diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-02-01 15:33:11 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-02-01 15:33:11 +0100 |
| commit | 400cd516b5fbc6137feb73c377a944e3dc64f53b (patch) | |
| tree | cd86a570dbde39fb286a5521f3c165ef4e68cf60 | |
| parent | 44c2e59661b34f7b9004a98ddd31e7b3e514e6ec (diff) | |
Allow multiple `struct ndpi_detection_module_struct` to share some state (#2271)
Add the concept of "global context".
Right now every instance of `struct ndpi_detection_module_struct` (we
will call it "local context" in this description) is completely
independent from each other. This provide optimal performances in
multithreaded environment, where we pin each local context to a thread,
and each thread to a specific CPU core: we don't have any data shared
across the cores.
Each local context has, internally, also some information correlating
**different** flows; something like:
```
if flow1 (PeerA <-> Peer B) is PROTOCOL_X; then
flow2 (PeerC <-> PeerD) will be PROTOCOL_Y
```
To get optimal classification results, both flow1 and flow2 must be
processed by the same local context. This is not an issue at all in the far
most common scenario where there is only one local context, but it might
be impractical in some more complex scenarios.
Create the concept of "global context": multiple local contexts can use
the same global context and share some data (structures) using it.
This way the data correlating multiple flows can be read/write from
different local contexts.
This is an optional feature, disabled by default.
Obviously data structures shared in a global context must be thread safe.
This PR updates the code of the LRU implementation to be, optionally,
thread safe.
Right now, only the LRU caches can be shared; the other main structures
(trees and automas) are basically read-only: there is little sense in
sharing them. Furthermore, these structures don't have any information
correlating multiple flows.
Every LRU cache can be shared, independently from the others, via
`ndpi_set_config(ndpi_struct, NULL, "lru.$CACHE_NAME.scope", "1")`.
It's up to the user to find the right trade-off between performances
(i.e. without shared data) and classification results (i.e. with some
shared data among the local contexts), depending on the specific traffic
patterns and on the algorithms used to balance the flows across the
threads/cores/local contexts.
Add some basic examples of library initialization in
`doc/library_initialization.md`.
This code needs libpthread as external dependency. It shouldn't be a big
issue; however a configure flag has been added to disable global context
support. A new CI job has been added to test it.
TODO: we should need to find a proper way to add some tests on
multithreaded enviroment... not an easy task...
*** API changes ***
If you are not interested in this feature, simply add a NULL parameter to
any `ndpi_init_detection_module()` calls.
49 files changed, 943 insertions, 91 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 107ee7ee8..3a7d44aa8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -67,7 +67,7 @@ jobs: git diff-index --quiet HEAD -- || true test: - name: ${{ matrix.os }} ${{ matrix.arch }} ${{ matrix.gcrypt }} ${{ matrix.compiler }} ${{ matrix.pcre }} ${{ matrix.maxminddb }} ${{ matrix.msan }} ${{ matrix.nBPF }} ${{matrix.lto_gold_linker}} + name: ${{ matrix.os }} ${{ matrix.arch }} ${{ matrix.gcrypt }} ${{ matrix.compiler }} ${{ matrix.pcre }} ${{ matrix.maxminddb }} ${{ matrix.msan }} ${{ matrix.nBPF }} ${{matrix.lto_gold_linker}} ${{matrix.global_context}} runs-on: ${{ matrix.os }} env: CC: ${{ matrix.compiler }} @@ -88,6 +88,7 @@ jobs: msan: [""] nBPF: [""] lto_gold_linker: [""] + global_context: [""] #Enable by default include: - compiler: "gcc-4.9" # "Oldest" gcc easily available. To simulate RHEL7 os: ubuntu-20.04 @@ -141,6 +142,15 @@ jobs: maxminddb: "--with-maxminddb" msan: "--with-sanitizer" nBPF: "nBPF" + - compiler: "cc" + os: ubuntu-latest + arch: "x86_64" + gcrypt: "" + pcre: "--with-pcre2" + maxminddb: "--with-maxminddb" + msan: "--with-sanitizer" + nBPF: "" + global_context: "--disable-global-context-support" - compiler: "clang-17" os: ubuntu-22.04 arch: "x86_64" diff --git a/Makefile.am b/Makefile.am index eea950d78..d17cdcead 100644 --- a/Makefile.am +++ b/Makefile.am @@ -15,6 +15,7 @@ EXTRA_DIST = README.md README.fuzzer.md CHANGELOG.md CONTRIBUTING.md \ doc/requirements.txt doc/conf.py doc/flow_risks.rst doc/protocols.rst doc/guide/nDPI_QuickStartGuide.pages \ doc/guide/nDPI_QuickStartGuide.pdf doc/img/logo.png doc/index.rst \ doc/Makefile doc/what_is_ndpi.rst doc/FAQ.md doc/configuration_parameters.md \ + doc/library_initialization.md \ python/DEV_GUIDE.md python/dev_requirements.txt python/ndpi_example.py python/ndpi/__init__.py \ python/ndpi/ndpi_build.py python/ndpi/ndpi.py python/README.md \ python/requirements.txt python/setup.py python/tests.py \ diff --git a/configure.ac b/configure.ac index 2c80140cb..784698f94 100644 --- a/configure.ac +++ b/configure.ac @@ -29,6 +29,7 @@ AC_ARG_ENABLE(npcap, AS_HELP_STRING([--disable-npcap], [msys2 only: Disable link AC_ARG_WITH(nbpf-path, AS_HELP_STRING([--with-nbpf-path], [nBPF library custom path; default: ${PWD}/../PF_RING/userland/nbpf]),[NBPF_HOME=$withval],[NBPF_HOME=${PWD}/../PF_RING/userland/nbpf]) AC_ARG_WITH(lto-and-gold-linker, AS_HELP_STRING([--with-lto-and-gold-linker], [Build with LTO and Gold linker])) AC_ARG_ENABLE(debug-build, AS_HELP_STRING([--enable-debug-build], [Enable debug build (`-g` flag)]),[enable_debugbuild=$enableval],[enable_debugbuild=no]) +AC_ARG_ENABLE(global-context-support, AS_HELP_STRING([--disable-global-context-support], [Disable support for global context. No external dependency on libpthread])) NDPI_CFLAGS="${NDPI_CFLAGS} -D_DEFAULT_SOURCE=1 -D_GNU_SOURCE=1" @@ -209,6 +210,13 @@ if test "x$ac_cv_lib_rrd_rrd_fetch_r" = xyes; then : EXTRA_TARGETS="$EXTRA_TARGETS rrdtool" fi +GLOBAL_CONTEXT_ENABLED=0 +AS_IF([test "x$enable_global_context_support" != "xno"], [ + AC_CHECK_LIB([pthread], [pthread_mutex_init]) + AC_DEFINE_UNQUOTED(USE_GLOBAL_CONTEXT, 1, [Use gloabl context feature. Depend on libpthread]) + GLOBAL_CONTEXT_ENABLED=1 +]) + ADDITIONAL_INCS= ADDITIONAL_LIBS="$LIBM" PCAP_HOME=$HOME/PF_RING/userland @@ -428,6 +436,7 @@ AC_SUBST(GPROF_ENABLED) AC_SUBST(USE_HOST_LIBGCRYPT) AC_SUBST(PCRE2_ENABLED) AC_SUBST(NBPF_ENABLED) +AC_SUBST(GLOBAL_CONTEXT_ENABLED) AC_SUBST(HANDLE_TLS_SIGS) AC_SUBST(DISABLE_NPCAP) AC_SUBST(EXE_SUFFIX) diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md index 7c8e78ac2..5b7ca257e 100644 --- a/doc/configuration_parameters.md +++ b/doc/configuration_parameters.md @@ -20,6 +20,7 @@ TODO | NULL | "log.level" | 0 | 0 | 3 | Configure the log/debug level. Possible values: 0 = error, 1 = trace, 2 = debug, 3 = extra debug | | NULL | "lru.$CACHE_NAME.size" | See description | 0 | 16777215 | Set the size (in number of elements) of the specified LRU cache (0 = the cache is disabled). The keyword "$CACHE_NAME" is a placeholder for the cache name and the possible values are: ookla, bittorrent, zoom, stun, tls_cert, mining, msteams, stun_zoom. The default value is "32768" for the bittorrent cache, "512" for the zoom cache and "1024" for all the other caches | | NULL | "lru.$CACHE_NAME.ttl" | See description | 0 | 16777215 | Set the TTL (in seconds) for the elements of the specified LRU cache (0 = the elements never explicitly expire). The keyword "$CACHE_NAME" is a placeholder for the cache name and the possible values are: ookla, bittorrent, zoom, stun, tls_cert, mining, msteams, stun_zoom. The default value is "120" for the ookla cache, "60" for the msteams and stun_zoom caches and "0" for all the other caches | +| NULL | "lru.$CACHE_NAME.scope" | 0 | 0 | 1 | Set the scope of the specified LRU cache (0 = the cache is local, 1 = the cache is global). The keyword "$CACHE_NAME" is a placeholder for the cache name and the possible values are: ookla, bittorrent, zoom, stun, tls_cert, mining, msteams, stun_zoom. The global scope con be set only if a global context has been initialized | | "tls" | "certificate_expiration_threshold" | 30 | 0 | 365 | The threshold (in days) used to trigger the `NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE` flow risk | | "tls" | "application_blocks_tracking" | disable | NULL | NULL | Enable/disable processing of TLS Application Blocks (post handshake) to extract statistical information about the flow | | "tls" | "metadata.sha1_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of SHA1 fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_SHA1_CERTIFICATE` is not checked | diff --git a/doc/library_initialization.md b/doc/library_initialization.md new file mode 100644 index 000000000..f70051aa9 --- /dev/null +++ b/doc/library_initialization.md @@ -0,0 +1,84 @@ + + + +A simple, common example + +``` + +struct ndpi_detection_module_struct *ndpi_struct; +ndpi_cfg_error rc; +int ret; + +ndpi_struct = ndpi_init_detection_module(NULL); +if(!ndpi_struct) { + ERROR; +} + +/* Configuration */ + +rc = ndpi_set_config(ndpi_struct, "tls", "certificate_expiration_threshold", "10"); +if(rc != NDPI_CFG_OK) { + ERROR; +} + +/* Finalization */ +ret = ndpi_finalize_initialization(ndpi_struct); +if(ret != 0) { + ERROR; +} + + +/* Initialization done, now you can feed packets to the library */ + + + +/* Cleanup */ + +ndpi_exit_detection_module(ndpi_struct); + + +``` + +A more complex example, with global context and a shared Oookla LRU cache (all the others caches are local) + +``` + +struct ndpi_global_context *g_ctx; +struct ndpi_detection_module_struct *ndpi_structs[num_local_contexts]; +ndpi_cfg_error rc; +int i, ret; + +g_ctx = ndpi_global_init(); +if(!g_ctx) { + ERROR; +} + +for(i = 0; i < num_local_contexts; i++) { + ndpi_structs[i] = ndpi_init_detection_module(g_ctx); + if(!ndpi_struct[i]) { + ERROR; + } + + rc = ndpi_set_config(ndpi_structs[i], NULL, "lru.ookla.scope", "1"); + if(rc != NDPI_CFG_OK) { + ERROR; + } + + ret = ndpi_finalize_initialization(ndpi_structs[i]); + if(ret != 0) { + ERROR; + } +} + +/* Initialization done */ + +/* Cleanup */ + +for(i = 0; i < num_local_contexts; i++) { + ndpi_exit_detection_module(ndpi_structs[i]); +} + +ndpi_global_deinit(g_ctx); + + +``` diff --git a/example/ndpiReader.c b/example/ndpiReader.c index d4ff82b95..6cce7b48f 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -367,7 +367,7 @@ void ndpiCheckHostStringMatch(char *testChar) { if(!testChar) return; - ndpi_str = ndpi_init_detection_module(); + ndpi_str = ndpi_init_detection_module(NULL); ndpi_finalize_initialization(ndpi_str); testRes = ndpi_match_string_subprotocol(ndpi_str, @@ -412,7 +412,7 @@ static void ndpiCheckIPMatch(char *testChar) { if(!testChar) return; - ndpi_str = ndpi_init_detection_module(); + ndpi_str = ndpi_init_detection_module(NULL); NDPI_BITMASK_SET_ALL(all); ndpi_set_protocol_detection_bitmask2(ndpi_str, &all); @@ -476,7 +476,8 @@ static double ndpi_flow_get_byte_count_entropy(const uint32_t byte_count[256], /** * @brief Set main components necessary to the detection */ -static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle); +static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle, + struct ndpi_global_context *g_ctx); /** * @brief Get flow byte distribution mean and variance @@ -646,7 +647,7 @@ static void help(u_int long_help) { max_num_reported_top_payloads, max_num_tcp_dissected_pkts, max_num_udp_dissected_pkts); NDPI_PROTOCOL_BITMASK all; - struct ndpi_detection_module_struct *ndpi_info_mod = ndpi_init_detection_module(); + struct ndpi_detection_module_struct *ndpi_info_mod = ndpi_init_detection_module(NULL); NDPI_BITMASK_SET_ALL(all); ndpi_set_protocol_detection_bitmask2(ndpi_info_mod, &all); @@ -810,7 +811,7 @@ void extcap_config() { ndpi_proto_defaults_t *proto_defaults; #endif - struct ndpi_detection_module_struct *ndpi_info_mod = ndpi_init_detection_module(); + struct ndpi_detection_module_struct *ndpi_info_mod = ndpi_init_detection_module(NULL); #if 0 ndpi_num_supported_protocols = ndpi_get_ndpi_num_supported_protocols(ndpi_info_mod); proto_defaults = ndpi_get_proto_defaults(ndpi_info_mod); @@ -1339,7 +1340,7 @@ static void parseOptions(int argc, char **argv) { case '9': { - struct ndpi_detection_module_struct *ndpi_info_mod = ndpi_init_detection_module(); + struct ndpi_detection_module_struct *ndpi_info_mod = ndpi_init_detection_module(NULL); extcap_packet_filter = ndpi_get_proto_by_name(ndpi_info_mod, optarg); if(extcap_packet_filter == NDPI_PROTOCOL_UNKNOWN) extcap_packet_filter = atoi(optarg); ndpi_exit_detection_module(ndpi_info_mod); @@ -2798,7 +2799,8 @@ static void on_protocol_discovered(struct ndpi_workflow * workflow, /** * @brief Setup for detection begin */ -static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) { +static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle, + struct ndpi_global_context *g_ctx) { NDPI_PROTOCOL_BITMASK enabled_bitmask; struct ndpi_workflow_prefs prefs; int i, ret; @@ -2813,7 +2815,8 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) { memset(&ndpi_thread_info[thread_id], 0, sizeof(ndpi_thread_info[thread_id])); ndpi_thread_info[thread_id].workflow = ndpi_workflow_init(&prefs, pcap_handle, 1, - serialization_format); + serialization_format, + g_ctx); /* Protocols to enable/disable. Default: everything is enabled */ NDPI_BITMASK_SET_ALL(enabled_bitmask); @@ -2854,6 +2857,8 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) { } } + ndpi_thread_info[thread_id].workflow->g_ctx = g_ctx; + ndpi_workflow_set_flow_callback(ndpi_thread_info[thread_id].workflow, on_protocol_discovered, NULL); @@ -2867,7 +2872,7 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) { for(i = 0; i < num_cfgs; i++) { rc = ndpi_set_config(ndpi_thread_info[thread_id].workflow->ndpi_struct, - cfgs[i].proto, cfgs[i].param, cfgs[i].value); + cfgs[i].proto, cfgs[i].param, cfgs[i].value); if (rc != NDPI_CFG_OK) fprintf(stderr, "Error setting config [%s][%s][%s]: %d\n", cfgs[i].proto, cfgs[i].param, cfgs[i].value, rc); @@ -3841,10 +3846,21 @@ static void printResults(u_int64_t processing_time_usec, u_int64_t setup_time_us /* LRU caches */ for(i = 0; i < NDPI_LRUCACHE_MAX; i++) { struct ndpi_lru_cache_stats s; - ndpi_get_lru_cache_stats(ndpi_thread_info[thread_id].workflow->ndpi_struct, i, &s); - cumulative_stats.lru_stats[i].n_insert += s.n_insert; - cumulative_stats.lru_stats[i].n_search += s.n_search; - cumulative_stats.lru_stats[i].n_found += s.n_found; + int scope; + char param[64]; + + snprintf(param, sizeof(param), "lru.%s.scope", ndpi_lru_cache_idx_to_name(i)); + if(ndpi_get_config(ndpi_thread_info[thread_id].workflow->ndpi_struct, NULL, param, buf, sizeof(buf)) != NULL) { + scope = atoi(buf); + if(scope == NDPI_LRUCACHE_SCOPE_LOCAL || + (scope == NDPI_LRUCACHE_SCOPE_GLOBAL && thread_id == 0)) { + ndpi_get_lru_cache_stats(ndpi_thread_info[thread_id].workflow->g_ctx, + ndpi_thread_info[thread_id].workflow->ndpi_struct, i, &s); + cumulative_stats.lru_stats[i].n_insert += s.n_insert; + cumulative_stats.lru_stats[i].n_search += s.n_search; + cumulative_stats.lru_stats[i].n_found += s.n_found; + } + } } /* Automas */ @@ -4152,7 +4168,7 @@ static void printResults(u_int64_t processing_time_usec, u_int64_t setup_time_us (long long unsigned int)cumulative_stats.patricia_stats[NDPI_PTREE_PROTOCOLS6].n_found); if(enable_malloc_bins) - fprintf(results_file, "Data-path malloc histogram: %s\n", ndpi_print_bin(&malloc_bins, 0, buf, sizeof(buf))); + fprintf(results_file, "Data-path malloc histogram: %s\n", ndpi_print_bin(&malloc_bins, 0, buf, sizeof(buf))); } fprintf(results_file, "\n"); @@ -4649,6 +4665,7 @@ void * processing_thread(void *_thread_id) { return NULL; } +/* ***************************************************** */ /** * @brief Begin, process, end detection process @@ -4660,10 +4677,23 @@ void test_lib() { #else long thread_id; #endif + struct ndpi_global_context *g_ctx; set_ndpi_malloc(ndpi_malloc_wrapper), set_ndpi_free(free_wrapper); set_ndpi_flow_malloc(NULL), set_ndpi_flow_free(NULL); +#ifndef USE_GLOBAL_CONTEXT + /* ndpiReader works even if libnDPI has been compiled without global context support, + but you can't configure any cache with global scope */ + g_ctx = NULL; +#else + g_ctx = ndpi_global_init(); + if(!g_ctx) { + fprintf(stderr, "Error ndpi_global_init\n"); + exit(-1); + } +#endif + #ifdef DEBUG_TRACE if(trace) fprintf(trace, "Num threads: %d\n", num_threads); #endif @@ -4676,7 +4706,7 @@ void test_lib() { #endif cap = openPcapFileOrDevice(thread_id, (const u_char*)_pcap_file[thread_id]); - setupDetection(thread_id, cap); + setupDetection(thread_id, cap, g_ctx); } gettimeofday(&begin, NULL); @@ -4736,6 +4766,8 @@ void test_lib() { terminateDetection(thread_id); } + + ndpi_global_deinit(g_ctx); } /* *********************************************** */ @@ -4853,7 +4885,7 @@ static void dgaUnitTest() { }; int debug = 0, i; NDPI_PROTOCOL_BITMASK all; - struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module(); + struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module(NULL); assert(ndpi_str != NULL); @@ -5696,7 +5728,7 @@ void outlierUnitTest() { void domainsUnitTest() { NDPI_PROTOCOL_BITMASK all; - struct ndpi_detection_module_struct *ndpi_info_mod = ndpi_init_detection_module(); + struct ndpi_detection_module_struct *ndpi_info_mod = ndpi_init_detection_module(NULL); const char *lists_path = "../lists/public_suffix_list.dat"; struct stat st; diff --git a/example/ndpiSimpleIntegration.c b/example/ndpiSimpleIntegration.c index edc37090c..4517edbdf 100644 --- a/example/ndpiSimpleIntegration.c +++ b/example/ndpiSimpleIntegration.c @@ -188,7 +188,7 @@ static struct nDPI_workflow * init_workflow(char const * const file_or_device) printf("pcap_setfilter error: '%s'\n", pcap_geterr(workflow->pcap_handle)); } - workflow->ndpi_struct = ndpi_init_detection_module(); + workflow->ndpi_struct = ndpi_init_detection_module(NULL); if (workflow->ndpi_struct == NULL) { free_workflow(&workflow); return NULL; diff --git a/example/reader_util.c b/example/reader_util.c index e666e4690..bdf723e61 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -367,7 +367,7 @@ int parse_proto_name_list(char *str, NDPI_PROTOCOL_BITMASK *bitmask, int inverte else op = 0; /* Default action: remove from the bitmask */ /* Use a temporary module with all protocols enabled */ - module = ndpi_init_detection_module(); + module = ndpi_init_detection_module(NULL); if(!module) return 1; NDPI_BITMASK_SET_ALL(all); @@ -408,11 +408,12 @@ int parse_proto_name_list(char *str, NDPI_PROTOCOL_BITMASK *bitmask, int inverte struct ndpi_workflow* ndpi_workflow_init(const struct ndpi_workflow_prefs * prefs, pcap_t * pcap_handle, int do_init_flows_root, - ndpi_serialization_format serialization_format) { + ndpi_serialization_format serialization_format, + struct ndpi_global_context *g_ctx) { struct ndpi_detection_module_struct * module; struct ndpi_workflow * workflow; - module = ndpi_init_detection_module(); + module = ndpi_init_detection_module(g_ctx); if(module == NULL) { LOG(NDPI_LOG_ERROR, "global structure initialization failed\n"); diff --git a/example/reader_util.h b/example/reader_util.h index 4623be378..408a14ec4 100644 --- a/example/reader_util.h +++ b/example/reader_util.h @@ -383,6 +383,7 @@ typedef struct ndpi_workflow { /* allocated by prefs */ void **ndpi_flows_root; struct ndpi_detection_module_struct *ndpi_struct; + struct ndpi_global_context *g_ctx; u_int32_t num_allocated_flows; /* CSV,TLV,JSON serialization interface */ @@ -391,7 +392,7 @@ typedef struct ndpi_workflow { /* TODO: remove wrappers parameters and use ndpi global, when their initialization will be fixed... */ -struct ndpi_workflow * ndpi_workflow_init(const struct ndpi_workflow_prefs * prefs, pcap_t * pcap_handle, int do_init_flows_root, ndpi_serialization_format serialization_format); +struct ndpi_workflow * ndpi_workflow_init(const struct ndpi_workflow_prefs * prefs, pcap_t * pcap_handle, int do_init_flows_root, ndpi_serialization_format serialization_format, struct ndpi_global_context *g_ctx); /* workflow main free function */ diff --git a/fuzz/fuzz_common_code.c b/fuzz/fuzz_common_code.c index f0f75514e..08147d635 100644 --- a/fuzz/fuzz_common_code.c +++ b/fuzz/fuzz_common_code.c @@ -34,12 +34,13 @@ void fuzz_set_alloc_callbacks_and_seed(int seed) fuzz_set_alloc_seed(seed); } -void fuzz_init_detection_module(struct ndpi_detection_module_struct **ndpi_info_mod) +void fuzz_init_detection_module(struct ndpi_detection_module_struct **ndpi_info_mod, + struct ndpi_global_context *g_ctx) { NDPI_PROTOCOL_BITMASK all; if(*ndpi_info_mod == NULL) { - *ndpi_info_mod = ndpi_init_detection_module(); + *ndpi_info_mod = ndpi_init_detection_module(g_ctx); ndpi_set_config_u64(*ndpi_info_mod, NULL, "log.level", 3); ndpi_set_config(*ndpi_info_mod, "all", "log", "enable"); diff --git a/fuzz/fuzz_common_code.h b/fuzz/fuzz_common_code.h index c5e4fb9c9..e2a158664 100644 --- a/fuzz/fuzz_common_code.h +++ b/fuzz/fuzz_common_code.h @@ -8,7 +8,8 @@ extern "C" { #endif -void fuzz_init_detection_module(struct ndpi_detection_module_struct **ndpi_info_mod); +void fuzz_init_detection_module(struct ndpi_detection_module_struct **ndpi_info_mod, + struct ndpi_global_context *g_ctx); /* To allow memory allocation failures */ void fuzz_set_alloc_callbacks(void); diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp index 6f8ea2b9f..daf2b561c 100644 --- a/fuzz/fuzz_config.cpp +++ b/fuzz/fuzz_config.cpp @@ -27,6 +27,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { struct ndpi_flow_input_info input_info; ndpi_proto p, p2; char out[128]; + struct ndpi_global_context *g_ctx; char log_ts[32]; int value; char cfg_value[32]; @@ -37,7 +38,12 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { /* To allow memory allocation failures */ fuzz_set_alloc_callbacks_and_seed(size); - ndpi_info_mod = ndpi_init_detection_module(); + if(fuzzed_data.ConsumeBool()) + g_ctx = ndpi_global_init(); + else + g_ctx = NULL; + + ndpi_info_mod = ndpi_init_detection_module(g_ctx); set_ndpi_debug_function(ndpi_info_mod, NULL); @@ -271,6 +277,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_set_config(ndpi_info_mod, NULL, "lru.ookla.ttl", cfg_value); } if(fuzzed_data.ConsumeBool()) { + value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); + sprintf(cfg_value, "%d", value); + ndpi_set_config(ndpi_info_mod, NULL, "lru.ookla.scope", cfg_value); + } + if(fuzzed_data.ConsumeBool()) { value = fuzzed_data.ConsumeIntegralInRange(0, 16777215 / 2); /* max / 2 instead of max + 1 to avoid oom on oss-fuzzer */ sprintf(cfg_value, "%d", value); ndpi_set_config(ndpi_info_mod, NULL, "lru.bittorrent.size", cfg_value); @@ -281,6 +292,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_set_config(ndpi_info_mod, NULL, "lru.bittorrent.ttl", cfg_value); } if(fuzzed_data.ConsumeBool()) { + value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); + sprintf(cfg_value, "%d", value); + ndpi_set_config(ndpi_info_mod, NULL, "lru.bittorrent.scope", cfg_value); + } + if(fuzzed_data.ConsumeBool()) { value = fuzzed_data.ConsumeIntegralInRange(0, 16777215 / 2); /* max / 2 instead of max + 1 to avoid oom on oss-fuzzer */ sprintf(cfg_value, "%d", value); ndpi_set_config(ndpi_info_mod, NULL, "lru.zoom.size", cfg_value); @@ -291,6 +307,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_set_config(ndpi_info_mod, NULL, "lru.zoom.ttl", cfg_value); } if(fuzzed_data.ConsumeBool()) { + value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); + sprintf(cfg_value, "%d", value); + ndpi_set_config(ndpi_info_mod, NULL, "lru.zoom.scope", cfg_value); + } + if(fuzzed_data.ConsumeBool()) { value = fuzzed_data.ConsumeIntegralInRange(0, 16777215 / 2); /* max / 2 instead of max + 1 to avoid oom on oss-fuzzer */ sprintf(cfg_value, "%d", value); ndpi_set_config(ndpi_info_mod, NULL, "lru.stun.size", cfg_value); @@ -301,6 +322,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_set_config(ndpi_info_mod, NULL, "lru.stun.ttl", cfg_value); } if(fuzzed_data.ConsumeBool()) { + value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); + sprintf(cfg_value, "%d", value); + ndpi_set_config(ndpi_info_mod, NULL, "lru.stun.scope", cfg_value); + } + if(fuzzed_data.ConsumeBool()) { value = fuzzed_data.ConsumeIntegralInRange(0, 16777215 / 2); /* max / 2 instead of max + 1 to avoid oom on oss-fuzzer */ sprintf(cfg_value, "%d", value); ndpi_set_config(ndpi_info_mod, NULL, "lru.tls_cert.size", cfg_value); @@ -311,6 +337,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_set_config(ndpi_info_mod, NULL, "lru.tls_cert.ttl", cfg_value); } if(fuzzed_data.ConsumeBool()) { + value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); + sprintf(cfg_value, "%d", value); + ndpi_set_config(ndpi_info_mod, NULL, "lru.tls_cert.scope", cfg_value); + } + if(fuzzed_data.ConsumeBool()) { value = fuzzed_data.ConsumeIntegralInRange(0, 16777215 / 2); /* max / 2 instead of max + 1 to avoid oom on oss-fuzzer */ sprintf(cfg_value, "%d", value); ndpi_set_config(ndpi_info_mod, NULL, "lru.mining.size", cfg_value); @@ -321,6 +352,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_set_config(ndpi_info_mod, NULL, "lru.mining.ttl", cfg_value); } if(fuzzed_data.ConsumeBool()) { + value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); + sprintf(cfg_value, "%d", value); + ndpi_set_config(ndpi_info_mod, NULL, "lru.mining.scope", cfg_value); + } + if(fuzzed_data.ConsumeBool()) { value = fuzzed_data.ConsumeIntegralInRange(0, 16777215 / 2); /* max / 2 instead of max + 1 to avoid oom on oss-fuzzer */ sprintf(cfg_value, "%d", value); ndpi_set_config(ndpi_info_mod, NULL, "lru.msteams.size", cfg_value); @@ -331,6 +367,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_set_config(ndpi_info_mod, NULL, "lru.msteams.ttl", cfg_value); } if(fuzzed_data.ConsumeBool()) { + value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); + sprintf(cfg_value, "%d", value); + ndpi_set_config(ndpi_info_mod, NULL, "lru.msteams.scope", cfg_value); + } + if(fuzzed_data.ConsumeBool()) { value = fuzzed_data.ConsumeIntegralInRange(0, 16777215 / 2); /* max / 2 instead of max + 1 to avoid oom on oss-fuzzer */ sprintf(cfg_value, "%d", value); ndpi_set_config(ndpi_info_mod, NULL, "lru.stun_zoom.size", cfg_value); @@ -340,6 +381,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { sprintf(cfg_value, "%d", value); ndpi_set_config(ndpi_info_mod, NULL, "lru.stun_zoom.ttl", cfg_value); } + if(fuzzed_data.ConsumeBool()) { + value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); + sprintf(cfg_value, "%d", value); + ndpi_set_config(ndpi_info_mod, NULL, "lru.stun_zoom.scope", cfg_value); + } /* Configure one cache via index */ if(fuzzed_data.ConsumeBool()) { idx = fuzzed_data.ConsumeIntegralInRange(0, static_cast<int>(NDPI_LRUCACHE_MAX)); @@ -347,10 +393,16 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if(name) { value = fuzzed_data.ConsumeIntegralInRange(0, 16777215 / 2); /* max / 2 instead of max + 1 to avoid oom on oss-fuzzer */ sprintf(cfg_param, "lru.%s.size", name); + sprintf(cfg_value, "%d", value); ndpi_set_config(ndpi_info_mod, NULL, cfg_param, cfg_value); ndpi_get_config(ndpi_info_mod, NULL, cfg_param, cfg_value, sizeof(cfg_value)); value = fuzzed_data.ConsumeIntegralInRange(0, 16777215 + 1); sprintf(cfg_param, "lru.%s.ttl", name); + sprintf(cfg_value, "%d", value); + ndpi_set_config(ndpi_info_mod, NULL, cfg_param, cfg_value); + value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); + sprintf(cfg_param, "lru.%s.scope", name); + sprintf(cfg_value, "%d", value); ndpi_set_config(ndpi_info_mod, NULL, cfg_param, cfg_value); ndpi_get_config(ndpi_info_mod, NULL, cfg_param, cfg_value, sizeof(cfg_value)); } @@ -500,7 +552,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { /* Get some final stats */ for(i = 0; i < NDPI_LRUCACHE_MAX + 1; i++) /* + 1 to test invalid type */ - ndpi_get_lru_cache_stats(ndpi_info_mod, static_cast<lru_cache_type>(i), &lru_stats); + ndpi_get_lru_cache_stats(g_ctx, ndpi_info_mod, static_cast<lru_cache_type>(i), &lru_stats); for(i = 0; i < NDPI_PTREE_MAX + 1; i++) /* + 1 to test invalid type */ ndpi_get_patricia_stats(ndpi_info_mod, static_cast<ptree_type>(i), &patricia_stats); for(i = 0; i < NDPI_AUTOMA_MAX + 1; i++) /* + 1 to test invalid type */ @@ -523,5 +575,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_exit_detection_module(ndpi_info_mod); + ndpi_global_deinit(g_ctx); + return 0; } diff --git a/fuzz/fuzz_dga.c b/fuzz/fuzz_dga.c index 3b09550ff..2635e64f5 100644 --- a/fuzz/fuzz_dga.c +++ b/fuzz/fuzz_dga.c @@ -13,7 +13,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { char *name; if (ndpi_struct == NULL) { - fuzz_init_detection_module(&ndpi_struct); + fuzz_init_detection_module(&ndpi_struct, NULL); ndpi_flow = ndpi_calloc(1, sizeof(struct ndpi_flow_struct)); } diff --git a/fuzz/fuzz_filecfg_categories.c b/fuzz/fuzz_filecfg_categories.c index 00e922c2f..9e24b6c03 100644 --- a/fuzz/fuzz_filecfg_categories.c +++ b/fuzz/fuzz_filecfg_categories.c @@ -10,7 +10,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { /* To allow memory allocation failures */ fuzz_set_alloc_callbacks_and_seed(size); - ndpi_struct = ndpi_init_detection_module(); + ndpi_struct = ndpi_init_detection_module(NULL); NDPI_BITMASK_SET_ALL(all); ndpi_set_protocol_detection_bitmask2(ndpi_struct, &all); diff --git a/fuzz/fuzz_filecfg_category.c b/fuzz/fuzz_filecfg_category.c index 757ada01f..3e6de6edd 100644 --- a/fuzz/fuzz_filecfg_category.c +++ b/fuzz/fuzz_filecfg_category.c @@ -10,7 +10,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { /* To allow memory allocation failures */ fuzz_set_alloc_callbacks_and_seed(size); - ndpi_struct = ndpi_init_detection_module(); + ndpi_struct = ndpi_init_detection_module(NULL); NDPI_BITMASK_SET_ALL(all); ndpi_set_protocol_detection_bitmask2(ndpi_struct, &all); diff --git a/fuzz/fuzz_filecfg_config.c b/fuzz/fuzz_filecfg_config.c index 6a096d75e..f9af6a59e 100644 --- a/fuzz/fuzz_filecfg_config.c +++ b/fuzz/fuzz_filecfg_config.c @@ -10,7 +10,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { /* To allow memory allocation failures */ fuzz_set_alloc_callbacks_and_seed(size); - ndpi_struct = ndpi_init_detection_module(); + ndpi_struct = ndpi_init_detection_module(NULL); NDPI_BITMASK_SET_ALL(all); ndpi_set_protocol_detection_bitmask2(ndpi_struct, &all); diff --git a/fuzz/fuzz_filecfg_malicious_ja3.c b/fuzz/fuzz_filecfg_malicious_ja3.c index 9c32fc227..3d7b4e70b 100644 --- a/fuzz/fuzz_filecfg_malicious_ja3.c +++ b/fuzz/fuzz_filecfg_malicious_ja3.c @@ -10,7 +10,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { /* To allow memory allocation failures */ fuzz_set_alloc_callbacks_and_seed(size); - ndpi_struct = ndpi_init_detection_module(); + ndpi_struct = ndpi_init_detection_module(NULL); NDPI_BITMASK_SET_ALL(all); ndpi_set_protocol_detection_bitmask2(ndpi_struct, &all); diff --git a/fuzz/fuzz_filecfg_malicious_sha1.c b/fuzz/fuzz_filecfg_malicious_sha1.c index ef056f9c8..6685b5d6e 100644 --- a/fuzz/fuzz_filecfg_malicious_sha1.c +++ b/fuzz/fuzz_filecfg_malicious_sha1.c @@ -10,7 +10,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { /* To allow memory allocation failures */ fuzz_set_alloc_callbacks_and_seed(size); - ndpi_struct = ndpi_init_detection_module(); + ndpi_struct = ndpi_init_detection_module(NULL); NDPI_BITMASK_SET_ALL(all); ndpi_set_protocol_detection_bitmask2(ndpi_struct, &all); diff --git a/fuzz/fuzz_filecfg_protocols.c b/fuzz/fuzz_filecfg_protocols.c index 9a5bba43c..b42cb6524 100644 --- a/fuzz/fuzz_filecfg_protocols.c +++ b/fuzz/fuzz_filecfg_protocols.c @@ -10,7 +10,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { /* To allow memory allocation failures */ fuzz_set_alloc_callbacks_and_seed(size); - ndpi_struct = ndpi_init_detection_module(); + ndpi_struct = ndpi_init_detection_module(NULL); NDPI_BITMASK_SET_ALL(all); ndpi_set_protocol_detection_bitmask2(ndpi_struct, &all); diff --git a/fuzz/fuzz_filecfg_risk_domains.c b/fuzz/fuzz_filecfg_risk_domains.c index 4e482c783..bb3677c16 100644 --- a/fuzz/fuzz_filecfg_risk_domains.c +++ b/fuzz/fuzz_filecfg_risk_domains.c @@ -10,7 +10,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { /* To allow memory allocation failures */ fuzz_set_alloc_callbacks_and_seed(size); - ndpi_struct = ndpi_init_detection_module(); + ndpi_struct = ndpi_init_detection_module(NULL); NDPI_BITMASK_SET_ALL(all); ndpi_set_protocol_detection_bitmask2(ndpi_struct, &all); diff --git a/fuzz/fuzz_is_stun.c b/fuzz/fuzz_is_stun.c index dc1c98f07..76576f100 100644 --- a/fuzz/fuzz_is_stun.c +++ b/fuzz/fuzz_is_stun.c @@ -21,7 +21,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { struct ndpi_packet_struct *packet; if (ndpi_struct == NULL) { - fuzz_init_detection_module(&ndpi_struct); + fuzz_init_detection_module(&ndpi_struct, NULL); } packet = &ndpi_struct->packet; diff --git a/fuzz/fuzz_ndpi_reader.c b/fuzz/fuzz_ndpi_reader.c index 7b0268eed..9d53918e3 100644 --- a/fuzz/fuzz_ndpi_reader.c +++ b/fuzz/fuzz_ndpi_reader.c @@ -10,6 +10,7 @@ struct ndpi_workflow_prefs *prefs = NULL; struct ndpi_workflow *workflow = NULL; +struct ndpi_global_context *g_ctx; u_int8_t enable_payload_analyzer = 0; u_int8_t enable_flow_stats = 1; @@ -48,7 +49,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { fuzz_set_alloc_callbacks(); #endif - workflow = ndpi_workflow_init(prefs, NULL /* pcap handler will be set later */, 0, ndpi_serialization_format_json); + g_ctx = ndpi_global_init(); + + workflow = ndpi_workflow_init(prefs, NULL /* pcap handler will be set later */, 0, ndpi_serialization_format_json, g_ctx); ndpi_set_config(workflow->ndpi_struct, NULL, "log.level", "3"); ndpi_set_config(workflow->ndpi_struct, "all", "log", "1"); diff --git a/fuzz/fuzz_process_packet.c b/fuzz/fuzz_process_packet.c index 2098f4fd1..c570c3fd6 100644 --- a/fuzz/fuzz_process_packet.c +++ b/fuzz/fuzz_process_packet.c @@ -13,7 +13,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { uint8_t protocol_was_guessed; if (ndpi_info_mod == NULL) { - fuzz_init_detection_module(&ndpi_info_mod); + fuzz_init_detection_module(&ndpi_info_mod, NULL); ndpi_init_serializer(&json_serializer, ndpi_serialization_format_json); ndpi_init_serializer(&csv_serializer, ndpi_serialization_format_csv); diff --git a/fuzz/fuzz_quic_get_crypto_data.c b/fuzz/fuzz_quic_get_crypto_data.c index 86a2ec32f..16c95ab47 100644 --- a/fuzz/fuzz_quic_get_crypto_data.c +++ b/fuzz/fuzz_quic_get_crypto_data.c @@ -14,7 +14,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { u_int32_t first_int, version = 0; if(ndpi_info_mod == NULL) { - fuzz_init_detection_module(&ndpi_info_mod); + fuzz_init_detection_module(&ndpi_info_mod, NULL); flow = ndpi_calloc(1, SIZEOF_FLOW_STRUCT); } diff --git a/fuzz/fuzz_readerutils_workflow.cpp b/fuzz/fuzz_readerutils_workflow.cpp index a3aea2e11..9087a72c1 100644 --- a/fuzz/fuzz_readerutils_workflow.cpp +++ b/fuzz/fuzz_readerutils_workflow.cpp @@ -17,6 +17,7 @@ int malloc_size_stats = 0; extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FuzzedDataProvider fuzzed_data(data, size); ndpi_workflow *w; + struct ndpi_global_context *g_ctx; struct ndpi_workflow_prefs prefs; pcap_t *pcap_handle; ndpi_serialization_format serialization_format; @@ -82,7 +83,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { return 0; } - w = ndpi_workflow_init(&prefs, pcap_handle, 1, serialization_format); + g_ctx = ndpi_global_init(); + + w = ndpi_workflow_init(&prefs, pcap_handle, 1, serialization_format, g_ctx); if(w) { NDPI_BITMASK_SET_ALL(enabled_bitmask); rc = ndpi_set_protocol_detection_bitmask2(w->ndpi_struct, &enabled_bitmask); @@ -101,6 +104,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { } pcap_close(pcap_handle); + ndpi_global_deinit(g_ctx); + ndpi_free(_debug_protocols); return 0; diff --git a/fuzz/fuzz_tls_certificate.c b/fuzz/fuzz_tls_certificate.c index 0843a30fe..9f38dd52c 100644 --- a/fuzz/fuzz_tls_certificate.c +++ b/fuzz/fuzz_tls_certificate.c @@ -17,7 +17,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { int is_ipv6; if (ndpi_struct == NULL) { - fuzz_init_detection_module(&ndpi_struct); + fuzz_init_detection_module(&ndpi_struct, NULL); ndpi_flow = ndpi_calloc(1, sizeof(struct ndpi_flow_struct)); } diff --git a/python/ndpi/ndpi.py b/python/ndpi/ndpi.py index 32d6ea595..3745af94d 100644 --- a/python/ndpi/ndpi.py +++ b/python/ndpi/ndpi.py @@ -32,7 +32,7 @@ class NDPI(object): "_detection_module") def __init__(self): - self._detection_module = lib.ndpi_init_detection_module() + self._detection_module = lib.ndpi_init_detection_module(ffi.NULL) if self._detection_module == ffi.NULL: raise MemoryError("Unable to instantiate NDPI object") lib.ndpi_py_setup_detection_module(self._detection_module) diff --git a/python/ndpi/ndpi_build.py b/python/ndpi/ndpi_build.py index a2af30716..07aac0de3 100644 --- a/python/ndpi/ndpi_build.py +++ b/python/ndpi/ndpi_build.py @@ -49,7 +49,7 @@ struct ndpi_flow_struct * ndpi_py_initialize_flow(void) { NDPI_APIS = """ u_int16_t ndpi_get_api_version(void); char* ndpi_revision(void); -struct ndpi_detection_module_struct *ndpi_init_detection_module(); +struct ndpi_detection_module_struct *ndpi_init_detection_module(struct ndpi_global_context *g_ctx); void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_struct); void ndpi_flow_free(void *ptr); ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct *ndpi_struct, diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index abef7ad34..ea40927bf 100644 --- a/src/include/ndpi_api.h +++ b/src/include/ndpi_api.h @@ -202,6 +202,22 @@ extern "C" { ndpi_protocol_match const * const match); /** + * Returns a new initialized global context. + * + * @return the initialized global context + * + */ + struct ndpi_global_context *ndpi_global_init(void); + + /** + * Deinit a properly initialized global context. + * + * @par g_ctx = global context to free/deinit + * + */ + void ndpi_global_deinit(struct ndpi_global_context *g_ctx); + + /** * Returns a new initialized detection module * Note that before you can use it you can still load * hosts and do other things. As soon as you are ready to use @@ -211,10 +227,11 @@ extern "C" { * indipendent detection contexts) but all these calls MUST NOT run * in parallel * + * @g_ctx = global context associated to the new detection module; NULL if no global context is needed * @return the initialized detection module * */ - struct ndpi_detection_module_struct *ndpi_init_detection_module(void); + struct ndpi_detection_module_struct *ndpi_init_detection_module(struct ndpi_global_context *g_ctx); /** * Completes the initialization (2nd step) @@ -1038,14 +1055,15 @@ extern "C" { u_int32_t ndpi_get_current_time(struct ndpi_flow_struct *flow); /* LRU cache */ - struct ndpi_lru_cache* ndpi_lru_cache_init(u_int32_t num_entries, u_int32_t ttl); + struct ndpi_lru_cache* ndpi_lru_cache_init(u_int32_t num_entries, u_int32_t ttl, int shared); void ndpi_lru_free_cache(struct ndpi_lru_cache *c); u_int8_t ndpi_lru_find_cache(struct ndpi_lru_cache *c, u_int32_t key, u_int16_t *value, u_int8_t clean_key_when_found, u_int32_t now_sec); void ndpi_lru_add_to_cache(struct ndpi_lru_cache *c, u_int32_t key, u_int16_t value, u_int32_t now_sec); void ndpi_lru_get_stats(struct ndpi_lru_cache *c, struct ndpi_lru_cache_stats *stats); - int ndpi_get_lru_cache_stats(struct ndpi_detection_module_struct *ndpi_struct, + int ndpi_get_lru_cache_stats(struct ndpi_global_context *g_ctx, + struct ndpi_detection_module_struct *ndpi_struct, lru_cache_type cache_type, struct ndpi_lru_cache_stats *stats); diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h index 0721f2db1..efaafb67a 100644 --- a/src/include/ndpi_private.h +++ b/src/include/ndpi_private.h @@ -144,6 +144,34 @@ typedef struct { } nbpf_filter; #endif +struct ndpi_global_context { + + /* LRU caches */ + + /* NDPI_PROTOCOL_OOKLA */ + int ookla_cache_is_global; + struct ndpi_lru_cache *ookla_global_cache; + + /* NDPI_PROTOCOL_BITTORRENT */ + struct ndpi_lru_cache *bittorrent_global_cache; + + /* NDPI_PROTOCOL_ZOOM */ + struct ndpi_lru_cache *zoom_global_cache; + + /* NDPI_PROTOCOL_STUN and subprotocols */ + struct ndpi_lru_cache *stun_global_cache; + struct ndpi_lru_cache *stun_zoom_global_cache; + + /* NDPI_PROTOCOL_TLS and subprotocols */ + struct ndpi_lru_cache *tls_cert_global_cache; + + /* NDPI_PROTOCOL_MINING and subprotocols */ + struct ndpi_lru_cache *mining_global_cache; + + /* NDPI_PROTOCOL_MSTEAMS */ + struct ndpi_lru_cache *msteams_global_cache; +}; + #define CFG_MAX_LEN 256 struct ndpi_detection_module_config_struct { @@ -177,20 +205,28 @@ struct ndpi_detection_module_config_struct { int ookla_cache_num_entries; int ookla_cache_ttl; + int ookla_cache_scope; int bittorrent_cache_num_entries; int bittorrent_cache_ttl; + int bittorrent_cache_scope; int zoom_cache_num_entries; int zoom_cache_ttl; + int zoom_cache_scope; int stun_cache_num_entries; int stun_cache_ttl; + int stun_cache_scope; int tls_cert_cache_num_entries; int tls_cert_cache_ttl; + int tls_cert_cache_scope; int mining_cache_num_entries; int mining_cache_ttl; + int mining_cache_scope; int msteams_cache_num_entries; int msteams_cache_ttl; + int msteams_cache_scope; int stun_zoom_cache_num_entries; int stun_zoom_cache_ttl; + int stun_zoom_cache_scope; /* Protocols */ @@ -301,6 +337,7 @@ struct ndpi_detection_module_struct { u_int8_t ip_version_limit; + struct ndpi_global_context *g_ctx; struct ndpi_detection_module_config_struct cfg; /* NDPI_PROTOCOL_TINC */ diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 72e2cd704..ebad711f1 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -24,6 +24,11 @@ E * ndpi_typedefs.h #ifndef __NDPI_TYPEDEFS_H__ #define __NDPI_TYPEDEFS_H__ +#ifndef NDPI_CFFI_PREPROCESSING +#define HAVE_STRUCT_TIMESPEC +#include <pthread.h> +#endif + #include "ndpi_define.h" #ifndef NDPI_CFFI_PREPROCESSING #include "ndpi_includes.h" @@ -743,6 +748,11 @@ typedef enum { NDPI_LRUCACHE_MAX /* Last one! */ } lru_cache_type; +typedef enum { + NDPI_LRUCACHE_SCOPE_LOCAL = 0, + NDPI_LRUCACHE_SCOPE_GLOBAL, +} lru_cache_scope; + struct ndpi_lru_cache_entry { u_int32_t key; /* Store the whole key to avoid ambiguities */ u_int32_t is_full:1, value:16, pad:15; @@ -757,7 +767,10 @@ struct ndpi_lru_cache_stats { struct ndpi_lru_cache { u_int32_t num_entries; - u_int32_t ttl; + u_int32_t ttl : 31, shared : 1; +#ifndef NDPI_CFFI_PREPROCESSING + pthread_mutex_t mutex; +#endif struct ndpi_lru_cache_stats stats; struct ndpi_lru_cache_entry *entries; }; @@ -947,6 +960,8 @@ struct ndpi_flow_udp_struct { /* ************************************************** */ + +struct ndpi_global_context; struct ndpi_detection_module_struct; struct ndpi_flow_struct; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index ab2470aaa..0870bcbc1 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -3088,9 +3088,60 @@ static void free_ptree_data(void *data) { } } +struct ndpi_global_context *ndpi_global_init(void) { + +#ifndef USE_GLOBAL_CONTEXT + return NULL; +#endif + + struct ndpi_global_context *g_ctx = ndpi_calloc(1, sizeof(struct ndpi_global_context)); + + if(g_ctx == NULL) + return(NULL); + + /* Global caches (if any) are initialized during the initialization + of the local context(s) */ + + /* Note that we don't have yet an easy way to log from this function */ + + return g_ctx; +} + /* ******************************************************************** */ -struct ndpi_detection_module_struct *ndpi_init_detection_module(void) { +void ndpi_global_deinit(struct ndpi_global_context *g_ctx) { + + /* Note that we don't have yet an easy way to log from this function */ + + if(g_ctx) { + + /* Global caches are freed here, so that we are able to get statistics even + after the uninitialization of all the local contexts */ + + if(g_ctx->ookla_global_cache) + ndpi_lru_free_cache(g_ctx->ookla_global_cache); + if(g_ctx->bittorrent_global_cache) + ndpi_lru_free_cache(g_ctx->bittorrent_global_cache); + if(g_ctx->zoom_global_cache) + ndpi_lru_free_cache(g_ctx->zoom_global_cache); + if(g_ctx->stun_global_cache) + ndpi_lru_free_cache(g_ctx->stun_global_cache); + if(g_ctx->stun_zoom_global_cache) + ndpi_lru_free_cache(g_ctx->stun_zoom_global_cache); + if(g_ctx->tls_cert_global_cache) + ndpi_lru_free_cache(g_ctx->tls_cert_global_cache); + if(g_ctx->mining_global_cache) + ndpi_lru_free_cache(g_ctx->mining_global_cache); + if(g_ctx->msteams_global_cache) + ndpi_lru_free_cache(g_ctx->msteams_global_cache); + + ndpi_free(g_ctx); + } +} + +/* ******************************************************************** */ + +struct ndpi_detection_module_struct *ndpi_init_detection_module(struct ndpi_global_context *g_ctx) { struct ndpi_detection_module_struct *ndpi_str = ndpi_malloc(sizeof(struct ndpi_detection_module_struct)); int i; @@ -3126,6 +3177,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(void) { ndpi_str->ip_risk_mask_ptree = ndpi_patricia_new(32 /* IPv4 */); ndpi_str->ip_risk_mask_ptree6 = ndpi_patricia_new(128 /* IPv6 */); + ndpi_str->g_ctx = g_ctx; set_default_config(&ndpi_str->cfg); NDPI_BITMASK_SET_ALL(ndpi_str->detection_bitmask); @@ -3546,64 +3598,128 @@ int ndpi_finalize_initialization(struct ndpi_detection_module_struct *ndpi_str) ndpi_add_domain_risk_exceptions(ndpi_str); if(ndpi_str->cfg.ookla_cache_num_entries > 0) { - ndpi_str->ookla_cache = ndpi_lru_cache_init(ndpi_str->cfg.ookla_cache_num_entries, - ndpi_str->cfg.ookla_cache_ttl); + if(ndpi_str->cfg.ookla_cache_scope == NDPI_LRUCACHE_SCOPE_GLOBAL) { + if(!ndpi_str->g_ctx->ookla_global_cache) { + ndpi_str->g_ctx->ookla_global_cache = ndpi_lru_cache_init(ndpi_str->cfg.ookla_cache_num_entries, + ndpi_str->cfg.ookla_cache_ttl, 1); + } + ndpi_str->ookla_cache = ndpi_str->g_ctx->ookla_global_cache; + } else { + ndpi_str->ookla_cache = ndpi_lru_cache_init(ndpi_str->cfg.ookla_cache_num_entries, + ndpi_str->cfg.ookla_cache_ttl, 0); + } if(!ndpi_str->ookla_cache) { NDPI_LOG_ERR(ndpi_str, "Error allocating lru cache (num_entries %u)\n", ndpi_str->cfg.ookla_cache_num_entries); } } if(ndpi_str->cfg.bittorrent_cache_num_entries > 0) { - ndpi_str->bittorrent_cache = ndpi_lru_cache_init(ndpi_str->cfg.bittorrent_cache_num_entries, - ndpi_str->cfg.bittorrent_cache_ttl); + if(ndpi_str->cfg.bittorrent_cache_scope == NDPI_LRUCACHE_SCOPE_GLOBAL) { + if(!ndpi_str->g_ctx->bittorrent_global_cache) { + ndpi_str->g_ctx->bittorrent_global_cache = ndpi_lru_cache_init(ndpi_str->cfg.bittorrent_cache_num_entries, + ndpi_str->cfg.bittorrent_cache_ttl, 1); + } + ndpi_str->bittorrent_cache = ndpi_str->g_ctx->bittorrent_global_cache; + } else { + ndpi_str->bittorrent_cache = ndpi_lru_cache_init(ndpi_str->cfg.bittorrent_cache_num_entries, + ndpi_str->cfg.bittorrent_cache_ttl, 0); + } if(!ndpi_str->bittorrent_cache) { NDPI_LOG_ERR(ndpi_str, "Error allocating lru cache (num_entries %u)\n", ndpi_str->cfg.bittorrent_cache_num_entries); } } if(ndpi_str->cfg.zoom_cache_num_entries > 0) { - ndpi_str->zoom_cache = ndpi_lru_cache_init(ndpi_str->cfg.zoom_cache_num_entries, - ndpi_str->cfg.zoom_cache_ttl); + if(ndpi_str->cfg.zoom_cache_scope == NDPI_LRUCACHE_SCOPE_GLOBAL) { + if(!ndpi_str->g_ctx->zoom_global_cache) { + ndpi_str->g_ctx->zoom_global_cache = ndpi_lru_cache_init(ndpi_str->cfg.zoom_cache_num_entries, + ndpi_str->cfg.zoom_cache_ttl, 1); + } + ndpi_str->zoom_cache = ndpi_str->g_ctx->zoom_global_cache; + } else { + ndpi_str->zoom_cache = ndpi_lru_cache_init(ndpi_str->cfg.zoom_cache_num_entries, + ndpi_str->cfg.zoom_cache_ttl, 0); + } if(!ndpi_str->zoom_cache) { NDPI_LOG_ERR(ndpi_str, "Error allocating lru cache (num_entries %u)\n", ndpi_str->cfg.zoom_cache_num_entries); } } if(ndpi_str->cfg.stun_cache_num_entries > 0) { - ndpi_str->stun_cache = ndpi_lru_cache_init(ndpi_str->cfg.stun_cache_num_entries, - ndpi_str->cfg.stun_cache_ttl); + if(ndpi_str->cfg.stun_cache_scope == NDPI_LRUCACHE_SCOPE_GLOBAL) { + if(!ndpi_str->g_ctx->stun_global_cache) { + ndpi_str->g_ctx->stun_global_cache = ndpi_lru_cache_init(ndpi_str->cfg.stun_cache_num_entries, + ndpi_str->cfg.stun_cache_ttl, 1); + } + ndpi_str->stun_cache = ndpi_str->g_ctx->stun_global_cache; + } else { + ndpi_str->stun_cache = ndpi_lru_cache_init(ndpi_str->cfg.stun_cache_num_entries, + ndpi_str->cfg.stun_cache_ttl, 0); + } if(!ndpi_str->stun_cache) { NDPI_LOG_ERR(ndpi_str, "Error allocating lru cache (num_entries %u)\n", ndpi_str->cfg.stun_cache_num_entries); } } if(ndpi_str->cfg.tls_cert_cache_num_entries > 0) { - ndpi_str->tls_cert_cache = ndpi_lru_cache_init(ndpi_str->cfg.tls_cert_cache_num_entries, - ndpi_str->cfg.tls_cert_cache_ttl); + if(ndpi_str->cfg.tls_cert_cache_scope == NDPI_LRUCACHE_SCOPE_GLOBAL) { + if(!ndpi_str->g_ctx->tls_cert_global_cache) { + ndpi_str->g_ctx->tls_cert_global_cache = ndpi_lru_cache_init(ndpi_str->cfg.tls_cert_cache_num_entries, + ndpi_str->cfg.tls_cert_cache_ttl, 1); + } + ndpi_str->tls_cert_cache = ndpi_str->g_ctx->tls_cert_global_cache; + } else { + ndpi_str->tls_cert_cache = ndpi_lru_cache_init(ndpi_str->cfg.tls_cert_cache_num_entries, + ndpi_str->cfg.tls_cert_cache_ttl, 0); + } if(!ndpi_str->tls_cert_cache) { NDPI_LOG_ERR(ndpi_str, "Error allocating lru cache (num_entries %u)\n", ndpi_str->cfg.tls_cert_cache_num_entries); } } if(ndpi_str->cfg.mining_cache_num_entries > 0) { - ndpi_str->mining_cache = ndpi_lru_cache_init(ndpi_str->cfg.mining_cache_num_entries, - ndpi_str->cfg.mining_cache_ttl); + if(ndpi_str->cfg.mining_cache_scope == NDPI_LRUCACHE_SCOPE_GLOBAL) { + if(!ndpi_str->g_ctx->mining_global_cache) { + ndpi_str->g_ctx->mining_global_cache = ndpi_lru_cache_init(ndpi_str->cfg.mining_cache_num_entries, + ndpi_str->cfg.mining_cache_ttl, 1); + } + ndpi_str->mining_cache = ndpi_str->g_ctx->mining_global_cache; + } else { + ndpi_str->mining_cache = ndpi_lru_cache_init(ndpi_str->cfg.mining_cache_num_entries, + ndpi_str->cfg.mining_cache_ttl, 0); + } if(!ndpi_str->mining_cache) { NDPI_LOG_ERR(ndpi_str, "Error allocating lru cache (num_entries %u)\n", ndpi_str->cfg.mining_cache_num_entries); } } if(ndpi_str->cfg.msteams_cache_num_entries > 0) { - ndpi_str->msteams_cache = ndpi_lru_cache_init(ndpi_str->cfg.msteams_cache_num_entries, - ndpi_str->cfg.msteams_cache_ttl); + if(ndpi_str->cfg.msteams_cache_scope == NDPI_LRUCACHE_SCOPE_GLOBAL) { + if(!ndpi_str->g_ctx->msteams_global_cache) { + ndpi_str->g_ctx->msteams_global_cache = ndpi_lru_cache_init(ndpi_str->cfg.msteams_cache_num_entries, + ndpi_str->cfg.msteams_cache_ttl, 1); + } + ndpi_str->msteams_cache = ndpi_str->g_ctx->msteams_global_cache; + } else { + ndpi_str->msteams_cache = ndpi_lru_cache_init(ndpi_str->cfg.msteams_cache_num_entries, + ndpi_str->cfg.msteams_cache_ttl, 0); + } if(!ndpi_str->msteams_cache) { NDPI_LOG_ERR(ndpi_str, "Error allocating lru cache (num_entries %u)\n", ndpi_str->cfg.msteams_cache_num_entries); } } if(ndpi_str->cfg.stun_zoom_cache_num_entries > 0) { - ndpi_str->stun_zoom_cache = ndpi_lru_cache_init(ndpi_str->cfg.stun_zoom_cache_num_entries, - ndpi_str->cfg.stun_zoom_cache_ttl); + if(ndpi_str->cfg.stun_zoom_cache_scope == NDPI_LRUCACHE_SCOPE_GLOBAL) { + if(!ndpi_str->g_ctx->stun_zoom_global_cache) { + ndpi_str->g_ctx->stun_zoom_global_cache = ndpi_lru_cache_init(ndpi_str->cfg.stun_zoom_cache_num_entries, + ndpi_str->cfg.stun_zoom_cache_ttl, 1); + } + ndpi_str->stun_zoom_cache = ndpi_str->g_ctx->stun_zoom_global_cache; + } else { + ndpi_str->stun_zoom_cache = ndpi_lru_cache_init(ndpi_str->cfg.stun_zoom_cache_num_entries, + ndpi_str->cfg.stun_zoom_cache_ttl, 0); + } if(!ndpi_str->stun_zoom_cache) { NDPI_LOG_ERR(ndpi_str, "Error allocating lru cache (num_entries %u)\n", ndpi_str->cfg.stun_zoom_cache_num_entries); @@ -3910,28 +4026,36 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) { if(ndpi_str->tinc_cache) cache_free((cache_t)(ndpi_str->tinc_cache)); - if(ndpi_str->ookla_cache) + if(!ndpi_str->cfg.ookla_cache_scope && + ndpi_str->ookla_cache) ndpi_lru_free_cache(ndpi_str->ookla_cache); - if(ndpi_str->bittorrent_cache) + if(!ndpi_str->cfg.bittorrent_cache_scope && + ndpi_str->bittorrent_cache) ndpi_lru_free_cache(ndpi_str->bittorrent_cache); - if(ndpi_str->zoom_cache) + if(!ndpi_str->cfg.zoom_cache_scope && + ndpi_str->zoom_cache) ndpi_lru_free_cache(ndpi_str->zoom_cache); - if(ndpi_str->stun_cache) + if(!ndpi_str->cfg.stun_cache_scope && + ndpi_str->stun_cache) ndpi_lru_free_cache(ndpi_str->stun_cache); - if(ndpi_str->stun_zoom_cache) + if(!ndpi_str->cfg.stun_zoom_cache_scope && + ndpi_str->stun_zoom_cache) ndpi_lru_free_cache(ndpi_str->stun_zoom_cache); - if(ndpi_str->tls_cert_cache) + if(!ndpi_str->cfg.tls_cert_cache_scope && + ndpi_str->tls_cert_cache) ndpi_lru_free_cache(ndpi_str->tls_cert_cache); - if(ndpi_str->mining_cache) + if(!ndpi_str->cfg.mining_cache_scope && + ndpi_str->mining_cache) ndpi_lru_free_cache(ndpi_str->mining_cache); - if(ndpi_str->msteams_cache) + if(!ndpi_str->cfg.msteams_cache_scope && + ndpi_str->msteams_cache) ndpi_lru_free_cache(ndpi_str->msteams_cache); if(ndpi_str->protocols_ptree) @@ -9283,7 +9407,7 @@ void ndpi_generate_options(u_int opt, FILE *options_out) { u_int i; if (!options_out) return; - ndpi_str = ndpi_init_detection_module(); + ndpi_str = ndpi_init_detection_module(NULL); if (!ndpi_str) return; NDPI_BITMASK_SET_ALL(all); @@ -9729,13 +9853,20 @@ u_int32_t ndpi_get_current_time(struct ndpi_flow_struct *flow) /* ******************************************************************** */ /* LRU cache */ -struct ndpi_lru_cache *ndpi_lru_cache_init(u_int32_t num_entries, u_int32_t ttl) { +struct ndpi_lru_cache *ndpi_lru_cache_init(u_int32_t num_entries, u_int32_t ttl, int shared) { struct ndpi_lru_cache *c = (struct ndpi_lru_cache *) ndpi_calloc(1, sizeof(struct ndpi_lru_cache)); if(!c) return(NULL); - c->ttl = ttl; + c->ttl = ttl & 0x7FFFFFFF; + c->shared = !!shared; + if(c->shared) { + if(pthread_mutex_init(&c->mutex, NULL) != 0) { + ndpi_free(c); + return(NULL); + } + } c->entries = (struct ndpi_lru_cache_entry *) ndpi_calloc(num_entries, sizeof(struct ndpi_lru_cache_entry)); if(!c->entries) { @@ -9752,9 +9883,26 @@ void ndpi_lru_free_cache(struct ndpi_lru_cache *c) { ndpi_free(c); } +static void __lru_cache_lock(struct ndpi_lru_cache *c) +{ + if(c->shared) { + pthread_mutex_lock(&c->mutex); + } +} + +static void __lru_cache_unlock(struct ndpi_lru_cache *c) +{ + if(c->shared) { + pthread_mutex_unlock(&c->mutex); + } +} + u_int8_t ndpi_lru_find_cache(struct ndpi_lru_cache *c, u_int32_t key, u_int16_t *value, u_int8_t clean_key_when_found, u_int32_t now_sec) { u_int32_t slot = key % c->num_entries; + u_int8_t ret; + + __lru_cache_lock(c); c->stats.n_search++; if(c->entries[slot].is_full && c->entries[slot].key == key && @@ -9764,16 +9912,24 @@ u_int8_t ndpi_lru_find_cache(struct ndpi_lru_cache *c, u_int32_t key, if(clean_key_when_found) c->entries[slot].is_full = 0; c->stats.n_found++; - return(1); + ret = 1; } else - return(0); + ret = 0; + + __lru_cache_unlock(c); + + return ret; } void ndpi_lru_add_to_cache(struct ndpi_lru_cache *c, u_int32_t key, u_int16_t value, u_int32_t now_sec) { u_int32_t slot = key % c->num_entries; + __lru_cache_lock(c); + c->stats.n_insert++; c->entries[slot].is_full = 1, c->entries[slot].key = key, c->entries[slot].value = value, c->entries[slot].timestamp = now_sec; + + __lru_cache_unlock(c); } void ndpi_lru_get_stats(struct ndpi_lru_cache *c, struct ndpi_lru_cache_stats *stats) { @@ -9788,37 +9944,53 @@ void ndpi_lru_get_stats(struct ndpi_lru_cache *c, struct ndpi_lru_cache_stats *s } } -int ndpi_get_lru_cache_stats(struct ndpi_detection_module_struct *ndpi_struct, +int ndpi_get_lru_cache_stats(struct ndpi_global_context *g_ctx, + struct ndpi_detection_module_struct *ndpi_struct, lru_cache_type cache_type, struct ndpi_lru_cache_stats *stats) { - if(!ndpi_struct || !stats) + int scope, is_local = 1; + char param[64], buf[8]; + + if(!stats || (!ndpi_struct && !g_ctx)) return -1; + if(!ndpi_struct) { + is_local = 0; + } else { + snprintf(param, sizeof(param), "lru.%s.scope", ndpi_lru_cache_idx_to_name(cache_type)); + ndpi_get_config(ndpi_struct, NULL, param, buf, sizeof(buf)); + scope = atoi(buf); + if(scope == NDPI_LRUCACHE_SCOPE_GLOBAL) { + is_local = 0; + if(!g_ctx) + return -1; + } + } switch(cache_type) { case NDPI_LRUCACHE_OOKLA: - ndpi_lru_get_stats(ndpi_struct->ookla_cache, stats); + ndpi_lru_get_stats(is_local ? ndpi_struct->ookla_cache : g_ctx->ookla_global_cache, stats); return 0; case NDPI_LRUCACHE_BITTORRENT: - ndpi_lru_get_stats(ndpi_struct->bittorrent_cache, stats); + ndpi_lru_get_stats(is_local ? ndpi_struct->bittorrent_cache : g_ctx->bittorrent_global_cache, stats); return 0; case NDPI_LRUCACHE_ZOOM: - ndpi_lru_get_stats(ndpi_struct->zoom_cache, stats); + ndpi_lru_get_stats(is_local ? ndpi_struct->zoom_cache : g_ctx->zoom_global_cache, stats); return 0; case NDPI_LRUCACHE_STUN: - ndpi_lru_get_stats(ndpi_struct->stun_cache, stats); + ndpi_lru_get_stats(is_local ? ndpi_struct->stun_cache : g_ctx->stun_global_cache, stats); return 0; case NDPI_LRUCACHE_TLS_CERT: - ndpi_lru_get_stats(ndpi_struct->tls_cert_cache, stats); + ndpi_lru_get_stats(is_local ? ndpi_struct->tls_cert_cache : g_ctx->tls_cert_global_cache, stats); return 0; case NDPI_LRUCACHE_MINING: - ndpi_lru_get_stats(ndpi_struct->mining_cache, stats); + ndpi_lru_get_stats(is_local ? ndpi_struct->mining_cache : g_ctx->mining_global_cache, stats); return 0; case NDPI_LRUCACHE_MSTEAMS: - ndpi_lru_get_stats(ndpi_struct->msteams_cache, stats); + ndpi_lru_get_stats(is_local ? ndpi_struct->msteams_cache : g_ctx->msteams_global_cache, stats); return 0; case NDPI_LRUCACHE_STUN_ZOOM: - ndpi_lru_get_stats(ndpi_struct->stun_zoom_cache, stats); + ndpi_lru_get_stats(is_local ? ndpi_struct->stun_zoom_cache : g_ctx->stun_zoom_global_cache, stats); return 0; default: return -1; @@ -10487,7 +10659,7 @@ static u_int16_t __get_proto_id(const char *proto_name_or_id) /* Try to decode the string as protocol name */ /* Use a temporary module with all protocols enabled */ - module = ndpi_init_detection_module(); + module = ndpi_init_detection_module(NULL); if(!module) return NDPI_PROTOCOL_UNKNOWN; NDPI_BITMASK_SET_ALL(all); @@ -10661,6 +10833,20 @@ static ndpi_cfg_error _set_param_protocol_enable_disable(struct ndpi_detection_m return NDPI_CFG_INVALID_PARAM; } +static int clbk_only_with_global_ctx(struct ndpi_detection_module_struct *ndpi_str, + void *_variable, const char *proto, + const char *param) +{ + int *variable = (int *)_variable; + + /* Integer set > 0 only if there is a global context */ + if(*variable > 0 && !ndpi_str->g_ctx) { + *variable = 0; + return -1; + } + return 0; +} + enum cfg_param_type { CFG_PARAM_ENABLE_DISABLE = 0, @@ -10749,27 +10935,35 @@ static const struct cfg_param { { NULL, "lru.ookla.size", "1024", "0", "16777215", CFG_PARAM_INT, __OFF(ookla_cache_num_entries), NULL }, { NULL, "lru.ookla.ttl", "120", "0", "16777215", CFG_PARAM_INT, __OFF(ookla_cache_ttl), NULL }, + { NULL, "lru.ookla.scope", "0", "0", "1", CFG_PARAM_INT, __OFF(ookla_cache_scope), clbk_only_with_global_ctx }, { NULL, "lru.bittorrent.size", "32768", "0", "16777215", CFG_PARAM_INT, __OFF(bittorrent_cache_num_entries), NULL }, { NULL, "lru.bittorrent.ttl", "0", "0", "16777215", CFG_PARAM_INT, __OFF(bittorrent_cache_ttl), NULL }, + { NULL, "lru.bittorrent.scope", "0", "0", "1", CFG_PARAM_INT, __OFF(bittorrent_cache_scope), clbk_only_with_global_ctx }, { NULL, "lru.zoom.size", "512", "0", "16777215", CFG_PARAM_INT, __OFF(zoom_cache_num_entries), NULL }, { NULL, "lru.zoom.ttl", "0", "0", "16777215", CFG_PARAM_INT, __OFF(zoom_cache_ttl), NULL }, + { NULL, "lru.zoom.scope", "0", "0", "1", CFG_PARAM_INT, __OFF(zoom_cache_scope), clbk_only_with_global_ctx }, { NULL, "lru.stun.size", "1024", "0", "16777215", CFG_PARAM_INT, __OFF(stun_cache_num_entries), NULL }, { NULL, "lru.stun.ttl", "0", "0", "16777215", CFG_PARAM_INT, __OFF(stun_cache_ttl), NULL }, + { NULL, "lru.stun.scope", "0", "0", "1", CFG_PARAM_INT, __OFF(stun_cache_scope), clbk_only_with_global_ctx }, { NULL, "lru.tls_cert.size", "1024", "0", "16777215", CFG_PARAM_INT, __OFF(tls_cert_cache_num_entries), NULL }, { NULL, "lru.tls_cert.ttl", "0", "0", "16777215", CFG_PARAM_INT, __OFF(tls_cert_cache_ttl), NULL }, + { NULL, "lru.tls_cert.scope", "0", "0", "1", CFG_PARAM_INT, __OFF(tls_cert_cache_scope), clbk_only_with_global_ctx }, { NULL, "lru.mining.size", "1024", "0", "16777215", CFG_PARAM_INT, __OFF(mining_cache_num_entries), NULL }, { NULL, "lru.mining.ttl", "0", "0", "16777215", CFG_PARAM_INT, __OFF(mining_cache_ttl), NULL }, + { NULL, "lru.mining.scope", "0", "0", "1", CFG_PARAM_INT, __OFF(mining_cache_scope), clbk_only_with_global_ctx }, { NULL, "lru.msteams.size", "1024", "0", "16777215", CFG_PARAM_INT, __OFF(msteams_cache_num_entries), NULL }, { NULL, "lru.msteams.ttl", "60", "0", "16777215", CFG_PARAM_INT, __OFF(msteams_cache_ttl), NULL }, + { NULL, "lru.msteams.scope", "0", "0", "1", CFG_PARAM_INT, __OFF(msteams_cache_scope), clbk_only_with_global_ctx }, { NULL, "lru.stun_zoom.size", "1024", "0", "16777215", CFG_PARAM_INT, __OFF(stun_zoom_cache_num_entries), NULL }, { NULL, "lru.stun_zoom.ttl", "60", "0", "16777215", CFG_PARAM_INT, __OFF(stun_zoom_cache_ttl), NULL }, + { NULL, "lru.stun_zoom.scope", "0", "0", "1", CFG_PARAM_INT, __OFF(stun_zoom_cache_scope), clbk_only_with_global_ctx }, { NULL, NULL, NULL, NULL, NULL, 0, -1, NULL }, diff --git a/tests/cfgs/caches_global/config.txt b/tests/cfgs/caches_global/config.txt new file mode 100644 index 000000000..5050b0958 --- /dev/null +++ b/tests/cfgs/caches_global/config.txt @@ -0,0 +1 @@ +--cfg=lru.ookla.scope,1 --cfg=lru.bittorrent.scope,1 --cfg=lru.zoom.scope,1 --cfg=lru.stun.scope,1 --cfg=lru.tls_cert.scope,1 --cfg=lru.mining.scope,1 --cfg=lru.msteams.scope,1 --cfg=lru.stun_zoom.scope,1 diff --git a/tests/cfgs/caches_global/pcap/bittorrent.pcap b/tests/cfgs/caches_global/pcap/bittorrent.pcap new file mode 120000 index 000000000..304cd7bcd --- /dev/null +++ b/tests/cfgs/caches_global/pcap/bittorrent.pcap @@ -0,0 +1 @@ +../../default/pcap/bittorrent.pcap
\ No newline at end of file diff --git a/tests/cfgs/caches_global/pcap/lru_ipv6_caches.pcapng b/tests/cfgs/caches_global/pcap/lru_ipv6_caches.pcapng new file mode 120000 index 000000000..56b131a34 --- /dev/null +++ b/tests/cfgs/caches_global/pcap/lru_ipv6_caches.pcapng @@ -0,0 +1 @@ +../../default/pcap/lru_ipv6_caches.pcapng
\ No newline at end of file diff --git a/tests/cfgs/caches_global/pcap/mining.pcapng b/tests/cfgs/caches_global/pcap/mining.pcapng new file mode 120000 index 000000000..b1439cf48 --- /dev/null +++ b/tests/cfgs/caches_global/pcap/mining.pcapng @@ -0,0 +1 @@ +../../default/pcap/mining.pcapng
\ No newline at end of file diff --git a/tests/cfgs/caches_global/pcap/ookla.pcap b/tests/cfgs/caches_global/pcap/ookla.pcap new file mode 120000 index 000000000..7887844d7 --- /dev/null +++ b/tests/cfgs/caches_global/pcap/ookla.pcap @@ -0,0 +1 @@ +../../default/pcap/ookla.pcap
\ No newline at end of file diff --git a/tests/cfgs/caches_global/pcap/teams.pcap b/tests/cfgs/caches_global/pcap/teams.pcap new file mode 120000 index 000000000..3aa985b9e --- /dev/null +++ b/tests/cfgs/caches_global/pcap/teams.pcap @@ -0,0 +1 @@ +../../default/pcap/teams.pcap
\ No newline at end of file diff --git a/tests/cfgs/caches_global/pcap/zoom_p2p.pcapng b/tests/cfgs/caches_global/pcap/zoom_p2p.pcapng new file mode 120000 index 000000000..0f13069d9 --- /dev/null +++ b/tests/cfgs/caches_global/pcap/zoom_p2p.pcapng @@ -0,0 +1 @@ +../../default/pcap/zoom_p2p.pcapng
