author | Toni <matzeton@googlemail.com> | 2022-09-21 18:24:04 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-09-21 18:24:04 +0200 |
commit | 644ad34962365fa794b8f58e01a7290496f3d6ef (patch) | |
tree | 6585447ab509e90ce4733066c8182f8e930ebc36 | |
parent | d6701e8979292834cd50abc78e8beafea7c7be8c (diff) |
Improved NATPMP dissection. (#1745)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | example/ndpiReader.c | 9 | ||||
-rw-r--r-- | example/reader_util.c | 8 | ||||
-rw-r--r-- | example/reader_util.h | 7 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 7 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 10 | ||||
-rw-r--r-- | src/lib/protocols/natpmp.c | 130 | ||||
-rw-r--r-- | tests/result/gnutella.pcap.out | 14 | ||||
-rw-r--r-- | tests/result/natpmp.pcap.out | 15 | ||||
-rw-r--r-- | tests/result/skype.pcap.out | 8 | ||||
-rw-r--r-- | tests/result/skype_no_unknown.pcap.out | 6 |
10 files changed, 165 insertions, 49 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 9ad07f82c..3dde6be3c 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -1514,6 +1514,15 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa } break; + case INFO_NATPMP: + if (flow->natpmp.internal_port != 0 && flow->natpmp.ip[0] != '\0') + { + fprintf(out, "[Result: %u][Internal Port: %u][External Port: %u][External Address: %s]", + flow->natpmp.result_code, flow->natpmp.internal_port, flow->natpmp.external_port, + flow->natpmp.ip); + } + break; + case INFO_FTP_IMAP_POP_SMTP: if (flow->ftp_imap_pop_smtp.username[0] != '\0') { diff --git a/example/reader_util.c b/example/reader_util.c index 37e5bf4b4..927d22ab2 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -1107,6 +1107,14 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl ndpi_snprintf(flow->softether.fqdn, sizeof(flow->softether.fqdn), "%s", flow->ndpi_flow->protos.softether.fqdn); } + /* NATPMP */ + else if(is_ndpi_proto(flow, NDPI_PROTOCOL_NATPMP)) { + flow->info_type = INFO_NATPMP; + flow->natpmp.result_code = flow->ndpi_flow->protos.natpmp.result_code; + flow->natpmp.internal_port = flow->ndpi_flow->protos.natpmp.internal_port; + flow->natpmp.external_port = flow->ndpi_flow->protos.natpmp.external_port; + inet_ntop(AF_INET, &flow->ndpi_flow->protos.natpmp.external_address.ipv4, &flow->natpmp.ip[0], sizeof(flow->natpmp.ip)); + } /* DISCORD */ else if(is_ndpi_proto(flow, NDPI_PROTOCOL_DISCORD) && !is_ndpi_proto(flow, NDPI_PROTOCOL_TLS) && flow->ndpi_flow->protos.discord.client_ip[0] != '\0') { diff --git a/example/reader_util.h b/example/reader_util.h index 26510f700..703e33094 100644 --- a/example/reader_util.h +++ b/example/reader_util.h @@ -167,6 +167,7 @@ enum info_type { INFO_FTP_IMAP_POP_SMTP, INFO_TLS_QUIC_ALPN_VERSION, INFO_TLS_QUIC_ALPN_ONLY, + INFO_NATPMP, }; // flow tracking 
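Review bot: The guard `flow->natpmp.internal_port != 0 && flow->natpmp.ip[0] != '\0'` in the new INFO_NATPMP case hides the one message whose payload is the address: an address response (opcode 0x80) populates result_code and external_address in the dissector but never internal_port, so its external IP is never printed, while mapping flows print `[External Address: 0.0.0.0]` (see the updated natpmp.pcap.out expectations). Splitting the output so the address no longer depends on the port, e.g. `if (flow->natpmp.internal_port != 0) fprintf(out, "[Result: %u][Internal Port: %u][External Port: %u]", ...);` followed by `if (flow->natpmp.ip[0] != '\0') fprintf(out, "[External Address: %s]", flow->natpmp.ip);`, would make address responses visible; an alternative is to record the opcode seen alongside the other fields and key the format on it. printFlow begins and ends outside the hunk.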
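Review bot: The return value of `inet_ntop()` is discarded in the new NATPMP branch of process_ndpi_collected_info, and the same pattern appears in the ndpi_utils.c hunk (`inet_ntop(AF_INET, ..., buf, sizeof(buf))` immediately before `ndpi_serialize_string_string`). With AF_INET and a 16-byte destination the call cannot realistically fail, but `buf` in ndpi_dpi2json is declared outside the hunk and shared across the switch cases, so on a failure its previous contents would be emitted as `external_address`. A one-line guard, `if (inet_ntop(AF_INET, &flow->protos.natpmp.external_address.ipv4, buf, sizeof(buf)) == NULL) buf[0] = '\0';`, keeps the "empty means not set" convention that ndpiReader's `ip[0] != '\0'` test relies on. Note also that the copy runs unconditionally for every NATPMP flow, so a flow that was detected but whose extra dissection never saw a response reports `0.0.0.0` as its external address; whether `protos.natpmp` is zeroed beforehand is not visible here.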
@@ -241,6 +242,12 @@ typedef struct ndpi_flow_info {
       char platform[32];
       char services[48];
     } tivoconnect;
+    struct {
+      uint16_t result_code;
+      uint16_t internal_port;
+      uint16_t external_port;
+      char ip[16];
+    } natpmp;
   };
 
   ndpi_serializer ndpi_flow_serializer;
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 18a53911d..c5cd96ade 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1475,6 +1475,13 @@ struct ndpi_flow_struct {
       char platform[32];
       char services[48];
     } tivoconnect;
+
+    struct {
+      u_int16_t result_code;
+      u_int16_t internal_port;
+      u_int16_t external_port;
+      ndpi_ip_addr_t external_address;
+    } natpmp;
   } protos;
 
   /*** ALL protocol specific 64 bit variables here ***/
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 1d5ba1ee3..7a34b0b76 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1327,6 +1327,16 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
     ndpi_serialize_end_of_block(serializer);
     break;
 
+  case NDPI_PROTOCOL_NATPMP:
+    ndpi_serialize_start_of_block(serializer, "natpmp");
+    ndpi_serialize_string_uint32(serializer, "result", flow->protos.natpmp.result_code);
+    ndpi_serialize_string_uint32(serializer, "internal_port", flow->protos.natpmp.internal_port);
+    ndpi_serialize_string_uint32(serializer, "external_port", flow->protos.natpmp.external_port);
+    inet_ntop(AF_INET, &flow->protos.natpmp.external_address.ipv4, buf, sizeof(buf));
+    ndpi_serialize_string_string(serializer, "external_address", buf);
+    ndpi_serialize_end_of_block(serializer);
+    break;
+
   case NDPI_PROTOCOL_STUN:
     ndpi_serialize_start_of_block(serializer, "stun");
     ndpi_serialize_string_uint32(serializer, "num_pkts", flow->stun.num_pkts);
diff --git a/src/lib/protocols/natpmp.c b/src/lib/protocols/natpmp.c
index 87b788bea..994ee1d6a 100644
--- a/src/lib/protocols/natpmp.c
+++ b/src/lib/protocols/natpmp.c
@@ -31,11 +31,14 @@ enum natpmp_type {
   NATPMP_REQUEST_ADDRESS = 0x00,
   NATPMP_REQUEST_UDP_MAPPING = 0x01,
   NATPMP_REQUEST_TCP_MAPPING = 0x02,
-  NATPMP_RESPONSE_ADRESS = 0x80,
+  NATPMP_RESPONSE_ADDRESS = 0x80,
   NATPMP_RESPONSE_UDP_MAPPING = 0x81,
   NATPMP_RESPONSE_TCP_MAPPING = 0x82
 };
 
+static int ndpi_search_natpmp_extra(struct ndpi_detection_module_struct *ndpi_struct,
+                                    struct ndpi_flow_struct *flow);
+
 static void ndpi_int_natpmp_add_connection(struct ndpi_detection_module_struct * const ndpi_struct,
                                            struct ndpi_flow_struct * const flow)
 {
@@ -44,70 +47,143 @@ static void ndpi_int_natpmp_add_connection(struct ndpi_detection_module_struct * NDPI_PROTOCOL_NATPMP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); + if (flow->extra_packets_func == NULL) + { + flow->max_extra_packets_to_check = 5; + flow->extra_packets_func = ndpi_search_natpmp_extra; + } } -void ndpi_search_natpmp(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) +static void natpmp_disable_extra_dissection(struct ndpi_flow_struct * const flow) { - struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; - enum natpmp_type natpmp_type; + flow->max_extra_packets_to_check = 0; + flow->extra_packets_func = NULL; +} - NDPI_LOG_DBG(ndpi_struct, "search nat-pmp\n"); +static int natpmp_is_common_header(struct ndpi_packet_struct const * const packet) +{ + return packet->payload_packet_len >= 2 && packet->payload[0] == 0x00 /* Protocol version: 0x00 */; +} - if (packet->payload_packet_len < 2 || packet->payload[0] != 0x00 /* Protocol version: 0x00 */) +static int natpmp_is_valid(struct ndpi_packet_struct const * const packet, enum natpmp_type * const natpmp_type) +{ + if (natpmp_is_common_header(packet) == 0) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; + return 0; } - natpmp_type = packet->payload[1]; - switch (natpmp_type) + *natpmp_type = packet->payload[1]; + switch (*natpmp_type) { case NATPMP_REQUEST_ADDRESS: if (packet->payload_packet_len != 2) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return 0; } - return; - + break; case NATPMP_REQUEST_UDP_MAPPING: case NATPMP_REQUEST_TCP_MAPPING: if (packet->payload_packet_len != 12 || get_u_int16_t(packet->payload, 2) != 0x0000) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; + return 0; } break; - - case NATPMP_RESPONSE_ADRESS: + case NATPMP_RESPONSE_ADDRESS: case NATPMP_RESPONSE_UDP_MAPPING: case NATPMP_RESPONSE_TCP_MAPPING: - if ((natpmp_type == NATPMP_RESPONSE_ADRESS && packet->payload_packet_len != 12) || - (natpmp_type != 
NATPMP_RESPONSE_ADRESS && packet->payload_packet_len != 16)) + if ((*natpmp_type == NATPMP_RESPONSE_ADDRESS && packet->payload_packet_len != 12) || + (*natpmp_type != NATPMP_RESPONSE_ADDRESS && packet->payload_packet_len != 16)) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; + return 0; } { u_int16_t result_code = ntohs(get_u_int16_t(packet->payload, 2)); if (result_code > 5) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; + return 0; } } break; default: - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; + return 0; + } + + return 1; +} + +static int ndpi_search_natpmp_extra(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) +{ + struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; + enum natpmp_type natpmp_type; + + if (natpmp_is_valid(packet, &natpmp_type) == 0) + { + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid NATPMP Header"); + return 0; + } + + switch (natpmp_type) + { + case NATPMP_REQUEST_ADDRESS: + return 1; // Nothing to do here. 
+ case NATPMP_REQUEST_UDP_MAPPING: + case NATPMP_REQUEST_TCP_MAPPING: + flow->protos.natpmp.internal_port = ntohs(get_u_int16_t(packet->payload, 4)); + flow->protos.natpmp.external_port = ntohs(get_u_int16_t(packet->payload, 6)); + if (flow->protos.natpmp.internal_port == 0) + { + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Request Port Mapping: Internal port must not 0"); + } + break; + case NATPMP_RESPONSE_ADDRESS: + flow->protos.natpmp.result_code = ntohs(get_u_int16_t(packet->payload, 2)); + flow->protos.natpmp.external_address.ipv4 = get_u_int32_t(packet->payload, 8); + if (flow->protos.natpmp.result_code != 0 && flow->protos.natpmp.external_address.ipv4 != 0) + { + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Address Response: Result code indicates an error, but External IPv4 Address is set"); + } + break; + case NATPMP_RESPONSE_UDP_MAPPING: + case NATPMP_RESPONSE_TCP_MAPPING: + { + flow->protos.natpmp.internal_port = ntohs(get_u_int16_t(packet->payload, 8)); + flow->protos.natpmp.external_port = ntohs(get_u_int16_t(packet->payload, 12)); + if (flow->protos.natpmp.internal_port == 0 || flow->protos.natpmp.external_port == 0) + { + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Port Mapping Response: Internal/External port must not 0"); + } + break; + } + } + + return 1; +} + +void ndpi_search_natpmp(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) +{ + struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; + enum natpmp_type natpmp_type; + + NDPI_LOG_DBG(ndpi_struct, "search nat-pmp\n"); + + if (natpmp_is_valid(packet, &natpmp_type) == 0) + { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; } - if (flow->packet_counter > 2 || + if ((flow->packet_counter > 2 && natpmp_type != NATPMP_REQUEST_ADDRESS) || ntohs(packet->udp->source) == NATPMP_PORT || ntohs(packet->udp->dest) == NATPMP_PORT) { ndpi_int_natpmp_add_connection(ndpi_struct, flow); + if 
(ndpi_search_natpmp_extra(ndpi_struct, flow) == 0) + { + natpmp_disable_extra_dissection(flow); + } } } diff --git a/tests/result/gnutella.pcap.out b/tests/result/gnutella.pcap.out index ec38fd18b..5accad659 100644 --- a/tests/result/gnutella.pcap.out +++ b/tests/result/gnutella.pcap.out @@ -4,9 +4,9 @@ DPI Packets (TCP): 528 (3.85 pkts/flow) DPI Packets (UDP): 1232 (2.01 pkts/flow) DPI Packets (other): 10 (1.00 pkts/flow) Confidence Unknown : 592 (flows) -Confidence Match by port : 5 (flows) -Confidence DPI : 163 (flows) -Num dissector calls: 66381 (87.34 diss/flow) +Confidence Match by port : 1 (flows) +Confidence DPI : 167 (flows) +Num dissector calls: 65961 (86.79 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) 
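Review bot: In ndpi_search_natpmp_extra the NATPMP_RESPONSE_UDP_MAPPING/TCP_MAPPING case reads the external port at payload offset 12, but in the 16-byte NAT-PMP mapping response (RFC 6886 §3.3: version, opcode, 2-byte result code, 4-byte epoch, 2-byte internal port, 2-byte mapped external port, 4-byte lifetime) the mapped external port sits at offset 10 and offset 12 is the upper half of the lifetime; the line should read `flow->protos.natpmp.external_port = ntohs(get_u_int16_t(packet->payload, 10));`. The updated expectations only contain unidirectional client→5351 flows (`0 pkts/0 bytes` from the server), so the request path at offsets 4/6 is exercised and this response path is not. The same case also never stores the result code that natpmp_is_valid already checked at offset 2, so a failed mapping is later reported as `Result: 0`; adding `flow->protos.natpmp.result_code = ntohs(get_u_int16_t(packet->payload, 2));` at the top of that case, as the address-response case does, fixes that. Minor wording in the two new risk strings: "must not 0" reads better as "must not be 0".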
@@ -209,10 +209,10 @@ JA3 Host Stats: 162 ICMPV6 [::]:0 -> [ff02::1:ffa4:e108]:0 [proto: 102/ICMPV6][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/78 bytes -> 0 pkts/0 bytes][Goodput ratio: 20/0][< 1 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 163 UDP 10.0.2.15:63717 -> 224.0.0.252:5355 [proto: 154/LLMNR][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/71 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][< 1 sec][Hostname/SNI: msedgewin10][PLAIN TEXT (MSEDGEWIN)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 164 UDP 10.0.2.15:28681 -> 107.4.56.177:10000 [proto: 161/CiscoVPN][IP: 0/Unknown][Encrypted][Confidence: Match by port][cat: VPN/2][1 pkts/66 bytes -> 0 pkts/0 bytes][Goodput ratio: 36/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 165 UDP 10.0.2.15:57619 -> 10.0.2.2:5351 [proto: 312/NAT-PMP][IP: 0/Unknown][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/44 bytes -> 0 pkts/0 bytes][Goodput ratio: 4/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 166 UDP 10.0.2.15:57620 -> 10.0.2.2:5351 [proto: 312/NAT-PMP][IP: 0/Unknown][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/44 bytes -> 0 pkts/0 bytes][Goodput ratio: 4/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 167 UDP 10.0.2.15:57621 -> 10.0.2.2:5351 [proto: 312/NAT-PMP][IP: 0/Unknown][ClearText][Confidence: Match by 
port][cat: Network/14][1 pkts/44 bytes -> 0 pkts/0 bytes][Goodput ratio: 4/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 168 UDP 10.0.2.15:57622 -> 10.0.2.2:5351 [proto: 312/NAT-PMP][IP: 0/Unknown][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/44 bytes -> 0 pkts/0 bytes][Goodput ratio: 4/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 165 UDP 10.0.2.15:57619 -> 10.0.2.2:5351 [proto: 312/NAT-PMP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/44 bytes -> 0 pkts/0 bytes][Goodput ratio: 4/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 166 UDP 10.0.2.15:57620 -> 10.0.2.2:5351 [proto: 312/NAT-PMP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/44 bytes -> 0 pkts/0 bytes][Goodput ratio: 4/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 167 UDP 10.0.2.15:57621 -> 10.0.2.2:5351 [proto: 312/NAT-PMP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/44 bytes -> 0 pkts/0 bytes][Goodput ratio: 4/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 168 UDP 10.0.2.15:57622 -> 10.0.2.2:5351 [proto: 312/NAT-PMP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/44 bytes 
-> 0 pkts/0 bytes][Goodput ratio: 4/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] Undetected flows: diff --git a/tests/result/natpmp.pcap.out b/tests/result/natpmp.pcap.out index 3b816952f..1b706794f 100644 --- a/tests/result/natpmp.pcap.out +++ b/tests/result/natpmp.pcap.out @@ -1,9 +1,8 @@ -Guessed flow protos: 1 +Guessed flow protos: 3 -DPI Packets (UDP): 3 (1.00 pkts/flow) -Confidence Match by port : 1 (flows) -Confidence DPI : 2 (flows) -Num dissector calls: 108 (36.00 diss/flow) +DPI Packets (UDP): 7 (2.33 pkts/flow) +Confidence DPI : 3 (flows) +Num dissector calls: 3 (1.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) 
@@ -22,6 +21,6 @@ Patricia protocols: 6/0 (search/found) NAT-PMP 7 368 3 - 1 UDP 192.168.2.100:35763 -> 192.168.2.1:5351 [proto: 312/NAT-PMP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][4 pkts/216 bytes -> 0 pkts/0 bytes][Goodput ratio: 22/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 UDP 192.168.2.100:59817 -> 192.168.2.1:5351 [proto: 312/NAT-PMP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][2 pkts/108 bytes -> 0 pkts/0 bytes][Goodput ratio: 22/0][0.25 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 UDP 192.168.2.100:36845 -> 192.168.2.1:5351 [proto: 312/NAT-PMP][IP: 0/Unknown][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/44 bytes -> 0 pkts/0 bytes][Goodput ratio: 4/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 192.168.2.100:35763 -> 192.168.2.1:5351 [proto: 312/NAT-PMP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][4 pkts/216 bytes -> 0 pkts/0 bytes][Goodput ratio: 22/0][< 1 sec][Result: 0][Internal Port: 22000][External Port: 20216][External Address: 0.0.0.0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 192.168.2.100:59817 -> 192.168.2.1:5351 [proto: 312/NAT-PMP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][2 pkts/108 bytes -> 0 pkts/0 bytes][Goodput ratio: 22/0][0.25 sec][Result: 0][Internal Port: 22000][External Port: 
6243][External Address: 0.0.0.0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 UDP 192.168.2.100:36845 -> 192.168.2.1:5351 [proto: 312/NAT-PMP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/44 bytes -> 0 pkts/0 bytes][Goodput ratio: 4/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/skype.pcap.out b/tests/result/skype.pcap.out index 186347cc6..f93130799 100644 --- a/tests/result/skype.pcap.out +++ b/tests/result/skype.pcap.out @@ -1,7 +1,7 @@ -Guessed flow protos: 93 +Guessed flow protos: 95 DPI Packets (TCP): 1554 (16.02 pkts/flow) -DPI Packets (UDP): 331 (1.73 pkts/flow) +DPI Packets (UDP): 337 (1.76 pkts/flow) DPI Packets (other): 5 (1.00 pkts/flow) Confidence Unknown : 59 (flows) Confidence Match by port : 28 (flows) 
@@ -125,8 +125,8 @@ JA3 Host Stats: 79 UDP 192.168.1.34:13021 -> 176.26.55.167:63773 [proto: 125.38/Skype_Teams.Skype_TeamsCall][IP: 0/Unknown][Encrypted][Confidence: DPI][cat: VoIP/10][5 pkts/300 bytes -> 0 pkts/0 bytes][Goodput ratio: 30/0][20.13 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 80 UDP 192.168.1.34:58681 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/101 bytes <-> 1 pkts/166 bytes][Goodput ratio: 58/74][0.07 sec][Hostname/SNI: db3msgr5011709.gateway.messenger.live.com][::][PLAIN TEXT (MSGR5011709)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 81 UDP 192.168.1.34:62454 <-> 192.168.1.1:53 [proto: 5.143/DNS.AppleiCloud][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Web/5][1 pkts/101 bytes <-> 1 pkts/133 bytes][Goodput ratio: 58/68][0.05 sec][Hostname/SNI: p05-keyvalueservice.icloud.com.akadns.net][17.172.100.36][PLAIN TEXT (valueservice)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 82 UDP 192.168.1.34:49511 -> 192.168.1.1:5351 [proto: 312/NAT-PMP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][4 pkts/216 bytes -> 0 pkts/0 bytes][Goodput ratio: 22/0][1.78 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 83 UDP 192.168.1.34:54067 -> 192.168.1.1:5351 [proto: 312/NAT-PMP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][4 pkts/216 bytes -> 0 pkts/0 bytes][Goodput ratio: 22/0][1.83 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 
100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 82 UDP 192.168.1.34:49511 -> 192.168.1.1:5351 [proto: 312/NAT-PMP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][4 pkts/216 bytes -> 0 pkts/0 bytes][Goodput ratio: 22/0][1.78 sec][Result: 0][Internal Port: 13021][External Port: 13021][External Address: 0.0.0.0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 83 UDP 192.168.1.34:54067 -> 192.168.1.1:5351 [proto: 312/NAT-PMP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][4 pkts/216 bytes -> 0 pkts/0 bytes][Goodput ratio: 22/0][1.83 sec][Result: 0][Internal Port: 13021][External Port: 13021][External Address: 0.0.0.0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 84 UDP 192.168.1.34:123 <-> 17.253.48.245:123 [proto: 9/NTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: System/18][1 pkts/90 bytes <-> 1 pkts/90 bytes][Goodput ratio: 53/53][0.05 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 85 UDP 192.168.1.34:51879 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype_Teams][IP: 0/Unknown][ClearText][Confidence: DPI][cat: VoIP/10][1 pkts/82 bytes <-> 1 pkts/98 bytes][Goodput ratio: 48/57][0.05 sec][Hostname/SNI: e4593.g.akamaiedge.net][23.206.33.166][PLAIN TEXT (akamaiedge)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 86 UDP 192.168.1.34:63321 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype_Teams][IP: 0/Unknown][ClearText][Confidence: DPI][cat: VoIP/10][1 pkts/82 bytes <-> 1 pkts/98 bytes][Goodput ratio: 48/57][0.05 sec][Hostname/SNI: 
e4593.g.akamaiedge.net][23.206.33.166][PLAIN TEXT (akamaiedge)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out index 88b7e7c78..211483cc2 100644 --- a/tests/result/skype_no_unknown.pcap.out +++ b/tests/result/skype_no_unknown.pcap.out @@ -1,7 +1,7 @@ -Guessed flow protos: 68 +Guessed flow protos: 69 DPI Packets (TCP): 1080 (14.21 pkts/flow) -DPI Packets (UDP): 285 (1.53 pkts/flow) +DPI Packets (UDP): 288 (1.55 pkts/flow) DPI Packets (other): 5 (1.00 pkts/flow) Confidence Unknown : 44 (flows) Confidence Match by port : 22 (flows) 
@@ -108,7 +108,7 @@ JA3 Host Stats: 64 UDP 192.168.1.34:13021 -> 174.49.171.224:32011 [proto: 125.38/Skype_Teams.Skype_TeamsCall][IP: 0/Unknown][Encrypted][Confidence: DPI][cat: VoIP/10][5 pkts/300 bytes -> 0 pkts/0 bytes][Goodput ratio: 30/0][20.15 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 65 UDP 192.168.1.34:57694 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/101 bytes <-> 1 pkts/166 bytes][Goodput ratio: 58/74][0.05 sec][Hostname/SNI: db3msgr5011709.gateway.messenger.live.com][::][PLAIN TEXT (MSGR5011709)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 66 UDP [fe80::c62c:3ff:fe06:49fe]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][2 pkts/258 bytes -> 0 pkts/0 bytes][Goodput ratio: 52/0][0.16 sec][Hostname/SNI: lucas-imac.local][lucas-imac.local][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 67 UDP 192.168.1.34:59052 -> 192.168.1.1:5351 [proto: 312/NAT-PMP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][4 pkts/216 bytes -> 0 pkts/0 bytes][Goodput ratio: 22/0][1.83 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 67 UDP 192.168.1.34:59052 -> 192.168.1.1:5351 [proto: 312/NAT-PMP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][4 pkts/216 bytes -> 0 pkts/0 bytes][Goodput ratio: 22/0][1.83 sec][Result: 0][Internal Port: 13021][External Port: 13021][External Address: 0.0.0.0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 
100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 68 UDP 192.168.1.92:138 -> 192.168.1.255:138 [proto: 10.16/NetBIOS.SMBv1][IP: 0/Unknown][ClearText][Confidence: DPI][cat: System/18][1 pkts/216 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][< 1 sec][Hostname/SNI: lucas-imac][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT ( EMFFEDEBFDCNEJENEBEDCACACACACA)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 69 TCP 192.168.1.34:51283 <-> 111.221.74.48:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: Match by port][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/74 bytes][Goodput ratio: 0/0][0.30 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 70 UDP 192.168.1.34:59788 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype_Teams][IP: 0/Unknown][ClearText][Confidence: DPI][cat: VoIP/10][1 pkts/82 bytes <-> 1 pkts/98 bytes][Goodput ratio: 48/57][0.06 sec][Hostname/SNI: e4593.g.akamaiedge.net][23.206.33.166][PLAIN TEXT (akamaiedge)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |