1368 bytes][Host: macbook-air] 23 UDP 192.168.5.41:55593 <-> 224.0.0.252:5355 [proto: 154/LLMNR][1 pkts/68 bytes][Host: kevin-pc] 24 UDP 192.168.101.33:55485 <-> 239.255.255.250:1900 [proto: 12/SSDP][10 pkts/1750 bytes] 25 UDP 192.168.3.236:56043 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/132 bytes][Host: isatap] - 26 UDP 8.8.8.8:53 <-> 192.168.115.8:51024 [proto: 5.205/DNS.1kxun][3 pkts/272 bytes][Host: jp.kankan.1kxun.mobi] + 26 UDP 192.168.115.8:51024 <-> 8.8.8.8:53 [proto: 5.205/DNS.1kxun][3 pkts/272 bytes][Host: jp.kankan.1kxun.mobi] 27 UDP 192.168.5.57:55809 <-> 239.255.255.250:1900 [proto: 12/SSDP][14 pkts/2450 bytes] 28 UDP 192.168.5.50:57143 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/142 bytes][Host: charming-pc] 29 UDP 192.168.5.37:57325 <-> 239.255.255.250:1900 [proto: 12/SSDP][9 pkts/1575 bytes] 30 UDP 192.168.3.95:58779 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/144 bytes][Host: 小佛專機] 31 UDP 192.168.5.44:59571 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes][Host: jason-pc] - 32 UDP 8.8.8.8:53 <-> 192.168.115.8:54420 [proto: 5.48/DNS.QQ][3 pkts/266 bytes][Host: vv.video.qq.com] + 32 UDP 192.168.115.8:54420 <-> 8.8.8.8:53 [proto: 5.48/DNS.QQ][3 pkts/266 bytes][Host: vv.video.qq.com] 33 UDP 192.168.5.48:59797 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/140 bytes][Host: kasper-mac] 34 UDP 192.168.5.47:60267 <-> 239.255.255.250:1900 [proto: 12/SSDP][8 pkts/1432 bytes] 35 UDP 192.168.10.110:60480 <-> 255.255.255.255:62976 [proto: 205/1kxun][5 pkts/1795 bytes] @@ -54,34 +54,34 @@ Lync 2 132 1 37 UDP 192.168.3.236:62069 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/138 bytes][Host: wangs-ltw] 38 UDP 192.168.125.30:62976 <-> 255.255.255.255:62976 [proto: 205/1kxun][2 pkts/718 bytes] 39 UDP 192.168.10.7:62976 <-> 255.255.255.255:62976 [proto: 205/1kxun][2 pkts/718 bytes] - 40 UDP [fe80::e034:7be:d8f9:6197]:5355 <-> [ff02::1:3]:57143 [proto: 154/LLMNR][1 pkts/91 bytes][Host: charming-pc] + 40 UDP [ff02::1:3]:57143 <-> [fe80::e034:7be:d8f9:6197]:5355 [proto: 154/LLMNR][1 pkts/91 bytes][Host: charming-pc] 41 UDP 192.168.140.140:62976 <-> 255.255.255.255:62976 [proto: 205/1kxun][1 pkts/359 bytes] - 42 UDP 8.8.8.8:53 <-> 192.168.115.8:60724 [proto: 5.205/DNS.1kxun][3 pkts/283 bytes][Host: pic.1kxun.com] - 43 UDP [fe80::edf5:240a:c8c0:8312]:5355 <-> [ff02::1:3]:61603 [proto: 154/LLMNR][2 pkts/172 bytes][Host: ro_x1c] + 42 UDP 192.168.115.8:60724 <-> 8.8.8.8:53 [proto: 5.205/DNS.1kxun][3 pkts/283 bytes][Host: pic.1kxun.com] + 43 UDP [ff02::1:3]:61603 <-> [fe80::edf5:240a:c8c0:8312]:5355 [proto: 154/LLMNR][2 pkts/172 bytes][Host: ro_x1c] 44 UDP 192.168.5.49:1900 <-> 239.255.255.250:1900 [proto: 12/SSDP][16 pkts/8473 bytes] 45 TCP 192.168.115.8:49609 <-> 42.120.51.152:8080 [proto: 7.205/HTTP.1kxun][33 pkts/11721 bytes][Host: 42.120.51.152:8080] 46 TCP 192.168.5.16:53624 <-> 68.233.253.133:80 [proto: 7.205/HTTP.1kxun][12 pkts/1982 bytes][Host: api.magicansoft.com] - 47 UDP [fe80::e98f:bae2:19f7:6b0f]:5355 <-> [ff02::1:3]:51451 [proto: 154/LLMNR][2 pkts/184 bytes][Host: 小佛專機] + 47 UDP [ff02::1:3]:51451 <-> [fe80::e98f:bae2:19f7:6b0f]:5355 [proto: 154/LLMNR][2 pkts/184 bytes][Host: 小佛專機] 48 TCP 192.168.115.8:49600 <-> 106.187.35.246:80 [proto: 7.205/HTTP.1kxun][69 pkts/63429 bytes][Host: pic.1kxun.com] 49 TCP 192.168.115.8:49602 <-> 106.187.35.246:80 [proto: 7.205/HTTP.1kxun][65 pkts/48989 bytes][Host: pic.1kxun.com] 50 TCP 192.168.115.8:49604 <-> 106.187.35.246:80 [proto: 7.205/HTTP.1kxun][58 pkts/45577 bytes][Host: pic.1kxun.com] 51 TCP 192.168.115.8:49606 <-> 106.185.35.110:80 [proto: 7.205/HTTP.1kxun][50 pkts/35747 bytes][Host: jp.kankan.1kxun.mobi] - 52 UDP [fe80::f65c:89ff:fe89:e607]:547 <-> [ff02::1:2]:546 [proto: 103/DHCPV6][1 pkts/98 bytes] - 53 UDP [fe80::e98f:bae2:19f7:6b0f]:5355 <-> [ff02::1:3]:58779 [proto: 154/LLMNR][2 pkts/184 bytes][Host: 小佛專機] + 52 UDP [ff02::1:2]:546 <-> [fe80::f65c:89ff:fe89:e607]:547 [proto: 103/DHCPV6][1 pkts/98 bytes] + 53 UDP [ff02::1:3]:58779 <-> [fe80::e98f:bae2:19f7:6b0f]:5355 [proto: 154/LLMNR][2 pkts/184 bytes][Host: 小佛專機] 54 UDP 0.0.0.0:68 <-> 255.255.255.255:67 [proto: 18/DHCP][4 pkts/1368 bytes][Host: shen] 55 UDP 59.120.208.218:50151 <-> 255.255.255.255:1947 [proto: 205/1kxun][2 pkts/164 bytes] - 56 UDP [fe80::5d92:62a8:ebde:1319]:5355 <-> [ff02::1:3]:49735 [proto: 154/LLMNR][2 pkts/178 bytes][Host: wangs-ltw] + 56 UDP [ff02::1:3]:49735 <-> [fe80::5d92:62a8:ebde:1319]:5355 [proto: 154/LLMNR][2 pkts/178 bytes][Host: wangs-ltw] 57 TCP 192.168.115.8:49612 <-> 183.131.48.145:80 [proto: 7.205/HTTP.1kxun][14 pkts/2295 bytes][Host: 183.131.48.145] - 58 UDP 168.95.1.1:53 <-> 192.168.115.8:52723 [proto: 5.205/DNS.1kxun][3 pkts/260 bytes][Host: kankan.1kxun.com] + 58 UDP 192.168.115.8:52723 <-> 168.95.1.1:53 [proto: 5.205/DNS.1kxun][3 pkts/260 bytes][Host: kankan.1kxun.com] 59 TCP 192.168.115.8:49608 <-> 203.205.151.234:80 [proto: 7.48/HTTP.QQ][25 pkts/4950 bytes][Host: vv.video.qq.com] 60 TCP 192.168.115.8:49596 <-> 203.66.182.87:443 [proto: 91/SSL][6 pkts/352 bytes] - 61 UDP [fe80::9bd:81dd:2fdc:5750]:1900 <-> [ff02::c]:1900 [proto: 12/SSDP][16 pkts/8921 bytes] + 61 UDP [ff02::c]:1900 <-> [fe80::9bd:81dd:2fdc:5750]:1900 [proto: 12/SSDP][16 pkts/8921 bytes] 62 TCP 192.168.5.16:53622 <-> 192.168.115.75:443 [proto: 91/SSL][2 pkts/120 bytes] 63 TCP 192.168.5.16:53626 <-> 192.168.115.75:443 [proto: 91/SSL][19 pkts/3210 bytes][client: 1] 64 TCP 192.168.5.16:53628 <-> 203.69.81.73:80 [proto: 7.205/HTTP.1kxun][14 pkts/9158 bytes][Host: dl-obs.official.line.naver.jp] 65 TCP 192.168.115.8:49598 <-> 222.73.254.167:80 [proto: 7.205/HTTP.1kxun][14 pkts/2386 bytes][Host: kankan.1kxun.com] - 66 UDP [fe80::5d92:62a8:ebde:1319]:5355 <-> [ff02::1:3]:63659 [proto: 154/LLMNR][2 pkts/172 bytes][Host: isatap] - 67 UDP [fe80::406:55a8:6453:25dd]:547 <-> [ff02::1:2]:546 [proto: 103/DHCPV6][5 pkts/490 bytes] + 66 UDP [ff02::1:3]:63659 <-> [fe80::5d92:62a8:ebde:1319]:5355 [proto: 154/LLMNR][2 pkts/172 bytes][Host: isatap] + 67 UDP [ff02::1:2]:546 <-> [fe80::406:55a8:6453:25dd]:547 [proto: 103/DHCPV6][5 pkts/490 bytes] 68 UDP 192.168.5.50:49766 <-> 224.0.0.252:5355 [proto: 154/LLMNR][1 pkts/71 bytes][Host: charming-pc] 69 UDP 192.168.5.50:50030 <-> 224.0.0.252:5355 [proto: 154/LLMNR][1 pkts/71 bytes][Host: charming-pc] 70 UDP 192.168.115.8:51458 <-> 224.0.0.252:5355 [proto: 154/LLMNR][4 pkts/256 bytes][Host: wpad] @@ -99,14 +99,14 @@ Lync 2 132 1 82 UDP 192.168.3.95:54888 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/144 bytes][Host: 小佛專機] 83 UDP 192.168.5.41:55312 <-> 239.255.255.250:1900 [proto: 12/SSDP][8 pkts/1400 bytes] 84 UDP 192.168.5.9:55484 <-> 239.255.255.250:1900 [proto: 12/SSDP][12 pkts/2100 bytes] - 85 UDP [fe80::e034:7be:d8f9:6197]:5355 <-> [ff02::1:3]:49766 [proto: 154/LLMNR][2 pkts/182 bytes][Host: charming-pc] + 85 UDP [ff02::1:3]:49766 <-> [fe80::e034:7be:d8f9:6197]:5355 [proto: 154/LLMNR][2 pkts/182 bytes][Host: charming-pc] 86 UDP 192.168.5.37:56366 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes][Host: notebook] - 87 UDP 8.8.8.8:53 <-> 192.168.115.8:52723 [proto: 5.205/DNS.1kxun][3 pkts/260 bytes][Host: kankan.1kxun.com] + 87 UDP 192.168.115.8:52723 <-> 8.8.8.8:53 [proto: 5.205/DNS.1kxun][3 pkts/260 bytes][Host: kankan.1kxun.com] 88 UDP 192.168.101.33:58456 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/138 bytes][Host: joanna-pc] 89 UDP 192.168.5.9:58456 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/138 bytes][Host: joanna-pc] 90 UDP 192.168.5.44:58702 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes][Host: jason-pc] 91 UDP 192.168.5.44:59062 <-> 224.0.0.252:5355 [proto: 154/LLMNR][1 pkts/68 bytes][Host: jason-pc] - 92 UDP [fe80::edf5:240a:c8c0:8312]:5355 <-> [ff02::1:3]:53962 [proto: 154/LLMNR][2 pkts/172 bytes][Host: ro_x1c] + 92 UDP [ff02::1:3]:53962 <-> [fe80::edf5:240a:c8c0:8312]:5355 [proto: 154/LLMNR][2 pkts/172 bytes][Host: ro_x1c] 93 UDP 192.168.3.236:59730 <-> 224.0.0.252:5355 [proto: 154/LLMNR][1 pkts/67 bytes][Host: sonusav] 94 UDP 192.168.3.95:59468 <-> 239.255.255.250:1900 [proto: 12/SSDP][12 pkts/2100 bytes] 95 UDP 192.168.5.49:61548 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/150 bytes][Host: caesar-thinkpad] @@ -124,8 +124,8 @@ Lync 2 132 1 107 UDP 192.168.119.1:67 <-> 255.255.255.255:68 [proto: 18/DHCP][14 pkts/4788 bytes] 108 UDP 192.168.5.9:68 <-> 255.255.255.255:67 [proto: 18/DHCP][1 pkts/342 bytes][Host: joanna-pc] 109 UDP 192.168.5.41:68 <-> 255.255.255.255:67 [proto: 18/DHCP][1 pkts/342 bytes][Host: kevin-pc] - 110 UDP [fe80::beee:7bff:fe0c:b3de]:547 <-> [ff02::1:2]:546 [proto: 103/DHCPV6][4 pkts/392 bytes] - 111 UDP [fe80::e034:7be:d8f9:6197]:5355 <-> [ff02::1:3]:62756 [proto: 154/LLMNR][1 pkts/91 bytes][Host: charming-pc] + 110 UDP [ff02::1:2]:546 <-> [fe80::beee:7bff:fe0c:b3de]:547 [proto: 103/DHCPV6][4 pkts/392 bytes] + 111 UDP [ff02::1:3]:62756 <-> [fe80::e034:7be:d8f9:6197]:5355 [proto: 154/LLMNR][1 pkts/91 bytes][Host: charming-pc] 112 UDP 59.120.208.212:32768 <-> 255.255.255.255:1947 [proto: 205/1kxun][1 pkts/82 bytes] 113 UDP 192.168.5.64:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][1 pkts/82 bytes] 114 TCP 192.168.5.16:53605 <-> 68.233.253.133:80 [proto: 7/HTTP][2 pkts/126 bytes] @@ -136,14 +136,14 @@ Lync 2 132 1 119 TCP 192.168.115.8:49601 <-> 106.187.35.246:80 [proto: 7.205/HTTP.1kxun][61 pkts/51677 bytes][Host: pic.1kxun.com] 120 TCP 192.168.115.8:49603 <-> 106.187.35.246:80 [proto: 7.205/HTTP.1kxun][34 pkts/25580 bytes][Host: pic.1kxun.com] 121 TCP 192.168.115.8:49605 <-> 106.185.35.110:80 [proto: 7.205/HTTP.1kxun][13 pkts/3410 bytes][Host: jp.kankan.1kxun.mobi] - 122 UDP [fe80::e98f:bae2:19f7:6b0f]:5355 <-> [ff02::1:3]:54888 [proto: 154/LLMNR][2 pkts/184 bytes][Host: 小佛專機] + 122 UDP [ff02::1:3]:54888 <-> [fe80::e98f:bae2:19f7:6b0f]:5355 [proto: 154/LLMNR][2 pkts/184 bytes][Host: 小佛專機] Undetected flows: 1 UDP 192.168.0.100:50925 <-> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/142 bytes] - 2 UDP [2001:b030:214:100:c2a0:bbff:fe73:eb47]:62976 <-> [ff02::1]:62976 [proto: 0/Unknown][2 pkts/782 bytes] - 3 UDP [2001:b020:6::c2a0:bbff:fe73:eb57]:62976 <-> [ff02::1]:62976 [proto: 0/Unknown][2 pkts/782 bytes] + 2 UDP [ff02::1]:62976 <-> [2001:b030:214:100:c2a0:bbff:fe73:eb47]:62976 [proto: 0/Unknown][2 pkts/782 bytes] + 3 UDP [ff02::1]:62976 <-> [2001:b020:6::c2a0:bbff:fe73:eb57]:62976 [proto: 0/Unknown][2 pkts/782 bytes] 4 UDP 192.168.119.1:56861 <-> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/177 bytes] - 5 UDP [fe80::4e5e:cff:fe9a:ec54]:5678 <-> [ff02::1]:5678 [proto: 0/Unknown][1 pkts/185 bytes] - 6 UDP [fe80::4e5e:cff:feea:365]:5678 <-> [ff02::1]:5678 [proto: 0/Unknown][1 pkts/197 bytes] + 5 UDP [ff02::1]:5678 <-> [fe80::4e5e:cff:fe9a:ec54]:5678 [proto: 0/Unknown][1 pkts/185 bytes] + 6 UDP [ff02::1]:5678 <-> [fe80::4e5e:cff:feea:365]:5678 [proto: 0/Unknown][1 pkts/197 bytes] 7 UDP 192.168.119.2:43786 <-> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/163 bytes] diff --git a/tests/result/6in4tunnel.pcap.out b/tests/result/6in4tunnel.pcap.out index bc6b7973b..60ff3e343 100644 --- a/tests/result/6in4tunnel.pcap.out +++ b/tests/result/6in4tunnel.pcap.out @@ -4,13 +4,13 @@ SSL 28 15397 1 ICMPV6 48 7862 3 Facebook 37 14726 3 - 1 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:443 <-> [2a03:2880:1010:6f03:face:b00c::2]:53234 [proto: 91.119/SSL.Facebook][33 pkts/13926 bytes][client: www.facebook.com] + 1 TCP [2a03:2880:1010:6f03:face:b00c::2]:53234 <-> [2001:470:1f17:13f:3e97:eff:fe73:4dec]:443 [proto: 91.119/SSL.Facebook][33 pkts/13926 bytes][client: www.facebook.com] 2 UDP [2001:470:1f16:13f::2]:6404 <-> [2a03:2880:fffe:b:face:b00c::99]:53 [proto: 5.119/DNS.Facebook][2 pkts/394 bytes][Host: star.c10r.facebook.com] - 3 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:443 <-> [2604:a880:1:20::224:b001]:60205 [proto: 91/SSL][28 pkts/15397 bytes][client: mail.tomasu.net][server: mail.tomasu.net] + 3 TCP [2604:a880:1:20::224:b001]:60205 <-> [2001:470:1f17:13f:3e97:eff:fe73:4dec]:443 [proto: 91/SSL][28 pkts/15397 bytes][client: mail.tomasu.net][server: mail.tomasu.net] 4 ICMPV6 [2001:470:1f16:13f::2]:0 <-> [2604:a880:1:20::224:b001]:0 [proto: 102/ICMPV6][1 pkts/200 bytes] 5 ICMPV6 [2a03:2880:1010:6f03:face:b00c::2]:0 <-> [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 [proto: 102/ICMPV6][1 pkts/1314 bytes] 6 TCP [2604:a880:1:20::224:b001]:993 <-> [2001:470:1f17:13f:6d69:c72:7313:616f]:35610 [proto: 51/IMAPS][2 pkts/258 bytes] 7 ICMPV6 [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 <-> [2604:a880:1:20::224:b001]:0 [proto: 102/ICMPV6][46 pkts/6348 bytes] 8 TCP [2604:a880:1:20::224:b001]:993 <-> [2001:470:1f17:13f:6d69:c72:7313:616f]:56381 [proto: 51/IMAPS][2 pkts/258 bytes] 9 UDP [2001:470:1f16:13f::2]:53959 <-> [2a03:2880:fffe:b:face:b00c::99]:53 [proto: 5.119/DNS.Facebook][2 pkts/406 bytes][Host: star.c10r.facebook.com] - 10 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:80 <-> [2604:a880:1:20::224:b001]:41538 [proto: 7/HTTP][10 pkts/1792 bytes][Host: mail.tomasu.net] + 10 TCP [2604:a880:1:20::224:b001]:41538 <-> [2001:470:1f17:13f:3e97:eff:fe73:4dec]:80 [proto: 7/HTTP][10 pkts/1792 bytes][Host: mail.tomasu.net] diff --git a/tests/result/Instagram.pcap.out b/tests/result/Instagram.pcap.out index 0e2f4620c..edd889471 100644 --- a/tests/result/Instagram.pcap.out +++ b/tests/result/Instagram.pcap.out @@ -7,31 +7,31 @@ Dropbox 5 725 2 Instagram 363 255094 16 1 UDP 192.168.0.106:17500 <-> 192.168.0.255:17500 [proto: 121/Dropbox][1 pkts/145 bytes] - 2 UDP 8.8.8.8:53 <-> 192.168.0.103:26540 [proto: 5.211/DNS.Instagram][2 pkts/298 bytes][Host: igcdn-photos-g-a.akamaihd.net] - 3 UDP 8.8.8.8:53 <-> 192.168.0.103:27124 [proto: 5.211/DNS.Instagram][1 pkts/85 bytes][Host: photos-b.ak.instagram.com] - 4 TCP 31.13.93.52:443 <-> 192.168.0.103:33763 [proto: 91.119/SSL.Facebook][11 pkts/5397 bytes] - 5 TCP 31.13.93.52:443 <-> 192.168.0.103:33935 [proto: 91.119/SSL.Facebook][10 pkts/5299 bytes] + 2 UDP 192.168.0.103:26540 <-> 8.8.8.8:53 [proto: 5.211/DNS.Instagram][2 pkts/298 bytes][Host: igcdn-photos-g-a.akamaihd.net] + 3 UDP 192.168.0.103:27124 <-> 8.8.8.8:53 [proto: 5.211/DNS.Instagram][1 pkts/85 bytes][Host: photos-b.ak.instagram.com] + 4 TCP 192.168.0.103:33763 <-> 31.13.93.52:443 [proto: 91.119/SSL.Facebook][11 pkts/5397 bytes] + 5 TCP 192.168.0.103:33935 <-> 31.13.93.52:443 [proto: 91.119/SSL.Facebook][10 pkts/5299 bytes] 6 TCP 2.22.236.51:80 <-> 192.168.0.103:44151 [proto: 7/HTTP][49 pkts/38684 bytes] 7 TCP 192.168.0.103:38816 <-> 46.33.70.160:80 [proto: 7.211/HTTP.Instagram][52 pkts/58994 bytes][Host: photos-h.ak.instagram.com] - 8 TCP 77.67.29.17:80 <-> 192.168.0.103:33976 [proto: 7/HTTP][34 pkts/29039 bytes] + 8 TCP 192.168.0.103:33976 <-> 77.67.29.17:80 [proto: 7/HTTP][34 pkts/29039 bytes] 9 TCP 192.168.0.103:37350 <-> 82.85.26.153:80 [proto: 7.211/HTTP.Instagram][1 pkts/324 bytes][Host: photos-a.ak.instagram.com] 10 TCP 192.168.0.103:41181 <-> 82.85.26.154:443 [proto: 91.211/SSL.Instagram][14 pkts/5567 bytes][client: igcdn-photos-a-a.akamaihd.net] 11 TCP 31.13.86.52:80 <-> 192.168.0.103:58216 [proto: 7.119/HTTP.Facebook][150 pkts/153558 bytes] 12 TCP 192.168.0.103:57936 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][58 pkts/50220 bytes][Host: photos-g.ak.instagram.com] 13 TCP 192.168.0.103:57966 <-> 82.85.26.185:80 [proto: 7/HTTP][3 pkts/198 bytes] 14 TCP 192.168.0.103:58052 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][75 pkts/57239 bytes][Host: photos-g.ak.instagram.com] - 15 TCP 173.252.107.4:443 <-> 192.168.0.103:56382 [proto: 91.211/SSL.Instagram][17 pkts/2647 bytes][client: telegraph-ash.instagram.com] + 15 TCP 192.168.0.103:56382 <-> 173.252.107.4:443 [proto: 91.211/SSL.Instagram][17 pkts/2647 bytes][client: telegraph-ash.instagram.com] 16 UDP 192.168.0.106:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][4 pkts/580 bytes] - 17 UDP 8.8.8.8:53 <-> 192.168.0.103:33603 [proto: 5.211/DNS.Instagram][2 pkts/298 bytes][Host: igcdn-photos-a-a.akamaihd.net] - 18 TCP 31.13.93.52:443 <-> 192.168.0.103:33936 [proto: 91.119/SSL.Facebook][68 pkts/45688 bytes] + 17 UDP 192.168.0.103:33603 <-> 8.8.8.8:53 [proto: 5.211/DNS.Instagram][2 pkts/298 bytes][Host: igcdn-photos-a-a.akamaihd.net] + 18 TCP 192.168.0.103:33936 <-> 31.13.93.52:443 [proto: 91.119/SSL.Facebook][68 pkts/45688 bytes] 19 TCP 31.13.93.52:443 <-> 192.168.0.103:33934 [proto: 91.119/SSL.Facebook][12 pkts/6044 bytes] 20 ICMP 192.168.0.103:0 <-> 192.168.0.103:0 [proto: 81/ICMP][5 pkts/510 bytes] 21 TCP 192.168.0.103:38817 <-> 46.33.70.160:80 [proto: 7/HTTP][3 pkts/198 bytes] - 22 TCP 192.168.0.103:40855 <-> 46.33.70.150:80 [proto: 7/HTTP][2 pkts/140 bytes] - 23 UDP 8.8.8.8:53 <-> 192.168.0.103:51219 [proto: 5.211/DNS.Instagram][2 pkts/394 bytes][Host: igcdn-photos-h-a.akamaihd.net] + 22 TCP 46.33.70.150:80 <-> 192.168.0.103:40855 [proto: 7/HTTP][2 pkts/140 bytes] + 23 UDP 192.168.0.103:51219 <-> 8.8.8.8:53 [proto: 5.211/DNS.Instagram][2 pkts/394 bytes][Host: igcdn-photos-h-a.akamaihd.net] 24 TCP 192.168.0.103:44558 <-> 46.33.70.174:443 [proto: 91.211/SSL.Instagram][17 pkts/6369 bytes][client: igcdn-photos-h-a.akamaihd.net] 25 TCP 192.168.0.103:41182 <-> 82.85.26.154:443 [proto: 91.211/SSL.Instagram][14 pkts/5567 bytes][client: igcdn-photos-a-a.akamaihd.net] - 26 TCP 192.168.0.103:41562 <-> 92.122.48.138:80 [proto: 7/HTTP][25 pkts/23525 bytes] + 26 TCP 92.122.48.138:80 <-> 192.168.0.103:41562 [proto: 7/HTTP][25 pkts/23525 bytes] 27 TCP 192.168.0.103:44379 <-> 82.85.26.186:80 [proto: 7.211/HTTP.Instagram][81 pkts/53416 bytes][Host: photos-e.ak.instagram.com] 28 TCP 192.168.0.103:58690 <-> 46.33.70.159:443 [proto: 91/SSL][2 pkts/169 bytes] 29 TCP 192.168.0.103:60908 <-> 46.33.70.136:443 [proto: 91.211/SSL.Instagram][19 pkts/9340 bytes][client: igcdn-photos-g-a.akamaihd.net] diff --git a/tests/result/KakaoTalk_chat.pcap.out b/tests/result/KakaoTalk_chat.pcap.out index 8b1378917..4fee1d276 100644 --- a/tests/result/KakaoTalk_chat.pcap.out +++ b/tests/result/KakaoTalk_chat.pcap.out @@ -1 +1,48 @@ +DNS 2 217 1 +HTTP 1 56 1 +ICMP 1 147 1 +SSL 29 4579 3 +Facebook 215 51809 12 +Google 16 1031 3 +HTTP_Proxy 26 3926 1 +Amazon 2 181 1 +KakaoTalk 55 9990 15 + 1 UDP 10.24.82.188:56820 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][2 pkts/205 bytes][Host: up-c.talk.kakao.com] + 2 UDP 10.24.82.188:57816 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][2 pkts/244 bytes][Host: katalk.kakao.com] + 3 UDP 10.24.82.188:58810 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][2 pkts/190 bytes][Host: item.kakao.com] + 4 TCP 120.28.26.242:80 <-> 10.24.82.188:34503 [proto: 7/HTTP][1 pkts/56 bytes] + 5 ICMP 10.188.191.1:0 <-> 10.24.82.188:0 [proto: 81/ICMP][1 pkts/147 bytes] + 6 UDP 10.24.82.188:4017 <-> 10.188.1.1:53 [proto: 5.119/DNS.Facebook][2 pkts/229 bytes][Host: developers.facebook.com] + 7 UDP 10.24.82.188:5929 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][2 pkts/205 bytes][Host: up-p.talk.kakao.com] + 8 TCP 10.24.82.188:58927 <-> 54.255.253.199:5223 [proto: 178/Amazon][2 pkts/181 bytes] + 9 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][26 pkts/3926 bytes] + 10 TCP 10.24.82.188:37821 <-> 210.103.240.15:443 [proto: 91.193/SSL.KakaoTalk][27 pkts/7126 bytes][server: *.kakao.com] + 11 UDP 10.24.82.188:25117 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][2 pkts/208 bytes][Host: up-gp.talk.kakao.com] + 12 UDP 10.24.82.188:29029 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][2 pkts/205 bytes][Host: up-a.talk.kakao.com] + 13 UDP 10.24.82.188:35603 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][2 pkts/215 bytes][Host: ac-talk.kakao.com] + 14 TCP 10.24.82.188:37553 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][10 pkts/1058 bytes][Host: www.facebook.com] + 15 TCP 10.24.82.188:37557 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][11 pkts/1114 bytes][Host: www.facebook.com] + 16 UDP 10.24.82.188:41909 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][2 pkts/214 bytes][Host: booking.loco.kakao.com] + 17 UDP 10.24.82.188:43077 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][2 pkts/178 bytes][Host: dn-l.talk.kakao.com] + 18 UDP 10.24.82.188:61011 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][2 pkts/200 bytes][Host: plus-talk.kakao.com] + 19 UDP 10.24.82.188:61011 <-> 10.188.191.1:53 [proto: 5.193/DNS.KakaoTalk][2 pkts/200 bytes][Host: plus-talk.kakao.com] + 20 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91/SSL][6 pkts/1890 bytes][server: *.push.samsungosp.com] + 21 UDP 10.24.82.188:9094 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][2 pkts/205 bytes][Host: up-v.talk.kakao.com] + 22 TCP 10.24.82.188:35503 <-> 173.252.97.2:443 [proto: 91.119/SSL.Facebook][38 pkts/7591 bytes][server: *.facebook.com] + 23 TCP 10.24.82.188:35511 <-> 173.252.97.2:443 [proto: 91.119/SSL.Facebook][36 pkts/7152 bytes][server: *.facebook.com] + 24 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/SSL][18 pkts/2409 bytes] + 25 UDP 10.24.82.188:12908 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][2 pkts/205 bytes][Host: up-m.talk.kakao.com] + 26 TCP 10.24.82.188:34686 <-> 173.194.72.188:5228 [proto: 126/Google][1 pkts/164 bytes] + 27 UDP 10.24.82.188:14650 <-> 10.188.1.1:53 [proto: 5/DNS][2 pkts/217 bytes][Host: 2.97.252.173.in-addr.arpa] + 28 UDP 10.24.82.188:19582 <-> 10.188.1.1:53 [proto: 5.119/DNS.Facebook][2 pkts/218 bytes][Host: graph.facebook.com] + 29 TCP 216.58.221.10:80 <-> 10.24.82.188:35922 [proto: 7.126/HTTP.Google][14 pkts/784 bytes] + 30 UDP 10.24.82.188:24596 <-> 10.188.1.1:53 [proto: 5.119/DNS.Facebook][2 pkts/196 bytes][Host: api.facebook.com] + 31 TCP 10.24.82.188:42332 <-> 210.103.240.15:443 [proto: 91/SSL][5 pkts/280 bytes] + 32 TCP 10.24.82.188:49217 <-> 216.58.220.174:443 [proto: 91.126/SSL.Google][1 pkts/83 bytes] + 33 UDP 10.24.82.188:38448 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][2 pkts/190 bytes][Host: auth.kakao.com] + 34 TCP 10.24.82.188:43581 <-> 31.13.68.70:443 [proto: 91.119/SSL.Facebook][34 pkts/9655 bytes][client: graph.facebook.com] + 35 TCP 10.24.82.188:45209 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][19 pkts/7707 bytes][client: api.facebook.com] + 36 TCP 10.24.82.188:45211 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][29 pkts/9077 bytes][client: developers.facebook.com] + 37 TCP 10.24.82.188:45213 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][28 pkts/7561 bytes][server: *.facebook.com] + 38 TCP 31.13.68.73:443 <-> 10.24.82.188:47007 [proto: 91.119/SSL.Facebook][4 pkts/251 bytes] diff --git a/tests/result/KakaoTalk_talk.pcap.out b/tests/result/KakaoTalk_talk.pcap.out index 8b1378917..ec1315984 100644 --- a/tests/result/KakaoTalk_talk.pcap.out +++ b/tests/result/KakaoTalk_talk.pcap.out @@ -1 +1,32 @@ +HTTP 5 280 1 +SSL_No_Cert 74 14132 2 +RTP 2991 398751 2 +SSL 5 1198 1 +Facebook 5 377 3 +Google 4 359 4 +HTTP_Proxy 16 1838 2 +Tor 40 10538 1 +Amazon 4 396 1 +KakaoTalk_Voice 44 6196 2 +WeChat 15 1727 1 + 1 TCP 120.28.26.242:80 <-> 