\ No newline at end of file diff --git a/tests/cfgs/caches_global/result/bittorrent.pcap.out b/tests/cfgs/caches_global/result/bittorrent.pcap.out new file mode 100644 index 000000000..65478a993 --- /dev/null +++ b/tests/cfgs/caches_global/result/bittorrent.pcap.out @@ -0,0 +1,51 @@ +DPI Packets (TCP): 24 (1.00 pkts/flow) +Confidence DPI : 24 (flows) +Num dissector calls: 1784 (74.33 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 120/0/0 (insert/search/found) +LRU cache zoom: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache stun_zoom: 0/0/0 (insert/search/found) +Automa host: 0/0 (search/found) +Automa domain: 0/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 48/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 48/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +BitTorrent 299 305728 24 + +Acceptable 299 305728 24 + + 1 TCP 192.168.1.3:52915 <-> 198.100.146.9:60163 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][17 pkts/2745 bytes <-> 193 pkts/282394 bytes][Goodput ratio: 59/95][5.77 sec][bytes ratio: -0.981 (Download)][IAT c2s/s2c min/avg/max/stddev: 12/0 319/30 779/919 241/95][Pkt Len c2s/s2c min/avg/max/stddev: 83/80 161/1463 242/1506 58/218][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 2,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,93,0,0] + 2 TCP 192.168.1.3:52895 <-> 83.216.184.241:51413 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][4 pkts/583 bytes <-> 4 pkts/975 bytes][Goodput ratio: 55/73][4.11 sec][bytes ratio: -0.252 (Download)][IAT c2s/s2c min/avg/max/stddev: 132/72 959/2027 1966/3982 760/1955][Pkt Len c2s/s2c min/avg/max/stddev: 80/73 146/244 198/648 44/235][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 25,12,25,12,12,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 TCP 192.168.1.3:52914 <-> 190.103.195.56:46633 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][4 pkts/640 bytes <-> 3 pkts/910 bytes][Goodput ratio: 59/78][3.54 sec][bytes ratio: -0.174 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 489/661 1178/883 1943/1105 596/222][Pkt Len c2s/s2c min/avg/max/stddev: 75/113 160/303 241/650 62/246][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 14,14,28,14,0,14,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 TCP 192.168.1.3:52907 <-> 82.58.216.115:38305 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][2 pkts/583 bytes <-> 2 pkts/818 bytes][Goodput ratio: 77/84][1.89 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 0,25,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 TCP 192.168.1.3:52927 <-> 83.216.184.241:51413 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][3 pkts/582 bytes <-> 2 pkts/796 bytes][Goodput ratio: 66/83][0.92 sec][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 20,0,40,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 TCP 192.168.1.3:52897 <-> 151.26.95.30:22673 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][3 pkts/510 bytes <-> 2 pkts/771 bytes][Goodput ratio: 61/83][0.92 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 0,0,20,60,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 TCP 192.168.1.3:52903 <-> 198.100.146.9:60163 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][3 pkts/410 bytes <-> 3 pkts/851 bytes][Goodput ratio: 52/77][0.81 sec][bytes ratio: -0.350 (Download)][IAT c2s/s2c min/avg/max/stddev: 320/159 407/298 494/436 87/138][Pkt Len c2s/s2c min/avg/max/stddev: 80/80 137/284 196/601 47/227][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 34,0,16,16,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 TCP 192.168.1.3:52917 <-> 151.15.48.189:47001 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][3 pkts/455 bytes <-> 2 pkts/771 bytes][Goodput ratio: 56/83][0.09 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 20,0,40,0,0,20,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 TCP 192.168.1.3:52911 <-> 151.26.95.30:22673 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][3 pkts/442 bytes <-> 2 pkts/771 bytes][Goodput ratio: 55/83][0.94 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 20,0,20,20,20,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 10 TCP 192.168.1.3:52921 <-> 95.234.159.16:41205 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][3 pkts/440 bytes <-> 2 pkts/772 bytes][Goodput ratio: 55/83][0.27 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 20,0,20,20,20,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 11 TCP 192.168.1.3:52906 <-> 82.57.97.83:53137 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][3 pkts/434 bytes <-> 2 pkts/771 bytes][Goodput ratio: 54/83][0.36 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 20,0,20,20,20,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 12 TCP 192.168.1.3:52922 <-> 95.237.193.34:11321 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][3 pkts/434 bytes <-> 2 pkts/771 bytes][Goodput ratio: 54/83][0.26 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 20,0,20,20,20,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 13 TCP 192.168.1.3:52887 <-> 82.57.97.83:53137 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][3 pkts/430 bytes <-> 2 pkts/771 bytes][Goodput ratio: 54/83][0.45 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 20,0,20,20,20,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 14 TCP 192.168.1.3:52896 <-> 79.53.228.2:14627 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][3 pkts/409 bytes <-> 2 pkts/771 bytes][Goodput ratio: 51/83][0.25 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 20,0,40,0,20,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 15 TCP 192.168.1.3:52926 <-> 93.65.249.100:31336 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][1 pkts/134 bytes <-> 2 pkts/796 bytes][Goodput ratio: 50/83][0.23 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 0,0,33,33,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 16 TCP 192.168.1.3:52888 <-> 82.58.216.115:38305 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][1 pkts/134 bytes <-> 1 pkts/624 bytes][Goodput ratio: 50/89][0.22 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 17 TCP 192.168.1.3:52902 <-> 190.103.195.56:46633 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][2 pkts/349 bytes <-> 2 pkts/265 bytes][Goodput ratio: 62/50][1.91 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 25,0,25,25,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 18 TCP 192.168.1.3:52912 <-> 151.72.255.163:59928 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][3 pkts/455 bytes <-> 1 pkts/157 bytes][Goodput ratio: 56/58][0.15 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 25,0,50,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 19 TCP 192.168.1.3:52893 -> 79.55.129.22:12097 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][1 pkts/134 bytes -> 0 pkts/0 bytes][Goodput ratio: 50/0][< 1 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 20 TCP 192.168.1.3:52894 -> 120.62.33.241:39332 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][1 pkts/134 bytes -> 0 pkts/0 bytes][Goodput ratio: 50/0][< 1 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 21 TCP 192.168.1.3:52908 -> 79.55.129.22:12097 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][1 pkts/134 bytes -> 0 pkts/0 bytes][Goodput ratio: 50/0][< 1 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 22 TCP 192.168.1.3:52909 -> 79.53.228.2:14627 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][1 pkts/134 bytes -> 0 pkts/0 bytes][Goodput ratio: 50/0][< 1 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 23 TCP 192.168.1.3:52910 -> 120.62.33.241:39332 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][1 pkts/134 bytes -> 0 pkts/0 bytes][Goodput ratio: 50/0][< 1 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 24 TCP 192.168.1.3:52925 -> 93.65.227.100:19116 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Download/7][1 pkts/134 bytes -> 0 pkts/0 bytes][Goodput ratio: 50/0][< 1 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126][PLAIN TEXT (BitTorrent protocol)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/caches_global/result/lru_ipv6_caches.pcapng.out b/tests/cfgs/caches_global/result/lru_ipv6_caches.pcapng.out new file mode 100644 index 000000000..2def9f8d7 --- /dev/null +++ b/tests/cfgs/caches_global/result/lru_ipv6_caches.pcapng.out @@ -0,0 +1,48 @@ +DPI Packets (TCP): 9 (3.00 pkts/flow) +DPI Packets (UDP): 30 (3.33 pkts/flow) +Confidence DPI (cache) : 4 (flows) +Confidence DPI : 8 (flows) +Num dissector calls: 642 (53.50 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 25/7/2 (insert/search/found) +LRU cache zoom: 0/0/0 (insert/search/found) +LRU cache stun: 6/8/0 (insert/search/found) +LRU cache tls_cert: 1/3/2 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache stun_zoom: 0/0/0 (insert/search/found) +Automa host: 9/0 (search/found) +Automa domain: 9/0 (search/found) +Automa tls cert: 1/1 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 3/3 (search/found) +Patricia risk mask: 0/0 (search/found) +Patricia risk mask IPv6: 22/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 12/0 (search/found) +Patricia protocols: 0/0 (search/found) +Patricia protocols IPv6: 24/0 (search/found) + +BitTorrent 25 4546 5 +WhatsAppCall 24 3996 3 +STUN 30 3450 1 +Cloudflare 9 8862 3 + +Acceptable 88 20854 12 + +JA3 Host Stats: + IP Address # JA3C + + + 1 UDP [32fb:f967:681e:e96b:face:b00c::74fd]:3478 <-> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080]:45658 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 12][cat: Network/14][14 pkts/1612 bytes <-> 16 pkts/1838 bytes][Goodput ratio: 46/46][2.71 sec][bytes ratio: -0.066 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 12/1 188/155 778/396 231/147][Pkt Len c2s/s2c min/avg/max/stddev: 84/84 115/115 214/206 44/39][PLAIN TEXT (4/WtFTidwfa)][Plen Bins: 46,23,16,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44144 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.16 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] + 3 TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44150 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI (cache)][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.15 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] + 4 TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44192 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI (cache)][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.15 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] + 5 UDP [2a2f:8509:1cb2:466d:ecbf:69d6:109c:608]:62229 -> [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Download/7][9 pkts/2397 bytes -> 0 pkts/0 bytes][Goodput ratio: 77/0][9.99 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1249/0 8358/0 2694/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 266/0 610/0 243/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (added.f)][Plen Bins: 44,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 UDP [3069:c624:1d42:9469:98b1:67ff:fe43:325]:56131 -> [32fb:f967:681e:e96b:face:b00c::74fd]:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][11 pkts/1958 bytes -> 0 pkts/0 bytes][Goodput ratio: 65/0][2.35 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 7/0 236/0 1183/0 350/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 178/0 214/0 41/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (BHBeRjaHJ)][Plen Bins: 9,0,18,0,72,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 UDP [2118:ec33:112b:7908:2c80:27ff:fef7:d71f]:48415 -> [32fb:f967:681e:e96b:face:b00c::74fd]:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][11 pkts/1742 bytes -> 0 pkts/0 bytes][Goodput ratio: 61/0][2.97 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 279/0 1388/0 400/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 158/0 214/0 51/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (NGuJOnsW)][Plen Bins: 18,0,36,0,45,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [3024:e5ee:ac2f:cd76:5dd6:a7a1:f17f:5c27]:60506 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Download/7][11 pkts/1319 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][6.03 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 670/0 2769/0 758/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 120/0 431/0 99/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (added.f)][Plen Bins: 72,18,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [2fda:1f8a:c107:88a4:e509:d2e1:445f:f34c]:6881 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Download/7][2 pkts/332 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][8.49 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (hash20)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 10 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [38b2:46b7:27a4:94c3:c134:948:e069:d71f]:1 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 2][cat: Download/7][2 pkts/332 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][20.08 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (hash20)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 11 UDP [3297:a1af:5121:cfc:360b:2e07:872f:1ea0]:43865 -> [32fb:f967:681e:e96b:face:b00c::74fd]:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][2 pkts/296 bytes -> 0 pkts/0 bytes][Goodput ratio: 58/0][0.26 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (BZ9/sp6)][Plen Bins: 50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 12 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [2c7f:d7a0:44a9:49e9:e586:fb7f:5b85:9c83]:1 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: Download/7][1 pkts/166 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][< 1 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (hash20)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/caches_global/result/mining.pcapng.out b/tests/cfgs/caches_global/result/mining.pcapng.out new file mode 100644 index 000000000..ef8daea4d --- /dev/null +++ b/tests/cfgs/caches_global/result/mining.pcapng.out @@ -0,0 +1,31 @@ +DPI Packets (TCP): 17 (4.25 pkts/flow) +Confidence DPI : 4 (flows) +Num dissector calls: 101 (25.25 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache zoom: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 4/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache stun_zoom: 0/0/0 (insert/search/found) +Automa host: 0/0 (search/found) +Automa domain: 0/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 0/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 1/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 8/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +Mining 673 219078 4 + +Unsafe 673 219078 4 + + 1 TCP 192.168.2.148:46838 <-> 94.23.199.191:3333 [proto: 42/Mining][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Mining/99][159 pkts/143155 bytes <-> 113 pkts/13204 