authorToni <matzeton@googlemail.com>2022-07-06 19:30:10 +0200
committerGitHub <noreply@github.com>2022-07-06 19:30:10 +0200
commit15042870f94d19d824e5f80c6274690711f72ef7 (patch)
tree029aba69902dbe894c5bc413489ff88a8d2a96c8
parent105f661e46803a3eb3543dd9bddd251622e878d4 (diff)
Added Threema Messenger. (#1643)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r--src/include/ndpi_protocol_ids.h1
-rw-r--r--src/include/ndpi_protocols.h1
-rw-r--r--src/lib/inc_generated/ndpi_asn_threema.c.inc34
-rw-r--r--src/lib/ndpi_main.c9
-rw-r--r--src/lib/protocols/threema.c103
-rw-r--r--tests/pcap/threema.pcapbin0 -> 12930 bytes
-rw-r--r--tests/result/synscan.pcap.out4
-rw-r--r--tests/result/threema.pcap.out14
-rwxr-xr-xutils/asn_update.sh5
9 files changed, 169 insertions, 2 deletions
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index 599b5be7f..256fd8f24 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -333,6 +333,7 @@ typedef enum {
NDPI_PROTOCOL_RIOTGAMES = 302,
NDPI_PROTOCOL_PSIPHON = 303,
NDPI_PROTOCOL_ULTRASURF = 304,
+ NDPI_PROTOCOL_THREEMA = 305,
#ifdef CUSTOM_NDPI_PROTOCOLS
#include "../../../nDPI-custom/custom_ndpi_protocol_ids.h"
diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h
index 98bf36789..9336d08c0 100644
--- a/src/include/ndpi_protocols.h
+++ b/src/include/ndpi_protocols.h
@@ -231,6 +231,7 @@ void init_collectd_dissector(struct ndpi_detection_module_struct *ndpi_struct, u
void init_i3d_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_riotgames_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_ultrasurf_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
+void init_threema_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
/* ndpi_main.c */
extern u_int32_t ndpi_ip_port_hash_funct(u_int32_t ip, u_int16_t port);
diff --git a/src/lib/inc_generated/ndpi_asn_threema.c.inc b/src/lib/inc_generated/ndpi_asn_threema.c.inc
new file mode 100644
index 000000000..9795a002d
--- /dev/null
+++ b/src/lib/inc_generated/ndpi_asn_threema.c.inc
@@ -0,0 +1,34 @@
+/*
+ *
+ * This file is generated automatically and part of nDPI
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+/* ****************************************************** */
+
+
+static ndpi_network ndpi_protocol_threema_protocol_list[] = {
+ { 0x0594A000 /* 5.148.160.0/19 */, 19, NDPI_PROTOCOL_THREEMA },
+ { 0x2D09A000 /* 45.9.160.0/23 */, 23, NDPI_PROTOCOL_THREEMA },
+ { 0x5C2AB800 /* 92.42.184.0/21 */, 21, NDPI_PROTOCOL_THREEMA },
+ { 0x5EE6D000 /* 94.230.208.0/20 */, 20, NDPI_PROTOCOL_THREEMA },
+ { 0xB2D12000 /* 178.209.32.0/19 */, 19, NDPI_PROTOCOL_THREEMA },
+ { 0xB958EC00 /* 185.88.236.0/22 */, 22, NDPI_PROTOCOL_THREEMA },
+ { 0xC1115500 /* 193.17.85.0/24 */, 24, NDPI_PROTOCOL_THREEMA },
+ { 0xD996F000 /* 217.150.240.0/20 */, 20, NDPI_PROTOCOL_THREEMA },
+ /* End */
+ { 0x0, 0, 0 }
+};
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 2b9f46139..ee338ce76 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -85,6 +85,7 @@
#include "inc_generated/ndpi_asn_edgecast.c.inc"
#include "inc_generated/ndpi_asn_goto.c.inc"
#include "inc_generated/ndpi_asn_riotgames.c.inc"
+#include "inc_generated/ndpi_asn_threema.c.inc"
/* Third party libraries */
#include "third_party/include/ndpi_patricia.h"
@@ -1944,6 +1945,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
"UltraSurf", NDPI_PROTOCOL_CATEGORY_VPN,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_THREEMA,
+ "Threema", NDPI_PROTOCOL_CATEGORY_CHAT,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
#ifdef CUSTOM_NDPI_PROTOCOLS
#include "../../../nDPI-custom/custom_ndpi_main.c"
@@ -2587,6 +2592,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_edgecast_protocol_list);
ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_goto_protocol_list);
ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_riotgames_protocol_list);
+ ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_threema_protocol_list);
}
}
@@ -4427,6 +4433,9 @@ static int ndpi_callback_init(struct ndpi_detection_module_struct *ndpi_str) {
/* UltraSurf */
init_ultrasurf_dissector(ndpi_str, &a, detection_bitmask);
+ /* Threema */
+ init_threema_dissector(ndpi_str, &a, detection_bitmask);
+
#ifdef CUSTOM_NDPI_PROTOCOLS
#include "../../../nDPI-custom/custom_ndpi_main_init.c"
#endif
diff --git a/src/lib/protocols/threema.c b/src/lib/protocols/threema.c
new file mode 100644
index 000000000..348b70988
--- /dev/null
+++ b/src/lib/protocols/threema.c
@@ -0,0 +1,103 @@
+/*
+ * threema.c
+ *
+ * Copyright (C) 2022 - ntop.org
+ *
+ * nDPI is free software: you can zmqtribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_THREEMA
+
+#include "ndpi_api.h"
+
+
+static void ndpi_int_threema_add_connection(struct ndpi_detection_module_struct * const ndpi_struct,
+ struct ndpi_flow_struct * const flow)
+{
+ NDPI_LOG_INFO(ndpi_struct, "found Threema\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow,
+ NDPI_PROTOCOL_UNKNOWN,
+ NDPI_PROTOCOL_THREEMA,
+ NDPI_CONFIDENCE_DPI);
+}
+
+static void ndpi_search_threema(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow)
+{
+ struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+
+ NDPI_LOG_DBG(ndpi_struct, "search Threema\n");
+
+ if (ntohs(packet->tcp->source) != 5222 && ntohs(packet->tcp->dest) != 5222) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
+ switch (flow->packet_counter)
+ {
+ case 1:
+ if (packet->payload_packet_len != 48)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ }
+ return;
+ case 2:
+ if (packet->payload_packet_len != 80)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ }
+ return;
+ case 3:
+ if (packet->payload_packet_len != 191)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ }
+ return;
+ case 4:
+ return; // packet length varies
+ default:
+ break;
+ }
+
+ if (packet->payload_packet_len < 2)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
+ uint16_t len = le16toh(get_u_int16_t(packet->payload, 0));
+ if (len + 2 != packet->payload_packet_len)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
+ ndpi_int_threema_add_connection(ndpi_struct, flow);
+}
+
+void init_threema_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t *id,
+ NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+ ndpi_set_bitmask_protocol_detection("Threema", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_THREEMA,
+ ndpi_search_threema,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK
+ );
+ *id += 1;
+}
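Review bot: From the fifth payload packet on, `ndpi_search_threema` decides the flow on a single test, `len + 2 != packet->payload_packet_len`, which assumes every TCP segment carries exactly one length-prefixed record. A record split across segments, or two records coalesced into one, would exclude a genuine flow for good. The handshake checks before it compare `flow->packet_counter` against the bare sizes 48, 80 and 191 without looking at packet direction, so they also depend on the packet ordering of the sample capture. tests/result/threema.pcap.out in this commit reports two of the six flows as "Match by IP" rather than DPI, which suggests the DPI path does not always confirm, though the cause is not visible here. I would at least document the constants above the `switch`, e.g. `/* payload sizes of the first three handshake packets as observed in tests/pcap/threema.pcap */` (if that is indeed their origin), and state next to the final check that segmentation is assumed to follow record boundaries.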
diff --git a/tests/pcap/threema.pcap b/tests/pcap/threema.pcap
new file mode 100644
index 000000000..91753d525
--- /dev/null
+++ b/tests/pcap/threema.pcap
Binary files differ
diff --git a/tests/result/synscan.pcap.out b/tests/result/synscan.pcap.out
index c81d1a9dc..9cf25e027 100644
--- a/tests/result/synscan.pcap.out
+++ b/tests/result/synscan.pcap.out
@@ -103,7 +103,7 @@ iSCSI 2 116 2
43 TCP 172.16.0.8:36050 -> 64.13.134.52:2605 [proto: 13/BGP][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
44 TCP 172.16.0.8:36050 -> 64.13.134.52:3000 [proto: 26/ntop][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
45 TCP 172.16.0.8:36050 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][ClearText][Confidence: Match by port][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 46 TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 305/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 46 TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 306/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
47 TCP 172.16.0.8:36050 -> 64.13.134.52:3306 [proto: 20/MySQL][ClearText][Confidence: Match by port][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
48 TCP 172.16.0.8:36050 -> 64.13.134.52:3389 [proto: 88/RDP][ClearText][Confidence: Match by port][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Found RDP][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
49 TCP 172.16.0.8:36050 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
@@ -164,7 +164,7 @@ iSCSI 2 116 2
104 TCP 172.16.0.8:36051 -> 64.13.134.52:2605 [proto: 13/BGP][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
105 TCP 172.16.0.8:36051 -> 64.13.134.52:3000 [proto: 26/ntop][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
106 TCP 172.16.0.8:36051 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][ClearText][Confidence: Match by port][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 107 TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 305/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 107 TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 306/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
108 TCP 172.16.0.8:36051 -> 64.13.134.52:3306 [proto: 20/MySQL][ClearText][Confidence: Match by port][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
109 TCP 172.16.0.8:36051 -> 64.13.134.52:3389 [proto: 88/RDP][ClearText][Confidence: Match by port][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Found RDP][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
110 TCP 172.16.0.8:36051 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/threema.pcap.out b/tests/result/threema.pcap.out
new file mode 100644
index 000000000..7e313fe7a
--- /dev/null
+++ b/tests/result/threema.pcap.out
@@ -0,0 +1,14 @@
+Guessed flow protos: 2
+
+DPI Packets (TCP): 66 (11.00 pkts/flow)
+Confidence Match by IP : 2 (flows)
+Confidence DPI : 4 (flows)
+
+Threema 83 11578 6
+
+ 1 TCP 192.168.2.100:50484 <-> 185.88.236.110:5222 [proto: 305/Threema][Encrypted][Confidence: DPI][cat: Chat/9][9 pkts/1998 bytes <-> 6 pkts/1066 bytes][Goodput ratio: 70/62][30.23 sec][bytes ratio: 0.304 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/28 347/6958 2277/27743 788/12000][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 222/178 801/534 238/162][Plen Bins: 0,33,22,0,0,11,0,0,0,0,0,0,11,0,11,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 2 TCP 192.168.2.100:50298 <-> 185.88.236.110:5222 [proto: 305/Threema][Encrypted][Confidence: DPI][cat: Chat/9][10 pkts/2025 bytes <-> 5 pkts/548 bytes][Goodput ratio: 67/38][46.73 sec][bytes ratio: 0.574 (Upload)][IAT c2s/s2c min/avg/max/stddev: 3/31 5838/33 46525/38 15378/3][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 202/110 510/146 167/24][Plen Bins: 0,44,11,0,0,11,0,0,0,11,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 3 TCP 192.168.2.100:50618 <-> 185.88.236.110:5222 [proto: 305/Threema][Encrypted][Confidence: DPI][cat: Chat/9][9 pkts/879 bytes <-> 6 pkts/1079 bytes][Goodput ratio: 31/62][5.39 sec][bytes ratio: -0.102 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/28 52/1686 209/4996 67/2340][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 98/180 257/661 59/217][Plen Bins: 0,40,20,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 4 TCP 192.168.2.100:50500 <-> 185.88.236.110:5222 [proto: 305/Threema][Encrypted][Confidence: DPI][cat: Chat/9][8 pkts/813 bytes <-> 4 pkts/676 bytes][Goodput ratio: 34/60][61.48 sec][bytes ratio: 0.092 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/31 290/32 1612/32 591/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 102/169 257/390 61/131][Plen Bins: 0,40,20,0,0,20,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 5 TCP 192.168.2.100:50718 <-> 185.88.236.110:5222 [proto: 305/Threema][Encrypted][Confidence: Match by IP][cat: Chat/9][8 pkts/775 bytes <-> 5 pkts/472 bytes][Goodput ratio: 31/28][73.43 sec][bytes ratio: 0.243 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/28 12233/29 73277/30 27300/1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 97/94 257/146 62/33][Plen Bins: 0,50,25,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 6 TCP 192.168.2.100:50860 <-> 185.88.236.110:5222 [proto: 305/Threema][Encrypted][Confidence: Match by IP][cat: Chat/9][8 pkts/775 bytes <-> 5 pkts/472 bytes][Goodput ratio: 31/28][60.00 sec][bytes ratio: 0.243 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/29 9996/31 59845/33 22293/2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 97/94 257/146 62/33][Plen Bins: 0,50,25,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/utils/asn_update.sh b/utils/asn_update.sh
index 1c78f5732..f03196a0a 100755
--- a/utils/asn_update.sh
+++ b/utils/asn_update.sh
@@ -134,6 +134,11 @@ DEST=../src/lib/inc_generated/ndpi_asn_riotgames.c.inc
create_list NDPI_PROTOCOL_RIOTGAMES $DEST "AS6507"
echo "(3) RiotGames IPs are available in $DEST"
+echo "(1) Downloading Threema..."
+DEST=../src/lib/inc_generated/ndpi_asn_threema.c.inc
+create_list NDPI_PROTOCOL_THREEMA $DEST "AS29691"
+echo "(3) Threema IPs are available in $DEST"
+
if [ ${TOTAL_ASN} -eq ${FAILED_ASN} ]; then
printf '%s: %s\n' "${0}" "All download(s) failed, ./get_routes_by_asn.sh broken?"
exit 1
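Review bot: `create_list NDPI_PROTOCOL_THREEMA $DEST "AS29691"` imports every prefix announced by that AS, and the generated list in this commit holds eight ranges, two of them /19s, which are then loaded into the protocol ptree. Any flow to those addresses is labelled Threema by address alone, whatever the port or payload, as flows 5 and 6 in tests/result/threema.pcap.out show ("Match by IP"). If the AS is shared with other tenants rather than dedicated to Threema, which should be confirmed, monitoring and policy built on this label will see false positives. A comment above the call recording that check, e.g. `# AS29691: verified as Threema-only on <date>`, or a narrower hand-maintained prefix list, would make the assumption explicit.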