10.24.82.188:34533 [proto: 7/HTTP][5 pkts/280 bytes] + 2 TCP 10.24.82.188:58916 <-> 54.255.185.236:5222 [proto: 178/Amazon][4 pkts/396 bytes] + 3 TCP 173.194.117.229:443 <-> 10.24.82.188:38380 [proto: 91.126/SSL.Google][1 pkts/56 bytes] + 4 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][11 pkts/1488 bytes] + 5 UDP 10.24.82.188:25223 <-> 10.188.1.1:53 [proto: 5.119/DNS.Facebook][2 pkts/197 bytes][Host: mqtt.facebook.com] + 6 TCP 173.252.88.128:443 <-> 10.24.82.188:59912 [proto: 91.119/SSL.Facebook][2 pkts/124 bytes] + 7 TCP 10.24.82.188:59954 <-> 173.252.88.128:443 [proto: 64/SSL_No_Cert][29 pkts/4024 bytes] + 8 TCP 10.24.82.188:53974 <-> 203.205.151.233:8080 [proto: 131/HTTP_Proxy][5 pkts/350 bytes] + 9 TCP 10.24.82.188:32968 <-> 110.76.143.50:8080 [proto: 64/SSL_No_Cert][45 pkts/10108 bytes] + 10 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/SSL][5 pkts/1198 bytes] + 11 TCP 10.24.82.188:34686 <-> 173.194.72.188:5228 [proto: 126/Google][1 pkts/164 bytes] + 12 TCP 10.24.82.188:58857 <-> 110.76.143.50:9001 [proto: 163/Tor][40 pkts/10538 bytes] + 13 TCP 173.252.122.1:443 <-> 10.24.82.188:52123 [proto: 91.119/SSL.Facebook][1 pkts/56 bytes] + 14 TCP 10.24.82.188:48489 <-> 203.205.147.215:80 [proto: 7.197/HTTP.WeChat][15 pkts/1727 bytes][Host: hkminorshort.weixin.qq.com] + 15 UDP 10.24.82.188:10269 <-> 1.201.1.174:23047 [proto: 194/KakaoTalk_Voice][22 pkts/3112 bytes] + 16 UDP 10.24.82.188:10268 <-> 1.201.1.174:23046 [proto: 87/RTP][1488 pkts/198510 bytes] + 17 UDP 10.24.82.188:11321 <-> 1.201.1.174:23045 [proto: 194/KakaoTalk_Voice][22 pkts/3084 bytes] + 18 UDP 10.24.82.188:11320 <-> 1.201.1.174:23044 [proto: 87/RTP][1503 pkts/200241 bytes] + 19 TCP 10.24.82.188:49217 <-> 216.58.220.174:443 [proto: 91.126/SSL.Google][1 pkts/83 bytes] + 20 TCP 216.58.220.161:443 <-> 10.24.82.188:56697 [proto: 91.126/SSL.Google][1 pkts/56 bytes] diff --git a/tests/result/NTPv2.pcap.out b/tests/result/NTPv2.pcap.out index 960fbe062..8172344ec 100644 --- a/tests/result/NTPv2.pcap.out +++ b/tests/result/NTPv2.pcap.out @@ -1,3 +1,3 @@ NTP 1 410 1 - 1 UDP 78.46.76.2:80 <-> 208.104.95.10:123 [proto: 9/NTP][1 pkts/410 bytes] + 1 UDP 208.104.95.10:123 <-> 78.46.76.2:80 [proto: 9/NTP][1 pkts/410 bytes] diff --git a/tests/result/NTPv3.pcap.out b/tests/result/NTPv3.pcap.out index 91d817e5e..54953afda 100644 --- a/tests/result/NTPv3.pcap.out +++ b/tests/result/NTPv3.pcap.out @@ -1,3 +1,3 @@ NTP 1 90 1 - 1 UDP 78.46.76.2:80 <-> 175.144.140.29:123 [proto: 9/NTP][1 pkts/90 bytes] + 1 UDP 175.144.140.29:123 <-> 78.46.76.2:80 [proto: 9/NTP][1 pkts/90 bytes] diff --git a/tests/result/NTPv4.pcap.out b/tests/result/NTPv4.pcap.out index fba0fd419..3794393bf 100644 --- a/tests/result/NTPv4.pcap.out +++ b/tests/result/NTPv4.pcap.out @@ -1,3 +1,3 @@ NTP 1 90 1 - 1 UDP 78.46.76.11:123 <-> 85.22.62.120:123 [proto: 9/NTP][1 pkts/90 bytes] + 1 UDP 85.22.62.120:123 <-> 78.46.76.11:123 [proto: 9/NTP][1 pkts/90 bytes] diff --git a/tests/result/Viber_session.pcap.out b/tests/result/Viber_session.pcap.out index 7cdc76e4f..81ef39da8 100644 --- a/tests/result/Viber_session.pcap.out +++ b/tests/result/Viber_session.pcap.out @@ -10,44 +10,44 @@ Google 50 4084 5 Viber 4163 392492 4 Amazon 1 66 1 - 1 TCP 74.125.130.188:5228 <-> 192.168.200.222:57999 [proto: 126/Google][10 pkts/757 bytes] - 2 TCP 74.125.130.188:5228 <-> 192.168.200.222:59011 [proto: 126/Google][9 pkts/692 bytes] - 3 TCP 93.184.221.200:80 <-> 192.168.200.222:60828 [proto: 7/HTTP][1 pkts/60 bytes] - 4 TCP 158.85.58.23:443 <-> 192.168.200.222:44058 [proto: 91/SSL][5 pkts/412 bytes] + 1 TCP 192.168.200.222:57999 <-> 74.125.130.188:5228 [proto: 126/Google][10 pkts/757 bytes] + 2 TCP 192.168.200.222:59011 <-> 74.125.130.188:5228 [proto: 126/Google][9 pkts/692 bytes] + 3 TCP 192.168.200.222:60828 <-> 93.184.221.200:80 [proto: 7/HTTP][1 pkts/60 bytes] + 4 TCP 192.168.200.222:44058 <-> 158.85.58.23:443 [proto: 91/SSL][5 pkts/412 bytes] 5 TCP 222.165.163.117:443 <-> 192.168.200.222:47424 [proto: 91/SSL][5 pkts/385 bytes] 6 TCP 192.168.200.222:38039 <-> 31.13.79.246:443 [proto: 91.119/SSL.Facebook][23 pkts/3345 bytes] 7 TCP 216.58.199.206:443 <-> 192.168.200.222:58663 [proto: 91.126/SSL.Google][2 pkts/132 bytes] - 8 TCP 54.251.141.219:80 <-> 192.168.200.222:38778 [proto: 7.178/HTTP.Amazon][1 pkts/66 bytes] - 9 TCP 54.169.63.186:443 <-> 192.168.200.222:39339 [proto: 91.144/SSL.Viber][6 pkts/412 bytes] - 10 TCP 93.184.221.200:80 <-> 192.168.200.222:33161 [proto: 7/HTTP][1 pkts/60 bytes] + 8 TCP 192.168.200.222:38778 <-> 54.251.141.219:80 [proto: 7.178/HTTP.Amazon][1 pkts/66 bytes] + 9 TCP 192.168.200.222:39339 <-> 54.169.63.186:443 [proto: 91.144/SSL.Viber][6 pkts/412 bytes] + 10 TCP 192.168.200.222:33161 <-> 93.184.221.200:80 [proto: 7/HTTP][1 pkts/60 bytes] 11 TCP 192.168.200.222:52491 <-> 31.13.79.245:443 [proto: 91.119/SSL.Facebook][6 pkts/599 bytes] - 12 TCP 112.124.219.82:80 <-> 192.168.200.222:36675 [proto: 7/HTTP][1 pkts/60 bytes] - 13 TCP 74.125.68.156:443 <-> 192.168.200.222:51055 [proto: 91.126/SSL.Google][24 pkts/2079 bytes] - 14 TCP 112.124.219.93:80 <-> 192.168.200.222:46761 [proto: 7/HTTP][7 pkts/436 bytes] - 15 TCP 93.184.221.200:80 <-> 192.168.200.222:52977 [proto: 7/HTTP][1 pkts/60 bytes] + 12 TCP 192.168.200.222:36675 <-> 112.124.219.82:80 [proto: 7/HTTP][1 pkts/60 bytes] + 13 TCP 192.168.200.222:51055 <-> 74.125.68.156:443 [proto: 91.126/SSL.Google][24 pkts/2079 bytes] + 14 TCP 192.168.200.222:46761 <-> 112.124.219.93:80 [proto: 7/HTTP][7 pkts/436 bytes] + 15 TCP 192.168.200.222:52977 <-> 93.184.221.200:80 [proto: 7/HTTP][1 pkts/60 bytes] 16 TCP 222.165.163.93:443 <-> 192.168.200.222:52635 [proto: 91/SSL][5 pkts/385 bytes] 17 TCP 222.165.163.93:443 <-> 192.168.200.222:52641 [proto: 91/SSL][5 pkts/385 bytes] 18 TCP 222.165.163.91:443 <-> 192.168.200.222:56243 [proto: 91/SSL][5 pkts/385 bytes] 19 ICMP 192.168.1.1:0 <-> 192.168.200.222:0 [proto: 81/ICMP][2 pkts/196 bytes] - 20 TCP 192.168.200.222:37376 <-> 74.125.68.239:443 [proto: 91.126/SSL.Google][5 pkts/424 bytes] - 21 TCP 52.0.253.46:443 <-> 192.168.200.222:43287 [proto: 64/SSL_No_Cert][34 pkts/4141 bytes] - 22 TCP 23.21.254.189:443 <-> 192.168.200.222:51146 [proto: 91/SSL][15 pkts/1484 bytes][client: e.crashlytics.com] - 23 TCP 52.0.253.46:4244 <-> 192.168.200.222:43454 [proto: 144/Viber][12 pkts/1161 bytes] - 24 TCP 74.125.200.18:443 <-> 192.168.200.222:42040 [proto: 91.122/SSL.GMail][21 pkts/1891 bytes][client: mail.google.com] - 25 TCP 93.184.221.200:80 <-> 192.168.200.222:43646 [proto: 7/HTTP][1 pkts/60 bytes] + 20 TCP 74.125.68.239:443 <-> 192.168.200.222:37376 [proto: 91.126/SSL.Google][5 pkts/424 bytes] + 21 TCP 192.168.200.222:43287 <-> 52.0.253.46:443 [proto: 64/SSL_No_Cert][34 pkts/4141 bytes] + 22 TCP 192.168.200.222:51146 <-> 23.21.254.189:443 [proto: 91/SSL][15 pkts/1484 bytes][client: e.crashlytics.com] + 23 TCP 192.168.200.222:43454 <-> 52.0.253.46:4244 [proto: 144/Viber][12 pkts/1161 bytes] + 24 TCP 192.168.200.222:42040 <-> 74.125.200.18:443 [proto: 91.122/SSL.GMail][21 pkts/1891 bytes][client: mail.google.com] + 25 TCP 192.168.200.222:43646 <-> 93.184.221.200:80 [proto: 7/HTTP][1 pkts/60 bytes] 26 TCP 192.168.200.222:40005 <-> 108.168.176.234:443 [proto: 91/SSL][24 pkts/2848 bytes] - 27 UDP 54.169.63.186:7987 <-> 192.168.200.222:48564 [proto: 144/Viber][2 pkts/138 bytes] - 28 UDP 54.169.63.186:7985 <-> 192.168.200.222:48564 [proto: 144/Viber][4143 pkts/390781 bytes] - 29 TCP 93.184.221.200:80 <-> 192.168.200.222:50854 [proto: 7/HTTP][1 pkts/60 bytes] - 30 TCP 108.160.172.205:443 <-> 192.168.200.222:51765 [proto: 91.121/SSL.Dropbox][1 pkts/97 bytes] - 31 TCP 107.22.192.179:443 <-> 192.168.200.222:52269 [proto: 91/SSL][16 pkts/1419 bytes][client: settings.crashlytics.com] + 27 UDP 192.168.200.222:48564 <-> 54.169.63.186:7987 [proto: 144/Viber][2 pkts/138 bytes] + 28 UDP 192.168.200.222:48564 <-> 54.169.63.186:7985 [proto: 144/Viber][4143 pkts/390781 bytes] + 29 TCP 192.168.200.222:50854 <-> 93.184.221.200:80 [proto: 7/HTTP][1 pkts/60 bytes] + 30 TCP 192.168.200.222:51765 <-> 108.160.172.205:443 [proto: 91.121/SSL.Dropbox][1 pkts/97 bytes] + 31 TCP 192.168.200.222:52269 <-> 107.22.192.179:443 [proto: 91/SSL][16 pkts/1419 bytes][client: settings.crashlytics.com] Undetected flows: - 1 TCP 113.31.80.142:7003 <-> 192.168.200.222:55554 [proto: 0/Unknown][6 pkts/446 bytes] - 2 UDP 175.157.52.135:37299 <-> 192.168.200.222:48564 [proto: 0/Unknown][30 pkts/1800 bytes] - 3 UDP 175.157.52.135:37301 <-> 192.168.200.222:48564 [proto: 0/Unknown][30 pkts/1800 bytes] - 4 TCP 113.31.80.142:7003 <-> 192.168.200.222:55565 [proto: 0/Unknown][7 pkts/549 bytes] - 5 UDP 10.216.246.82:59027 <-> 192.168.200.222:48564 [proto: 0/Unknown][30 pkts/1800 bytes] - 6 UDP 175.157.52.135:37300 <-> 192.168.200.222:48564 [proto: 0/Unknown][30 pkts/1800 bytes] - 7 UDP 175.157.52.135:37302 <-> 192.168.200.222:48564 [proto: 0/Unknown][30 pkts/1800 bytes] + 1 TCP 192.168.200.222:55554 <-> 113.31.80.142:7003 [proto: 0/Unknown][6 pkts/446 bytes] + 2 UDP 192.168.200.222:48564 <-> 175.157.52.135:37299 [proto: 0/Unknown][30 pkts/1800 bytes] + 3 UDP 192.168.200.222:48564 <-> 175.157.52.135:37301 [proto: 0/Unknown][30 pkts/1800 bytes] + 4 TCP 192.168.200.222:55565 <-> 113.31.80.142:7003 [proto: 0/Unknown][7 pkts/549 bytes] + 5 UDP 192.168.200.222:48564 <-> 10.216.246.82:59027 [proto: 0/Unknown][30 pkts/1800 bytes] + 6 UDP 192.168.200.222:48564 <-> 175.157.52.135:37300 [proto: 0/Unknown][30 pkts/1800 bytes] + 7 UDP 192.168.200.222:48564 <-> 175.157.52.135:37302 [proto: 0/Unknown][30 pkts/1800 bytes] diff --git a/tests/result/amqp.pcap.out b/tests/result/amqp.pcap.out new file mode 100644 index 000000000..27b64d3d0 --- /dev/null +++ b/tests/result/amqp.pcap.out @@ -0,0 +1,5 @@ +AMQP 160 23514 3 + + 1 TCP 127.0.0.1:44205 <-> 127.0.1.1:5672 [proto: 192/AMQP][108 pkts/14423 bytes] + 2 TCP 127.0.1.1:5672 <-> 127.0.0.1:44204 [proto: 192/AMQP][22 pkts/5026 bytes] + 3 TCP 127.0.0.1:44206 <-> 127.0.1.1:5672 [proto: 192/AMQP][30 pkts/4065 bytes] diff --git a/tests/result/bittorrent.pcap.out b/tests/result/bittorrent.pcap.out index 415673d20..a0993283b 100644 --- a/tests/result/bittorrent.pcap.out +++ b/tests/result/bittorrent.pcap.out @@ -1,7 +1,7 @@ BitTorrent 299 305728 24 1 TCP 192.168.1.3:52908 <-> 79.55.129.22:12097 [proto: 37/BitTorrent][1 pkts/134 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 2 TCP 79.53.228.2:14627 <-> 192.168.1.3:52896 [proto: 37/BitTorrent][5 pkts/1180 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 2 TCP 192.168.1.3:52896 <-> 79.53.228.2:14627 [proto: 37/BitTorrent][5 pkts/1180 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] 3 TCP 192.168.1.3:52922 <-> 95.237.193.34:11321 [proto: 37/BitTorrent][5 pkts/1205 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] 4 TCP 192.168.1.3:52925 <-> 93.65.227.100:19116 [proto: 37/BitTorrent][1 pkts/134 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] 5 TCP 192.168.1.3:52907 <-> 82.58.216.115:38305 [proto: 37/BitTorrent][4 pkts/1401 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] @@ -17,7 +17,7 @@ BitTorrent 299 305728 24 15 TCP 192.168.1.3:52914 <-> 190.103.195.56:46633 [proto: 37/BitTorrent][7 pkts/1550 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] 16 TCP 192.168.1.3:52893 <-> 79.55.129.22:12097 [proto: 37/BitTorrent][1 pkts/134 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] 17 TCP 192.168.1.3:52912 <-> 151.72.255.163:59928 [proto: 37/BitTorrent][4 pkts/612 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 18 TCP 79.53.228.2:14627 <-> 192.168.1.3:52909 [proto: 37/BitTorrent][1 pkts/134 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 18 TCP 192.168.1.3:52909 <-> 79.53.228.2:14627 [proto: 37/BitTorrent][1 pkts/134 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] 19 TCP 192.168.1.3:52903 <-> 198.100.146.9:60163 [proto: 37/BitTorrent][6 pkts/1261 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] 20 TCP 192.168.1.3:52915 <-> 198.100.146.9:60163 [proto: 37/BitTorrent][210 pkts/285139 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] 21 TCP 192.168.1.3:52926 <-> 93.65.249.100:31336 [proto: 37/BitTorrent][3 pkts/930 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] diff --git a/tests/result/bittorrent_ip.pcap.out b/tests/result/bittorrent_ip.pcap.out new file mode 100644 index 000000000..93ae22bff --- /dev/null +++ b/tests/result/bittorrent_ip.pcap.out @@ -0,0 +1,4 @@ +BitTorrent 479 508018 2 + + 1 TCP 185.56.20.36:53646 <-> 10.0.0.14:35030 [proto: 37/BitTorrent][48 pkts/37932 bytes] + 2 TCP 77.222.174.20:2866 <-> 10.0.0.14:46610 [proto: 37/BitTorrent][431 pkts/470086 bytes] diff --git a/tests/result/bittorrent_utp.pcap.out b/tests/result/bittorrent_utp.pcap.out index 2078b7210..2b64008b0 100644 --- a/tests/result/bittorrent_utp.pcap.out +++ b/tests/result/bittorrent_utp.pcap.out @@ -1,3 +1,3 @@ BitTorrent 86 41489 1 - 1 UDP 192.168.1.5:40959 <-> 82.243.113.43:64969 [proto: 37/BitTorrent][86 pkts/41489 bytes] + 1 UDP 82.243.113.43:64969 <-> 192.168.1.5:40959 [proto: 37/BitTorrent][86 pkts/41489 bytes] diff --git a/tests/result/coap_mqtt.pcap.out b/tests/result/coap_mqtt.pcap.out index 67e3d3077..6deb36358 100644 --- a/tests/result/coap_mqtt.pcap.out +++ b/tests/result/coap_mqtt.pcap.out @@ -2,19 +2,19 @@ COAP 19 1614 8 Dropbox 800 80676 4 MQTT 7695 668291 4 - 1 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 <-> [2001:620:8:35d9::10]:61043 [proto: 27/COAP][1 pkts/86 bytes] - 2 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 <-> [2001:620:8:35d9::10]:61045 [proto: 27/COAP][1 pkts/86 bytes] - 3 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 <-> [2001:620:8:35d9::10]:61047 [proto: 27/COAP][1 pkts/90 bytes] + 1 UDP [2001:620:8:35d9::10]:61043 <-> [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 [proto: 27/COAP][1 pkts/86 bytes] + 2 UDP [2001:620:8:35d9::10]:61045 <-> [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 [proto: 27/COAP][1 pkts/86 bytes] + 3 UDP [2001:620:8:35d9::10]:61047 <-> [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 [proto: 27/COAP][1 pkts/90 bytes] 4 UDP 192.168.56.1:50318 <-> 192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20220 bytes] 5 UDP 192.168.56.1:50312 <-> 192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20194 bytes] 6 TCP 192.168.56.1:53523 <-> 192.168.56.101:17501 [proto: 222/MQTT][1926 pkts/167126 bytes] 7 UDP [bbbb::1]:33499 <-> [bbbb::3]:5683 [proto: 27/COAP][4 pkts/404 bytes] 8 UDP [bbbb::1]:46819 <-> [bbbb::3]:5683 [proto: 27/COAP][6 pkts/467 bytes] - 9 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 <-> [2001:620:8:35d9::10]:61044 [proto: 27/COAP][1 pkts/86 bytes] - 10 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 <-> [2001:620:8:35d9::10]:61046 [proto: 27/COAP][1 pkts/86 bytes] + 9 UDP [2001:620:8:35d9::10]:61044 <-> [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 [proto: 27/COAP][1 pkts/86 bytes] + 10 UDP [2001:620:8:35d9::10]:61046 <-> [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 [proto: 27/COAP][1 pkts/86 bytes] 11 UDP 192.168.56.1:50311 <-> 192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20120 bytes] 12 UDP 192.168.56.1:50319 <-> 192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20142 bytes] 13 TCP 192.168.56.1:53522 <-> 192.168.56.101:17501 [proto: 222/MQTT][1922 pkts/166928 bytes] 14 TCP 192.168.56.1:53528 <-> 192.168.56.101:17501 [proto: 222/MQTT][1928 pkts/167509 bytes] - 15 TCP 192.168.56.1:53524 <-> 192.168.56.101:17501 [proto: 222/MQTT][1919 pkts/166728 bytes] + 15 TCP 192.168.56.101:17501 <-> 192.168.56.1:53524 [proto: 222/MQTT][1919 pkts/166728 bytes] 16 UDP [bbbb::1]:50250 <-> [bbbb::3]:5683 [proto: 27/COAP][4 pkts/309 bytes] diff --git a/tests/result/dnscrypt.pcap.out b/tests/result/dnscrypt.pcap.out new file mode 100644 index 000000000..618d7ef28 --- /dev/null +++ b/tests/result/dnscrypt.pcap.out @@ -0,0 +1,6 @@ +DNScrypt 111 44676 4 + + 1 TCP 192.168.43.167:50258 <-> 134.119.26.24:443 [proto: 91.208/SSL.DNScrypt][18 pkts/8515 bytes][client: simplednscrypt.org] + 2 TCP 192.168.43.167:50233 <-> 134.119.26.24:443 [proto: 91.208/SSL.DNScrypt][39 pkts/16368 bytes][client: simplednscrypt.org] + 3 TCP 192.168.43.167:50253 <-> 134.119.26.24:443 [proto: 91.208/SSL.DNScrypt][18 pkts/8515 bytes][client: simplednscrypt.org] + 4 TCP 192.168.43.167:50259 <-> 134.119.26.24:443 [proto: 91.208/SSL.DNScrypt][36 pkts/11278 bytes][client: simplednscrypt.org] diff --git a/tests/result/dropbox.pcap.out b/tests/result/dropbox.pcap.out index 786dc24de..cb9edfe34 100644 --- a/tests/result/dropbox.pcap.out +++ b/tests/result/dropbox.pcap.out @@ -21,11 +21,11 @@ Dropbox 1104 246122 16 17 UDP 192.168.1.101:4974 <-> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes] 18 UDP 192.168.1.105:49112 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][4 pkts/774 bytes][Host: client-cf.dropbox.com] 19 UDP 192.168.1.105:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][6 pkts/1422 bytes] - 20 UDP 239.255.255.250:1900 <-> 192.168.1.254:50828 [proto: 12/SSDP][44 pkts/19936 bytes] + 20 UDP 192.168.1.254:50828 <-> 239.255.255.250:1900 [proto: 12/SSDP][44 pkts/19936 bytes] 21 UDP 192.168.56.1:50311 <-> 192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20120 bytes] 22 UDP 192.168.56.1:50319 <-> 192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20142 bytes] 23 UDP 192.168.1.106:57268 <-> 239.255.255.250:1900 [proto: 12/SSDP][16 pkts/2632 bytes] - 24 TCP 54.240.174.31:443 <-> 192.168.1.105:44949 [proto: 91.121/SSL.Dropbox][138 pkts/97302 bytes][client: client-cf.dropbox.com] + 24 TCP 192.168.1.105:44949 <-> 54.240.174.31:443 [proto: 91.121/SSL.Dropbox][138 pkts/97302 bytes][client: client-cf.dropbox.com] 25 TCP 192.168.1.105:36226 <-> 108.160.172.195:80 [proto: 7.121/HTTP.Dropbox][20 pkts/3928 bytes][Host: log.getdropbox.com] 26 UDP 192.168.1.101:2169 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes] 27 UDP 192.168.1.101:2141 <-> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes] diff --git a/tests/result/git.pcap.out b/tests/result/git.pcap.out index 665dad5a8..77e226d41 100644 --- a/tests/result/git.pcap.out +++ b/tests/result/git.pcap.out @@ -1,3 +1,3 @@ Git 90 74005 1 - 1 TCP 5.153.231.21:9418 <-> 192.168.0.77:47991 [proto: 226/Git][90 pkts/74005 bytes] + 1 TCP 192.168.0.77:47991 <-> 5.153.231.21:9418 [proto: 226/Git][90 pkts/74005 bytes] diff --git a/tests/result/google_ssl.pcap.out b/tests/result/google_ssl.pcap.out index 2e69420db..515659d48 100644 --- a/tests/result/google_ssl.pcap.out +++ b/tests/result/google_ssl.pcap.out @@ -1,3 +1,3 @@ Google 28 9108 1 - 1 TCP 216.58.212.100:443 <-> 172.31.3.224:42835 [proto: 91.126/SSL.Google][28 pkts/9108 bytes][server: www.google.com] + 1 TCP 172.31.3.224:42835 <-> 216.58.212.100:443 [proto: 91.126/SSL.Google][28 pkts/9108 bytes][server: www.google.com] diff --git a/tests/result/hangout.pcap.out b/tests/result/hangout.pcap.out index 7dff4f8e5..1cd3ffc5a 100644 --- a/tests/result/hangout.pcap.out +++ b/tests/result/hangout.pcap.out @@ -1,3 +1,3 @@ GoogleHangout 19 2774 1 - 1 UDP 10.89.61.13:56406 <-> 74.125.134.127:19305 [proto: 201/GoogleHangout][19 pkts/2774 bytes] + 1 UDP 74.125.134.127:19305 <-> 10.89.61.13:56406 [proto: 201/GoogleHangout][19 pkts/2774 bytes] diff --git a/tests/result/http_ipv6.pcap.out b/tests/result/http_ipv6.pcap.out index 6928e61e4..e3685438d 100644 --- a/tests/result/http_ipv6.pcap.out +++ b/tests/result/http_ipv6.pcap.out @@ -5,17 +5,17 @@ QUIC 3 502 1 ntop 80 36401 4 1 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:33062 <-> [2a00:1450:400b:c02::9a]:443 [proto: 91/SSL][2 pkts/172 bytes] - 2 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a03:b0c0:3:d0::70:1001]:37486 [proto: 91.229/SSL.ntop][19 pkts/7014 bytes][client: www.ntop.org] - 3 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a03:b0c0:3:d0::70:1001]:37488 [proto: 91.229/SSL.ntop][17 pkts/6842 bytes][client: www.ntop.org] - 4 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a03:b0c0:3:d0::70:1001]:37494 [proto: 91.229/SSL.ntop][18 pkts/6928 bytes][client: www.ntop.org] - 5 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a03:b0c0:3:d0::70:1001]:37506 [proto: 91.229/SSL.ntop][26 pkts/15617 bytes][client: www.ntop.org] - 6 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a00:1450:4006:804::200e]:40526 [proto: 91/SSL][2 pkts/172 bytes] - 7 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a00:1450:4001:803::1017]:41776 [proto: 91/SSL][14 pkts/2213 bytes] - 8 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a02:26f0:ad:197::236]:53132 [proto: 91.119/SSL.Facebook][12 pkts/5187 bytes][client: s-static.ak.facebook.com] - 9 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a02:26f0:ad:197::236]:53134 [proto: 91.119/SSL.Facebook][10 pkts/5015 bytes][client: s-static.ak.facebook.com] - 10 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a00:1450:4006:803::2008]:58660 [proto: 91/SSL][2 pkts/172 bytes] - 11 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a00:1450:4001:803::1012]:59690 [proto: 91/SSL][2 pkts/172 bytes] + 2 TCP [2a03:b0c0:3:d0::70:1001]:37486 <-> [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 [proto: 91.229/SSL.ntop][19 pkts/7014 bytes][client: www.ntop.org] + 3 TCP [2a03:b0c0:3:d0::70:1001]:37488 <-> [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 [proto: 91.229/SSL.ntop][17 pkts/6842 bytes][client: www.ntop.org] + 4 TCP [2a03:b0c0:3:d0::70:1001]:37494 <-> [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 [proto: 91.229/SSL.ntop][18 pkts/6928 bytes][client: www.ntop.org] + 5 TCP [2a03:b0c0:3:d0::70:1001]:37506 <-> [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 [proto: 91.229/SSL.ntop][26 pkts/15617 bytes][client: www.ntop.org] + 6 TCP [2a00:1450:4006:804::200e]:40526 <-> [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 [proto: 91/SSL][2 pkts/172 bytes] + 7 TCP [2a00:1450:4001:803::1017]:41776 <-> [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 [proto: 91/SSL][14 pkts/2213 bytes] + 8 TCP [2a02:26f0:ad:197::236]:53132 <-> [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 [proto: 91.119/SSL.Facebook][12 pkts/5187 bytes][client: s-static.ak.facebook.com] + 9 TCP [2a02:26f0:ad:197::236]:53134 <-> [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 [proto: 91.119/SSL.Facebook][10 pkts/5015 bytes][client: s-static.ak.facebook.com] + 10 TCP [2a00:1450:4006:803::2008]:58660 <-> [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 [proto: 91/SSL][2 pkts/172 bytes] + 11 TCP [2a00:1450:4001:803::1012]:59690 <-> [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 [proto: 91/SSL][2 pkts/172 bytes] 12 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:60124 <-> [2a02:26f0:ad:1a1::eed]:443 [proto: 91/SSL][2 pkts/172 bytes] 13 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:40308 <-> [2a03:2880:1010:3f20:face:b00c::25de]:443 [proto: 91/SSL][2 pkts/172 bytes] - 14 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a00:1450:4001:803::1017]:45931 [proto: 188.126/QUIC.Google][62 pkts/15977 bytes][Host: www.google.it] + 14 UDP [2a00:1450:4001:803::1017]:45931 <-> [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 [proto: 188.126/QUIC.Google][62 pkts/15977 bytes][Host: www.google.it] 15 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:55145 <-> [2a00:1450:400b:c02::5f]:443 [proto: 188/QUIC][3 pkts/502 bytes] diff --git a/tests/result/mpeg.pcap.out b/tests/result/mpeg.pcap.out index 30cba198f..57c8325b0 100644 --- a/tests/result/mpeg.pcap.out +++ b/tests/result/mpeg.pcap.out @@ -1,3 +1,3 @@ ntop 19 10643 1 - 1 TCP 46.101.157.119:80 <-> 192.168.80.160:55804 [proto: 7.229/HTTP.ntop][19 pkts/10643 bytes][Host: luca.ntop.org] + 1 TCP 192.168.80.160:55804 <-> 46.101.157.119:80 [proto: 7.229/HTTP.ntop][19 pkts/10643 bytes][Host: luca.ntop.org] diff --git a/tests/result/mpegts.pcap.out b/tests/result/mpegts.pcap.out index 7dd94beef..bfa70fd3e 100644 --- a/tests/result/mpegts.pcap.out +++ b/tests/result/mpegts.pcap.out @@ -1,3 +1,3 @@ MPEG_TS 1 1362 1 - 1 UDP 230.200.201.23:1234 <-> 10.1.16.48:40737 [VLAN: 3359][proto: 198/MPEG_TS][1 pkts/1362 bytes] + 1 UDP 10.1.16.48:40737 <-> 230.200.201.23:1234 [VLAN: 3359][proto: 198/MPEG_TS][1 pkts/1362 bytes] diff --git a/tests/result/mssql_tds.pcap.out b/tests/result/mssql_tds.pcap.out index 28c1075ae..ea994e979 100644 --- a/tests/result/mssql_tds.pcap.out +++ b/tests/result/mssql_tds.pcap.out @@ -1,14 +1,14 @@ MsSQL-TDS 38 16260 12 - 1 TCP 10.0.0.1:1433 <-> 10.111.111.111:2222 [proto: 114/MsSQL-TDS][2 pkts/169 bytes] - 2 TCP 10.0.0.1:1433 <-> 10.111.111.111:4444 [proto: 114/MsSQL-TDS][1 pkts/1136 bytes] - 3 TCP 10.0.0.1:1433 <-> 10.111.111.111:6666 [proto: 114/MsSQL-TDS][7 pkts/8717 bytes] - 4 TCP 10.0.0.1:1433 <-> 10.111.111.111:8888 [proto: 114/MsSQL-TDS][1 pkts/142 bytes] - 5 TCP 10.0.0.1:1433 <-> 10.111.111.111:22222 [proto: 114/MsSQL-TDS][1 pkts/322 bytes] - 6 TCP 10.0.0.1:1433 <-> 10.111.111.111:1111 [proto: 114/MsSQL-TDS][4 pkts/1138 bytes] - 7 TCP 10.0.0.1:1433 <-> 10.111.111.111:3333 [proto: 114/MsSQL-TDS][1 pkts/239 bytes] - 8 TCP 10.0.0.1:1433 <-> 10.111.111.111:5555 [proto: 114/MsSQL-TDS][17 pkts/3073 bytes] - 9 TCP 10.0.0.1:1433 <-> 10.111.111.111:7777 [proto: 114/MsSQL-TDS][1 pkts/425 bytes] - 10 TCP 10.0.0.1:1433 <-> 10.111.111.111:9999 [proto: 114/MsSQL-TDS][1 pkts/272 bytes] - 11 TCP 10.0.0.1:1433 <-> 10.111.111.111:11111 [proto: 114/MsSQL-TDS][1 pkts/253 bytes] - 12 TCP 10.0.0.1:1433 <-> 10.111.111.111:33333 [proto: 114/MsSQL-TDS][1 pkts/374 bytes] + 1 TCP 10.111.111.111:2222 <-> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][2 pkts/169 bytes] + 2 TCP 10.111.111.111:4444 <-> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/1136 bytes] + 3 TCP 10.111.111.111:6666 <-> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][7 pkts/8717 bytes] + 4 TCP 10.111.111.111:8888 <-> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/142 bytes] + 5 TCP 10.111.111.111:22222 <-> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/322 bytes] + 6 TCP 10.111.111.111:1111 <-> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][4 pkts/1138 bytes] + 7 TCP 10.111.111.111:3333 <-> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/239 bytes] + 8 TCP 10.111.111.111:5555 <-> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][17 pkts/3073 bytes] + 9 TCP 10.111.111.111:7777 <-> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/425 bytes] + 10 TCP 10.111.111.111:9999 <-> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/272 bytes] + 11 TCP 10.111.111.111:11111 <-> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/253 bytes] + 12 TCP 10.111.111.111:33333 <-> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/374 bytes] diff --git a/tests/result/netflix.pcap.out b/tests/result/netflix.pcap.out index ec6e125c6..df8ae9cd8 100644 --- a/tests/result/netflix.pcap.out +++ b/tests/result/netflix.pcap.out @@ -7,12 +7,12 @@ Amazon 2 126 1 1 TCP 192.168.1.7:53149 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][126 pkts/128603 bytes][Host: art-2.nflximg.net] 2 TCP 192.168.1.7:53153 <-> 184.25.204.24:80 [proto: 7.133/HTTP.NetFlix][637 pkts/745904 bytes][Host: tp.akam.nflximg.com] 3 TCP 192.168.1.7:53251 <-> 184.25.204.10:80 [proto: 7.133/HTTP.NetFlix][41 pkts/34971 bytes][Host: art-1.nflximg.net] - 4 UDP 192.168.1.1:53 <-> 192.168.1.7:51543 [proto: 5.133/DNS.NetFlix][4 pkts/806 bytes][Host: ios.nccp.netflix.com] - 5 UDP 192.168.1.1:53 <-> 192.168.1.7:51949 [proto: 5.133/DNS.NetFlix][2 pkts/322 bytes][Host: api-global.latency.prodaa.netflix.com] - 6 UDP 192.168.1.1:53 <-> 192.168.1.7:52095 [proto: 5.133/DNS.NetFlix][2 pkts/322 bytes][Host: api-global.latency.prodaa.netflix.com] - 7 UDP 192.168.1.1:53 <-> 192.168.1.7:52347 [proto: 5.133/DNS.NetFlix][2 pkts/451 bytes][Host: ios.nccp.netflix.com] - 8 UDP 192.168.1.1:53 <-> 192.168.1.7:57093 [proto: 5/DNS][2 pkts/194 bytes][Host: a1907.dscg.akamai.net] - 9 UDP 192.168.1.1:53 <-> 192.168.1.7:57719 [proto: 5.133/DNS.NetFlix][2 pkts/222 bytes][Host: sha2.san.akam.nflximg.net] + 4 UDP 192.168.1.7:51543 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][4 pkts/806 bytes][Host: ios.nccp.netflix.com] + 5 UDP 192.168.1.7:51949 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][2 pkts/322 bytes][Host: api-global.latency.prodaa.netflix.com] + 6 UDP 192.168.1.7:52095 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][2 pkts/322 bytes][Host: api-global.latency.prodaa.netflix.com] + 7 UDP 192.168.1.7:52347 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][2 pkts/451 bytes][Host: ios.nccp.netflix.com] + 8 UDP 192.168.1.7:57093 <-> 192.168.1.1:53 [proto: 5/DNS][2 pkts/194 bytes][Host: a1907.dscg.akamai.net] + 9 UDP 192.168.1.7:57719 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][2 pkts/222 bytes][Host: sha2.san.akam.nflximg.net] 10 TCP 192.168.1.7:53163 <-> 23.246.11.145:80 [proto: 7.133/HTTP.NetFlix][53 pkts/45005 bytes] 11 TCP 192.168.1.7:53171 <-> 23.246.3.140:80 [proto: 7.133/HTTP.NetFlix][55 pkts/47007 bytes] 12 TCP 192.168.1.7:53173 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][49 pkts/32105 bytes] @@ -25,24 +25,24 @@ Amazon 2 126 1 19 IGMP 192.168.1.7:0 <-> 239.255.255.250:0 [proto: 82/IGMP][1 pkts/60 bytes] 20 TCP 192.168.1.7:53152 <-> 52.89.39.139:80 [proto: 7.133/HTTP.NetFlix][27 pkts/16505 bytes][Host: api-global.netflix.com] 21 TCP 192.168.1.7:53116 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][148 pkts/73954 bytes][client: api-global.netflix.com] - 22 TCP 52.41.30.5:443 <-> 192.168.1.7:53239 [proto: 91.133/SSL.NetFlix][48 pkts/29661 bytes][client: api-global.netflix.com] + 22 TCP 192.168.1.7:53239 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][48 pkts/29661 bytes][client: api-global.netflix.com] 23 TCP 192.168.1.7:53133 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][69 pkts/43938 bytes][client: api-global.netflix.com] 24 TCP 192.168.1.7:53203 <-> 52.37.36.252:443 [proto: 91.133/SSL.NetFlix][45 pkts/27952 bytes][client: ichnaea.netflix.com] 25 TCP 192.168.1.7:53238 <-> 52.32.22.214:443 [proto: 91.133/SSL.NetFlix][31 pkts/10934 bytes][client: ios.nccp.netflix.com] 26 TCP 192.168.1.7:53248 <-> 52.32.22.214:443 [proto: 91.133/SSL.NetFlix][22 pkts/10239 bytes][client: ios.nccp.netflix.com] - 27 TCP 52.41.30.5:443 <-> 192.168.1.7:53249 [proto: 91.133/SSL.NetFlix][52 pkts/25886 bytes][client: api-global.netflix.com] + 27 TCP 192.168.1.7:53249 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][52 pkts/25886 bytes][client: api-global.netflix.com] 28 TCP 192.168.1.7:53105 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][37 pkts/9285 bytes][client: ichnaea.netflix.com] 29 TCP 192.168.1.7:53119 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][36 pkts/12874 bytes][client: ichnaea.netflix.com] 30 TCP 192.168.1.7:53193 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][71 pkts/58161 bytes][client: ios.nccp.netflix.com] 31 TCP 192.168.1.7:53148 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][63 pkts/47005 bytes][Host: art-2.nflximg.net] 32 TCP 192.168.1.7:53150 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][21 pkts/13259 bytes][Host: art-2.nflximg.net] 33 TCP 192.168.1.7:53252 <-> 184.25.204.10:80 [proto: 7.133/HTTP.NetFlix][41 pkts/42239 bytes][Host: art-1.nflximg.net] - 34 UDP 192.168.1.1:53 <-> 192.168.1.7:51622 [proto: 5.133/DNS.NetFlix][4 pkts/806 bytes][Host: ios.nccp.netflix.com] - 35 UDP 192.168.1.1:53 <-> 192.168.1.7:51728 [proto: 5/DNS][2 pkts/192 bytes][Host: a803.dscg.akamai.net] - 36 UDP 192.168.1.1:53 <-> 192.168.1.7:52116 [proto: 5.133/DNS.NetFlix][2 pkts/320 bytes][Host: ichnaea.us-west-2.prodaa.netflix.com] - 37 UDP 192.168.1.1:53 <-> 192.168.1.7:58102 [proto: 5.133/DNS.NetFlix][2 pkts/271 bytes][Host: appboot.netflix.com] - 38 UDP 192.168.1.1:53 <-> 192.168.1.7:59180 [proto: 5.133/DNS.NetFlix][2 pkts/232 bytes][Host: artwork.akam.nflximg.net] - 39 UDP 192.168.1.1:53 <-> 192.168.1.7:60962 [proto: 5.133/DNS.NetFlix][2 pkts/331 bytes][Host: ichnaea.geo.netflix.com] + 34 UDP 192.168.1.7:51622 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][4 pkts/806 bytes][Host: ios.nccp.netflix.com] + 35 UDP 192.168.1.7:51728 <-> 192.168.1.1:53 [proto: 5/DNS][2 pkts/192 bytes][Host: a803.dscg.akamai.net] + 36 UDP 192.168.1.7:52116 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][2 pkts/320 bytes][Host: ichnaea.us-west-2.prodaa.netflix.com] + 37 UDP 192.168.1.7:58102 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][2 pkts/271 bytes][Host: appboot.netflix.com] + 38 UDP 192.168.1.7:59180 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][2 pkts/232 bytes][Host: artwork.akam.nflximg.net] + 39 UDP 192.168.1.7:60962 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][2 pkts/331 bytes][Host: ichnaea.geo.netflix.com] 40 UDP 192.168.1.7:53776 <-> 239.255.255.250:1900 [proto: 12/SSDP][16 pkts/2648 bytes] 41 TCP 192.168.1.7:53164 <-> 23.246.10.139:80 [proto: 7.133/HTTP.NetFlix][58 pkts/47176 bytes] 42 TCP 192.168.1.7:53172 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][50 pkts/25032 bytes] @@ -53,13 +53,13 @@ Amazon 2 126 1 47 TCP 192.168.1.7:53182 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][58 pkts/32796 bytes] 48 TCP 192.168.1.7:53184 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][178 pkts/157382 bytes][Host: 23.246.11.141] 49 TCP 192.168.1.7:53210 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][788 pkts/759283 bytes][Host: 23.246.11.133] - 50 TCP 52.24.87.6:443 <-> 192.168.1.7:52929 [proto: 91.178/SSL.Amazon][2 pkts/126 bytes] + 50 TCP 192.168.1.7:52929 <-> 52.24.87.6:443 [proto: 91.178/SSL.Amazon][2 pkts/126 bytes] 51 TCP 192.168.1.7:53115 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][28 pkts/6662 bytes][client: api-global.netflix.com] 52 TCP 192.168.1.7:53117 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][20 pkts/3017 bytes][client: api-global.netflix.com] 53 TCP 192.168.1.7:53132 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][40 pkts/13487 bytes][client: api-global.netflix.com] 54 TCP 192.168.1.7:53134 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][25 pkts/8201 bytes][client: api-global.netflix.com] 55 TCP 192.168.1.7:53151 <-> 54.201.191.132:80 [proto: 7.133/HTTP.NetFlix][41 pkts/33170 bytes][Host: appboot.netflix.com] - 56 TCP 52.41.30.5:443 <-> 192.168.1.7:53250 [proto: 91.133/SSL.NetFlix][17 pkts/5314 bytes][client: api-global.netflix.com] + 56 TCP 192.168.1.7:53250 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][17 pkts/5314 bytes][client: api-global.netflix.com] 57 TCP 192.168.1.7:53114 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][25 pkts/8228 bytes][client: ios.nccp.netflix.com] 58 TCP 192.168.1.7:53118 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][34 pkts/12728 bytes][client: ichnaea.netflix.com] 59 TCP 192.168.1.7:53162 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][31 pkts/14720 bytes][client: ios.nccp.netflix.com] diff --git a/tests/result/ookla.pcap.out b/tests/result/ookla.pcap.out new file mode 100644 index 000000000..8064e5dfb --- /dev/null +++ b/tests/result/ookla.pcap.out @@ -0,0 +1,4 @@ +Ookla 5086 4689745 2 + + 1 TCP 192.168.1.7:51207 <-> 46.44.253.187:80 [proto: 7.191/HTTP.Ookla][20 pkts/4320 bytes] + 2 TCP 192.168.1.7:51215 <-> 46.44.253.187:8080 [proto: 191/Ookla][5066 pkts/4685425 bytes] diff --git a/tests/result/pps.pcap.out b/tests/result/pps.pcap.out index a55361d5a..8a5eb8fd6 100644 --- a/tests/result/pps.pcap.out +++ b/tests/result/pps.pcap.out @@ -5,7 +5,7 @@ Google 2 1093 1 UPnP 1 130 1 iQIYI 1490 1845116 56 - 1 TCP 192.168.115.8:50443 <-> 117.79.81.135:80 [proto: 7/HTTP][1 pkts/347 bytes] + 1 TCP 117.79.81.135:80 <-> 192.168.115.8:50443 [proto: 7/HTTP][1 pkts/347 bytes] 2 TCP 192.168.115.8:50490 <-> 119.188.13.188:80 [proto: 7.206/HTTP.iQIYI][2 pkts/836 bytes][Host: pdata.video.qiyi.com] 3 TCP 192.168.115.8:50497 <-> 123.125.112.49:80 [proto: 7.206/HTTP.iQIYI][3 pkts/1305 bytes][Host: click.hm.baidu.com] 4 TCP 192.168.115.8:50775 <-> 123.125.111.70:80 [proto: 7.206/HTTP.iQIYI][2 pkts/674 bytes][Host: nl.rcd.iqiyi.com] @@ -17,7 +17,7 @@ iQIYI 1490 1845116 56 10 TCP 192.168.115.8:50484 <-> 202.108.14.219:80 [proto: 7.206/HTTP.iQIYI][2 pkts/821 bytes][Host: msg.71.am] 11 TCP 192.168.115.8:50502 <-> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][2 pkts/1146 bytes][Host: msg.71.am] 12 TCP 192.168.115.8:50504 <-> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][1 pkts/946 bytes][Host: msg.71.am] - 13 TCP 192.168.115.8:50506 <-> 202.108.14.219:80 [proto: 7/HTTP][1 pkts/199 bytes] + 13 TCP 202.108.14.219:80 <-> 192.168.115.8:50506 [proto: 7/HTTP][1 pkts/199 bytes] 14 TCP 192.168.115.8:50466 <-> 203.66.182.24:80 [proto: 7.126/HTTP.Google][2 pkts/1093 bytes][Host: clients1.google.com] 15 TCP 192.168.115.8:50774 <-> 202.108.14.219:80 [proto: 7.206/HTTP.iQIYI][2 pkts/786 bytes][Host: msg.71.am] 16 UDP 192.168.5.63:39383 <-> 239.255.255.250:1900 [proto: 153/UPnP][1 pkts/130 bytes] @@ -46,7 +46,7 @@ iQIYI 1490 1845116 56 39 TCP 192.168.115.8:50772 <-> 123.125.111.70:80 [proto: 7.206/HTTP.iQIYI][2 pkts/674 bytes][Host: nl.rcd.iqiyi.com] 40 TCP 192.168.5.15:65128 <-> 68.233.253.133:80 [proto: 7.206/HTTP.iQIYI][2 pkts/721 bytes][Host: api.magicansoft.com] 41 TCP 192.168.115.8:50482 <-> 140.205.243.64:80 [proto: 7.206/HTTP.iQIYI][2 pkts/727 bytes][Host: cmc.tanx.com] - 42 TCP 192.168.115.8:50295 <-> 202.108.14.219:80 [proto: 7/HTTP][2 pkts/398 bytes] + 42 TCP 202.108.14.219:80 <-> 192.168.115.8:50295 [proto: 7/HTTP][2 pkts/398 bytes] 43 TCP 192.168.115.8:50467 <-> 202.108.14.219:80 [proto: 7.206/HTTP.iQIYI][2 pkts/828 bytes][Host: msg.71.am] 44 TCP 192.168.115.8:50469 <-> 202.108.14.219:80 [proto: 7.206/HTTP.iQIYI][2 pkts/772 bytes][Host: msg.71.am] 45 TCP 192.168.115.8:50471 <-> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][4 pkts/2296 bytes][Host: msg.71.am] @@ -72,18 +72,18 @@ iQIYI 1490 1845116 56 65 UDP 192.168.5.57:59648 <-> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/1050 bytes] 66 UDP 192.168.5.63:60976 <-> 239.255.255.250:1900 [proto: 12/SSDP][1 pkts/165 bytes] 67 UDP 192.168.5.48:63930 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/358 bytes] - 68 TCP 192.168.115.8:49174 <-> 77.234.41.35:80 [proto: 7/HTTP][5 pkts/3309 bytes] + 68 TCP 77.234.41.35:80 <-> 192.168.115.8:49174 [proto: 7/HTTP][5 pkts/3309 bytes] 69 TCP 192.168.115.8:50486 <-> 77.234.40.96:80 [proto: 7.206/HTTP.iQIYI][23 pkts/25892 bytes][Host: bcu.ff.avast.com] 70 TCP 192.168.115.8:50463 <-> 101.227.200.11:80 [proto: 7.206/HTTP.iQIYI][3 pkts/1861 bytes][Host: api.cupid.iqiyi.com] 71 TCP 192.168.115.8:50769 <-> 101.227.200.11:80 [proto: 7.206/HTTP.iQIYI][2 pkts/895 bytes][Host: api.cupid.iqiyi.com] - 72 TCP 111.206.13.3:80 <-> 192.168.115.8:50492 [proto: 7.206/HTTP.iQIYI][3 pkts/1423 bytes][Host: pdata.video.qiyi.com] + 72 TCP 192.168.115.8:50492 <-> 111.206.13.3:80 [proto: 7.206/HTTP.iQIYI][3 pkts/1423 bytes][Host: pdata.video.qiyi.com] 73 TCP 192.168.115.8:50776 <-> 111.206.22.77:80 [proto: 7.206/HTTP.iQIYI][2 pkts/588 bytes][Host: msg.iqiyi.com] Undetected flows: 1 UDP 192.168.115.8:22793 <-> 222.26.74.190:1037 [proto: 0/Unknown][2 pkts/132 bytes] 2 UDP 192.168.115.8:22793 <-> 115.157.62.243:29006 [proto: 0/Unknown][2 pkts/132 bytes] - 3 UDP 192.168.115.8:22793 <-> 183.228.182.44:13913 [proto: 0/Unknown][3 pkts/257 bytes] + 3 UDP 183.228.182.44:13913 <-> 192.168.115.8:22793 [proto: 0/Unknown][3 pkts/257 bytes] 4 UDP 192.168.115.8:22793 <-> 222.197.138.12:6956 [proto: 0/Unknown][40 pkts/12412 bytes] 5 UDP 192.168.115.8:22793 <-> 222.26.193.119:7133 [proto: 0/Unknown][2 pkts/132 bytes] 6 UDP 192.168.115.8:22793 <-> 183.61.167.82:17788 [proto: 0/Unknown][2 pkts/188 bytes] @@ -104,13 +104,13 @@ Undetected flows: 21 UDP 192.168.115.8:22793 <-> 210.44.232.243:21044 [proto: 0/Unknown][2 pkts/132 bytes] 22 UDP 192.168.115.8:22793 <-> 36.237.154.69:4316 [proto: 0/Unknown][2 pkts/132 bytes] 23 UDP 192.168.115.8:22793 <-> 202.112.31.89:29072 [proto: 0/Unknown][2 pkts/132 bytes] - 24 UDP 210.44.171.1:29702 <-> 192.168.115.8:22793 [proto: 0/Unknown][2 pkts/132 bytes] - 25 UDP 192.168.115.8:22793 <-> 1.173.5.226:22636 [proto: 0/Unknown][400 pkts/165246 bytes] + 24 UDP 192.168.115.8:22793 <-> 210.44.171.1:29702 [proto: 0/Unknown][2 pkts/132 bytes] + 25 UDP 1.173.5.226:22636 <-> 192.168.115.8:22793 [proto: 0/Unknown][400 pkts/165246 bytes] 26 UDP 192.168.115.8:22793 <-> 61.223.204.67:11102 [proto: 0/Unknown][2 pkts/132 bytes] 27 UDP 192.168.115.8:22793 <-> 36.233.39.81:18590 [proto: 0/Unknown][2 pkts/132 bytes] 28 UDP 192.168.115.8:22793 <-> 111.250.102.66:1107 [proto: 0/Unknown][2 pkts/132 bytes] 29 UDP 192.168.115.8:22793 <-> 114.37.142.173:1074 [proto: 0/Unknown][2 pkts/132 bytes] - 30 UDP 192.168.115.8:22793 <-> 118.171.15.56:5544 [proto: 0/Unknown][101 pkts/38819 bytes] + 30 UDP 118.171.15.56:5544 <-> 192.168.115.8:22793 [proto: 0/Unknown][101 pkts/38819 bytes] 31 UDP 192.168.115.8:22793 <-> 111.117.101.81:10162 [proto: 0/Unknown][2 pkts/132 bytes] 32 UDP 192.168.115.8:22793 <-> 114.41.144.153:10492 [proto: 0/Unknown][4 pkts/512 bytes] 33 UDP 192.168.115.8:22793 <-> 121.248.133.93:12757 [proto: 0/Unknown][2 pkts/132 bytes] diff --git a/tests/result/quic.pcap.out b/tests/result/quic.pcap.out index b79529833..c1eed4b8e 100644 --- a/tests/result/quic.pcap.out +++ b/tests/result/quic.pcap.out @@ -6,9 +6,9 @@ QUIC 3 364 1 1 UDP 192.168.1.105:48445 <-> 216.58.214.110:443 [proto: 188.124/QUIC.YouTube][3 pkts/2863 bytes][Host: i.ytimg.com] 2 UDP 192.168.1.105:53817 <-> 216.58.210.225:443 [proto: 188.124/QUIC.YouTube][2 pkts/2784 bytes][Host: yt3.ggpht.com] - 3 UDP 216.58.212.101:443 <-> 192.168.1.109:57833 [proto: 188.122/QUIC.GMail][413 pkts/254874 bytes][Host: mail.google.com] - 4 UDP 172.217.16.3:443 <-> 192.168.1.105:40461 [proto: 188/QUIC][3 pkts/364 bytes] - 5 UDP 172.217.16.4:443 <-> 192.168.1.105:45669 [proto: 188.126/QUIC.Google][5 pkts/4334 bytes][Host: www.google.com] + 3 UDP 192.168.1.109:57833 <-> 216.58.212.101:443 [proto: 188.122/QUIC.GMail][413 pkts/254874 bytes][Host: mail.google.com] + 4 UDP 192.168.1.105:40461 <-> 172.217.16.3:443 [proto: 188/QUIC][3 pkts/364 bytes] + 5 UDP 192.168.1.105:45669 <-> 172.217.16.4:443 [proto: 188.126/QUIC.Google][5 pkts/4334 bytes][Host: www.google.com] 6 UDP 192.168.1.105:34438 <-> 216.58.210.238:443 [proto: 188.124/QUIC.YouTube][7 pkts/6545 bytes][Host: www.youtube.com] 7 UDP 192.168.1.109:35236 <-> 216.58.210.206:443 [proto: 188.124/QUIC.YouTube][69 pkts/58433 bytes][Host: www.youtube.com] 8 UDP 192.168.1.105:40030 <-> 216.58.201.227:443 [proto: 188.126/QUIC.Google][6 pkts/5729 bytes][Host: fonts.gstatic.com] @@ -16,4 +16,4 @@ QUIC 3 364 1 Undetected flows: - 1 UDP 10.0.0.3:6121 <-> 10.0.0.4:40134 [proto: 0/Unknown][6 pkts/7072 bytes] + 1 UDP 10.0.0.4:40134 <-> 10.0.0.3:6121 [proto: 0/Unknown][6 pkts/7072 bytes] diff --git a/tests/result/quickplay.pcap.out b/tests/result/quickplay.pcap.out index 8b1378917..d54b359fc 100644 --- a/tests/result/quickplay.pcap.out +++ b/tests/result/quickplay.pcap.out @@ -1 +1,27 @@ +Facebook 6 1740 3 +Google 2 378 1 +Amazon 2 1469 1 +QuickPlay 133 96179 11 +WeChat 12 4781 5 + 1 TCP 10.54.169.250:33277 <-> 120.28.26.231:80 [proto: 7.126/HTTP.Google][2 pkts/378 bytes][Host: clients3.google.com] + 2 TCP 10.54.169.250:50669 <-> 120.28.35.41:80 [proto: 7.196/HTTP.QuickPlay][4 pkts/3680 bytes][Host: api-singtelhawk.quickplay.com] + 3 TCP 10.54.169.250:52007 <-> 120.28.35.40:80 [proto: 7.196/HTTP.QuickPlay][4 pkts/2735 bytes][Host: vod-singtelhawk.quickplay.com] + 4 TCP 10.54.169.250:52009 <-> 120.28.35.40:80 [proto: 7.196/HTTP.QuickPlay][65 pkts/45902 bytes][Host: vod-singtelhawk.quickplay.com] + 5 TCP 10.54.169.250:52017 <-> 120.28.35.40:80 [proto: 7.196/HTTP.QuickPlay][8 pkts/6032 bytes][Host: vod-singtelhawk.quickplay.com] + 6 TCP 10.54.169.250:52019 <-> 120.28.35.40:80 [proto: 7.196/HTTP.QuickPlay][25 pkts/19606 bytes][Host: vod-singtelhawk.quickplay.com] + 7 TCP 10.54.169.250:52021 <-> 120.28.35.40:80 [proto: 7.196/HTTP.QuickPlay][4 pkts/2754 bytes][Host: vod-singtelhawk.quickplay.com] + 8 TCP 10.54.169.250:35670 <-> 203.205.147.215:80 [proto: 7.197/HTTP.WeChat][2 pkts/943 bytes][Host: hkminorshort.weixin.qq.com] + 9 TCP 10.54.169.250:42762 <-> 203.205.129.101:80 [proto: 7.197/HTTP.WeChat][2 pkts/877 bytes][Host: hkextshort.weixin.qq.com] + 10 TCP 10.54.169.250:52285 <-> 173.252.74.22:80 [proto: 7.119/HTTP.Facebook][2 pkts/582 bytes][Host: www.facebook.com] + 11 TCP 10.54.169.250:44793 <-> 31.13.68.49:80 [proto: 7.119/HTTP.Facebook][2 pkts/576 bytes][Host: www.facebook.com] + 12 TCP 10.54.169.250:33064 <-> 120.28.5.18:80 [proto: 7.196/HTTP.QuickPlay][2 pkts/467 bytes][Host: api-singtelhawk.quickplay.com] + 13 TCP 10.54.169.250:56381 <-> 54.179.140.65:80 [proto: 7.178/HTTP.Amazon][2 pkts/1469 bytes][Host: api.account.xiaomi.com] + 14 TCP 10.54.169.250:44256 <-> 120.28.5.41:80 [proto: 7.196/HTTP.QuickPlay][3 pkts/2311 bytes][Host: play-singtelhawk.quickplay.com] + 15 TCP 10.54.169.250:50668 <-> 120.28.35.41:80 [proto: 7.196/HTTP.QuickPlay][4 pkts/3360 bytes][Host: api-singtelhawk.quickplay.com] + 16 TCP 10.54.169.250:52018 <-> 120.28.35.40:80 [proto: 7.196/HTTP.QuickPlay][7 pkts/5048 bytes][Host: vod-singtelhawk.quickplay.com] + 17 TCP 10.54.169.250:52022 <-> 120.28.35.40:80 [proto: 7.196/HTTP.QuickPlay][7 pkts/4284 bytes][Host: vod-singtelhawk.quickplay.com] + 18 TCP 10.54.169.250:42761 <-> 203.205.129.101:80 [proto: 7.197/HTTP.WeChat][2 pkts/641 bytes][Host: hkextshort.weixin.qq.com] + 19 TCP 10.54.169.250:52288 <-> 173.252.74.22:80 [proto: 7.119/HTTP.Facebook][2 pkts/582 bytes][Host: www.facebook.com] + 20 TCP 10.54.169.250:54883 <-> 203.205.151.160:80 [proto: 7.197/HTTP.WeChat][3 pkts/1337 bytes][Host: hkextshort.weixin.qq.com] + 21 TCP 10.54.169.250:54885 <-> 203.205.151.160:80 [proto: 7.197/HTTP.WeChat][3 pkts/983 bytes][Host: hkextshort.weixin.qq.com] diff --git a/tests/result/rx.pcap.out b/tests/result/rx.pcap.out index 1339732cb..42f9ebf1a 100644 --- a/tests/result/rx.pcap.out +++ b/tests/result/rx.pcap.out @@ -1,7 +1,7 @@ RX 132 26475 5 - 1 UDP 192.167.206.124:7002 <-> 131.114.219.168:38331 [proto: 223/RX][3 