bytes][Goodput ratio: 93/43][1091.42 sec][currency: ZCash][bytes ratio: 0.831 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 7234/8131 71734/71815 15224/15291][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 900/117 1514/376 709/99][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (method)][Plen Bins: 28,2,0,1,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,29,29,0,0] + 2 TCP 147.229.13.222:49307 <-> 185.71.66.39:9999 [proto: 42/Mining][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 5][cat: Mining/99][112 pkts/10941 bytes <-> 97 pkts/20817 bytes][Goodput ratio: 45/74][295.93 sec][currency: Ethereum][bytes ratio: -0.311 (Download)][IAT c2s/s2c min/avg/max/stddev: 8/0 2992/2893 9784/10017 3265/3384][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 98/215 259/297 57/112][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (worker)][Plen Bins: 0,1,28,0,12,0,0,58,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 TCP 192.168.2.92:55190 <-> 178.32.196.217:9050 [proto: 42/Mining][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Mining/99][83 pkts/11785 bytes <-> 62 pkts/8859 bytes][Goodput ratio: 53/53][1154.54 sec][currency: ZCash/Monero][bytes ratio: 0.142 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 15953/19141 60205/60205 20621/20751][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 142/143 326/369 91/88][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (method)][Plen Bins: 0,40,0,0,0,44,0,13,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 TCP 192.168.2.148:53846 <-> 116.211.167.195:3333 [proto: 42/Mining][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Mining/99][24 pkts/4455 bytes <-> 23 pkts/5862 bytes][Goodput ratio: 70/78][1065.16 sec][currency: ZCash][bytes ratio: -0.136 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 46166/51528 195463/195463 61020/65306][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 186/255 1498/364 395/138][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (method)][Plen Bins: 4,13,4,8,0,0,0,0,0,61,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,4,0,0] diff --git a/tests/cfgs/caches_global/result/ookla.pcap.out b/tests/cfgs/caches_global/result/ookla.pcap.out new file mode 100644 index 000000000..6cc0458e4 --- /dev/null +++ b/tests/cfgs/caches_global/result/ookla.pcap.out @@ -0,0 +1,42 @@ +Guessed flow protos: 1 + +DPI Packets (TCP): 40 (6.67 pkts/flow) +Confidence DPI (partial cache): 1 (flows) +Confidence DPI : 4 (flows) +Confidence DPI (aggressive) : 1 (flows) +Num dissector calls: 559 (93.17 diss/flow) +LRU cache ookla: 4/2/2 (insert/search/found) +LRU cache bittorrent: 0/3/0 (insert/search/found) +LRU cache zoom: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/2/0 (insert/search/found) +LRU cache mining: 0/1/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache stun_zoom: 0/0/0 (insert/search/found) +Automa host: 3/2 (search/found) +Automa domain: 3/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 1/0 (search/found) +Automa common alpns: 4/4 (search/found) +Patricia risk mask: 2/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 11/1 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +Ookla 113 38411 6 + +Safe 113 38411 6 + +JA3 Host Stats: + IP Address # JA3C + 1 192.168.1.128 2 + + + 1 TCP 192.168.1.128:35830 <-> 89.96.108.170:8080 [proto: 91.191/TLS.Ookla][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][DPI packets: 6][cat: Web/5][21 pkts/21216 bytes <-> 8 pkts/1950 bytes][Goodput ratio: 93/72][0.32 sec][Hostname/SNI: spd-pub-mi-01-01.fastwebnet.it][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: 0.832 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 17/61 274/280 62/109][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 1010/244 1514/387 612/138][TLSv1.3][JA3C: c279b0189edb9269da7bc43dea5e0c36][JA4: t13d1714h2_5b57614c22b0_8f66f9ee9c6c][JA3S: fcb2d4d0991292272fcb1e464eedfd43][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,4,0,0,0,0,4,9,0,9,0,0,0,0,0,4,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,55,0,0] + 2 TCP 192.168.1.128:48854 <-> 104.16.209.12:443 [proto: 91.191/TLS.Ookla][IP: 220/Cloudflare][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][8 pkts/1620 bytes <-> 6 pkts/3818 bytes][Goodput ratio: 67/89][0.06 sec][Hostname/SNI: www.speedtest.net][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.404 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/5 18/15 7/6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 202/636 583/1514 181/646][TLSv1.3][JA3C: 579ccef312d18482fc42e2b822ca2430][JA4: t13d1715h2_5b57614c22b0_3d5424432f57][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Firefox][Cipher: TLS_AES_128_GCM_SHA256][PLAIN TEXT (@oTAgOeedtest.net)][Plen Bins: 0,0,14,0,0,14,0,0,0,0,14,0,0,0,0,0,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,0,0] + 3 TCP 192.168.1.7:51207 <-> 46.44.253.187:80 [proto: 7.191/HTTP.Ookla][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Network/14][12 pkts/2238 bytes <-> 8 pkts/2082 bytes][Goodput ratio: 64/74][5.33 sec][Hostname/SNI: massarosa-1.speedtest.welcomeitalia.it][bytes ratio: 0.036 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/4 528/47 5005/84 1493/28][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 186/260 430/523 168/194][URL: massarosa-1.speedtest.welcomeitalia.it/crossdomain.xml][StatusCode: 200][Content-Type: application/xml][Server: Apache/2.2.22 (Ubuntu)][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8][Risk: ** HTTP Obsolete Server **][Risk Score: 50][Risk Info: Obsolete Apache server 2.2.22][PLAIN TEXT (GET /crossdomain.xml HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,12,75,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 TCP 192.168.1.192:51156 <-> 89.96.108.170:8080 [proto: 191/Ookla][IP: 0/Unknown][ClearText][Confidence: DPI (partial cache)][DPI packets: 10][cat: Network/14][6 pkts/591 bytes <-> 4 pkts/1784 bytes][Goodput ratio: 32/85][0.05 sec][bytes ratio: -0.502 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/10 15/20 6/8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 98/446 143/1514 31/617][PLAIN TEXT (gKRZvA)][Plen Bins: 0,40,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] + 5 TCP 192.168.1.7:51215 <-> 46.44.253.187:8080 [proto: 191/Ookla][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Network/14][19 pkts/1421 bytes <-> 11 pkts/920 bytes][Goodput ratio: 11/20][0.80 sec][bytes ratio: 0.214 (Upload)][IAT c2s/s2c min/avg/max/stddev: 26/0 44/75 103/137 23/41][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 75/84 85/100 9/8][PLAIN TEXT ( 6HELLO 2.4 2016)][Plen Bins: 94,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 TCP 192.168.1.192:37790 <-> 185.157.229.246:8080 [proto: 191/Ookla][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Network/14][6 pkts/454 bytes <-> 4 pkts/317 bytes][Goodput ratio: 11/14][0.06 sec][bytes ratio: 0.178 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/5 46/9 17/4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 76/79 106/108 14/17][PLAIN TEXT (HELLO 2.9 )][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/caches_global/result/teams.pcap.out b/tests/cfgs/caches_global/result/teams.pcap.out new file mode 100644 index 000000000..5fca8dfad --- /dev/null +++ b/tests/cfgs/caches_global/result/teams.pcap.out @@ -0,0 +1,142 @@ +Guessed flow protos: 2 + +DPI Packets (TCP): 337 (8.02 pkts/flow) +DPI Packets (UDP): 74 (1.85 pkts/flow) +DPI Packets (other): 1 (1.00 pkts/flow) +Confidence Unknown : 1 (flows) +Confidence Match by port : 2 (flows) +Confidence DPI (partial) : 4 (flows) +Confidence DPI : 76 (flows) +Num dissector calls: 529 (6.37 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/9/0 (insert/search/found) +LRU cache zoom: 0/0/0 (insert/search/found) +LRU cache stun: 24/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/3/0 (insert/search/found) +LRU cache msteams: 27/19/15 (insert/search/found) +LRU cache stun_zoom: 0/1/0 (insert/search/found) +Automa host: 85/71 (search/found) +Automa domain: 85/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 24/1 (search/found) +Automa common alpns: 67/67 (search/found) +Patricia risk mask: 80/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 1/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 121/47 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +Unknown 4 456 1 +DNS 8 1126 4 +DHCP 7 2323 2 +ntop 40 9816 3 +Skype_TeamsCall 93 19649 12 +ICMP 2 140 1 +TLS 23 11660 3 +Dropbox 2 1054 2 +Skype_Teams 178 78638 8 +Apple 2 231 1 +Spotify 1 82 1 +Microsoft 405 284048 12 +Microsoft365 136 52120 6 +Teams 595 215358 26 +Azure 2 294 1 + +Safe 1065 521113 45 +Acceptable 428 155344 36 +Fun 1 82 1 +Unrated 4 456 1 + +JA3 Host Stats: + IP Address # JA3C + 1 192.168.1.6 6 + + + 1 TCP 192.168.1.6:60543 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 9][cat: Cloud/13][67 pkts/86089 bytes <-> 40 pkts/7347 bytes][Goodput ratio: 95/64][0.72 sec][Hostname/SNI: mobile.pipe.aria.microsoft.com][bytes ratio: 0.843 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/16 152/86 28/26][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 1285/184 1494/1506 497/372][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: a1674500365bdd882188db63730e69a2][JA4: t12d150700_0707305c9f76_0f3b2bcde21d][ServerNames: *.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com][JA3S: ae4edc6faf64d08308082ad26be60767][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=*.events.data.microsoft.com][Certificate SHA-1: 33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB][Safari][Validity: 2019-10-10 21:55:38 - 2021-10-10 21:55:38][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 1,1,1,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,89,3,0,0] + 2 TCP 192.168.1.6:60532 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 8][cat: Cloud/13][49 pkts/58592 bytes <-> 28 pkts/6555 bytes][Goodput ratio: 94/72][0.71 sec][Hostname/SNI: mobile.pipe.aria.microsoft.com][bytes ratio: 0.799 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 13/29 177/221 32/57][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 1196/234 1494/1506 564/435][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: a1674500365bdd882188db63730e69a2][JA4: t12d150700_0707305c9f76_0f3b2bcde21d][ServerNames: *.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com][JA3S: ae4edc6faf64d08308082ad26be60767][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=*.events.data.microsoft.com][Certificate SHA-1: 33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB][Safari][Validity: 2019-10-10 21:55:38 - 2021-10-10 21:55:38][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 2,2,2,0,0,2,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,81,4,0,0] + 3 TCP 192.168.1.6:60554 <-> 52.113.194.132:443 [proto: 91.250/TLS.Teams][IP: 125/Skype_Teams][Encrypted][Confidence: DPI][DPI packets: 12][cat: Collaborative/15][24 pkts/2746 bytes <-> 28 pkts/30546 bytes][Goodput ratio: 52/95][0.23 sec][Hostname/SNI: config.teams.microsoft.com][bytes ratio: -0.835 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/9 21/140 7/29][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 114/1091 1136/1506 217/607][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12d220700_0d4ca5d4ec72_3304d8368043][ServerNames: *.config.teams.microsoft.com,config.teams.microsoft.com][JA3S: 7d8fd34fdb13a7fff30d5a52846b6c4c][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1][Subject: CN=config.teams.microsoft.com][Certificate SHA-1: B9:54:54:12:C9:E9:43:65:10:70:04:7B:AD:B6:0C:46:06:38:A5:FA][Firefox][Validity: 2019-12-11 02:04:20 - 2021-12-11 02:04:20][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,7,0,3,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,3,0,0,3,0,0,0,0,0,7,0,0,0,0,0,65,0,0] + 4 TCP 192.168.1.6:60561 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 10][cat: Cloud/13][23 pkts/19184 bytes <-> 14 pkts/5643 bytes][Goodput ratio: 92/83][0.82 sec][Hostname/SNI: mobile.pipe.aria.microsoft.com][bytes ratio: 0.545 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 25/44 161/136 43/48][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 834/403 1494/1506 690/567][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: a1674500365bdd882188db63730e69a2][JA4: t12d150700_0707305c9f76_0f3b2bcde21d][ServerNames: *.