pkts/519 bytes] - 2 UDP 192.167.206.124:7002 <-> 131.114.219.168:41559 [proto: 223/RX][3 pkts/519 bytes] - 3 UDP 192.167.206.124:7003 <-> 131.114.219.168:7001 [proto: 223/RX][27 pkts/9919 bytes] + 1 UDP 131.114.219.168:38331 <-> 192.167.206.124:7002 [proto: 223/RX][3 pkts/519 bytes] + 2 UDP 131.114.219.168:41559 <-> 192.167.206.124:7002 [proto: 223/RX][3 pkts/519 bytes] + 3 UDP 131.114.219.168:7001 <-> 192.167.206.124:7003 [proto: 223/RX][27 pkts/9919 bytes] 4 UDP 131.114.219.168:7001 <-> 192.167.206.241:7000 [proto: 223/RX][79 pkts/12376 bytes] - 5 UDP 192.167.206.124:7000 <-> 131.114.219.168:7001 [proto: 223/RX][20 pkts/3142 bytes] + 5 UDP 131.114.219.168:7001 <-> 192.167.206.124:7000 [proto: 223/RX][20 pkts/3142 bytes] diff --git a/tests/result/skype.pcap.out b/tests/result/skype.pcap.out index e781f27df..69fff20f5 100644 --- a/tests/result/skype.pcap.out +++ b/tests/result/skype.pcap.out @@ -14,16 +14,16 @@ Spotify 5 430 1 MS_OneDrive 387 198090 1 1 TCP 192.168.1.34:50114 <-> 5.248.186.221:31010 [proto: 125/Skype][18 pkts/1402 bytes] - 2 UDP 111.221.74.15:40024 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/77 bytes] + 2 UDP 192.168.1.34:13021 <-> 111.221.74.15:40024 [proto: 125/Skype][1 pkts/77 bytes] 3 UDP 192.168.1.34:13021 <-> 111.221.77.160:40028 [proto: 125/Skype][1 pkts/68 bytes] 4 UDP 192.168.1.34:13021 <-> 111.221.74.48:40008 [proto: 125/Skype][1 pkts/75 bytes] 5 UDP 192.168.1.34:13021 <-> 111.221.74.42:40024 [proto: 125/Skype][1 pkts/70 bytes] - 6 UDP 111.221.74.25:40028 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/66 bytes] - 7 UDP 111.221.74.17:40022 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/70 bytes] - 8 UDP 111.221.74.16:40032 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/67 bytes] - 9 UDP 111.221.74.28:40014 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/78 bytes] + 6 UDP 192.168.1.34:13021 <-> 111.221.74.25:40028 [proto: 125/Skype][1 pkts/66 bytes] + 7 UDP 192.168.1.34:13021 <-> 111.221.74.17:40022 [proto: 125/Skype][1 pkts/70 bytes] + 8 UDP 192.168.1.34:13021 <-> 111.221.74.16:40032 [proto: 125/Skype][1 pkts/67 bytes] + 9 UDP 192.168.1.34:13021 <-> 111.221.74.28:40014 [proto: 125/Skype][1 pkts/78 bytes] 10 UDP 192.168.1.34:13021 <-> 111.221.74.40:40018 [proto: 125/Skype][1 pkts/74 bytes] - 11 UDP 111.221.74.29:40024 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/73 bytes] + 11 UDP 192.168.1.34:13021 <-> 111.221.74.29:40024 [proto: 125/Skype][1 pkts/73 bytes] 12 UDP 192.168.1.34:13021 <-> 111.221.77.153:40024 [proto: 125/Skype][1 pkts/71 bytes] 13 UDP 192.168.1.34:13021 <-> 111.221.77.141:40020 [proto: 125/Skype][1 pkts/67 bytes] 14 UDP 192.168.1.34:13021 <-> 111.221.77.143:40022 [proto: 125/Skype][1 pkts/66 bytes] @@ -33,13 +33,13 @@ MS_OneDrive 387 198090 1 18 UDP 192.168.1.34:13021 <-> 111.221.77.165:40020 [proto: 125/Skype][1 pkts/75 bytes] 19 UDP 192.168.1.34:13021 <-> 111.221.77.176:40020 [proto: 125/Skype][1 pkts/73 bytes] 20 TCP 192.168.1.34:50110 <-> 91.190.216.125:12350 [proto: 125/Skype][6 pkts/377 bytes] - 21 TCP 91.190.216.23:12350 <-> 192.168.1.34:50126 [proto: 125/Skype][20 pkts/5160 bytes] + 21 TCP 192.168.1.34:50126 <-> 91.190.216.23:12350 [proto: 125/Skype][20 pkts/5160 bytes] 22 UDP 192.168.1.34:17500 <-> 192.168.1.255:17500 [proto: 121/Dropbox][6 pkts/3264 bytes] 23 UDP 192.168.1.92:17500 <-> 192.168.1.255:17500 [proto: 121/Dropbox][5 pkts/2720 bytes] 24 TCP 192.168.1.34:50113 <-> 71.238.7.203:18767 [proto: 125/Skype][14 pkts/1152 bytes] 25 TCP 192.168.1.34:50116 <-> 81.83.77.141:17639 [proto: 125/Skype][19 pkts/1510 bytes] - 26 UDP 157.56.52.18:33033 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/71 bytes] - 27 TCP 76.167.161.6:20274 <-> 192.168.1.34:50135 [proto: 125/Skype][14 pkts/1108 bytes] + 26 UDP 192.168.1.34:13021 <-> 157.56.52.18:33033 [proto: 125/Skype][1 pkts/71 bytes] + 27 TCP 192.168.1.34:50135 <-> 76.167.161.6:20274 [proto: 125/Skype][14 pkts/1108 bytes] 28 TCP 192.168.1.34:50038 <-> 157.55.130.140:443 [proto: 91.125/SSL.Skype][15 pkts/1262 bytes] 29 TCP 192.168.1.34:50048 <-> 157.55.130.150:443 [proto: 91.125/SSL.Skype][15 pkts/1345 bytes] 30 TCP 192.168.1.34:50056 <-> 157.55.56.146:443 [proto: 91.125/SSL.Skype][15 pkts/1265 bytes] @@ -48,12 +48,12 @@ MS_OneDrive 387 198090 1 33 TCP 192.168.1.34:50080 <-> 157.55.235.156:443 [proto: 91.125/SSL.Skype][15 pkts/1534 bytes] 34 TCP 192.168.1.34:50094 <-> 157.55.130.155:443 [proto: 91.125/SSL.Skype][15 pkts/1306 bytes] 35 UDP 192.168.1.34:13021 <-> 157.55.130.155:40020 [proto: 125/Skype][1 pkts/70 bytes] - 36 UDP 157.56.52.28:40009 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/78 bytes] - 37 UDP 157.56.52.15:40027 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/68 bytes] - 38 UDP 157.56.52.24:40001 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/64 bytes] - 39 UDP 157.56.52.17:40013 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/77 bytes] - 40 UDP 157.56.52.27:40027 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/78 bytes] - 41 UDP 157.56.52.33:40011 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/70 bytes] + 36 UDP 192.168.1.34:13021 <-> 157.56.52.28:40009 [proto: 125/Skype][1 pkts/78 bytes] + 37 UDP 192.168.1.34:13021 <-> 157.56.52.15:40027 [proto: 125/Skype][1 pkts/68 bytes] + 38 UDP 192.168.1.34:13021 <-> 157.56.52.24:40001 [proto: 125/Skype][1 pkts/64 bytes] + 39 UDP 192.168.1.34:13021 <-> 157.56.52.17:40013 [proto: 125/Skype][1 pkts/77 bytes] + 40 UDP 192.168.1.34:13021 <-> 157.56.52.27:40027 [proto: 125/Skype][1 pkts/78 bytes] + 41 UDP 192.168.1.34:13021 <-> 157.56.52.33:40011 [proto: 125/Skype][1 pkts/70 bytes] 42 UDP 192.168.1.34:13021 <-> 157.55.235.143:40030 [proto: 125/Skype][1 pkts/69 bytes] 43 UDP 192.168.1.34:13021 <-> 157.56.52.47:40029 [proto: 125/Skype][1 pkts/64 bytes] 44 UDP 192.168.1.34:13021 <-> 157.55.130.144:40034 [proto: 125/Skype][1 pkts/66 bytes] @@ -76,30 +76,30 @@ MS_OneDrive 387 198090 1 61 UDP 192.168.1.34:13021 <-> 157.55.235.175:40008 [proto: 125/Skype][1 pkts/76 bytes] 62 UDP 192.168.1.34:13021 <-> 65.55.223.39:443 [proto: 125/Skype][1 pkts/60 bytes] 63 TCP 192.168.1.34:50143 <-> 78.202.226.115:29059 [proto: 125/Skype][14 pkts/1132 bytes] - 64 UDP 192.168.1.1:53 <-> 192.168.1.34:49163 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] - 65 UDP 192.168.1.1:53 <-> 192.168.1.34:49793 [proto: 5.125/DNS.Skype][7 pkts/532 bytes][Host: dsn4.d.skype.net] - 66 UDP 192.168.1.1:53 <-> 192.168.1.34:49903 [proto: 5.125/DNS.Skype][9 pkts/648 bytes][Host: ui.skype.com] + 64 UDP 192.168.1.34:49163 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] + 65 UDP 192.168.1.34:49793 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/532 bytes][Host: dsn4.d.skype.net] + 66 UDP 192.168.1.34:49903 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][9 pkts/648 bytes][Host: ui.skype.com] 67 TCP 192.168.1.34:50134 <-> 157.56.53.47:12350 [proto: 125/Skype][15 pkts/1920 bytes] - 68 UDP 192.168.1.1:53 <-> 192.168.1.34:51879 [proto: 5.125/DNS.Skype][2 pkts/180 bytes][Host: e4593.g.akamaiedge.net] - 69 UDP 192.168.1.1:53 <-> 192.168.1.34:54343 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: 335.0.7.7.3.rst13.r.skype.net] - 70 UDP 192.168.1.1:53 <-> 192.168.1.34:55159 [proto: 5.125/DNS.Skype][7 pkts/651 bytes][Host: a.config.skype.trafficmanager.net] - 71 UDP 192.168.1.1:53 <-> 192.168.1.34:55711 [proto: 5.125/DNS.Skype][8 pkts/648 bytes][Host: conn.skype.akadns.net] - 72 UDP 192.168.1.1:53 <-> 192.168.1.34:55893 [proto: 5.125/DNS.Skype][5 pkts/360 bytes][Host: ui.skype.com] - 73 UDP 192.168.1.1:53 <-> 192.168.1.34:56387 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 335.0.7.7.3.rst5.r.skype.net] + 68 UDP 192.168.1.34:51879 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][2 pkts/180 bytes][Host: e4593.g.akamaiedge.net] + 69 UDP 192.168.1.34:54343 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: 335.0.7.7.3.rst13.r.skype.net] + 70 UDP 192.168.1.34:55159 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/651 bytes][Host: a.config.skype.trafficmanager.net] + 71 UDP 192.168.1.34:55711 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][8 pkts/648 bytes][Host: conn.skype.akadns.net] + 72 UDP 192.168.1.34:55893 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][5 pkts/360 bytes][Host: ui.skype.com] + 73 UDP 192.168.1.34:56387 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 335.0.7.7.3.rst5.r.skype.net] 74 UDP 192.168.1.34:13021 <-> 213.199.179.150:40004 [proto: 125/Skype][1 pkts/76 bytes] 75 UDP 192.168.1.34:13021 <-> 213.199.179.146:40030 [proto: 125/Skype][1 pkts/67 bytes] 76 UDP 192.168.1.34:13021 <-> 213.199.179.143:40022 [proto: 125/Skype][1 pkts/75 bytes] 77 UDP 192.168.1.34:13021 <-> 213.199.179.155:40004 [proto: 125/Skype][1 pkts/79 bytes] 78 UDP 192.168.1.34:13021 <-> 213.199.179.154:40034 [proto: 125/Skype][1 pkts/75 bytes] 79 UDP 192.168.1.34:13021 <-> 213.199.179.168:40006 [proto: 125/Skype][1 pkts/73 bytes] - 80 UDP 192.168.1.1:53 <-> 192.168.1.34:58681 [proto: 5/DNS][2 pkts/267 bytes][Host: db3msgr5011709.gateway.messenger.live.com] + 80 UDP 192.168.1.34:58681 <-> 192.168.1.1:53 [proto: 5/DNS][2 pkts/267 bytes][Host: db3msgr5011709.gateway.messenger.live.com] 81 TCP 192.168.1.34:50122 <-> 81.133.19.185:44431 [proto: 125/Skype][20 pkts/1624 bytes] - 82 UDP 192.168.1.1:53 <-> 192.168.1.34:63321 [proto: 5.125/DNS.Skype][2 pkts/180 bytes][Host: e4593.g.akamaiedge.net] + 82 UDP 192.168.1.34:63321 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][2 pkts/180 bytes][Host: e4593.g.akamaiedge.net] 83 UDP 192.168.1.34:49485 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes] - 84 UDP 192.168.1.1:53 <-> 192.168.1.34:63421 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] - 85 UDP 192.168.1.1:53 <-> 192.168.1.34:64085 [proto: 5.125/DNS.Skype][2 pkts/180 bytes][Host: e7768.b.akamaiedge.net] - 86 UDP 192.168.1.1:53 <-> 192.168.1.34:65045 [proto: 5.125/DNS.Skype][7 pkts/532 bytes][Host: dsn4.d.skype.net] - 87 UDP 192.168.1.1:53 <-> 192.168.1.34:65037 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] + 84 UDP 192.168.1.34:63421 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] + 85 UDP 192.168.1.34:64085 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][2 pkts/180 bytes][Host: e7768.b.akamaiedge.net] + 86 UDP 192.168.1.34:65045 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/532 bytes][Host: dsn4.d.skype.net] + 87 UDP 192.168.1.34:65037 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] 88 TCP 192.168.1.34:50055 <-> 111.221.74.47:40030 [proto: 125/Skype][16 pkts/1262 bytes] 89 TCP 192.168.1.34:50086 <-> 111.221.77.142:40023 [proto: 125/Skype][16 pkts/1270 bytes] 90 TCP 192.168.1.34:50096 <-> 111.221.74.46:40027 [proto: 125/Skype][15 pkts/1212 bytes] @@ -121,7 +121,7 @@ MS_OneDrive 387 198090 1 106 TCP 192.168.1.34:50074 <-> 157.55.130.173:40003 [proto: 125/Skype][17 pkts/1327 bytes] 107 TCP 192.168.1.34:50077 <-> 157.55.130.176:40022 [proto: 125/Skype][17 pkts/1338 bytes] 108 TCP 192.168.1.34:50097 <-> 157.55.235.176:40022 [proto: 125/Skype][17 pkts/1371 bytes] - 109 UDP 65.55.223.18:33033 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/69 bytes] + 109 UDP 192.168.1.34:13021 <-> 65.55.223.18:33033 [proto: 125/Skype][1 pkts/69 bytes] 110 UDP 192.168.1.34:13021 <-> 64.4.23.166:40022 [proto: 125/Skype][1 pkts/76 bytes] 111 UDP 192.168.1.34:13021 <-> 64.4.23.165:40020 [proto: 125/Skype][1 pkts/72 bytes] 112 UDP 192.168.1.34:13021 <-> 64.4.23.140:40012 [proto: 125/Skype][1 pkts/68 bytes] @@ -133,27 +133,27 @@ MS_OneDrive 387 198090 1 118 UDP 192.168.1.34:13021 <-> 64.4.23.155:40004 [proto: 125/Skype][1 pkts/77 bytes] 119 UDP 192.168.1.34:13021 <-> 64.4.23.168:40006 [proto: 125/Skype][1 pkts/71 bytes] 120 UDP 192.168.1.34:13021 <-> 65.55.223.38:40015 [proto: 125/Skype][1 pkts/66 bytes] - 121 UDP 65.55.223.20:40033 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/64 bytes] - 122 UDP 65.55.223.33:40011 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/79 bytes] - 123 UDP 65.55.223.21:40027 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/71 bytes] + 121 UDP 192.168.1.34:13021 <-> 65.55.223.20:40033 [proto: 125/Skype][1 pkts/64 bytes] + 122 UDP 192.168.1.34:13021 <-> 65.55.223.33:40011 [proto: 125/Skype][1 pkts/79 bytes] + 123 UDP 192.168.1.34:13021 <-> 65.55.223.21:40027 [proto: 125/Skype][1 pkts/71 bytes] 124 UDP 192.168.1.34:13021 <-> 65.55.223.44:40013 [proto: 125/Skype][1 pkts/66 bytes] 125 UDP 192.168.1.34:13021 <-> 65.55.223.41:40027 [proto: 125/Skype][1 pkts/69 bytes] - 126 UDP 111.221.74.18:33033 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/70 bytes] + 126 UDP 192.168.1.34:13021 <-> 111.221.74.18:33033 [proto: 125/Skype][1 pkts/70 bytes] 127 UDP 192.168.1.34:13021 <-> 111.221.77.146:33033 [proto: 125/Skype][1 pkts/78 bytes] 128 TCP 192.168.1.34:50063 <-> 111.221.74.38:443 [proto: 91.125/SSL.Skype][13 pkts/1287 bytes] 129 TCP 192.168.1.34:50087 <-> 111.221.77.142:443 [proto: 91.125/SSL.Skype][12 pkts/1107 bytes] - 130 UDP 76.185.207.12:45493 <-> 192.168.1.34:13021 [proto: 125/Skype][5 pkts/300 bytes] + 130 UDP 192.168.1.34:13021 <-> 76.185.207.12:45493 [proto: 125/Skype][5 pkts/300 bytes] 131 TCP 192.168.1.34:50137 <-> 5.248.186.221:31010 [proto: 125/Skype][18 pkts/1445 bytes] 132 TCP 192.168.1.34:50139 <-> 5.248.186.221:31010 [proto: 125/Skype][23 pkts/4119 bytes] 133 UDP 192.168.1.34:13021 <-> 111.221.77.142:40023 [proto: 125/Skype][1 pkts/72 bytes] 134 UDP 192.168.1.34:13021 <-> 111.221.74.46:40027 [proto: 125/Skype][1 pkts/71 bytes] - 135 UDP 111.221.74.24:40001 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/64 bytes] - 136 UDP 111.221.74.19:40001 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/68 bytes] - 137 UDP 111.221.74.12:40031 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/75 bytes] + 135 UDP 192.168.1.34:13021 <-> 111.221.74.24:40001 [proto: 125/Skype][1 pkts/64 bytes] + 136 UDP 192.168.1.34:13021 <-> 111.221.74.19:40001 [proto: 125/Skype][1 pkts/68 bytes] + 137 UDP 192.168.1.34:13021 <-> 111.221.74.12:40031 [proto: 125/Skype][1 pkts/75 bytes] 138 UDP 192.168.1.34:13021 <-> 111.221.74.44:40031 [proto: 125/Skype][1 pkts/71 bytes] 139 UDP 192.168.1.34:13021 <-> 111.221.74.43:40001 [proto: 125/Skype][1 pkts/76 bytes] - 140 UDP 111.221.74.32:40009 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/70 bytes] - 141 UDP 111.221.74.31:40021 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/73 bytes] + 140 UDP 192.168.1.34:13021 <-> 111.221.74.32:40009 [proto: 125/Skype][1 pkts/70 bytes] + 141 UDP 192.168.1.34:13021 <-> 111.221.74.31:40021 [proto: 125/Skype][1 pkts/73 bytes] 142 UDP 192.168.1.34:13021 <-> 111.221.77.140:40003 [proto: 125/Skype][1 pkts/64 bytes] 143 UDP 192.168.1.34:13021 <-> 111.221.77.145:40027 [proto: 125/Skype][1 pkts/77 bytes] 144 UDP 192.168.1.34:13021 <-> 111.221.77.151:40027 [proto: 125/Skype][1 pkts/76 bytes] @@ -170,7 +170,7 @@ MS_OneDrive 387 198090 1 155 UDP 192.168.1.34:13021 <-> 157.55.235.146:33033 [proto: 125/Skype][1 pkts/66 bytes] 156 UDP 192.168.1.34:13021 <-> 157.55.130.146:33033 [proto: 125/Skype][1 pkts/69 bytes] 157 UDP 192.168.1.34:13021 <-> 157.55.56.146:33033 [proto: 125/Skype][1 pkts/70 bytes] - 158 TCP 76.167.161.6:20274 <-> 192.168.1.34:50112 [proto: 125/Skype][15 pkts/1254 bytes] + 158 TCP 192.168.1.34:50112 <-> 76.167.161.6:20274 [proto: 125/Skype][15 pkts/1254 bytes] 159 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91.221/SSL.MS_OneDrive][387 pkts/198090 bytes][server: *.gateway.messenger.live.com] 160 TCP 192.168.1.34:50036 <-> 157.56.52.44:443 [proto: 91.125/SSL.Skype][14 pkts/1328 bytes] 161 TCP 192.168.1.34:50037 <-> 157.55.56.170:443 [proto: 91.125/SSL.Skype][15 pkts/1569 bytes] @@ -185,8 +185,8 @@ MS_OneDrive 387 198090 1 170 UDP 192.168.1.34:13021 <-> 157.55.130.160:40029 [proto: 125/Skype][1 pkts/67 bytes] 171 UDP 192.168.1.34:13021 <-> 157.55.130.154:40005 [proto: 125/Skype][1 pkts/79 bytes] 172 UDP 192.168.1.34:13021 <-> 157.56.52.45:40012 [proto: 125/Skype][1 pkts/67 bytes] - 173 UDP 157.56.52.21:40004 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/64 bytes] - 174 UDP 157.56.52.26:40026 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/74 bytes] + 173 UDP 192.168.1.34:13021 <-> 157.56.52.21:40004 [proto: 125/Skype][1 pkts/64 bytes] + 174 UDP 192.168.1.34:13021 <-> 157.56.52.26:40026 [proto: 125/Skype][1 pkts/74 bytes] 175 UDP 192.168.1.34:13021 <-> 157.56.52.37:40032 [proto: 125/Skype][1 pkts/69 bytes] 176 UDP 192.168.1.34:13021 <-> 157.55.235.142:40025 [proto: 125/Skype][1 pkts/70 bytes] 177 UDP 192.168.1.34:13021 <-> 157.55.56.142:40023 [proto: 125/Skype][1 pkts/77 bytes] @@ -207,42 +207,42 @@ MS_OneDrive 387 198090 1 192 UDP 192.168.1.34:13021 <-> 157.55.235.160:40027 [proto: 125/Skype][1 pkts/69 bytes] 193 UDP 192.168.1.34:13021 <-> 157.55.130.172:40019 [proto: 125/Skype][1 pkts/67 bytes] 194 UDP 192.168.1.34:13021 <-> 157.55.235.166:40015 [proto: 125/Skype][1 pkts/69 bytes] - 195 UDP 192.168.1.1:53 <-> 192.168.1.34:49360 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] - 196 TCP 149.13.32.15:13392 <-> 192.168.1.34:50132 [proto: 125/Skype][18 pkts/1412 bytes] + 195 UDP 192.168.1.34:49360 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] + 196 TCP 192.168.1.34:50132 <-> 149.13.32.15:13392 [proto: 125/Skype][18 pkts/1412 bytes] 197 UDP 192.168.1.92:57621 <-> 192.168.1.255:57621 [proto: 156/Spotify][5 pkts/430 bytes] - 198 UDP 192.168.1.1:53 <-> 192.168.1.34:49990 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 335.0.7.7.3.rst6.r.skype.net] + 198 UDP 192.168.1.34:49990 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 335.0.7.7.3.rst6.r.skype.net] 199 UDP 192.168.1.34:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][6 pkts/3264 bytes] 200 UDP 192.168.1.92:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][5 pkts/2720 bytes] 201 UDP 192.168.1.34:13021 <-> 213.199.179.146:33033 [proto: 125/Skype][1 pkts/67 bytes] - 202 UDP 192.168.1.1:53 <-> 192.168.1.34:51802 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] - 203 UDP 192.168.1.1:53 <-> 192.168.1.34:52714 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] - 204 UDP 192.168.1.1:53 <-> 192.168.1.34:52850 [proto: 5.125/DNS.Skype][8 pkts/648 bytes][Host: conn.skype.akadns.net] - 205 UDP 192.168.1.1:53 <-> 192.168.1.34:52742 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 335.0.7.7.3.rst5.r.skype.net] + 202 UDP 192.168.1.34:51802 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] + 203 UDP 192.168.1.34:52714 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] + 204 UDP 192.168.1.34:52850 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][8 pkts/648 bytes][Host: conn.skype.akadns.net] + 205 UDP 192.168.1.34:52742 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 335.0.7.7.3.rst5.r.skype.net] 206 TCP 192.168.1.34:50039 <-> 213.199.179.175:443 [proto: 91/SSL][16 pkts/1592 bytes] 207 TCP 192.168.1.34:50079 <-> 213.199.179.142:443 [proto: 91/SSL][16 pkts/1376 bytes] - 208 UDP 192.168.1.1:53 <-> 192.168.1.34:54396 [proto: 5.125/DNS.Skype][7 pkts/511 bytes][Host: api.skype.com] + 208 UDP 192.168.1.34:54396 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/511 bytes][Host: api.skype.com] 209 TCP 192.168.1.34:50099 <-> 64.4.23.166:40022 [proto: 125/Skype][16 pkts/1355 bytes] - 210 TCP 65.55.223.33:40002 <-> 192.168.1.34:50026 [proto: 125/Skype][17 pkts/1370 bytes] - 211 TCP 65.55.223.12:40031 <-> 192.168.1.34:50065 [proto: 125/Skype][17 pkts/1401 bytes] - 212 TCP 65.55.223.15:40026 <-> 192.168.1.34:50098 [proto: 125/Skype][17 pkts/1381 bytes] - 213 UDP 192.168.1.1:53 <-> 192.168.1.34:57288 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 335.0.7.7.3.rst6.r.skype.net] - 214 UDP 192.168.1.1:53 <-> 192.168.1.34:57406 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] - 215 UDP 192.168.1.1:53 <-> 192.168.1.34:57726 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] + 210 TCP 192.168.1.34:50026 <-> 65.55.223.33:40002 [proto: 125/Skype][17 pkts/1370 bytes] + 211 TCP 192.168.1.34:50065 <-> 65.55.223.12:40031 [proto: 125/Skype][17 pkts/1401 bytes] + 212 TCP 192.168.1.34:50098 <-> 65.55.223.15:40026 [proto: 125/Skype][17 pkts/1381 bytes] + 213 UDP 192.168.1.34:57288 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 335.0.7.7.3.rst6.r.skype.net] + 214 UDP 192.168.1.34:57406 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] + 215 UDP 192.168.1.34:57726 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] 216 UDP 192.168.1.34:13021 <-> 213.199.179.165:40007 [proto: 125/Skype][1 pkts/74 bytes] 217 UDP 192.168.1.34:13021 <-> 213.199.179.141:40015 [proto: 125/Skype][1 pkts/75 bytes] 218 UDP 192.168.1.34:13021 <-> 213.199.179.162:40029 [proto: 125/Skype][1 pkts/70 bytes] 219 UDP 192.168.1.34:13021 <-> 213.199.179.152:40023 [proto: 125/Skype][1 pkts/64 bytes] 220 UDP 192.168.1.34:13021 <-> 213.199.179.145:40027 [proto: 125/Skype][1 pkts/66 bytes] 221 UDP 192.168.1.34:13021 <-> 213.199.179.170:40011 [proto: 125/Skype][1 pkts/71 bytes] - 222 UDP 192.168.1.1:53 <-> 192.168.1.34:58458 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] - 223 UDP 192.168.1.1:53 <-> 192.168.1.34:58368 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: 335.0.7.7.3.rst13.r.skype.net] - 224 UDP 192.168.1.1:53 <-> 192.168.1.34:60288 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] + 222 UDP 192.168.1.34:58458 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] + 223 UDP 192.168.1.34:58368 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: 335.0.7.7.3.rst13.r.skype.net] + 224 UDP 192.168.1.34:60288 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] 225 ICMP 192.168.1.1:0 <-> 192.168.1.34:0 [proto: 81/ICMP][8 pkts/656 bytes] - 226 UDP 192.168.1.1:53 <-> 192.168.1.34:62454 [proto: 5.143/DNS.AppleiCloud][2 pkts/234 bytes][Host: p05-keyvalueservice.icloud.com.akadns.net] - 227 UDP 192.168.1.1:53 <-> 192.168.1.34:63108 [proto: 5.125/DNS.Skype][7 pkts/651 bytes][Host: a.config.skype.trafficmanager.net] + 226 UDP 192.168.1.34:62454 <-> 192.168.1.1:53 [proto: 5.143/DNS.AppleiCloud][2 pkts/234 bytes][Host: p05-keyvalueservice.icloud.com.akadns.net] + 227 UDP 192.168.1.34:63108 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/651 bytes][Host: a.config.skype.trafficmanager.net] 228 UDP 192.168.1.92:50084 <-> 239.255.255.250:1900 [proto: 12/SSDP][14 pkts/7281 bytes] 229 UDP 192.168.1.34:51066 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes] - 230 UDP 192.168.1.1:53 <-> 192.168.1.34:65426 [proto: 5.125/DNS.Skype][7 pkts/511 bytes][Host: api.skype.com] + 230 UDP 192.168.1.34:65426 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/511 bytes][Host: api.skype.com] 231 TCP 192.168.1.34:50130 <-> 212.161.8.36:13392 [proto: 125/Skype][17 pkts/1380 bytes] 232 TCP 192.168.1.34:50059 <-> 111.221.74.38:40015 [proto: 125/Skype][16 pkts/1236 bytes] 233 TCP 192.168.1.34:50029 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][17 pkts/3535 bytes][client: apps.skype.com] @@ -252,7 +252,7 @@ MS_OneDrive 387 198090 1 237 IGMP 192.168.1.34:0 <-> 224.0.0.251:0 [proto: 82/IGMP][1 pkts/46 bytes] 238 UDP 192.168.1.34:56886 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes] 239 TCP 192.168.1.34:50033 <-> 157.55.56.170:40015 [proto: 125/Skype][17 pkts/1361 bytes] - 240 TCP 157.56.52.28:40009 <-> 192.168.1.34:50108 [proto: 125/Skype][472 pkts/164627 bytes] + 240 TCP 192.168.1.34:50108 <-> 157.56.52.28:40009 [proto: 125/Skype][472 pkts/164627 bytes] 241 TCP 192.168.1.34:50049 <-> 157.55.130.166:40021 [proto: 125/Skype][16 pkts/1278 bytes] 242 TCP 192.168.1.34:50067 <-> 157.55.56.160:40027 [proto: 125/Skype][17 pkts/1305 bytes] 243 TCP 192.168.1.34:50070 <-> 157.55.130.170:40018 [proto: 125/Skype][17 pkts/1312 bytes] @@ -260,52 +260,52 @@ MS_OneDrive 387 198090 1 245 TCP 192.168.1.34:50092 <-> 157.55.130.155:40020 [proto: 125/Skype][17 pkts/1387 bytes] 246 UDP 192.168.1.34:64560 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes] 247 UDP 192.168.1.34:13021 <-> 64.4.23.146:33033 [proto: 125/Skype][1 pkts/66 bytes] - 248 TCP 86.31.35.30:59621 <-> 192.168.1.34:50115 [proto: 125/Skype][17 pkts/1386 bytes] + 248 TCP 192.168.1.34:50115 <-> 86.31.35.30:59621 [proto: 125/Skype][17 pkts/1386 bytes] 249 TCP 192.168.1.34:50103 <-> 64.4.23.166:443 [proto: 91/SSL][12 pkts/1147 bytes] - 250 TCP 65.55.223.33:443 <-> 192.168.1.34:50030 [proto: 91/SSL][15 pkts/1311 bytes] - 251 TCP 65.55.223.12:443 <-> 192.168.1.34:50066 [proto: 91/SSL][15 pkts/1452 bytes] - 252 TCP 65.55.223.15:443 <-> 192.168.1.34:50102 [proto: 91/SSL][14 pkts/1390 bytes] - 253 UDP 239.255.255.250:1900 <-> 192.168.0.254:1025 [proto: 12/SSDP][79 pkts/29479 bytes] + 250 TCP 192.168.1.34:50030 <-> 65.55.223.33:443 [proto: 91/SSL][15 pkts/1311 bytes] + 251 TCP 192.168.1.34:50066 <-> 65.55.223.12:443 [proto: 91/SSL][15 pkts/1452 bytes] + 252 TCP 192.168.1.34:50102 <-> 65.55.223.15:443 [proto: 91/SSL][14 pkts/1390 bytes] + 253 UDP 192.168.0.254:1025 <-> 239.255.255.250:1900 [proto: 12/SSDP][79 pkts/29479 bytes] 254 UDP 192.168.1.34:13021 <-> 71.62.0.85:33647 [proto: 125/Skype][1 pkts/60 bytes] 255 UDP 192.168.1.92:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][4 pkts/828 bytes] 256 UDP 192.168.1.34:13021 <-> 64.4.23.159:40009 [proto: 125/Skype][1 pkts/70 bytes] 257 UDP 192.168.1.34:13021 <-> 64.4.23.151:40029 [proto: 125/Skype][1 pkts/72 bytes] 258 UDP 192.168.1.34:13021 <-> 64.4.23.170:40011 [proto: 125/Skype][1 pkts/68 bytes] 259 UDP 192.168.1.34:13021 <-> 64.4.23.173:40017 [proto: 125/Skype][1 pkts/66 bytes] - 260 UDP 65.55.223.15:40026 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/66 bytes] + 260 UDP 192.168.1.34:13021 <-> 65.55.223.15:40026 [proto: 125/Skype][1 pkts/66 bytes] 261 UDP 192.168.1.34:13021 <-> 65.55.223.43:40002 [proto: 125/Skype][1 pkts/76 bytes] - 262 UDP 65.55.223.17:40022 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/70 bytes] - 263 UDP 65.55.223.25:40028 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/76 bytes] - 264 UDP 65.55.223.24:40032 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/67 bytes] - 265 UDP 65.55.223.28:40026 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/74 bytes] - 266 UDP 65.55.223.26:40004 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/79 bytes] - 267 UDP 65.55.223.29:40010 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/77 bytes] + 262 UDP 192.168.1.34:13021 <-> 65.55.223.17:40022 [proto: 125/Skype][1 pkts/70 bytes] + 263 UDP 192.168.1.34:13021 <-> 65.55.223.25:40028 [proto: 125/Skype][1 pkts/76 bytes] + 264 UDP 192.168.1.34:13021 <-> 65.55.223.24:40032 [proto: 125/Skype][1 pkts/67 bytes] + 265 UDP 192.168.1.34:13021 <-> 65.55.223.28:40026 [proto: 125/Skype][1 pkts/74 bytes] + 266 UDP 192.168.1.34:13021 <-> 65.55.223.26:40004 [proto: 125/Skype][1 pkts/79 bytes] + 267 UDP 192.168.1.34:13021 <-> 65.55.223.29:40010 [proto: 125/Skype][1 pkts/77 bytes] 268 UDP 192.168.1.34:13021 <-> 65.55.223.45:40012 [proto: 125/Skype][1 pkts/71 bytes] 269 UDP 192.168.1.34:123 <-> 17.253.48.245:123 [proto: 9/NTP][2 pkts/180 bytes] 270 TCP 192.168.1.34:50111 <-> 91.190.216.125:443 [proto: 91.125/SSL.Skype][20 pkts/1516 bytes] 271 TCP 192.168.1.34:50123 <-> 80.14.46.121:4415 [proto: 125/Skype][18 pkts/1506 bytes] 272 TCP 192.168.1.34:50141 <-> 80.14.46.121:4415 [proto: 125/Skype][15 pkts/1237 bytes] - 273 TCP 192.168.1.34:49445 <-> 108.160.170.46:443 [proto: 91.121/SSL.Dropbox][16 pkts/5980 bytes] + 273 TCP 108.160.170.46:443 <-> 192.168.1.34:49445 [proto: 91.121/SSL.Dropbox][16 pkts/5980 bytes] 274 TCP 192.168.1.34:50058 <-> 111.221.74.47:443 [proto: 91.125/SSL.Skype][14 pkts/1208 bytes] 275 TCP 192.168.1.34:50100 <-> 111.221.74.46:443 [proto: 91.125/SSL.Skype][13 pkts/1109 bytes] 276 TCP 192.168.1.34:50035 <-> 213.199.179.175:40021 [proto: 125/Skype][17 pkts/1304 bytes] 277 TCP 192.168.1.34:50075 <-> 213.199.179.142:40003 [proto: 125/Skype][19 pkts/1495 bytes] - 278 UDP [fe80::c62c:3ff:fe06:49fe]:5353 <-> [ff02::fb]:5353 [proto: 8/MDNS][4 pkts/908 bytes] + 278 UDP [ff02::fb]:5353 <-> [fe80::c62c:3ff:fe06:49fe]:5353 [proto: 8/MDNS][4 pkts/908 bytes] Undetected flows: 1 TCP 192.168.1.34:50118 <-> 5.248.186.221:31010 [proto: 0/Unknown][31 pkts/4688 bytes] 2 TCP 192.168.1.34:50117 <-> 71.238.7.203:18767 [proto: 0/Unknown][43 pkts/5754 bytes] - 3 TCP 149.13.32.15:13392 <-> 192.168.1.34:50133 [proto: 0/Unknown][16 pkts/2600 bytes] - 4 UDP 192.168.1.1:5351 <-> 192.168.1.34:49511 [proto: 0/Unknown][4 pkts/216 bytes] - 5 UDP 192.168.1.1:5351 <-> 192.168.1.34:54067 [proto: 0/Unknown][4 pkts/216 bytes] + 3 TCP 192.168.1.34:50133 <-> 149.13.32.15:13392 [proto: 0/Unknown][16 pkts/2600 bytes] + 4 UDP 192.168.1.34:49511 <-> 192.168.1.1:5351 [proto: 0/Unknown][4 pkts/216 bytes] + 5 UDP 192.168.1.34:54067 <-> 192.168.1.1:5351 [proto: 0/Unknown][4 pkts/216 bytes] 6 TCP 192.168.1.34:50124 <-> 81.133.19.185:44431 [proto: 0/Unknown][22 pkts/1636 bytes] 7 TCP 192.168.1.34:50131 <-> 212.161.8.36:13392 [proto: 0/Unknown][19 pkts/5111 bytes] 8 TCP 192.168.1.34:50142 <-> 80.14.46.121:4415 [proto: 0/Unknown][18 pkts/1474 bytes] 9 TCP 192.168.1.34:50138 <-> 71.238.7.203:18767 [proto: 0/Unknown][32 pkts/4972 bytes] 10 TCP 192.168.1.34:50121 <-> 81.83.77.141:17639 [proto: 0/Unknown][40 pkts/5609 bytes] - 11 TCP 76.167.161.6:20274 <-> 192.168.1.34:50140 [proto: 0/Unknown][3 pkts/206 bytes] + 11 TCP 192.168.1.34:50140 <-> 76.167.161.6:20274 [proto: 0/Unknown][3 pkts/206 bytes] 12 TCP 192.168.1.34:50144 <-> 78.202.226.115:29059 [proto: 0/Unknown][14 pkts/1139 bytes] 13 TCP 192.168.1.34:50145 <-> 157.56.53.51:12350 [proto: 0/Unknown][8 pkts/608 bytes] - 14 TCP 86.31.35.30:59621 <-> 192.168.1.34:50119 [proto: 0/Unknown][100 pkts/12266 bytes] + 14 TCP 192.168.1.34:50119 <-> 86.31.35.30:59621 [proto: 0/Unknown][100 pkts/12266 bytes] 15 TCP 192.168.1.34:50127 <-> 80.14.46.121:4415 [proto: 0/Unknown][27 pkts/2098 bytes] diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out index e7cbd2a82..3e631832f 100644 --- a/tests/result/skype_no_unknown.pcap.out +++ b/tests/result/skype_no_unknown.pcap.out @@ -13,11 +13,11 @@ MS_OneDrive 348 181687 1 1 UDP 192.168.1.34:13021 <-> 189.138.161.88:19521 [proto: 125/Skype][1 pkts/60 bytes] 2 TCP 192.168.1.34:51290 <-> 5.248.186.221:31010 [proto: 125/Skype][18 pkts/1490 bytes] - 3 UDP 111.221.74.15:40026 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/71 bytes] + 3 UDP 192.168.1.34:13021 <-> 111.221.74.15:40026 [proto: 125/Skype][1 pkts/71 bytes] 4 UDP 192.168.1.34:13021 <-> 111.221.77.143:40022 [proto: 125/Skype][1 pkts/67 bytes] 5 UDP 192.168.1.34:13021 <-> 111.221.74.42:40006 [proto: 125/Skype][1 pkts/67 bytes] - 6 UDP 111.221.74.24:40032 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/72 bytes] - 7 UDP 111.221.74.28:40026 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/78 bytes] + 6 UDP 192.168.1.34:13021 <-> 111.221.74.24:40032 [proto: 125/Skype][1 pkts/72 bytes] + 7 UDP 192.168.1.34:13021 <-> 111.221.74.28:40026 [proto: 125/Skype][1 pkts/78 bytes] 8 UDP 192.168.1.34:13021 <-> 111.221.77.145:40024 [proto: 125/Skype][1 pkts/68 bytes] 9 UDP 192.168.1.34:13021 <-> 111.221.77.165:40004 [proto: 125/Skype][1 pkts/76 bytes] 10 UDP 192.168.1.34:13021 <-> 111.221.77.160:40016 [proto: 125/Skype][1 pkts/70 bytes] @@ -29,7 +29,7 @@ MS_OneDrive 348 181687 1 16 UDP 192.168.1.92:17500 <-> 192.168.1.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes] 17 TCP 192.168.1.34:51296 <-> 91.190.216.125:12350 [proto: 125/Skype][6 pkts/479 bytes] 18 TCP 192.168.1.34:51289 <-> 71.238.7.203:18767 [proto: 125/Skype][17 pkts/1369 bytes] - 19 UDP 157.56.52.18:33033 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/77 bytes] + 19 UDP 192.168.1.34:13021 <-> 157.56.52.18:33033 [proto: 125/Skype][1 pkts/77 bytes] 20 TCP 192.168.1.34:51311 <-> 93.79.224.176:14506 [proto: 125/Skype][14 pkts/1134 bytes] 21 TCP 192.168.1.34:51238 <-> 157.55.235.147:443 [proto: 91.125/SSL.Skype][17 pkts/1712 bytes] 22 TCP 192.168.1.34:51247 <-> 157.56.52.44:443 [proto: 91.125/SSL.Skype][14 pkts/1428 bytes] @@ -37,12 +37,12 @@ MS_OneDrive 348 181687 1 24 TCP 192.168.1.34:51274 <-> 157.55.235.152:443 [proto: 91.125/SSL.Skype][15 pkts/1520 bytes] 25 TCP 192.168.1.34:51280 <-> 157.55.235.146:443 [proto: 91.125/SSL.Skype][15 pkts/1415 bytes] 26 UDP 192.168.1.34:13021 <-> 157.55.130.165:40028 [proto: 125/Skype][1 pkts/76 bytes] - 27 UDP 157.56.52.27:40025 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/72 bytes] - 28 UDP 157.56.52.12:40031 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/67 bytes] - 29 UDP 157.56.52.15:40027 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/79 bytes] - 30 UDP 157.56.52.13:40021 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/75 bytes] - 31 UDP 157.56.52.20:40033 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/77 bytes] - 32 UDP 157.56.52.17:40013 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/66 bytes] + 27 UDP 192.168.1.34:13021 <-> 157.56.52.27:40025 [proto: 125/Skype][1 pkts/72 bytes] + 28 UDP 192.168.1.34:13021 <-> 157.56.52.12:40031 [proto: 125/Skype][1 pkts/67 bytes] + 29 UDP 192.168.1.34:13021 <-> 157.56.52.15:40027 [proto: 125/Skype][1 pkts/79 bytes] + 30 UDP 192.168.1.34:13021 <-> 157.56.52.13:40021 [proto: 125/Skype][1 pkts/75 bytes] + 31 UDP 192.168.1.34:13021 <-> 157.56.52.20:40033 [proto: 125/Skype][1 pkts/77 bytes] + 32 UDP 192.168.1.34:13021 <-> 157.56.52.17:40013 [proto: 125/Skype][1 pkts/66 bytes] 33 UDP 192.168.1.34:13021 <-> 157.55.235.143:40030 [proto: 125/Skype][1 pkts/71 bytes] 34 UDP 192.168.1.34:13021 <-> 157.56.52.39:40031 [proto: 125/Skype][1 pkts/78 bytes] 35 UDP 192.168.1.34:13021 <-> 157.56.52.38:40015 [proto: 125/Skype][1 pkts/75 bytes] @@ -66,27 +66,27 @@ MS_OneDrive 348 181687 1 53 UDP 192.168.1.34:13021 <-> 157.55.235.172:40020 [proto: 125/Skype][1 pkts/69 bytes] 54 UDP 192.168.1.34:13021 <-> 157.55.235.171:40006 [proto: 125/Skype][1 pkts/66 bytes] 55 UDP 192.168.1.34:13021 <-> 157.55.130.175:40006 [proto: 125/Skype][1 pkts/68 bytes] - 56 UDP 133.236.67.25:49195 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/60 bytes] - 57 UDP 192.168.1.1:53 <-> 192.168.1.34:50055 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] - 58 TCP 149.13.32.15:13392 <-> 192.168.1.34:51305 [proto: 125/Skype][18 pkts/1426 bytes] - 59 TCP 149.13.32.15:13392 <-> 192.168.1.34:51309 [proto: 125/Skype][15 pkts/1197 bytes] - 60 UDP 192.168.1.1:53 <-> 192.168.1.34:51753 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] + 56 UDP 192.168.1.34:13021 <-> 133.236.67.25:49195 [proto: 125/Skype][1 pkts/60 bytes] + 57 UDP 192.168.1.34:50055 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] + 58 TCP 192.168.1.34:51305 <-> 149.13.32.15:13392 [proto: 125/Skype][18 pkts/1426 bytes] + 59 TCP 192.168.1.34:51309 <-> 149.13.32.15:13392 [proto: 125/Skype][15 pkts/1197 bytes] + 60 UDP 192.168.1.34:51753 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] 61 TCP 192.168.1.34:51262 <-> 213.199.179.176:443 [proto: 91/SSL][16 pkts/1637 bytes] 62 TCP 192.168.1.34:51251 <-> 64.4.23.166:40029 [proto: 125/Skype][16 pkts/1297 bytes] - 63 UDP 111.221.74.14:443 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/60 bytes] + 63 UDP 192.168.1.34:13021 <-> 111.221.74.14:443 [proto: 125/Skype][1 pkts/60 bytes] 64 UDP 192.168.1.34:13021 <-> 213.199.179.160:40030 [proto: 125/Skype][1 pkts/77 bytes] 65 UDP 192.168.1.34:13021 <-> 213.199.179.143:40018 [proto: 125/Skype][1 pkts/78 bytes] 66 UDP 192.168.1.34:13021 <-> 213.199.179.145:40024 [proto: 125/Skype][1 pkts/64 bytes] 67 UDP 192.168.1.34:13021 <-> 213.199.179.146:40030 [proto: 125/Skype][1 pkts/68 bytes] 68 UDP 192.168.1.34:13021 <-> 213.199.179.149:40030 [proto: 125/Skype][1 pkts/73 bytes] 69 UDP 192.168.1.34:13021 <-> 213.199.179.165:40004 [proto: 125/Skype][1 pkts/78 bytes] - 70 UDP 192.168.1.1:53 <-> 192.168.1.34:58631 [proto: 5.125/DNS.Skype][8 pkts/648 bytes][Host: conn.skype.akadns.net] - 71 UDP 192.168.1.1:53 <-> 192.168.1.34:59113 [proto: 5.125/DNS.Skype][7 pkts/539 bytes][Host: dsn13.d.skype.net] - 72 UDP 192.168.1.1:53 <-> 192.168.1.34:60413 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 335.0.7.7.3.rst0.r.skype.net] - 73 UDP 192.168.1.1:53 <-> 192.168.1.34:61095 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] - 74 UDP 192.168.1.1:53 <-> 192.168.1.34:62875 [proto: 5.125/DNS.Skype][7 pkts/539 bytes][Host: dsn13.d.skype.net] - 75 UDP 192.168.1.1:53 <-> 192.168.1.34:63661 [proto: 5.125/DNS.Skype][2 pkts/180 bytes][Host: e4593.g.akamaiedge.net] - 76 UDP 192.168.1.1:53 <-> 192.168.1.34:64971 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: a.config.skype.com] + 70 UDP 192.168.1.34:58631 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][8 pkts/648 bytes][Host: conn.skype.akadns.net] + 71 UDP 192.168.1.34:59113 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/539 bytes][Host: dsn13.d.skype.net] + 72 UDP 192.168.1.34:60413 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 335.0.7.7.3.rst0.r.skype.net] + 73 UDP 192.168.1.34:61095 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] + 74 UDP 192.168.1.34:62875 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/539 bytes][Host: dsn13.d.skype.net] + 75 UDP 192.168.1.34:63661 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][2 pkts/180 bytes][Host: e4593.g.akamaiedge.net] + 76 UDP 192.168.1.34:64971 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: a.config.skype.com] 77 TCP 192.168.1.34:51313 <-> 212.161.8.36:13392 [proto: 125/Skype][14 pkts/1142 bytes] 78 TCP 192.168.1.34:51256 <-> 111.221.77.142:40013 [proto: 125/Skype][16 pkts/1238 bytes] 79 TCP 192.168.1.34:51279 <-> 111.221.74.48:40008 [proto: 125/Skype][199 pkts/90615 bytes] @@ -94,11 +94,11 @@ MS_OneDrive 348 181687 1 81 UDP 192.168.1.34:58061 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes] 82 IGMP 233.89.188.1:0 <-> 192.168.1.219:0 [proto: 82/IGMP][1 pkts/60 bytes] 83 UDP 192.168.1.34:59237 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes] - 84 TCP 192.168.1.34:50407 <-> 17.143.160.149:5223 [proto: 140/Apple][8 pkts/1118 bytes] + 84 TCP 17.143.160.149:5223 <-> 192.168.1.34:50407 [proto: 140/Apple][8 pkts/1118 bytes] 85 UDP 192.168.1.34:13021 <-> 83.31.12.173:23939 [proto: 125/Skype][5 pkts/300 bytes] - 86 UDP 65.55.223.18:33033 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/67 bytes] + 86 UDP 192.168.1.34:13021 <-> 65.55.223.18:33033 [proto: 125/Skype][1 pkts/67 bytes] 87 UDP 192.168.1.34:13021 <-> 65.55.223.65:33033 [proto: 125/Skype][1 pkts/70 bytes] - 88 TCP 157.56.52.28:40009 <-> 192.168.1.34:51229 [proto: 125/Skype][16 pkts/1292 bytes] + 88 TCP 192.168.1.34:51229 <-> 157.56.52.28:40009 [proto: 125/Skype][16 pkts/1292 bytes] 89 TCP 192.168.1.34:51234 <-> 157.55.235.147:40001 [proto: 125/Skype][18 pkts/1454 bytes] 90 TCP 192.168.1.34:51237 <-> 157.55.130.176:40022 [proto: 125/Skype][17 pkts/1330 bytes] 91 TCP 192.168.1.34:51246 <-> 157.56.52.44:40020 [proto: 125/Skype][16 pkts/1265 bytes] @@ -113,28 +113,28 @@ MS_OneDrive 348 181687 1 100 UDP 192.168.1.34:13021 <-> 64.4.23.154:40032 [proto: 125/Skype][1 pkts/70 bytes] 101 UDP 192.168.1.34:13021 <-> 64.4.23.149:40030 [proto: 125/Skype][1 pkts/71 bytes] 102 UDP 192.168.1.34:13021 <-> 64.4.23.155:40004 [proto: 125/Skype][1 pkts/74 bytes] - 103 UDP 65.55.223.17:40025 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/70 bytes] - 104 UDP 65.55.223.13:40009 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/71 bytes] - 105 UDP 65.55.223.22:40009 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/74 bytes] - 106 UDP 65.55.223.20:40023 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/66 bytes] - 107 UDP 65.55.223.18:40025 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/67 bytes] - 108 UDP 65.55.223.27:40029 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/79 bytes] - 109 UDP 65.55.223.24:40029 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/77 bytes] + 103 UDP 192.168.1.34:13021 <-> 65.55.223.17:40025 [proto: 125/Skype][1 pkts/70 bytes] + 104 UDP 192.168.1.34:13021 <-> 65.55.223.13:40009 [proto: 125/Skype][1 pkts/71 bytes] + 105 UDP 192.168.1.34:13021 <-> 65.55.223.22:40009 [proto: 125/Skype][1 pkts/74 bytes] + 106 UDP 192.168.1.34:13021 <-> 65.55.223.20:40023 [proto: 125/Skype][1 pkts/66 bytes] + 107 UDP 192.168.1.34:13021 <-> 65.55.223.18:40025 [proto: 125/Skype][1 pkts/67 bytes] + 108 UDP 192.168.1.34:13021 <-> 65.55.223.27:40029 [proto: 125/Skype][1 pkts/79 bytes] + 109 UDP 192.168.1.34:13021 <-> 65.55.223.24:40029 [proto: 125/Skype][1 pkts/77 bytes] 110 TCP 192.168.1.34:51286 <-> 91.190.218.125:443 [proto: 91.125/SSL.Skype][6 pkts/377 bytes] 111 TCP 192.168.1.34:51302 <-> 91.190.216.125:443 [proto: 91.125/SSL.Skype][10 pkts/599 bytes] 112 UDP 192.168.1.34:13021 <-> 111.221.77.146:33033 [proto: 125/Skype][1 pkts/70 bytes] - 113 UDP 111.221.74.18:33033 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/67 bytes] - 114 TCP 192.168.1.34:51222 <-> 108.160.163.108:443 [proto: 91.121/SSL.Dropbox][8 pkts/2990 bytes] + 113 UDP 192.168.1.34:13021 <-> 111.221.74.18:33033 [proto: 125/Skype][1 pkts/67 bytes] + 114 TCP 108.160.163.108:443 <-> 192.168.1.34:51222 [proto: 91.121/SSL.Dropbox][8 pkts/2990 bytes] 115 TCP 192.168.1.34:51259 <-> 111.221.77.142:443 [proto: 91.125/SSL.Skype][14 pkts/1253 bytes] 116 TCP 192.168.1.34:51283 <-> 111.221.74.48:443 [proto: 91.125/SSL.Skype][3 pkts/206 bytes] 117 TCP 192.168.1.34:51258 <-> 213.199.179.176:40021 [proto: 125/Skype][19 pkts/1496 bytes] 118 TCP 192.168.1.34:51293 <-> 5.248.186.221:31010 [proto: 125/Skype][20 pkts/3905 bytes] 119 UDP 192.168.1.34:13021 <-> 111.221.74.34:40027 [proto: 125/Skype][1 pkts/73 bytes] - 120 UDP 111.221.74.33:40011 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/76 bytes] - 121 UDP 111.221.74.13:40009 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/64 bytes] - 122 UDP 111.221.74.27:40027 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/70 bytes] - 123 UDP 111.221.74.20:40033 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/77 bytes] - 124 UDP 111.221.74.19:40001 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/73 bytes] + 120 UDP 192.168.1.34:13021 <-> 111.221.74.33:40011 [proto: 125/Skype][1 pkts/76 bytes] + 121 UDP 192.168.1.34:13021 <-> 111.221.74.13:40009 [proto: 125/Skype][1 pkts/64 bytes] + 122 UDP 192.168.1.34:13021 <-> 111.221.74.27:40027 [proto: 125/Skype][1 pkts/70 bytes] + 123 UDP 192.168.1.34:13021 <-> 111.221.74.20:40033 [proto: 125/Skype][1 pkts/77 bytes] + 124 UDP 192.168.1.34:13021 <-> 111.221.74.19:40001 [proto: 125/Skype][1 pkts/73 bytes] 125 UDP 192.168.1.34:13021 <-> 111.221.74.44:40019 [proto: 125/Skype][1 pkts/70 bytes] 126 UDP 192.168.1.34:13021 <-> 111.221.74.38:40015 [proto: 125/Skype][1 pkts/64 bytes] 127 UDP 192.168.1.34:13021 <-> 111.221.74.43:40001 [proto: 125/Skype][1 pkts/67 bytes] @@ -146,29 +146,29 @@ MS_OneDrive 348 181687 1 133 UDP 192.168.1.34:13021 <-> 111.221.77.170:40021 [proto: 125/Skype][1 pkts/78 bytes] 134 UDP 192.168.1.34:13021 <-> 189.188.134.174:22436 [proto: 125/Skype][1 pkts/60 bytes] 135 TCP 192.168.1.34:51285 <-> 91.190.218.125:12350 [proto: 125/Skype][6 pkts/377 bytes] - 136 TCP 91.190.216.24:12350 <-> 192.168.1.34:51297 [proto: 125/Skype][15 pkts/3532 bytes] + 136 TCP 192.168.1.34:51297 <-> 91.190.216.24:12350 [proto: 125/Skype][15 pkts/3532 bytes] 137 TCP 192.168.1.34:51299 <-> 91.190.216.125:12350 [proto: 125/Skype][11 pkts/659 bytes] 138 UDP 192.168.1.34:13021 <-> 157.55.235.146:33033 [proto: 125/Skype][1 pkts/76 bytes] 139 UDP 192.168.1.34:13021 <-> 157.55.130.146:33033 [proto: 125/Skype][1 pkts/69 bytes] 140 TCP 192.168.1.34:51291 <-> 81.83.77.141:17639 [proto: 125/Skype][15 pkts/1226 bytes] - 141 TCP 76.167.161.6:20274 <-> 192.168.1.34:51288 [proto: 125/Skype][15 pkts/1258 bytes] + 141 TCP 192.168.1.34:51288 <-> 76.167.161.6:20274 [proto: 125/Skype][15 pkts/1258 bytes] 142 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.221/SSL.MS_OneDrive][348 pkts/181687 bytes][server: *.gateway.messenger.live.com] - 143 TCP 157.56.52.28:443 <-> 192.168.1.34:51232 [proto: 125/Skype][13 pkts/1157 bytes] + 143 TCP 192.168.1.34:51232 <-> 157.56.52.28:443 [proto: 125/Skype][13 pkts/1157 bytes] 144 TCP 192.168.1.34:51241 <-> 157.55.130.176:443 [proto: 91.125/SSL.Skype][15 pkts/1584 bytes] 145 TCP 192.168.1.34:51261 <-> 157.55.235.170:443 [proto: 91.125/SSL.Skype][15 pkts/1569 bytes] 146 TCP 192.168.1.34:51281 <-> 157.55.235.156:443 [proto: 91.125/SSL.Skype][15 pkts/1380 bytes] 147 UDP 192.168.1.34:13021 <-> 174.49.171.224:32011 [proto: 125/Skype][5 pkts/300 bytes] 148 UDP 192.168.1.34:13021 <-> 157.55.56.170:40015 [proto: 125/Skype][1 pkts/76 bytes] - 149 UDP 157.56.52.19:40020 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/68 bytes] - 150 UDP 157.56.52.16:40032 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/66 bytes] - 151 UDP 157.56.52.25:40010 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/76 bytes] - 152 UDP 157.56.52.24:40032 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/70 bytes] + 149 UDP 192.168.1.34:13021 <-> 157.56.52.19:40020 [proto: 125/Skype][1 pkts/68 bytes] + 150 UDP 192.168.1.34:13021 <-> 157.56.52.16:40032 [proto: 125/Skype][1 pkts/66 bytes] + 151 UDP 192.168.1.34:13021 <-> 157.56.52.25:40010 [proto: 125/Skype][1 pkts/76 bytes] + 152 UDP 192.168.1.34:13021 <-> 157.56.52.24:40032 [proto: 125/Skype][1 pkts/70 bytes] 153 UDP 192.168.1.34:13021 <-> 157.55.130.154:40013 [proto: 125/Skype][1 pkts/66 bytes] 154 UDP 192.168.1.34:13021 <-> 157.55.130.150:40007 [proto: 125/Skype][1 pkts/71 bytes] 155 UDP 192.168.1.34:13021 <-> 157.55.130.149:40011 [proto: 125/Skype][1 pkts/77 bytes] 156 UDP 192.168.1.34:13021 <-> 157.55.56.142:40013 [proto: 125/Skype][1 pkts/72 bytes] - 157 UDP 157.56.52.33:40002 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/71 bytes] - 158 UDP 157.56.52.29:40010 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/67 bytes] + 157 UDP 192.168.1.34:13021 <-> 157.56.52.33:40002 [proto: 125/Skype][1 pkts/71 bytes] + 158 UDP 192.168.1.34:13021 <-> 157.56.52.29:40010 [proto: 125/Skype][1 pkts/67 bytes] 159 UDP 192.168.1.34:13021 <-> 157.55.56.140:40003 [proto: 125/Skype][1 pkts/76 bytes] 160 UDP 192.168.1.34:13021 <-> 157.56.52.43:40006 [proto: 125/Skype][1 pkts/78 bytes] 161 UDP 192.168.1.34:13021 <-> 157.55.130.140:40011 [proto: 125/Skype][1 pkts/72 bytes] @@ -188,20 +188,20 @@ MS_OneDrive 348 181687 1 175 UDP 192.168.1.34:13021 <-> 157.55.130.173:40003 [proto: 125/Skype][1 pkts/72 bytes] 176 UDP 192.168.1.34:13021 <-> 157.55.235.176:40031 [proto: 125/Skype][1 pkts/73 bytes] 177 UDP 192.168.1.34:13021 <-> 157.55.235.175:40023 [proto: 125/Skype][1 pkts/74 bytes] - 178 UDP 192.168.1.1:53 <-> 192.168.1.34:49864 [proto: 5.125/DNS.Skype][7 pkts/511 bytes][Host: api.skype.com] - 179 TCP 149.13.32.15:13392 <-> 192.168.1.34:51316 [proto: 125/Skype][14 pkts/1176 bytes] + 178 UDP 192.168.1.34:49864 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/511 bytes][Host: api.skype.com] + 179 TCP 192.168.1.34:51316 <-> 149.13.32.15:13392 [proto: 125/Skype][14 pkts/1176 bytes] 180 UDP 192.168.1.34:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes] 181 UDP 192.168.1.92:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes] 182 UDP 192.168.1.34:13021 <-> 213.199.179.146:33033 [proto: 125/Skype][1 pkts/75 bytes] - 183 UDP 192.168.1.1:53 <-> 192.168.1.34:53372 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: 335.0.7.7.3.rst11.r.skype.net] + 183 UDP 192.168.1.34:53372 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: 335.0.7.7.3.rst11.r.skype.net] 184 UDP 192.168.1.92:53826 <-> 192.168.1.255:137 [proto: 10/NetBIOS][1 pkts/92 bytes] 185 TCP 192.168.1.34:51271 <-> 213.199.179.175:443 [proto: 91/SSL][15 pkts/1415 bytes] - 186 UDP 192.168.1.1:53 <-> 192.168.1.34:55028 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: a.config.skype.com] + 186 UDP 192.168.1.34:55028 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: a.config.skype.com] 187 TCP 192.168.1.34:51278 <-> 64.4.23.159:40009 [proto: 125/Skype][15 pkts/1219 bytes] 188 TCP 192.168.1.34:51235 <-> 65.55.223.45:40009 [proto: 125/Skype][17 pkts/1341 bytes] - 189 UDP 192.168.1.1:53 <-> 192.168.1.34:55866 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] - 190 UDP 192.168.1.1:53 <-> 192.168.1.34:57592 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: 335.0.7.7.3.rst11.r.skype.net] - 191 UDP 192.168.1.1:53 <-> 192.168.1.34:57694 [proto: 5/DNS][2 pkts/267 bytes][Host: db3msgr5011709.gateway.messenger.live.com] + 189 UDP 192.168.1.34:55866 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] + 190 UDP 192.168.1.34:57592 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: 335.0.7.7.3.rst11.r.skype.net] + 191 UDP 192.168.1.34:57694 <-> 192.168.1.1:53 [proto: 5/DNS][2 pkts/267 bytes][Host: db3msgr5011709.gateway.messenger.live.com] 192 UDP 192.168.1.34:13021 <-> 213.199.179.173:40013 [proto: 125/Skype][1 pkts/72 bytes] 193 UDP 192.168.1.34:13021 <-> 213.199.179.140:40003 [proto: 125/Skype][1 pkts/70 bytes] 194 UDP 192.168.1.34:13021 <-> 213.199.179.154:40017 [proto: 125/Skype][1 pkts/78 bytes] @@ -211,15 +211,15 @@ MS_OneDrive 348 181687 1 198 UDP 192.168.1.34:13021 <-> 213.199.179.172:40011 [proto: 125/Skype][1 pkts/76 bytes] 199 UDP 192.168.1.34:13021 <-> 213.199.179.174:40025 [proto: 125/Skype][1 pkts/71 bytes] 200 TCP 192.168.1.34:51298 <-> 82.224.110.241:38895 [proto: 125/Skype][14 pkts/1150 bytes] - 201 UDP 192.168.1.1:53 <-> 192.168.1.34:59788 [proto: 5.125/DNS.Skype][2 pkts/180 bytes][Host: e4593.g.akamaiedge.net] - 202 UDP 192.168.1.1:53 <-> 192.168.1.34:60688 [proto: 5.125/DNS.Skype][8 pkts/648 bytes][Host: conn.skype.akadns.net] - 203 UDP 192.168.1.1:53 <-> 192.168.1.34:61016 [proto: 5.125/DNS.Skype][1 pkts/80 bytes][Host: apps.skypeassets.com] + 201 UDP 192.168.1.34:59788 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][2 pkts/180 bytes][Host: e4593.g.akamaiedge.net] + 202 UDP 192.168.1.34:60688 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][8 pkts/648 bytes][Host: conn.skype.akadns.net] + 203 UDP 192.168.1.34:61016 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][1 pkts/80 bytes][Host: apps.skypeassets.com] 204 ICMP 192.168.1.1:0 <-> 192.168.1.34:0 [proto: 81/ICMP][4 pkts/328 bytes] - 205 UDP 192.168.1.1:53 <-> 192.168.1.34:63342 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] - 206 UDP 192.168.1.1:53 <-> 192.168.1.34:63514 [proto: 5.125/DNS.Skype][8 pkts/576 bytes][Host: ui.skype.com] - 207 UDP 192.168.1.1:53 <-> 192.168.1.34:64240 [proto: 5.125/DNS.Skype][7 pkts/511 bytes][Host: api.skype.com] - 208 UDP 192.168.1.1:53 <-> 192.168.1.34:64258 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] - 209 UDP 192.168.1.1:53 <-> 192.168.1.34:64364 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 335.0.7.7.3.rst0.r.skype.net] + 205 UDP 192.168.1.34:63342 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] + 206 UDP 192.168.1.34:63514 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][8 pkts/576 bytes][Host: ui.skype.com] + 207 UDP 192.168.1.34:64240 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/511 bytes][Host: api.skype.com] + 208 UDP 192.168.1.34:64258 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] + 209 UDP 192.168.1.34:64364 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 335.0.7.7.3.rst0.r.skype.net] 210 UDP 192.168.1.34:137 <-> 192.168.1.255:137 [proto: 10/NetBIOS][7 pkts/680 bytes] 211 UDP 192.168.1.1:137 <-> 192.168.1.34:137 [proto: 10/NetBIOS][8 pkts/1142 bytes] 212 UDP 192.168.1.1:138 <-> 192.168.1.34:138 [proto: 10/NetBIOS][2 pkts/452 bytes] @@ -228,7 +228,7 @@ MS_OneDrive 348 181687 1 215 UDP 192.168.1.92:138 <-> 192.168.1.255:138 [proto: 10/NetBIOS][1 pkts/216 bytes] 216 TCP 192.168.1.34:51318 <-> 212.161.8.36:13392 [proto: 125/Skype][10 pkts/857 bytes] 217 TCP 192.168.1.34:51236 <-> 111.221.74.45:40008 [proto: 125/Skype][16 pkts/1257 bytes] - 218 TCP 111.221.74.18:40025 <-> 192.168.1.34:51267 [proto: 125/Skype][14 pkts/1163 bytes] + 218 TCP 192.168.1.34:51267 <-> 111.221.74.18:40025 [proto: 125/Skype][14 pkts/1163 bytes] 219 TCP 192.168.1.34:51248 <-> 111.221.77.175:40030 [proto: 125/Skype][16 pkts/1284 bytes] 220 TCP 192.168.1.34:51227 <-> 17.172.100.36:443 [proto: 91.140/SSL.Apple][76 pkts/19581 bytes] 221 IGMP 224.0.0.22:0 <-> 192.168.1.219:0 [proto: 82/IGMP][1 pkts/60 bytes] @@ -238,7 +238,7 @@ MS_OneDrive 348 181687 1 225 TCP 192.168.1.34:51295 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][12 pkts/2148 bytes][client: apps.skype.com] 226 UDP 192.168.1.34:13021 <-> 64.4.23.146:33033 [proto: 125/Skype][1 pkts/66 bytes] 227 TCP 192.168.1.34:51255 <-> 157.55.130.142:40005 [proto: 125/Skype][17 pkts/1322 bytes] - 228 UDP 239.255.255.250:1900 <-> 192.168.0.254:1025 [proto: 12/SSDP][36 pkts/13402 bytes] + 228 UDP 192.168.0.254:1025 <-> 239.255.255.250:1900 [proto: 12/SSDP][36 pkts/13402 bytes] 229 TCP 192.168.1.34:51253 <-> 64.4.23.166:443 [proto: 91/SSL][14 pkts/1432 bytes] 230 UDP 192.168.1.92:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][1 pkts/142 bytes][Lucas-iMac.local] 231 UDP 192.168.1.34:13021 <-> 64.4.23.145:40027 [proto: 125/Skype][1 pkts/73 bytes] @@ -252,32 +252,32 @@ MS_OneDrive 348 181687 1 239 UDP 192.168.1.34:13021 <-> 64.4.23.158:40021 [proto: 125/Skype][1 pkts/76 bytes] 240 UDP 192.168.1.34:13021 <-> 64.4.23.170:40011 [proto: 125/Skype][1 pkts/66 bytes] 241 UDP 192.168.1.34:13021 <-> 64.4.23.176:40001 [proto: 125/Skype][1 pkts/69 bytes] - 242 UDP 65.55.223.33:40002 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/74 bytes] - 243 UDP 65.55.223.32:40022 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/77 bytes] - 244 UDP 65.55.223.28:40014 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/74 bytes] - 245 UDP 65.55.223.16:40032 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/70 bytes] - 246 UDP 65.55.223.15:40030 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/77 bytes] + 242 UDP 192.168.1.34:13021 <-> 65.55.223.33:40002 [proto: 125/Skype][1 pkts/74 bytes] + 243 UDP 192.168.1.34:13021 <-> 65.55.223.32:40022 [proto: 125/Skype][1 pkts/77 bytes] + 244 UDP 192.168.1.34:13021 <-> 65.55.223.28:40014 [proto: 125/Skype][1 pkts/74 bytes] + 245 UDP 192.168.1.34:13021 <-> 65.55.223.16:40032 [proto: 125/Skype][1 pkts/70 bytes] + 246 UDP 192.168.1.34:13021 <-> 65.55.223.15:40030 [proto: 125/Skype][1 pkts/77 bytes] 247 UDP 192.168.1.34:13021 <-> 65.55.223.44:40020 [proto: 125/Skype][1 pkts/76 bytes] 248 UDP 192.168.1.34:13021 <-> 65.55.223.42:40024 [proto: 125/Skype][1 pkts/76 bytes] 249 UDP 192.168.1.34:13021 <-> 65.55.223.43:40006 [proto: 125/Skype][1 pkts/77 bytes] - 250 UDP [fe80::c62c:3ff:fe06:49fe]:5353 <-> [ff02::fb]:5353 [proto: 8/MDNS][2 pkts/258 bytes] + 250 UDP [ff02::fb]:5353 <-> [fe80::c62c:3ff:fe06:49fe]:5353 [proto: 8/MDNS][2 pkts/258 bytes] 251 TCP 192.168.1.34:51240 <-> 111.221.74.45:443 [proto: 91.125/SSL.Skype][14 pkts/1373 bytes] - 252 TCP 111.221.74.18:443 <-> 192.168.1.34:51268 [proto: 125/Skype][14 pkts/1203 bytes] + 252 TCP 192.168.1.34:51268 <-> 111.221.74.18:443 [proto: 125/Skype][14 pkts/1203 bytes] 253 TCP 192.168.1.34:51250 <-> 111.221.77.175:443 [proto: 91.125/SSL.Skype][14 pkts/1363 bytes] 254 TCP 192.168.1.34:51269 <-> 213.199.179.175:40029 [proto: 125/Skype][19 pkts/1491 bytes] Undetected flows: 1 TCP 192.168.1.34:51294 <-> 81.83.77.141:17639 [proto: 0/Unknown][33 pkts/5097 bytes] - 2 TCP 149.13.32.15:13392 <-> 192.168.1.34:51307 [proto: 0/Unknown][26 pkts/17499 bytes] - 3 TCP 149.13.32.15:13392 <-> 192.168.1.34:51317 [proto: 0/Unknown][20 pkts/6208 bytes] + 2 TCP 192.168.1.34:51307 <-> 149.13.32.15:13392 [proto: 0/Unknown][26 pkts/17499 bytes] + 3 TCP 192.168.1.34:51317 <-> 149.13.32.15:13392 [proto: 0/Unknown][20 pkts/6208 bytes] 4 TCP 192.168.1.34:51301 <-> 82.224.110.241:38895 [proto: 0/Unknown][18 pkts/1482 bytes] 5 TCP 192.168.1.34:51315 <-> 212.161.8.36:13392 [proto: 0/Unknown][23 pkts/12290 bytes] 6 TCP 192.168.1.34:51319 <-> 212.161.8.36:13392 [proto: 0/Unknown][1 pkts/78 bytes] 7 TCP 192.168.1.34:51306 <-> 80.121.84.93:62381 [proto: 0/Unknown][6 pkts/468 bytes] 8 TCP 192.168.1.34:51292 <-> 71.238.7.203:18767 [proto: 0/Unknown][30 pkts/4904 bytes] 9 TCP 192.168.1.34:51314 <-> 93.79.224.176:14506 [proto: 0/Unknown][20 pkts/2059 bytes] - 10 TCP 76.167.161.6:20274 <-> 192.168.1.34:51300 [proto: 0/Unknown][3 pkts/206 bytes] - 11 TCP 149.13.32.15:13392 <-> 192.168.1.34:51312 [proto: 0/Unknown][25 pkts/15642 bytes] - 12 UDP 192.168.1.1:5351 <-> 192.168.1.34:59052 [proto: 0/Unknown][4 pkts/216 bytes] + 10 TCP 192.168.1.34:51300 <-> 76.167.161.6:20274 [proto: 0/Unknown][3 pkts/206 bytes] + 11 TCP 192.168.1.34:51312 <-> 149.13.32.15:13392 [proto: 0/Unknown][25 pkts/15642 bytes] + 12 UDP 192.168.1.34:59052 <-> 192.168.1.1:5351 [proto: 0/Unknown][4 pkts/216 bytes] 13 TCP 192.168.1.34:51303 <-> 80.121.84.93:62381 [proto: 0/Unknown][7 pkts/546 bytes] diff --git a/tests/result/smpp_in_general.pcap.out b/tests/result/smpp_in_general.pcap.out index 1ec966e82..e7c0293d6 100644 --- a/tests/result/smpp_in_general.pcap.out +++ b/tests/result/smpp_in_general.pcap.out @@ -1,3 +1,3 @@ SMPP 17 1144 1 - 1 TCP 10.226.202.53:9000 <-> 10.226.202.118:1770 [proto: 207/SMPP][17 pkts/1144 bytes] + 1 TCP 10.226.202.118:1770 <-> 10.226.202.53:9000 [proto: 207/SMPP][17 pkts/1144 bytes] diff --git a/tests/result/starcraft_battle.pcap.out b/tests/result/starcraft_battle.pcap.out index 2056ea4f4..f2d26ea0a 100644 --- a/tests/result/starcraft_battle.pcap.out +++ b/tests/result/starcraft_battle.pcap.out @@ -1,7 +1,7 @@ DNS 26 2848 7 HTTP 271 160676 18 SSDP 11 4984 1 -HTTPDownload 179 134204 1 +HTTP_Download 179 134204 1 WorldOfWarcraft 9 880 1 IGMP 2 120 1 SSL 38 2548 11 @@ -10,13 +10,13 @@ QUIC 6 475 1 Github 3 234 1 Starcraft 236 51494 6 - 1 TCP 80.239.186.21:80 <-> 192.168.1.100:3516 [proto: 7/HTTP][12 pkts/3680 bytes][Host: eu.launcher.battle.net] - 2 TCP 80.239.186.26:80 <-> 192.168.1.100:3518 [proto: 7/HTTP][10 pkts/1226 bytes][Host: nydus.battle.net] - 3 TCP 80.239.186.21:80 <-> 192.168.1.100:3522 [proto: 7/HTTP][11 pkts/3620 bytes][Host: eu.launcher.battle.net] - 4 TCP 80.239.186.26:80 <-> 192.168.1.100:3524 [proto: 7/HTTP][10 pkts/1214 bytes][Host: nydus.battle.net] - 5 TCP 80.239.186.40:80 <-> 192.168.1.100:3526 [proto: 7/HTTP][11 pkts/3686 bytes][Host: eu.battle.net] + 1 TCP 192.168.1.100:3516 <-> 80.239.186.21:80 [proto: 7/HTTP][12 pkts/3680 bytes][Host: eu.launcher.battle.net] + 2 TCP 192.168.1.100:3518 <-> 80.239.186.26:80 [proto: 7/HTTP][10 pkts/1226 bytes][Host: nydus.battle.net] + 3 TCP 192.168.1.100:3522 <-> 80.239.186.21:80 [proto: 7/HTTP][11 pkts/3620 bytes][Host: eu.launcher.battle.net] + 4 TCP 192.168.1.100:3524 <-> 80.239.186.26:80 [proto: 7/HTTP][10 pkts/1214 bytes][Host: nydus.battle.net] + 5 TCP 192.168.1.100:3526 <-> 80.239.186.40:80 [proto: 7/HTTP][11 pkts/3686 bytes][Host: eu.battle.net] 6 TCP 192.168.1.100:3427 <-> 80.239.208.193:1119 [proto: 213/Starcraft][13 pkts/902 bytes] - 7 UDP 239.255.255.250:1900 <-> 192.168.1.254:38605 [proto: 12/SSDP][11 pkts/4984 bytes] + 7 UDP 192.168.1.254:38605 <-> 239.255.255.250:1900 [proto: 12/SSDP][11 pkts/4984 bytes] 8 UDP 192.168.1.100:53145 <-> 192.168.1.254:53 [proto: 5/DNS][4 pkts/336 bytes][Host: nydus.battle.net] 9 UDP 192.168.1.100:58831 <-> 192.168.1.254:53 [proto: 5/DNS][4 pkts/417 bytes][Host: 254.1.168.192.in-addr.arpa] 10 UDP 192.168.1.100:58851 <-> 192.168.1.254:53 [proto: 5/DNS][4 pkts/455 bytes][Host: 22.40.194.173.in-addr.arpa] @@ -32,15 +32,15 @@ Starcraft 236 51494 6 20 TCP 192.168.1.100:3481 <-> 2.228.46.114:443 [proto: 91/SSL][4 pkts/275 bytes] 21 TCP 192.168.1.100:3479 <-> 2.228.46.114:443 [proto: 91/SSL][4 pkts/275 bytes] 22 TCP 192.168.1.100:3491 <-> 2.228.46.104:443 [proto: 91/SSL][4 pkts/275 bytes] - 23 TCP 80.239.186.26:80 <-> 192.168.1.100:3515 [proto: 7/HTTP][10 pkts/1224 bytes][Host: nydus.battle.net] - 24 TCP 80.239.186.21:80 <-> 192.168.1.100:3519 [proto: 7/HTTP][9 pkts/979 bytes][Host: eu.launcher.battle.net] - 25 TCP 80.239.186.26:80 <-> 192.168.1.100:3521 [proto: 7/HTTP][10 pkts/1224 bytes][Host: nydus.battle.net] - 26 TCP 80.239.186.26:80 <-> 192.168.1.100:3523 [proto: 7/HTTP][10 pkts/1208 bytes][Host: nydus.battle.net] - 27 TCP 80.239.186.40:80 <-> 192.168.1.100:3525 [proto: 7/HTTP][12 pkts/3933 bytes][Host: eu.battle.net] + 23 TCP 192.168.1.100:3515 <-> 80.239.186.26:80 [proto: 7/HTTP][10 pkts/1224 bytes][Host: nydus.battle.net] + 24 TCP 192.168.1.100:3519 <-> 80.239.186.21:80 [proto: 7/HTTP][9 pkts/979 bytes][Host: eu.launcher.battle.net] + 25 TCP 192.168.1.100:3521 <-> 80.239.186.26:80 [proto: 7/HTTP][10 pkts/1224 bytes][Host: nydus.battle.net] + 26 TCP 192.168.1.100:3523 <-> 80.239.186.26:80 [proto: 7/HTTP][10 pkts/1208 bytes][Host: nydus.battle.net] + 27 TCP 192.168.1.100:3525 <-> 80.239.186.40:80 [proto: 7/HTTP][12 pkts/3933 bytes][Host: eu.battle.net] 28 TCP 80.239.186.26:443 <-> 192.168.1.100:3476 [proto: 91/SSL][1 pkts/60 bytes] 29 TCP 80.239.186.40:443 <-> 192.168.1.100:3478 [proto: 91/SSL][1 pkts/60 bytes] 30 TCP 192.168.1.100:2759 <-> 64.233.184.188:5228 [proto: 126/Google][2 pkts/121 bytes] - 31 TCP 192.168.1.100:3508 <-> 87.248.221.254:80 [proto: 7.60/HTTP.HTTPDownload][179 pkts/134204 bytes][Host: llnw.blizzard.com] + 31 TCP 192.168.1.100:3508 <-> 87.248.221.254:80 [proto: 7.60/HTTP.HTTP_Download][179 pkts/134204 bytes][Host: llnw.blizzard.com] 32 UDP 173.194.40.22:443 <-> 192.168.1.100:53568 [proto: 188/QUIC][6 pkts/475 bytes] 33 UDP 192.168.1.100:55468 <-> 192.168.1.254:53 [proto: 5/DNS][4 pkts/556 bytes][Host: bnetcmsus-a.akamaihd.net] 34 UDP 192.168.1.100:58818 <-> 192.168.1.254:53 [proto: 5/DNS][4 pkts/432 bytes][Host: 91.252.30.192.in-addr.arpa] @@ -60,5 +60,5 @@ Starcraft 236 51494 6 48 TCP 192.168.1.100:3490 <-> 2.228.46.104:443 [proto: 91/SSL][4 pkts/275 bytes] 49 TCP 192.168.1.100:3482 <-> 2.228.46.114:443 [proto: 91/SSL][4 pkts/275 bytes] 50 TCP 192.168.1.100:3480 <-> 2.228.46.114:443 [proto: 91/SSL][4 pkts/275 bytes] - 51 TCP 12.129.222.54:80 <-> 192.168.1.100:3512 [proto: 7.76/HTTP.WorldOfWarcraft][9 pkts/880 bytes][Host: us.scan.worldofwarcraft.com] - 52 UDP 62.115.246.51:1119 <-> 192.168.1.100:53146 [proto: 213/Starcraft][2 pkts/104 bytes] + 51 TCP 192.168.1.100:3512 <-> 12.129.222.54:80 [proto: 7.76/HTTP.WorldOfWarcraft][9 pkts/880 bytes][Host: us.scan.worldofwarcraft.com] + 52 UDP 192.168.1.100:53146 <-> 62.115.246.51:1119 [proto: 213/Starcraft][2 pkts/104 bytes] diff --git a/tests/result/teredo.pcap.out b/tests/result/teredo.pcap.out index 6c65bc313..d73d8c080 100644 --- a/tests/result/teredo.pcap.out +++ b/tests/result/teredo.pcap.out @@ -1,7 +1,7 @@ Teredo 24 2574 5 - 1 UDP 194.136.28.76:3544 <-> 10.112.16.106:52513 [proto: 214/Teredo][4 pkts/508 bytes] - 2 UDP 194.136.28.76:3544 <-> 10.112.16.89:60381 [proto: 214/Teredo][2 pkts/254 bytes] + 1 UDP 10.112.16.106:52513 <-> 194.136.28.76:3544 [proto: 214/Teredo][4 pkts/508 bytes] + 2 UDP 10.112.16.89:60381 <-> 194.136.28.76:3544 [proto: 214/Teredo][2 pkts/254 bytes] 3 UDP 10.112.16.67:51812 <-> 194.136.28.76:3544 [proto: 214/Teredo][14 pkts/1304 bytes] 4 UDP 10.112.16.64:56154 <-> 194.136.28.76:3544 [proto: 214/Teredo][2 pkts/254 bytes] - 5 UDP 194.136.28.76:3544 <-> 10.112.16.92:63448 [proto: 214/Teredo][2 pkts/254 bytes] + 5 UDP 10.112.16.92:63448 <-> 194.136.28.76:3544 [proto: 214/Teredo][2 pkts/254 bytes] diff --git a/tests/result/tor.pcap.out b/tests/result/tor.pcap.out index 134965393..f733c4f84 100644 --- a/tests/result/tor.pcap.out +++ b/tests/result/tor.pcap.out @@ -5,13 +5,13 @@ Dropbox 10 1860 1 Tor 3676 3014362 7 1 UDP 192.168.1.1:17500 <-> 192.168.1.255:17500 [proto: 121/Dropbox][10 pkts/1860 bytes] - 2 UDP [fe80::c583:1972:5728:7323]:547 <-> [ff02::1:2]:546 [proto: 103/DHCPV6][6 pkts/906 bytes] - 3 TCP 212.83.155.250:443 <-> 192.168.1.252:51174 [proto: 163/Tor][32 pkts/10431 bytes] - 4 TCP 46.59.52.31:443 <-> 192.168.1.252:51111 [proto: 163/Tor][34 pkts/11142 bytes] - 5 TCP 91.143.93.242:443 <-> 192.168.1.252:51175 [proto: 163/Tor][38 pkts/12520 bytes] - 6 TCP 157.56.30.46:443 <-> 192.168.1.252:51104 [proto: 91/SSL][1 pkts/60 bytes] + 2 UDP [ff02::1:2]:546 <-> [fe80::c583:1972:5728:7323]:547 [proto: 103/DHCPV6][6 pkts/906 bytes] + 3 TCP 192.168.1.252:51174 <-> 212.83.155.250:443 [proto: 163/Tor][32 pkts/10431 bytes] + 4 TCP 192.168.1.252:51111 <-> 46.59.52.31:443 [proto: 163/Tor][34 pkts/11142 bytes] + 5 TCP 192.168.1.252:51175 <-> 91.143.93.242:443 [proto: 163/Tor][38 pkts/12520 bytes] + 6 TCP 192.168.1.252:51104 <-> 157.56.30.46:443 [proto: 91/SSL][1 pkts/60 bytes] 7 UDP 192.168.1.252:138 <-> 192.168.1.255:138 [proto: 10/NetBIOS][1 pkts/252 bytes] - 8 TCP 38.229.70.53:443 <-> 192.168.1.252:51112 [proto: 163/Tor][1576 pkts/1388792 bytes] - 9 TCP 38.229.70.53:443 <-> 192.168.1.252:51176 [proto: 163/Tor][1826 pkts/1513278 bytes] - 10 TCP 62.210.137.230:443 <-> 192.168.1.252:51185 [proto: 163/Tor][29 pkts/9661 bytes] - 11 TCP 91.143.93.242:443 <-> 192.168.1.252:51110 [proto: 163/Tor][141 pkts/68538 bytes] + 8 TCP 192.168.1.252:51112 <-> 38.229.70.53:443 [proto: 163/Tor][1576 pkts/1388792 bytes] + 9 TCP 192.168.1.252:51176 <-> 38.229.70.53:443 [proto: 163/Tor][1826 pkts/1513278 bytes] + 10 TCP 192.168.1.252:51185 <-> 62.210.137.230:443 [proto: 163/Tor][29 pkts/9661 bytes] + 11 TCP 192.168.1.252:51110 <-> 91.143.93.242:443 [proto: 163/Tor][141 pkts/68538 bytes] diff --git a/tests/result/viber_mobile.pcap.out b/tests/result/viber_mobile.pcap.out index 51b426378..c311e74b3 100644 --- a/tests/result/viber_mobile.pcap.out +++ b/tests/result/viber_mobile.pcap.out @@ -13,85 +13,85 @@ WhatsApp 31 6224 2 Viber 10081 1413446 4 Amazon 8 528 1 - 1 TCP 74.125.130.188:5228 <-> 192.168.200.222:57999 [proto: 91.126/SSL.Google][15 pkts/2458 bytes][client: mtalk.google.com] - 2 UDP 122.146.250.88:9415 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][1 pkts/146 bytes] - 3 TCP 74.125.130.188:5228 <-> 192.168.200.222:59011 [proto: 126/Google][16 pkts/5838 bytes] + 1 TCP 192.168.200.222:57999 <-> 74.125.130.188:5228 [proto: 91.126/SSL.Google][15 pkts/2458 bytes][client: mtalk.google.com] + 2 UDP 192.168.200.222:39413 <-> 122.146.250.88:9415 [proto: 37/BitTorrent][1 pkts/146 bytes] + 3 TCP 192.168.200.222:59011 <-> 74.125.130.188:5228 [proto: 126/Google][16 pkts/5838 bytes] 4 UDP 192.168.200.222:39413 <-> 134.249.176.227:7108 [proto: 37/BitTorrent][2 pkts/475 bytes] - 5 TCP 93.184.221.200:80 <-> 192.168.200.222:60828 [proto: 7/HTTP][5 pkts/300 bytes] - 6 TCP 158.85.58.23:443 <-> 192.168.200.222:44058 [proto: 91/SSL][7 pkts/532 bytes] - 7 UDP 8.8.8.8:53 <-> 192.168.200.222:15836 [proto: 5.122/DNS.GMail][2 pkts/241 bytes][Host: mail.google.com] - 8 UDP 84.202.23.122:22737 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][2 pkts/505 bytes] - 9 UDP 178.57.5.53:64731 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][2 pkts/498 bytes] - 10 UDP 60.71.113.134:37764 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][2 pkts/505 bytes] - 11 UDP 23.113.222.89:49548 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][2 pkts/503 bytes] - 12 UDP 1.163.234.205:58738 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][2 pkts/471 bytes] + 5 TCP 192.168.200.222:60828 <-> 93.184.221.200:80 [proto: 7/HTTP][5 pkts/300 bytes] + 6 TCP 192.168.200.222:44058 <-> 158.85.58.23:443 [proto: 91/SSL][7 pkts/532 bytes] + 7 UDP 192.168.200.222:15836 <-> 8.8.8.8:53 [proto: 5.122/DNS.GMail][2 pkts/241 bytes][Host: mail.google.com] + 8 UDP 192.168.200.222:39413 <-> 84.202.23.122:22737 [proto: 37/BitTorrent][2 pkts/505 bytes] + 9 UDP 192.168.200.222:39413 <-> 178.57.5.53:64731 [proto: 37/BitTorrent][2 pkts/498 bytes] + 10 UDP 192.168.200.222:39413 <-> 60.71.113.134:37764 [proto: 37/BitTorrent][2 pkts/505 bytes] + 11 UDP 192.168.200.222:39413 <-> 23.113.222.89:49548 [proto: 37/BitTorrent][2 pkts/503 bytes] + 12 UDP 192.168.200.222:39413 <-> 1.163.234.205:58738 [proto: 37/BitTorrent][2 pkts/471 bytes] 13 TCP 222.165.163.117:443 <-> 192.168.200.222:47424 [proto: 91/SSL][5 pkts/385 bytes] - 14 UDP 90.19.187.56:40500 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][1 pkts/146 bytes] - 15 UDP 80.47.129.1:44420 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][2 pkts/505 bytes] - 16 UDP 70.112.231.62:51413 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][3 pkts/438 bytes] + 14 UDP 192.168.200.222:39413 <-> 90.19.187.56:40500 [proto: 37/BitTorrent][1 pkts/146 bytes] + 15 UDP 192.168.200.222:39413 <-> 80.47.129.1:44420 [proto: 37/BitTorrent][2 pkts/505 bytes] + 16 UDP 192.168.200.222:39413 <-> 70.112.231.62:51413 [proto: 37/BitTorrent][3 pkts/438 bytes] 17 TCP 192.168.200.222:38039 <-> 31.13.79.246:443 [proto: 91.119/SSL.Facebook][37 pkts/16168 bytes][client: graph.facebook.com] - 18 UDP 94.6.33.9:46735 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][2 pkts/505 bytes] + 18 UDP 192.168.200.222:39413 <-> 94.6.33.9:46735 [proto: 37/BitTorrent][2 pkts/505 bytes] 19 TCP 216.58.199.206:443 <-> 192.168.200.222:58663 [proto: 91.126/SSL.Google][2 pkts/132 bytes] - 20 UDP 88.176.55.218:51413 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][1 pkts/146 bytes] + 20 UDP 192.168.200.222:39413 <-> 88.176.55.218:51413 [proto: 37/BitTorrent][1 pkts/146 bytes] 21 UDP 192.168.200.222:39413 <-> 182.57.65.243:27736 [proto: 37/BitTorrent][2 pkts/292 bytes] - 22 TCP 54.251.141.219:80 <-> 192.168.200.222:38778 [proto: 7.178/HTTP.Amazon][8 pkts/528 bytes] - 23 UDP 8.8.8.8:53 <-> 192.168.200.222:47874 [proto: 5.126/DNS.Google][2 pkts/197 bytes][Host: mtalk.google.com] - 24 TCP 54.169.63.186:443 <-> 192.168.200.222:39339 [proto: 91.144/SSL.Viber][6 pkts/412 bytes] - 25 UDP 92.249.148.218:53810 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][2 pkts/505 bytes] - 26 TCP 93.184.221.200:80 <-> 192.168.200.222:33161 [proto: 7/HTTP][5 pkts/300 bytes] + 22 TCP 192.168.200.222:38778 <-> 54.251.141.219:80 [proto: 7.178/HTTP.Amazon][8 pkts/528 bytes] + 23 UDP 192.168.200.222:47874 <-> 8.8.8.8:53 [proto: 5.126/DNS.Google][2 pkts/197 bytes][Host: mtalk.google.com] + 24 TCP 192.168.200.222:39339 <-> 54.169.63.186:443 [proto: 91.144/SSL.Viber][6 pkts/412 bytes] + 25 UDP 192.168.200.222:39413 <-> 92.249.148.218:53810 [proto: 37/BitTorrent][2 pkts/505 bytes] + 26 TCP 192.168.200.222:33161 <-> 93.184.221.200:80 [proto: 7/HTTP][5 pkts/300 bytes] 27 TCP 192.168.200.222:52491 <-> 31.13.79.245:443 [proto: 91.119/SSL.Facebook][11 pkts/1073 bytes] - 28 UDP 8.8.8.8:53 <-> 192.168.200.222:55854 [proto: 5/DNS][2 pkts/236 bytes][Host: s.jpush.cn] - 29 UDP 8.8.8.8:53 <-> 192.168.200.222:58434 [proto: 5/DNS][2 pkts/349 bytes][Host: e.crashlytics.com] - 30 UDP 2.85.108.0:21241 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][2 pkts/505 bytes] - 31 TCP 112.124.219.82:80 <-> 192.168.200.222:36675 [proto: 7/HTTP][9 pkts/2188 bytes][Host: androiddailyyogacn.oss-cn-hangzhou.aliyuncs.com] - 32 UDP 8.8.8.8:53 <-> 192.168.200.222:60474 [proto: 5/DNS][2 pkts/218 bytes][Host: easytomessage.com] - 33 UDP 24.43.1.206:17193 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][8 pkts/1992 bytes] + 28 UDP 192.168.200.222:55854 <-> 8.8.8.8:53 [proto: 5/DNS][2 pkts/236 bytes][Host: s.jpush.cn] + 29 UDP 192.168.200.222:58434 <-> 8.8.8.8:53 [proto: 5/DNS][2 pkts/349 bytes][Host: e.crashlytics.com] + 30 UDP 192.168.200.222:39413 <-> 2.85.108.0:21241 [proto: 37/BitTorrent][2 pkts/505 bytes] + 31 TCP 192.168.200.222:36675 <-> 112.124.219.82:80 [proto: 7/HTTP][9 pkts/2188 bytes][Host: androiddailyyogacn.oss-cn-hangzhou.aliyuncs.com] + 32 UDP 192.168.200.222:60474 <-> 8.8.8.8:53 [proto: 5/DNS][2 pkts/218 bytes][Host: easytomessage.com] + 33 UDP 192.168.200.222:39413 <-> 24.43.1.206:17193 [proto: 37/BitTorrent][8 pkts/1992 bytes] 34 ICMP 8.8.8.8:0 <-> 192.168.200.222:0 [proto: 81.126/ICMP.Google][1 pkts/148 bytes] 35 UDP 192.168.200.222:39413 <-> 186.220.157.231:45235 [proto: 37/BitTorrent][2 pkts/505 bytes] - 36 TCP 74.125.68.156:443 <-> 192.168.200.222:51055 [proto: 91.126/SSL.Google][31 pkts/7607 bytes][client: googleads.g.doubleclick.net] + 36 TCP 192.168.200.222:51055 <-> 74.125.68.156:443 [proto: 91.126/SSL.Google][31 pkts/7607 bytes][client: googleads.g.doubleclick.net] 37 ICMP 37.214.167.82:0 <-> 192.168.200.222:0 [proto: 81/ICMP][1 pkts/174 bytes] - 38 UDP 80.234.25.211:12624 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][2 pkts/505 bytes] - 39 TCP 112.124.219.93:80 <-> 192.168.200.222:46761 [proto: 7/HTTP][9 pkts/1083 bytes][Host: androiddailyyogacn.oss-cn-hangzhou.aliyuncs.com] - 40 TCP 93.184.221.200:80 <-> 192.168.200.222:52977 [proto: 7/HTTP][5 pkts/300 bytes] + 38 UDP 192.168.200.222:39413 <-> 80.234.25.211:12624 [proto: 37/BitTorrent][2 pkts/505 bytes] + 39 TCP 192.168.200.222:46761 <-> 112.124.219.93:80 [proto: 7/HTTP][9 pkts/1083 bytes][Host: androiddailyyogacn.oss-cn-hangzhou.aliyuncs.com] + 40 TCP 192.168.200.222:52977 <-> 93.184.221.200:80 [proto: 7/HTTP][5 pkts/300 bytes] 41 UDP 192.168.200.222:39413 <-> 120.57.18.255:10201 [proto: 37/BitTorrent][2 pkts/505 bytes] - 42 UDP 8.8.8.8:53 <-> 192.168.200.222:16965 [proto: 5/DNS][2 pkts/366 bytes][Host: settings.crashlytics.com] - 43 UDP 24.43.1.206:40959 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][4 pkts/996 bytes] - 44 UDP 46.181.170.37:36237 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][2 pkts/505 bytes] - 45 UDP 8.8.8.8:53 <-> 192.168.200.222:22761 [proto: 5/DNS][2 pkts/246 bytes][Host: androiddailyyogacn.oss-cn-hangzhou.aliyuncs.com] - 46 UDP 188.165.225.138:6881 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][2 pkts/480 bytes] - 47 UDP 8.8.8.8:53 <-> 192.168.200.222:39149 [proto: 5/DNS][2 pkts/192 bytes][Host: sis.jpush.io] + 42 UDP 192.168.200.222:16965 <-> 8.8.8.8:53 [proto: 5/DNS][2 pkts/366 bytes][Host: settings.crashlytics.com] + 43 UDP 192.168.200.222:39413 <-> 24.43.1.206:40959 [proto: 37/BitTorrent][4 pkts/996 bytes] + 44 UDP 192.168.200.222:39413 <-> 46.181.170.37:36237 [proto: 37/BitTorrent][2 pkts/505 bytes] + 45 UDP 192.168.200.222:22761 <-> 8.8.8.8:53 [proto: 5/DNS][2 pkts/246 bytes][Host: androiddailyyogacn.oss-cn-hangzhou.aliyuncs.com] + 46 UDP 192.168.200.222:39413 <-> 188.165.225.138:6881 [proto: 37/BitTorrent][2 pkts/480 bytes] + 47 UDP 192.168.200.222:39149 <-> 8.8.8.8:53 [proto: 5/DNS][2 pkts/192 bytes][Host: sis.jpush.io] 48 TCP 222.165.163.93:443 <-> 192.168.200.222:52635 [proto: 91/SSL][7 pkts/529 bytes] 49 TCP 222.165.163.93:443 <-> 192.168.200.222:52641 [proto: 91/SSL][5 pkts/385 bytes] - 50 UDP 178.157.199.144:22133 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][1 pkts/146 bytes] - 51 UDP 8.8.8.8:53 <-> 192.168.200.222:39695 [proto: 5.119/DNS.Facebook][2 pkts/214 bytes][Host: graph.facebook.com] + 50 UDP 192.168.200.222:39413 <-> 178.157.199.144:22133 [proto: 37/BitTorrent][1 pkts/146 bytes] + 51 UDP 192.168.200.222:39695 <-> 8.8.8.8:53 [proto: 5.119/DNS.Facebook][2 pkts/214 bytes][Host: graph.facebook.com] 52 TCP 222.165.163.91:443 <-> 192.168.200.222:56243 [proto: 91/SSL][7 pkts/529 bytes] 53 ICMP 192.168.1.1:0 <-> 192.168.200.222:0 [proto: 81/ICMP][2 pkts/196 bytes] - 54 UDP 8.8.8.8:53 <-> 192.168.200.222:43901 [proto: 5.126/DNS.Google][2 pkts/263 bytes][Host: googleads.g.doubleclick.net] - 55 TCP 192.168.200.222:37376 <-> 74.125.68.239:443 [proto: 91.126/SSL.Google][7 pkts/532 bytes] - 56 TCP 52.0.253.46:443 <-> 192.168.200.222:43287 [proto: 64/SSL_No_Cert][36 pkts/5874 bytes] - 57 UDP 8.8.8.8:53 <-> 192.168.200.222:52263 [proto: 5.142/DNS.WhatsApp][2 pkts/278 bytes][Host: e9.whatsapp.net] - 58 TCP 23.21.254.189:443 <-> 192.168.200.222:51146 [proto: 91/SSL][22 pkts/9241 bytes][client: e.crashlytics.com][server: *.crashlytics.com] + 54 UDP 192.168.200.222:43901 <-> 8.8.8.8:53 [proto: 5.126/DNS.Google][2 pkts/263 bytes][Host: googleads.g.doubleclick.net] + 55 TCP 74.125.68.239:443 <-> 192.168.200.222:37376 [proto: 91.126/SSL.Google][7 pkts/532 bytes] + 56 TCP 192.168.200.222:43287 <-> 52.0.253.46:443 [proto: 64/SSL_No_Cert][36 pkts/5874 bytes] + 57 UDP 192.168.200.222:52263 <-> 8.8.8.8:53 [proto: 5.142/DNS.WhatsApp][2 pkts/278 bytes][Host: e9.whatsapp.net] + 58 TCP 192.168.200.222:51146 <-> 23.21.254.189:443 [proto: 91/SSL][22 pkts/9241 bytes][client: e.crashlytics.com][server: *.crashlytics.com] 59 TCP 52.0.253.46:4244 <-> 192.168.200.222:43454 [proto: 144/Viber][16 pkts/2043 bytes] - 60 TCP 74.125.200.18:443 <-> 192.168.200.222:42040 [proto: 91.122/SSL.GMail][33 pkts/14532 bytes][client: mail.google.com] - 61 UDP 37.214.167.82:11905 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][1 pkts/146 bytes] - 62 UDP 8.8.8.8:53 <-> 192.168.200.222:58921 [proto: 5/DNS][4 pkts/336 bytes][Host: sis.jpush.io] - 63 TCP 93.184.221.200:80 <-> 192.168.200.222:43646 [proto: 7/HTTP][5 pkts/300 bytes] + 60 TCP 192.168.200.222:42040 <-> 74.125.200.18:443 [proto: 91.122/SSL.GMail][33 pkts/14532 bytes][client: mail.google.com] + 61 UDP 192.168.200.222:39413 <-> 37.214.167.82:11905 [proto: 37/BitTorrent][1 pkts/146 bytes] + 62 UDP 192.168.200.222:58921 <-> 8.8.8.8:53 [proto: 5/DNS][4 pkts/336 bytes][Host: sis.jpush.io] + 63 TCP 192.168.200.222:43646 <-> 93.184.221.200:80 [proto: 7/HTTP][5 pkts/300 bytes] 64 TCP 192.168.200.222:40005 <-> 108.168.176.234:443 [proto: 142/WhatsApp][29 pkts/5946 bytes] - 65 UDP 93.100.186.199:6881 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][2 pkts/498 bytes] - 66 UDP 54.169.63.186:7985 <-> 192.168.200.222:48564 [proto: 144/Viber][10057 pkts/1410853 bytes] - 67 UDP 54.169.63.186:7987 <-> 192.168.200.222:48564 [proto: 144/Viber][2 pkts/138 bytes] - 68 TCP 93.184.221.200:80 <-> 192.168.200.222:50854 [proto: 7/HTTP][5 pkts/300 bytes] + 65 UDP 192.168.200.222:39413 <-> 93.100.186.199:6881 [proto: 37/BitTorrent][2 pkts/498 bytes] + 66 UDP 192.168.200.222:48564 <-> 54.169.63.186:7985 [proto: 144/Viber][10057 pkts/1410853 bytes] + 67 UDP 192.168.200.222:48564 <-> 54.169.63.186:7987 [proto: 144/Viber][2 pkts/138 bytes] + 68 TCP 192.168.200.222:50854 <-> 93.184.221.200:80 [proto: 7/HTTP][5 pkts/300 bytes] 69 UDP 192.168.200.222:39413 <-> 81.192.42.247:15057 [proto: 37/BitTorrent][1 pkts/146 bytes] - 70 UDP 92.245.59.202:12998 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][2 pkts/505 bytes] - 71 TCP 108.160.172.205:443 <-> 192.168.200.222:51765 [proto: 91.121/SSL.Dropbox][2 pkts/163 bytes] - 72 TCP 107.22.192.179:443 <-> 192.168.200.222:52269 [proto: 91/SSL][26 pkts/10057 bytes][client: settings.crashlytics.com][server: *.crashlytics.com] + 70 UDP 192.168.200.222:39413 <-> 92.245.59.202:12998 [proto: 37/BitTorrent][2 pkts/505 bytes] + 71 TCP 192.168.200.222:51765 <-> 108.160.172.205:443 [proto: 91.121/SSL.Dropbox][2 pkts/163 bytes] + 72 TCP 192.168.200.222:52269 <-> 107.22.192.179:443 [proto: 91/SSL][26 pkts/10057 bytes][client: settings.crashlytics.com][server: *.crashlytics.com] Undetected flows: - 1 TCP 113.31.80.142:7003 <-> 192.168.200.222:55554 [proto: 0/Unknown][6 pkts/446 bytes] - 2 UDP 175.157.52.135:37299 <-> 192.168.200.222:48564 [proto: 0/Unknown][30 pkts/1800 bytes] - 3 UDP 175.157.52.135:37301 <-> 192.168.200.222:48564 [proto: 0/Unknown][30 pkts/1800 bytes] - 4 TCP 113.31.80.142:7003 <-> 192.168.200.222:55565 [proto: 0/Unknown][7 pkts/549 bytes] - 5 UDP 10.216.246.82:59027 <-> 192.168.200.222:48564 [proto: 0/Unknown][30 pkts/1800 bytes] - 6 UDP 175.157.52.135:37300 <-> 192.168.200.222:48564 [proto: 0/Unknown][30 pkts/1800 bytes] - 7 UDP 175.157.52.135:37302 <-> 192.168.200.222:48564 [proto: 0/Unknown][30 pkts/1800 bytes] + 1 TCP 192.168.200.222:55554 <-> 113.31.80.142:7003 [proto: 0/Unknown][6 pkts/446 bytes] + 2 UDP 192.168.200.222:48564 <-> 175.157.52.135:37299 [proto: 0/Unknown][30 pkts/1800 bytes] + 3 UDP 192.168.200.222:48564 <-> 175.157.52.135:37301 [proto: 0/Unknown][30 pkts/1800 bytes] + 4 TCP 192.168.200.222:55565 <-> 113.31.80.142:7003 [proto: 0/Unknown][7 pkts/549 bytes] + 5 UDP 192.168.200.222:48564 <-> 10.216.246.82:59027 [proto: 0/Unknown][30 pkts/1800 bytes] + 6 UDP 192.168.200.222:48564 <-> 175.157.52.135:37300 [proto: 0/Unknown][30 pkts/1800 bytes] + 7 UDP 192.168.200.222:48564 <-> 175.157.52.135:37302 [proto: 0/Unknown][30 pkts/1800 bytes] diff --git a/tests/result/vnc.pcap.out b/tests/result/vnc.pcap.out index ad20b1441..03faca104 100644 --- a/tests/result/vnc.pcap.out +++ b/tests/result/vnc.pcap.out @@ -1,4 +1,4 @@ VNC 4551 329158 2 - 1 TCP 192.168.2.110:6900 <-> 95.237.48.208:51559 [proto: 89/VNC][1008 pkts/72613 bytes] - 2 TCP 192.168.2.110:6900 <-> 95.237.48.208:59791 [proto: 89/VNC][3543 pkts/256545 bytes] + 1 TCP 95.237.48.208:51559 <-> 192.168.2.110:6900 [proto: 89/VNC][1008 pkts/72613 bytes] + 2 TCP 95.237.48.208:59791 <-> 192.168.2.110:6900 [proto: 89/VNC][3543 pkts/256545 bytes] diff --git a/tests/result/waze.pcap.out b/tests/result/waze.pcap.out index b74ec7a15..f73d020a8 100644 --- a/tests/result/waze.pcap.out +++ b/tests/result/waze.pcap.out @@ -1,7 +1,7 @@ Unknown 10 786 1 HTTP 28 1572 7 NTP 2 180 1 -HTTPDownload 37 63205 1 +HTTP_Download 37 63205 1 SSL_No_Cert 13 2142 1 SSL 8 432 2 Waze 484 289335 19 @@ -11,12 +11,12 @@ WhatsApp 15 1341 1 2 TCP 10.8.0.1:36312 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][32 pkts/44619 bytes][server: *.world.waze.com] 3 TCP 10.8.0.1:36314 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][20 pkts/5673 bytes][server: *.world.waze.com] 4 TCP 10.8.0.1:36316 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][28 pkts/27886 bytes][server: *.world.waze.com] - 5 TCP 200.160.4.49:80 <-> 10.16.37.157:41823 [proto: 7/HTTP][4 pkts/228 bytes] - 6 TCP 200.160.4.31:80 <-> 10.16.37.157:43991 [proto: 7/HTTP][4 pkts/228 bytes] + 5 TCP 10.16.37.157:41823 <-> 200.160.4.49:80 [proto: 7/HTTP][4 pkts/228 bytes] + 6 TCP 10.16.37.157:43991 <-> 200.160.4.31:80 [proto: 7/HTTP][4 pkts/228 bytes] 7 TCP 10.8.0.1:51050 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][18 pkts/5553 bytes][server: *.waze.com] 8 TCP 10.8.0.1:45169 <-> 200.160.4.198:80 [proto: 7/HTTP][4 pkts/216 bytes] - 9 TCP 200.160.4.49:80 <-> 10.16.37.157:46473 [proto: 7/HTTP][4 pkts/228 bytes] - 10 TCP 200.160.4.49:80 <-> 10.16.37.157:52953 [proto: 7/HTTP][4 pkts/228 bytes] + 9 TCP 10.16.37.157:46473 <-> 200.160.4.49:80 [proto: 7/HTTP][4 pkts/228 bytes] + 10 TCP 10.16.37.157:52953 <-> 200.160.4.49:80 [proto: 7/HTTP][4 pkts/228 bytes] 11 TCP 10.8.0.1:36100 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][107 pkts/85712 bytes][server: *.world.waze.com] 12 TCP 10.8.0.1:36102 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][37 pkts/11984 bytes][server: *.world.waze.com] 13 TCP 10.8.0.1:36134 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][24 pkts/6585 bytes][server: *.world.waze.com] @@ -27,13 +27,13 @@ WhatsApp 15 1341 1 18 TCP 10.8.0.1:45546 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][14 pkts/1328 bytes][Host: cres.waze.com] 19 TCP 10.8.0.1:45552 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][14 pkts/1323 bytes][Host: cres.waze.com] 20 TCP 10.8.0.1:45554 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][14 pkts/1319 bytes][Host: cres.waze.com] - 21 TCP 10.8.0.1:54915 <-> 65.39.128.135:80 [proto: 7.60/HTTP.HTTPDownload][37 pkts/63205 bytes][Host: xtra1.gpsonextra.net] + 21 TCP 10.8.0.1:54915 <-> 65.39.128.135:80 [proto: 7.60/HTTP.HTTP_Download][37 pkts/63205 bytes][Host: xtra1.gpsonextra.net] 22 TCP 10.8.0.1:36585 <-> 173.194.118.48:443 [proto: 64/SSL_No_Cert][13 pkts/2142 bytes] 23 TCP 10.8.0.1:43089 <-> 200.160.4.198:443 [proto: 91/SSL][4 pkts/216 bytes] 24 TCP 10.8.0.1:51049 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][23 pkts/7823 bytes][server: *.waze.com] 25 TCP 10.8.0.1:51051 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][21 pkts/7715 bytes][server: *.waze.com] 26 UDP 10.8.0.1:46214 <-> 200.89.75.198:123 [proto: 9/NTP][2 pkts/180 bytes] - 27 TCP 200.160.4.49:80 <-> 10.16.37.157:52746 [proto: 7/HTTP][4 pkts/228 bytes] + 27 TCP 10.16.37.157:52746 <-> 200.160.4.49:80 [proto: 7/HTTP][4 pkts/228 bytes] 28 TCP 10.8.0.1:60574 <-> 200.160.4.49:80 [proto: 7/HTTP][4 pkts/216 bytes] 29 TCP 10.8.0.1:60479 <-> 200.160.4.49:443 [proto: 91/SSL][4 pkts/216 bytes] 30 TCP 10.8.0.1:36137 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][23 pkts/5742 bytes][server: *.world.waze.com] @@ -42,4 +42,4 @@ WhatsApp 15 1341 1 Undetected flows: - 1 TCP 174.37.231.81:5222 <-> 10.16.37.157:42256 [proto: 0/Unknown][10 pkts/786 bytes] + 1 TCP 10.16.37.157:42256 <-> 174.37.231.81:5222 [proto: 0/Unknown][10 pkts/786 bytes] diff --git a/tests/result/webex.pcap.out b/tests/result/webex.pcap.out index 2bca4171c..3d17c6a68 100644 --- a/tests/result/webex.pcap.out +++ b/tests/result/webex.pcap.out @@ -19,7 +19,7 @@ Amazon 3 174 1 11 TCP 10.8.0.1:47841 <-> 114.29.200.11:443 [proto: 91.141/SSL.Webex][11 pkts/4584 bytes][server: *.webex.com] 12 UDP 10.8.0.1:51772 <-> 62.109.229.158:9000 [proto: 141/Webex][16 pkts/1171 bytes] 13 TCP 10.8.0.1:59757 <-> 78.46.237.91:80 [proto: 7/HTTP][10 pkts/1391 bytes][Host: cp.pushwoosh.com] - 14 TCP 107.20.242.44:443 <-> 10.133.206.47:59447 [proto: 91.178/SSL.Amazon][3 pkts/174 bytes] + 14 TCP 10.133.206.47:59447 <-> 107.20.242.44:443 [proto: 91.178/SSL.Amazon][3 pkts/174 bytes] 15 TCP 10.8.0.1:55665 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][22 pkts/6555 bytes][server: *.webex.com] 16 TCP 10.8.0.1:55669 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][23 pkts/6641 bytes][server: *.webex.com] 17 TCP 10.8.0.1:55671 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][22 pkts/6555 bytes][server: *.webex.com] @@ -48,7 +48,7 @@ Amazon 3 174 1 40 TCP 10.8.0.1:52730 <-> 173.243.4.76:443 [proto: 91.141/SSL.Webex][17 pkts/7990 bytes][server: *.webex.com] 41 TCP 10.8.0.1:43433 <-> 216.58.208.40:443 [proto: 91.126/SSL.Google][17 pkts/6375 bytes][client: ssl.google-analytics.com] 42 TCP 10.8.0.1:47498 <-> 209.197.222.159:443 [proto: 91.141/SSL.Webex][14 pkts/7796 bytes][server: *.webex.com] - 43 TCP 185.63.147.10:443 <-> 10.133.206.47:54651 [proto: 91/SSL][3 pkts/174 bytes] + 43 TCP 10.133.206.47:54651 <-> 185.63.147.10:443 [proto: 91/SSL][3 pkts/174 bytes] 44 UDP 10.8.0.1:64538 <-> 172.16.1.75:5060 [proto: 100/SIP][22 pkts/15356 bytes] 45 TCP 10.133.206.47:33459 <-> 80.74.110.68:443 [proto: 91/SSL][5 pkts/317 bytes] 46 TCP 10.8.0.1:33512 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][18 pkts/1972 bytes] diff --git a/tests/result/wechat.pcap.out b/tests/result/wechat.pcap.out new file mode 100644 index 000000000..ed61d910e --- /dev/null +++ b/tests/result/wechat.pcap.out @@ -0,0 +1,120 @@ +Unknown 1 110 1 +DNS 6 494 3 +HTTP 70 4620 8 +MDNS 116 10672 4 +NTP 1 90 1 +NetBIOS 12 1579 2 +DHCP 1 342 1 +IGMP 24 1280 4 +SSL 21 1209 3 +ICMPV6 3 218 2 +Google 128 29925 17 +LLMNR 12 944 6 +WeChat 1277 615827 51 + + 1 UDP 192.168.1.103:33915 <-> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][1 pkts/82 bytes][Host: webpush.web.wechat.com] + 2 TCP 192.168.1.103:40740 <-> 203.205.151.211:443 [proto: 91/SSL][8 pkts/469 bytes] + 3 UDP 192.168.1.103:41759 <-> 192.168.1.254:53 [proto: 5/DNS][2 pkts/162 bytes][Host: 2.debian.pool.ntp.org] + 4 UDP 192.168.1.103:42589 <-> 192.168.1.254:53 [proto: 5.126/DNS.Google][1 pkts/75 bytes][Host: ssl.gstatic.com] + 5 UDP 192.168.1.103:43317 <-> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][1 pkts/82 bytes][Host: webpush.web.wechat.com] + 6 UDP 192.168.1.103:43705 <-> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][2 pkts/172 bytes][Host: webpush.web.wechat.com.lan] + 7 TCP 192.168.1.103:43850 <-> 203.205.158.34:443 [proto: 91.197/SSL.WeChat][24 pkts/8792 bytes][client: res.wx.qq.com] + 8 UDP 192.168.1.103:44063 <-> 192.168.1.254:53 [proto: 5/DNS][2 pkts/162 bytes][Host: 1.debian.pool.ntp.org] + 9 UDP [fe80::91f9:3df3:7436:6cd6]:5353 <-> [ff02::fb]:5353 [proto: 8/MDNS][14 pkts/1428 bytes] + 10 TCP 192.168.1.103:53220 <-> 172.217.23.78:443 [proto: 91.126/SSL.Google][8 pkts/583 bytes] + 11 TCP 192.168.1.103:47627 <-> 216.58.205.78:443 [proto: 91.126/SSL.Google][7 pkts/517 bytes] + 12 TCP 192.168.1.103:49787 <-> 216.58.205.142:443 [proto: 91.126/SSL.Google][6 pkts/396 bytes] + 13 UDP 192.168.1.103:53515 <-> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][1 pkts/86 bytes][Host: webpush.web.wechat.com.lan] + 14 TCP 203.205.151.162:443 <-> 192.168.1.103:54084 [proto: 91.197/SSL.WeChat][6 pkts/1000 bytes] + 15 TCP 203.205.151.162:443 <-> 192.168.1.103:54058 [proto: 91.197/SSL.WeChat][179 pkts/76956 bytes] + 16 TCP 192.168.1.103:54090 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][17 pkts/4669 bytes][client: web.wechat.com] + 17 TCP 192.168.1.103:54092 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][26 pkts/11506 bytes][client: web.wechat.com] + 18 TCP 192.168.1.103:54094 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][40 pkts/18455 bytes][client: web.wechat.com] + 19 TCP 192.168.1.103:54096 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][17 pkts/4669 bytes][client: web.wechat.com] + 20 TCP 192.168.1.103:54098 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][38 pkts/15082 bytes][client: web.wechat.com] + 21 TCP 192.168.1.103:54100 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][27 pkts/10532 bytes][client: web.wechat.com] + 22 TCP 192.168.1.103:54102 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][28 pkts/18041 bytes][client: web.wechat.com] + 23 TCP 192.168.1.103:54104 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][17 pkts/4669 bytes][client: web.wechat.com] + 24 TCP 192.168.1.103:54110 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][2 pkts/132 bytes] + 25 TCP 192.168.1.103:54106 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][2 pkts/132 bytes] + 26 TCP 192.168.1.103:54112 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][9 pkts/618 bytes] + 27 TCP 192.168.1.103:54114 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][9 pkts/618 bytes] + 28 TCP 192.168.1.103:54118 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][18 pkts/4735 bytes][client: web.wechat.com] + 29 TCP 192.168.1.103:54120 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][18 pkts/4743 bytes][client: web.wechat.com] + 30 UDP 192.168.1.103:56367 <-> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][2 pkts/164 bytes][Host: webpush.web.wechat.com] + 31 TCP 192.168.1.103:58036 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][26 pkts/11518 bytes][client: web.wechat.com] + 32 UDP 192.168.1.103:58165 <-> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][1 pkts/82 bytes][Host: webpush.web.wechat.com] + 33 TCP 192.168.1.103:58038 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][59 pkts/29728 bytes][client: web.wechat.com] + 34 TCP 192.168.1.103:58040 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][49 pkts/24468 bytes][client: web.wechat.com] + 35 TCP 192.168.1.103:58042 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][22 pkts/9520 bytes][client: web.wechat.com] + 36 TCP 192.168.1.103:58226 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][6 pkts/396 bytes] + 37 UDP 192.168.1.103:59567 <-> 192.168.1.254:53 [proto: 5.126/DNS.Google][1 pkts/79 bytes][Host: ssl.gstatic.com.lan] + 38 TCP 192.168.1.103:58143 <-> 216.58.205.131:443 [proto: 91.126/SSL.Google][3 pkts/1078 bytes] + 39 UDP 192.168.1.103:57591 <-> 216.58.198.46:443 [proto: 188.126/QUIC.Google][13 pkts/4812 bytes][Host: docs.google.com] + 40 UDP 192.168.1.100:57401 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes][Host: mcztmpkc] + 41 TCP 192.168.1.103:34996 <-> 95.101.34.33:80 [proto: 7/HTTP][9 pkts/594 bytes] + 42 TCP 192.168.1.103:35000 <-> 95.101.34.33:80 [proto: 7/HTTP][9 pkts/594 bytes] + 43 UDP [fe80::7a92:9cff:fe0f:a88e]:5353 <-> [ff02::fb]:5353 [proto: 8/MDNS][44 pkts/4488 bytes] + 44 TCP 192.168.1.103:54205 <-> 64.233.167.188:443 [proto: 91.126/SSL.Google][2 pkts/132 bytes] + 45 ICMPV6 [fe80::842:a3f3:a286:6c5b]:0 <-> [ff02::2]:0 [proto: 102/ICMPV6][2 pkts/132 bytes] + 46 UDP [ff02::1:3]:50440 <-> [fe80::91f9:3df3:7436:6cd6]:5355 [proto: 154/LLMNR][2 pkts/180 bytes][Host: lbjamwptxz] + 47 TCP 192.168.1.103:52020 <-> 95.101.180.179:80 [proto: 7/HTTP][8 pkts/528 bytes] + 48 UDP 192.168.1.103:35601 <-> 172.217.23.67:443 [proto: 188.126/QUIC.Google][10 pkts/3972 bytes][Host: ssl.gstatic.com] + 49 TCP 192.168.1.103:38657 <-> 172.217.22.14:443 [proto: 91.126/SSL.Google][34 pkts/8681 bytes][client: safebrowsing.googleusercontent.com] + 50 UDP 0.0.0.0:68 <-> 255.255.255.255:67 [proto: 18/DHCP][1 pkts/342 bytes][Host: iphonedimonica] + 51 UDP 192.168.1.103:37578 <-> 193.204.114.233:123 [proto: 9/NTP][1 pkts/90 bytes] + 52 TCP 192.168.1.103:40741 <-> 203.205.151.211:443 [proto: 91/SSL][4 pkts/216 bytes] + 53 UDP 192.168.1.103:42074 <-> 192.168.1.254:53 [proto: 5.126/DNS.Google][2 pkts/158 bytes][Host: ssl.gstatic.com.lan] + 54 UDP 192.168.1.103:42856 <-> 192.168.1.254:53 [proto: 5/DNS][2 pkts/170 bytes][Host: 1.debian.pool.ntp.org.lan] + 55 ICMPV6 [::]:0 <-> [ff02::1:ff86:6c5b]:0 [proto: 102/ICMPV6][1 pkts/86 bytes] + 56 TCP 192.168.1.103:43851 <-> 203.205.158.34:443 [proto: 91/SSL][9 pkts/524 bytes] + 57 UDP 192.168.1.103:44346 <-> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][1 pkts/86 bytes][Host: webpush.web.wechat.com.lan] + 58 UDP 192.168.1.103:45366 <-> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][2 pkts/164 bytes][Host: webpush.web.wechat.com] + 59 UDP 192.168.1.103:46078 <-> 192.168.1.254:53 [proto: 5.126/DNS.Google][2 pkts/309 bytes][Host: ssl.gstatic.com] + 60 UDP 192.168.1.103:51507 <-> 172.217.23.67:443 [proto: 188.126/QUIC.Google][13 pkts/6836 bytes][Host: ssl.gstatic.com] + 61 UDP 192.168.1.103:53734 <-> 192.168.1.254:53 [proto: 5.126/DNS.Google][2 pkts/366 bytes][Host: safebrowsing.googleusercontent.com] + 62 TCP 192.168.1.103:54085 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][3 pkts/198 bytes] + 63 TCP 192.168.1.103:54089 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][41 pkts/26587 bytes][client: web.wechat.com] + 64 TCP 192.168.1.103:54091 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][15 pkts/4537 bytes][client: web.wechat.com] + 65 TCP 192.168.1.103:54093 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][8 pkts/552 bytes] + 66 TCP 192.168.1.103:54095 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][39 pkts/25723 bytes][client: web.wechat.com] + 67 TCP 192.168.1.103:54097 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][44 pkts/19995 bytes][client: web.wechat.com] + 68 TCP 192.168.1.103:54099 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][54 pkts/36453 bytes][client: web.wechat.com] + 69 TCP 192.168.1.103:54101 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][86 pkts/65999 bytes][client: web.wechat.com] + 70 TCP 192.168.1.103:54103 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][96 pkts/63642 bytes][client: web.wechat.com] + 71 TCP 192.168.1.103:54109 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][2 pkts/132 bytes] + 72 TCP 192.168.1.103:54111 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][26 pkts/9761 bytes][client: web.wechat.com] + 73 TCP 192.168.1.103:54113 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][73 pkts/44045 bytes][client: web.wechat.com] + 74 TCP 192.168.1.103:54117 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][36 pkts/14963 bytes][client: web.wechat.com] + 75 TCP 192.168.1.103:54119 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][50 pkts/30965 bytes][client: web.wechat.com] + 76 TCP 192.168.1.103:54183 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][2 pkts/2508 bytes] + 77 UDP 192.168.1.103:55862 <-> 192.168.1.254:53 [proto: 5.126/DNS.Google][2 pkts/302 bytes][Host: docs.google.com] + 78 TCP 192.168.1.103:58037 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][8 pkts/552 bytes] + 79 TCP 192.168.1.103:58039 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][17 pkts/1146 bytes] + 80 TCP 192.168.1.103:58041 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][18 pkts/4743 bytes][client: web.wechat.com] + 81 TCP 192.168.1.103:58043 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][5 pkts/354 bytes] + 82 UDP 192.168.1.103:60356 <-> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][2 pkts/465 bytes][Host: web.wechat.com] + 83 UDP 192.168.1.103:60562 <-> 192.168.1.254:53 [proto: 5.126/DNS.Google][2 pkts/309 bytes][Host: ssl.gstatic.com] + 84 UDP 192.168.1.100:49832 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes][Host: cansaqcq] + 85 UDP 192.168.1.100:138 <-> 192.168.1.255:138 [proto: 10/NetBIOS][3 pkts/751 bytes] + 86 UDP 192.168.1.100:137 <-> 192.168.1.255:137 [proto: 10/NetBIOS][9 pkts/828 bytes] + 87 UDP 192.168.1.100:54124 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/140 bytes][Host: lbjamwptxz] + 88 IGMP 224.0.0.1:0 <-> 192.168.1.254:0 [proto: 82/IGMP][4 pkts/200 bytes] + 89 IGMP 224.0.0.22:0 <-> 192.168.1.100:0 [proto: 82/IGMP][15 pkts/810 bytes] + 90 IGMP 224.0.0.22:0 <-> 192.168.1.103:0 [proto: 82/IGMP][4 pkts/216 bytes] + 91 IGMP 224.0.0.22:0 <-> 192.168.1.108:0 [proto: 82/IGMP][1 pkts/54 bytes] + 92 TCP 192.168.1.103:36017 <-> 64.233.167.188:5228 [proto: 126/Google][20 pkts/1320 bytes] + 93 TCP 192.168.1.103:34999 <-> 95.101.34.33:80 [proto: 7/HTTP][9 pkts/594 bytes] + 94 TCP 192.168.1.103:34981 <-> 95.101.34.33:80 [proto: 7/HTTP][9 pkts/594 bytes] + 95 TCP 192.168.1.103:39207 <-> 95.101.34.34:80 [proto: 7/HTTP][9 pkts/594 bytes] + 96 TCP 192.168.1.103:39195 <-> 95.101.34.34:80 [proto: 7/HTTP][8 pkts/528 bytes] + 97 TCP 192.168.1.103:39231 <-> 95.101.34.34:80 [proto: 7/HTTP][9 pkts/594 bytes] + 98 UDP 192.168.1.103:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][44 pkts/3608 bytes] + 99 UDP 192.168.1.100:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][14 pkts/1148 bytes] + 100 UDP 192.168.1.103:19041 <-> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][2 pkts/610 bytes][Host: res.wx.qq.com] + 101 UDP [ff02::1:3]:49195 <-> [fe80::91f9:3df3:7436:6cd6]:5355 [proto: 154/LLMNR][2 pkts/176 bytes][Host: cansaqcq] + 102 UDP [ff02::1:3]:50577 <-> [fe80::91f9:3df3:7436:6cd6]:5355 [proto: 154/LLMNR][2 pkts/176 bytes][Host: mcztmpkc] + + +Undetected flows: + 1 0 [fe80::842:a3f3:a286:6c5b]:0 <-> [ff02::16]:0 [proto: 0/Unknown][1 pkts/110 bytes] diff --git a/tests/result/weibo.pcap.out b/tests/result/weibo.pcap.out index c1d4bc2b7..0114702b8 100644 --- a/tests/result/weibo.pcap.out +++ b/tests/result/weibo.pcap.out @@ -6,16 +6,16 @@ Amazon 2 132 1 QUIC 23 4118 2 Sina(Weibo) 418 258007 15 - 1 TCP 140.205.174.1:443 <-> 192.168.1.105:48352 [proto: 91/SSL][1 pkts/74 bytes] - 2 TCP 140.205.174.1:443 <-> 192.168.1.105:48356 [proto: 91/SSL][1 pkts/74 bytes] + 1 TCP 192.168.1.105:48352 <-> 140.205.174.1:443 [proto: 91/SSL][1 pkts/74 bytes] + 2 TCP 192.168.1.105:48356 <-> 140.205.174.1:443 [proto: 91/SSL][1 pkts/74 bytes] 3 TCP 192.168.1.105:59120 <-> 114.134.80.162:80 [proto: 7/HTTP][3 pkts/194 bytes] - 4 TCP 216.58.212.65:443 <-> 192.168.1.105:34699 [proto: 91.126/SSL.Google][2 pkts/132 bytes] - 5 TCP 222.73.28.96:80 <-> 192.168.1.105:42275 [proto: 7.200/HTTP.Sina(Weibo)][4 pkts/676 bytes][Host: u1.img.mobile.sina.cn] - 6 UDP 192.168.1.1:53 <-> 192.168.1.105:50533 [proto: 5.200/DNS.Sina(Weibo)][1 pkts/74 bytes][Host: data.weibo.com] - 7 UDP 192.168.1.1:53 <-> 192.168.1.105:53543 [proto: 5.200/DNS.Sina(Weibo)][2 pkts/266 bytes][Host: img.t.sinajs.cn] + 4 TCP 192.168.1.105:34699 <-> 216.58.212.65:443 [proto: 91.126/SSL.Google][2 pkts/132 bytes] + 5 TCP 192.168.1.105:42275 <-> 222.73.28.96:80 [proto: 7.200/HTTP.Sina(Weibo)][4 pkts/676 bytes][Host: u1.img.mobile.sina.cn] + 6 UDP 192.168.1.105:50533 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][1 pkts/74 bytes][Host: data.weibo.com] + 7 UDP 192.168.1.105:53543 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][2 pkts/266 bytes][Host: img.t.sinajs.cn] 8 UDP 216.58.210.14:443 <-> 192.168.1.105:49361 [proto: 188/QUIC][9 pkts/1944 bytes] - 9 TCP 216.58.214.78:443 <-> 192.168.1.105:58481 [proto: 91.126/SSL.Google][2 pkts/132 bytes] - 10 UDP 192.168.1.1:53 <-> 192.168.1.105:7148 [proto: 5.200/DNS.Sina(Weibo)][2 pkts/215 bytes][Host: www.weibo.com] + 9 TCP 192.168.1.105:58481 <-> 216.58.214.78:443 [proto: 91.126/SSL.Google][2 pkts/132 bytes] + 10 UDP 192.168.1.105:7148 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][2 pkts/215 bytes][Host: www.weibo.com] 11 TCP 192.168.1.105:35803 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][106 pkts/76903 bytes][Host: img.t.sinajs.cn] 12 TCP 192.168.1.105:35805 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][41 pkts/23245 bytes][Host: img.t.sinajs.cn] 13 TCP 192.168.1.105:35807 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][53 pkts/36468 bytes][Host: img.t.sinajs.cn] @@ -23,30 +23,30 @@ Sina(Weibo) 418 258007 15 15 TCP 192.168.1.105:35811 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][5 pkts/744 bytes][Host: js.t.sinajs.cn] 16 TCP 192.168.1.105:50827 <-> 47.89.65.229:443 [proto: 91/SSL][4 pkts/448 bytes][client: g.alicdn.com] 17 TCP 192.168.1.105:50831 <-> 47.89.65.229:443 [proto: 91/SSL][3 pkts/194 bytes] - 18 TCP 42.156.184.19:443 <-> 192.168.1.105:52272 [proto: 91/SSL][1 pkts/74 bytes] - 19 TCP 42.156.184.19:443 <-> 192.168.1.105:52274 [proto: 91/SSL][1 pkts/74 bytes] - 20 UDP 192.168.1.1:53 <-> 192.168.1.105:11798 [proto: 5.200/DNS.Sina(Weibo)][1 pkts/77 bytes][Host: account.weibo.com] - 21 UDP 192.168.1.1:53 <-> 192.168.1.105:16804 [proto: 5/DNS][1 pkts/70 bytes][Host: c.weibo.cn] - 22 TCP 140.205.170.63:443 <-> 192.168.1.105:47721 [proto: 91/SSL][1 pkts/74 bytes] - 23 TCP 140.205.170.63:443 <-> 192.168.1.105:47723 [proto: 91/SSL][1 pkts/74 bytes] - 24 TCP 140.205.174.1:443 <-> 192.168.1.105:48353 [proto: 91/SSL][1 pkts/74 bytes] - 25 UDP 192.168.1.1:53 <-> 192.168.1.105:33822 [proto: 5/DNS][2 pkts/242 bytes][Host: login.taobao.com] + 18 TCP 192.168.1.105:52272 <-> 42.156.184.19:443 [proto: 91/SSL][1 pkts/74 bytes] + 19 TCP 192.168.1.105:52274 <-> 42.156.184.19:443 [proto: 91/SSL][1 pkts/74 bytes] + 20 UDP 192.168.1.105:11798 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][1 pkts/77 bytes][Host: account.weibo.com] + 21 UDP 192.168.1.105:16804 <-> 192.168.1.1:53 [proto: 5/DNS][1 pkts/70 bytes][Host: c.weibo.cn] + 22 TCP 192.168.1.105:47721 <-> 140.205.170.63:443 [proto: 91/SSL][1 pkts/74 bytes] + 23 TCP 192.168.1.105:47723 <-> 140.205.170.63:443 [proto: 91/SSL][1 pkts/74 bytes] + 24 TCP 192.168.1.105:48353 <-> 140.205.174.1:443 [proto: 91/SSL][1 pkts/74 bytes] + 25 UDP 192.168.1.105:33822 <-> 192.168.1.1:53 [proto: 5/DNS][2 pkts/242 bytes][Host: login.taobao.com] 26 TCP 192.168.1.105:59119 <-> 114.134.80.162:80 [proto: 7/HTTP][9 pkts/1599 bytes][Host: weibo.com] 27 TCP 192.168.1.105:59121 <-> 114.134.80.162:80 [proto: 7/HTTP][3 pkts/194 bytes] 28 TCP 192.168.1.105:35154 <-> 216.58.210.206:443 [proto: 91.126/SSL.Google][2 pkts/132 bytes] - 29 TCP 216.58.212.69:443 <-> 192.168.1.105:37802 [proto: 91.126/SSL.Google][2 pkts/132 bytes] - 30 UDP 192.168.1.1:53 <-> 192.168.1.105:41352 [proto: 5.200/DNS.Sina(Weibo)][2 pkts/264 bytes][Host: js.t.sinajs.cn] - 31 TCP 222.73.28.96:80 <-> 192.168.1.105:42280 [proto: 7/HTTP][1 pkts/74 bytes] - 32 UDP 192.168.1.1:53 <-> 192.168.1.105:50640 [proto: 5/DNS][2 pkts/234 bytes][Host: acjstb.aliyun.com] - 33 UDP 192.168.1.1:53 <-> 192.168.1.105:51440 [proto: 5/DNS][2 pkts/243 bytes][Host: g.alicdn.com] - 34 UDP 192.168.1.1:53 <-> 192.168.1.105:53466 [proto: 5/DNS][2 pkts/186 bytes][Host: log.mmstat.com] - 35 UDP 192.168.1.1:53 <-> 192.168.1.105:54988 [proto: 5/DNS][2 pkts/154 bytes][Host: weibo.com] + 29 TCP 192.168.1.105:37802 <-> 216.58.212.69:443 [proto: 91.126/SSL.Google][2 pkts/132 bytes] + 30 UDP 192.168.1.105:41352 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][2 pkts/264 bytes][Host: js.t.sinajs.cn] + 31 TCP 192.168.1.105:42280 <-> 222.73.28.96:80 [proto: 7/HTTP][1 pkts/74 bytes] + 32 UDP 192.168.1.105:50640 <-> 192.168.1.1:53 [proto: 5/DNS][2 pkts/234 bytes][Host: acjstb.aliyun.com] + 33 UDP 192.168.1.105:51440 <-> 192.168.1.1:53 [proto: 5/DNS][2 pkts/243 bytes][Host: g.alicdn.com] + 34 UDP 192.168.1.105:53466 <-> 192.168.1.1:53 [proto: 5/DNS][2 pkts/186 bytes][Host: log.mmstat.com] + 35 UDP 192.168.1.105:54988 <-> 192.168.1.1:53 [proto: 5/DNS][2 pkts/154 bytes][Host: weibo.com] 36 UDP 192.168.1.105:53656 <-> 216.58.210.227:443 [proto: 188/QUIC][14 pkts/2174 bytes] - 37 TCP 216.58.214.78:443 <-> 192.168.1.105:58480 [proto: 91.126/SSL.Google][2 pkts/132 bytes] + 37 TCP 192.168.1.105:58480 <-> 216.58.214.78:443 [proto: 91.126/SSL.Google][2 pkts/132 bytes] 38 TCP 192.168.1.105:40440 <-> 54.225.163.210:443 [proto: 91.178/SSL.Amazon][2 pkts/132 bytes] 39 TCP 192.168.1.105:35804 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][72 pkts/54281 bytes][Host: img.t.sinajs.cn] 40 TCP 192.168.1.105:35806 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][13 pkts/4701 bytes][Host: img.t.sinajs.cn] 41 TCP 192.168.1.105:35808 <-> 93.188.134.246:80 [proto: 7/HTTP][3 pkts/214 bytes] - 42 TCP 42.156.184.19:443 <-> 192.168.1.105:52271 [proto: 91/SSL][1 pkts/74 bytes] - 43 UDP 192.168.1.1:53 <-> 192.168.1.105:18035 [proto: 5.200/DNS.Sina(Weibo)][2 pkts/240 bytes][Host: u1.img.mobile.sina.cn] + 42 TCP 192.168.1.105:52271 <-> 42.156.184.19:443 [proto: 91/SSL][1 pkts/74 bytes] + 43 UDP 192.168.1.105:18035 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][2 pkts/240 bytes][Host: u1.img.mobile.sina.cn] 44 TCP 192.168.1.105:51698 <-> 93.188.134.137:80 [proto: 7.200/HTTP.Sina(Weibo)][79 pkts/37492 bytes][Host: www.weibo.com] diff --git a/tests/result/whatsapp_login_call.pcap.out b/tests/result/whatsapp_login_call.pcap.out index 50231ba14..f689282ed 100644 --- a/tests/result/whatsapp_login_call.pcap.out +++ b/tests/result/whatsapp_login_call.pcap.out @@ -16,8 +16,8 @@ WhatsAppVoice 706 91156 4 2 UDP 192.168.2.1:17500 <-> 192.168.2.255:17500 [proto: 121/Dropbox][4 pkts/2176 bytes] 3 ICMP 192.168.2.4:0 <-> 91.253.176.65:0 [proto: 81/ICMP][10 pkts/700 bytes] 4 UDP 192.168.2.4:52794 <-> 91.253.176.65:9665 [proto: 189/WhatsAppVoice][198 pkts/30418 bytes] - 5 UDP 173.252.114.1:3478 <-> 192.168.2.4:52794 [proto: 78.119/STUN.Facebook][5 pkts/676 bytes] - 6 UDP 192.168.2.1:53 <-> 192.168.2.4:51897 [proto: 5.140/DNS.Apple][2 pkts/330 bytes][Host: query.ess.apple.com] + 5 UDP 192.168.2.4:52794 <-> 173.252.114.1:3478 [proto: 78.119/STUN.Facebook][5 pkts/676 bytes] + 6 UDP 192.168.2.4:51897 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][2 pkts/330 bytes][Host: query.ess.apple.com] 7 UDP 192.168.2.4:52794 <-> 179.60.192.48:3478 [proto: 78.119/STUN.Facebook][5 pkts/676 bytes] 8 UDP 192.168.2.4:51518 <-> 1.194.90.191:60312 [proto: 78/STUN][15 pkts/1290 bytes] 9 TCP 192.168.2.4:49166 <-> 17.154.66.121:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes] @@ -48,7 +48,7 @@ WhatsAppVoice 706 91156 4 34 UDP 192.168.2.4:51518 <-> 91.253.176.65:9344 [proto: 189/WhatsAppVoice][464 pkts/52920 bytes] 35 TCP 192.168.2.4:49202 <-> 184.173.179.37:5222 [proto: 142/WhatsApp][180 pkts/24874 bytes] 36 UDP 192.168.2.1:57621 <-> 192.168.2.255:57621 [proto: 156/Spotify][3 pkts/258 bytes] - 37 UDP 192.168.2.1:53 <-> 192.168.2.4:52190 [proto: 5.142/DNS.WhatsApp][2 pkts/280 bytes][Host: e13.whatsapp.net] + 37 UDP 192.168.2.4:52190 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][2 pkts/280 bytes][Host: e13.whatsapp.net] 38 UDP 192.168.2.4:52794 <-> 1.194.90.191:51727 [proto: 78/STUN][12 pkts/1032 bytes] 39 TCP 192.168.2.4:49174 <-> 5.178.42.26:80 [proto: 7/HTTP][3 pkts/198 bytes] 40 TCP 192.168.2.4:49163 <-> 17.154.66.111:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes] diff --git a/tests/result/whatsapp_login_chat.pcap.out b/tests/result/whatsapp_login_chat.pcap.out index 6f873ed4a..ea3c32a15 100644 --- a/tests/result/whatsapp_login_chat.pcap.out +++ b/tests/result/whatsapp_login_chat.pcap.out @@ -7,10 +7,10 @@ Spotify 1 86 1 1 UDP 192.168.2.1:17500 <-> 192.168.2.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes] 2 UDP [fe80::189c:c31b:1298:224]:5353 <-> [ff02::fb]:5353 [proto: 8/MDNS][1 pkts/111 bytes] - 3 UDP 192.168.2.1:53 <-> 192.168.2.4:61697 [proto: 5.142/DNS.WhatsApp][2 pkts/280 bytes][Host: e12.whatsapp.net] + 3 UDP 192.168.2.4:61697 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][2 pkts/280 bytes][Host: e12.whatsapp.net] 4 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/SSL.Apple][44 pkts/21371 bytes] 5 UDP 0.0.0.0:68 <-> 255.255.255.255:67 [proto: 18/DHCP][6 pkts/2052 bytes][Host: lucas-imac] 6 TCP 192.168.2.4:49206 <-> 158.85.58.15:5222 [proto: 142/WhatsApp][30 pkts/2963 bytes] 7 UDP 192.168.2.1:57621 <-> 192.168.2.255:57621 [proto: 156/Spotify][1 pkts/86 bytes] - 8 TCP 192.168.2.4:49193 <-> 17.110.229.14:5223 [proto: 140/Apple][6 pkts/2095 bytes] + 8 TCP 17.110.229.14:5223 <-> 192.168.2.4:49193 [proto: 140/Apple][6 pkts/2095 bytes] 9 UDP 192.168.2.4:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][1 pkts/91 bytes] diff --git a/wireshark/README.md b/wireshark/README.md new file mode 100644 index 000000000..1811c663e --- /dev/null +++ b/wireshark/README.md @@ -0,0 +1,20 @@ +# nDPI Wireshark Plugin + +## Introduction + +nDPI can provide Wireshark protocol dissection to complement internal protocol decoding. In order to do this, the ndpiReader application is used to provide Wireshark nDPI protocol dissection, and a Wireshark plugin interprets nDPI information. + +## Installation + +- Copy the ndpiReader application (it is located under nDPI/example) to the Extcap path. See Wireshark -> About menu for identifying the extcap directory. Under OSX it is usually /Applications/Wireshark.app/Contents/MacOS/extcap +- Copy the ndpi.lua plugin under ~/.wireshark/plugins (or in the global Wireshark plugins directory) + +## Usage + +At Wireshark startup you will find a new extcap interface named "nDPI interface". Select that interface and specify an interface name (for live capture) or a pcap file path (for reading packets from a pcap file). You can choose a nDPI protocol list from the dropdown menu in case you want Wireshark to dissect only protocols of the specified nDPI application protocol. + +During capture the ndpiReader plugin will pass Wireshark the nDPI protocol information adding an ethernet packet trailer that contains nDPI information. The lua plugin interprets this information and it displays it in the Wireshark GUI. + +## nDPI Packet Filtering + +As nDPI is natively integrated into Wireshark, you can filter packets using the usual filtering mechanism. Example use "ndpi.protocol.name==BitTorrent" to filter all BitTorrent traffic. diff --git a/wireshark/ndpi.lua b/wireshark/ndpi.lua new file mode 100644 index 000000000..3d35c9083 --- /dev/null +++ b/wireshark/ndpi.lua @@ -0,0 +1,174 @@ +-- +-- (C) 2017 - ntop.org +-- +-- This plugin is part of nDPI (https://github.com/ntop/nDPI) +-- +-- +local ndpi_proto = Proto("ndpi", "nDPI", "nDPI Protocol Interpreter") + +ndpi_proto.fields = {} +local fds = ndpi_proto.fields + +fds.network_protocol = ProtoField.new("nDPI Network Protocol", "ndpi.protocol.network", ftypes.UINT8, nil, base.DEC) +fds.application_protocol = ProtoField.new("nDPI Application Protocol", "ndpi.protocol.application", ftypes.UINT8, nil, base.DEC) +fds.name = ProtoField.new("nDPI Protocol Name", "ndpi.protocol.name", ftypes.STRING) + +local f_eth_trailer = Field.new("eth.trailer") + +local ndpi_protos = {} +local ndpi_flows = {} +local compute_flows_stats = true + +-- ############################################### + +function ndpi_proto.init() + ndpi_protos = {} + ndpi_flows = {} +end + +function slen(str) + local i = 1 + local len = 0 + local zero = string.char(0) + + for i = 1, 16 do + local c = str:sub(i,i) + + if(c ~= zero) then + len = len + 1 + else + break + end + end + + return(str:sub(1, len)) +end + +-- the dissector function callback +function ndpi_proto.dissector(tvb, pinfo, tree) + local pktlen = tvb:len() + local eth_trailer = f_eth_trailer() + local magic = tostring(tvb(pktlen-28,4)) + + if(magic == "19680924") then + local ndpi_subtree = tree:add(ndpi_proto, tvb(), "nDPI Protocol") + local network_protocol = tvb(pktlen-24,2) + local application_protocol = tvb(pktlen-22,2) + local name = tvb(pktlen-20,16) + local name_str = name:string(ENC_ASCII) + local ndpikey, srckey, dstkey, flowkey + + ndpi_subtree:add(fds.network_protocol, network_protocol) + ndpi_subtree:add(fds.application_protocol, application_protocol) + ndpi_subtree:add(fds.name, name) + + local pname = ""..application_protocol + if(pname ~= "0000") then + -- Set protocol name in the wireshark protocol column (if not Unknown) + pinfo.cols.protocol = name_str + end + + if(compute_flows_stats) then + ndpikey = tostring(slen(name_str)) + + if(ndpi_protos[ndpikey] == nil) then ndpi_protos[ndpikey] = 0 end + ndpi_protos[ndpikey] = ndpi_protos[ndpikey] + pinfo.len + + srckey = tostring(pinfo.src) + dstkey = tostring(pinfo.dst) + + flowkey = srckey.." / "..dstkey.." ["..ndpikey.."]" + if(ndpi_flows[flowkey] == nil) then + ndpi_flows[flowkey] = 0 + end + + ndpi_flows[flowkey] = ndpi_flows[flowkey] + pinfo.len + end + end +end + +register_postdissector(ndpi_proto) + +-- ############################################### + +function round(num, idp) return tonumber(string.format("%." .. (idp or 0) .. "f", num)) end + +-- Convert bytes to human readable format +function bytesToSize(bytes) + if(bytes == nil) then + return("0") + else + precision = 2 + kilobyte = 1024; + megabyte = kilobyte * 1024; + gigabyte = megabyte * 1024; + terabyte = gigabyte * 1024; + + bytes = tonumber(bytes) + if((bytes >= 0) and (bytes < kilobyte)) then + return round(bytes, precision) .. " Bytes"; + elseif((bytes >= kilobyte) and (bytes < megabyte)) then + return round(bytes / kilobyte, precision) .. ' KB'; + elseif((bytes >= megabyte) and (bytes < gigabyte)) then + return round(bytes / megabyte, precision) .. ' MB'; + elseif((bytes >= gigabyte) and (bytes < terabyte)) then + return round(bytes / gigabyte, precision) .. ' GB'; + elseif(bytes >= terabyte) then + return round(bytes / terabyte, precision) .. ' TB'; + else + return round(bytes, precision) .. ' Bytes'; + end + end +end + +function pairsByValues(t, f) + local a = {} + for n in pairs(t) do table.insert(a, n) end + table.sort(a, function(x, y) return f(t[x], t[y]) end) + local i = 0 -- iterator variable + local iter = function () -- iterator function + i = i + 1 + if a[i] == nil then return nil + else return a[i], t[a[i]] + end + end + return iter +end + +function asc(a,b) return (a < b) end +function rev(a,b) return (a > b) end + +local function ndpi_dialog_menu() + local win = TextWindow.new("nDPI Protocol Statistics"); + local label = "" + local i + local max_i = 10 + + if(ndpi_protos ~= {}) then + label = "nDPI Protocol Breakdown\n" + label = label .. "-----------------------\n" + + i = 0 + for k,v in pairsByValues(ndpi_protos, rev) do + -- label = label .. k .. "\t".. bytesToSize(v) .. "\n" + label = label .. string.format("%-32s\t%s\n", k, bytesToSize(v)) + if(i == max_i) then break else i = i + 1 end + end + + -- ####### + + label = label .. "\nTop nDPI Flows\n" + label = label .. "-----------\n" + i = 0 + for k,v in pairsByValues(ndpi_flows, rev) do + label = label .. string.format("%-32s\t%s\n", k, bytesToSize(v)) + if(i == max_i) then break else i = i + 1 end + end + + win:set(label) + end +end + +if(compute_flows_stats) then + register_menu("nDPI", ndpi_dialog_menu, MENU_STAT_UNSORTED) +end |