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com][JA3S: ae4edc6faf64d08308082ad26be60767][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=*.events.data.microsoft.com][Certificate SHA-1: 33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB][Safari][Validity: 2019-10-10 21:55:38 - 2021-10-10 21:55:38][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 4,4,4,0,0,0,9,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,60,9,0,0] + 5 TCP 192.168.1.6:60535 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 10][cat: Cloud/13][21 pkts/16793 bytes <-> 13 pkts/5565 bytes][Goodput ratio: 92/84][0.33 sec][Hostname/SNI: mobile.pipe.aria.microsoft.com][bytes ratio: 0.502 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/18 48/49 17/20][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 800/428 1494/1506 681/581][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: a1674500365bdd882188db63730e69a2][JA4: t12d150700_0707305c9f76_0f3b2bcde21d][Safari][Plen Bins: 5,5,5,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,53,10,0,0] + 6 TCP 192.168.1.6:60559 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: Cloud/13][21 pkts/15525 bytes <-> 12 pkts/5499 bytes][Goodput ratio: 91/85][0.35 sec][Hostname/SNI: mobile.pipe.aria.microsoft.com][bytes ratio: 0.477 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 17/21 52/51 22/22][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 739/458 1494/1506 682/595][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: a1674500365bdd882188db63730e69a2][JA4: t12d150700_0707305c9f76_0f3b2bcde21d][Safari][Plen Bins: 5,5,5,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,5,0,0,52,11,0,0] + 7 TCP 192.168.1.6:60545 <-> 52.114.77.58:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][49 pkts/7568 bytes <-> 34 pkts/11426 bytes][Goodput ratio: 65/83][9.23 sec][Hostname/SNI: presence.teams.microsoft.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.203 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 226/294 4927/4971 803/983][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 154/336 1494/1506 217/458][TLSv1.2][JA3C: ebf5e0e525258d7a8dcb54aa1564ecbd][JA4: t12d1311h2_8b80da21ef18_77989cba1f4a][Plen Bins: 0,21,17,10,8,6,4,0,6,2,0,0,2,6,2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] + 8 TCP 192.168.1.6:60549 <-> 13.107.18.11:443 [proto: 91.219/TLS.Microsoft365][IP: 21/Outlook][Encrypted][Confidence: DPI][DPI packets: 10][cat: Collaborative/15][28 pkts/7696 bytes <-> 26 pkts/9797 bytes][Goodput ratio: 80/85][1.16 sec][Hostname/SNI: substrate.office.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.120 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 47/23 539/167 115/43][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 275/377 1494/1506 397/471][TLSv1.2][JA3C: ebf5e0e525258d7a8dcb54aa1564ecbd][JA4: t12d1311h2_8b80da21ef18_77989cba1f4a][ServerNames: outlook.office.com,attachment.outlook.office.net,attachment.outlook.officeppe.net,bookings.office.com,delve.office.com,edge.outlook.office365.com,edgesdf.outlook.com,img.delve.office.com,outlook.live.com,outlook-sdf.live.com,outlook-sdf.office.com,sdfedge-pilot.outlook.com,substrate.office.com,substrate-sdf.office.com,afd-k-acdc-direct.office.com,beta-sdf.yammer.com,teams-sdf.yammer.com,beta.yammer.com,teams.yammer.com,attachments.office.net,attachments-sdf.office.net,afd-k.office.com,afd-k-sdf.office.com][JA3S: a66ea560599a2f5c89eec8c3a0d69cee][Issuer: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1][Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Outlook.office.com][Certificate SHA-1: AA:D3:F5:66:06:48:AA:F8:8E:9B:79:D6:7F:1D:53:EA:3F:97:03:A2][Validity: 2019-07-12 00:00:00 - 2021-07-12 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,22,7,0,7,0,7,0,0,3,3,0,0,0,3,0,7,0,3,0,10,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0] + 9 TCP 192.168.1.6:60548 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 8][cat: Cloud/13][18 pkts/12047 bytes <-> 11 pkts/5433 bytes][Goodput ratio: 90/86][0.32 sec][Hostname/SNI: mobile.pipe.aria.microsoft.com][bytes ratio: 0.378 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 13/23 51/51 21/23][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 669/494 1494/1506 669/609][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: a1674500365bdd882188db63730e69a2][JA4: t12d150700_0707305c9f76_0f3b2bcde21d][ServerNames: *.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com][JA3S: ae4edc6faf64d08308082ad26be60767][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=*.events.data.microsoft.com][Certificate SHA-1: 33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB][Safari][Validity: 2019-10-10 21:55:38 - 2021-10-10 21:55:38][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 6,6,6,0,0,0,6,0,0,0,0,0,0,6,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,44,12,0,0] + 10 TCP 192.168.1.6:60533 <-> 52.113.194.132:443 [proto: 91.250/TLS.Teams][IP: 125/Skype_Teams][Encrypted][Confidence: DPI][DPI packets: 12][cat: Collaborative/15][20 pkts/1861 bytes <-> 20 pkts/12980 bytes][Goodput ratio: 41/91][0.10 sec][Hostname/SNI: teams.microsoft.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.749 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 6/4 29/29 8/8][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 93/649 312/1506 76/603][TLSv1.2][JA3C: ebf5e0e525258d7a8dcb54aa1564ecbd][JA4: t12d1311h2_8b80da21ef18_77989cba1f4a][ServerNames: teams.microsoft.com][JA3S: 0f14538e1c9070becdad7739c67d6363][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=teams.microsoft.com][Certificate SHA-1: 68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E][Validity: 2019-09-12 18:16:45 - 2021-09-12 18:16:45][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,15,10,0,5,0,10,0,5,0,5,0,0,0,0,0,5,0,0,10,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,30,0,0] + 11 TCP 192.168.1.6:60540 <-> 52.114.75.70:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][14 pkts/5711 bytes <-> 10 pkts/8093 bytes][Goodput ratio: 83/92][0.13 sec][Hostname/SNI: eu-prod.asyncgw.teams.microsoft.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.173 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/9 32/32 13/14][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 408/809 1494/1506 517/688][TLSv1.2][JA3C: 74d5fa154a7fc0a7c655d8eaa34b89bf][JA4: t12d1312h2_8b80da21ef18_b00751acaffa][Plen Bins: 0,7,0,7,0,0,0,15,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,15,31,0,0] + 12 TCP 192.168.1.6:60537 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 8][cat: Cloud/13][16 pkts/8418 bytes <-> 10 pkts/5367 bytes][Goodput ratio: 87/88][0.27 sec][Hostname/SNI: mobile.pipe.aria.microsoft.com][bytes ratio: 0.221 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 14/27 46/46 20/20][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 526/537 1494/1506 639/623][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: a1674500365bdd882188db63730e69a2][JA4: t12d150700_0707305c9f76_0f3b2bcde21d][ServerNames: *.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com][JA3S: ae4edc6faf64d08308082ad26be60767][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=*.events.data.microsoft.com][Certificate SHA-1: 33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB][Safari][Validity: 2019-10-10 21:55:38 - 2021-10-10 21:55:38][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 7,7,7,0,0,0,7,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,7,0,0,31,15,0,0] + 13 TCP 192.168.1.6:60555 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 11][cat: Cloud/13][18 pkts/5861 bytes <-> 13 pkts/7901 bytes][Goodput ratio: 80/89][2.79 sec][Hostname/SNI: mobile.pipe.aria.microsoft.com][bytes ratio: -0.148 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 192/269 2443/2490 625/741][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 326/608 1494/1506 448/617][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12d220700_0d4ca5d4ec72_3304d8368043][ServerNames: *.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com][JA3S: 986571066668055ae9481cb84fda634a][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=*.events.data.microsoft.com][Certificate SHA-1: 33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB][Firefox][Validity: 2019-10-10 21:55:38 - 2021-10-10 21:55:38][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,16,11,0,0,5,0,0,0,5,5,0,0,11,0,5,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,22,0,0] + 14 UDP 192.168.1.6:51681 <-> 52.114.77.136:3478 [proto: 125/Skype_Teams][IP: 276/Azure][Encrypted][Confidence: Match by port][DPI packets: 12][cat: VoIP/10][14 pkts/5838 bytes <-> 17 pkts/7907 bytes][Goodput ratio: 90/91][4.57 sec][bytes ratio: -0.151 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 347/256 2336/2336 693/595][Pkt Len c2s/s2c min/avg/max/stddev: 79/79 417/465 1243/1227 434/401][PLAIN TEXT (TBHSWF)][Plen Bins: 0,36,0,0,0,12,6,0,3,6,0,0,0,3,0,0,0,0,0,0,0,0,0,6,6,0,0,0,0,0,3,0,3,3,0,0,0,9,0,0,0,0,0,0,0,0,0,0] + 15 TCP 192.168.1.6:60547 <-> 52.114.88.59:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 14][cat: Collaborative/15][20 pkts/3926 bytes <-> 15 pkts/8828 bytes][Goodput ratio: 66/89][0.32 sec][Hostname/SNI: chatsvcagg.teams.microsoft.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.384 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 13/25 91/80 23/31][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 196/589 1494/1506 320/612][TLSv1.2][JA3C: ebf5e0e525258d7a8dcb54aa1564ecbd][JA4: t12d1311h2_8b80da21ef18_77989cba1f4a][Plen Bins: 0,21,10,5,0,5,10,5,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,5,21,0,0] + 16 TCP 192.168.1.6:60565 <-> 52.114.108.8:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][19 pkts/3306 bytes <-> 14 pkts/9053 bytes][Goodput ratio: 61/90][0.43 sec][Hostname/SNI: emea.ng.msg.teams.microsoft.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.465 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27/12 276/54 68/17][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 174/647 1060/1506 238/633][TLSv1.2][JA3C: ebf5e0e525258d7a8dcb54aa1564ecbd][JA4: t12d1311h2_8b80da21ef18_77989cba1f4a][Plen Bins: 0,22,16,5,0,0,5,0,0,0,0,0,0,5,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,5,0,0,0,0,22,0,0] + 17 TCP 192.168.1.6:60541 <-> 52.114.75.69:443 [proto: 91.125/TLS.Skype_Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 10][cat: VoIP/10][13 pkts/4051 bytes <-> 9 pkts/7973 bytes][Goodput ratio: 79/92][0.14 sec][Hostname/SNI: eu-api.asm.skype.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.326 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/11 31/36 14/16][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 312/886 1494/1506 422/676][TLSv1.2][JA3C: 74d5fa154a7fc0a7c655d8eaa34b89bf][JA4: t12d1312h2_8b80da21ef18_b00751acaffa][ServerNames: *.asm.skype.com][JA3S: 986571066668055ae9481cb84fda634a][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1][Subject: CN=*.asm.skype.com][Certificate SHA-1: B9:41:1D:AE:56:09:68:D2:07:D0:69:E1:68:00:08:2B:EF:63:1E:48][Validity: 2019-05-07 12:50:03 - 2021-05-07 12:50:03][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,8,0,8,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,8,34,0,0] + 18 TCP 192.168.1.6:60556 <-> 40.126.9.7:443 [proto: 91.219/TLS.Microsoft365][IP: 219/Microsoft365][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][15 pkts/4178 bytes <-> 12 pkts/7795 bytes][Goodput ratio: 76/90][0.43 sec][Hostname/SNI: login.microsoftonline.com][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][bytes ratio: -0.302 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 19/45 105/135 29/49][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 279/650 1494/1506 415/671][TLSv1.2][JA3C: a69708a64f853c3bcc214c2c5faf84f3][JA4: t12d2010h2_2a284e3b0c56_f05fdf8c38a9][Safari][Plen Bins: 7,7,0,15,0,0,0,7,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,7,0,0,0,0,0,0,0,0,0,7,31,0,0] + 19 TCP 192.168.1.6:60560 <-> 40.126.9.67:443 [proto: 91.219/TLS.Microsoft365][IP: 219/Microsoft365][Encrypted][Confidence: DPI][DPI packets: 9][cat: Collaborative/15][14 pkts/4099 bytes <-> 12 pkts/7812 bytes][Goodput ratio: 77/90][0.36 sec][Hostname/SNI: login.microsoftonline.com][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][bytes ratio: -0.312 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 20/20 107/54 31/21][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 293/651 1494/1506 427/672][TLSv1.2][JA3C: a69708a64f853c3bcc214c2c5faf84f3][JA4: t12d2010h2_2a284e3b0c56_f05fdf8c38a9][ServerNames: login.microsoftonline.com,login.microsoftonline-p.com,loginex.microsoftonline.com,login2.microsoftonline.com,stamp2.login.microsoftonline-int.com,login.microsoftonline-int.com,loginex.microsoftonline-int.com,login2.microsoftonline-int.com,stamp2.login.microsoftonline.com][JA3S: 678aeaf909676262acfb913ccb78a126][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1][Subject: CN=stamp2.login.microsoftonline.com][Certificate SHA-1: 7E:0F:A2:51:8F:FB:49:30:C3:34:07:5E:F8:7C:FD:34:20:A2:96:63][Safari][Validity: 2018-09-24 21:49:30 - 2020-09-24 21:49:30][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 7,7,0,15,0,0,0,7,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,7,0,0,0,0,0,0,0,0,0,7,31,0,0] + 20 TCP 192.168.1.6:60544 <-> 52.114.76.48:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][21 pkts/3510 bytes <-> 17 pkts/8350 bytes][Goodput ratio: 67/89][9.73 sec][Hostname/SNI: northeurope.notifications.teams.microsoft.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.408 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 34/743 403/8978 94/2380][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 167/491 1114/1506 247/578][TLSv1.2][JA3C: ebf5e0e525258d7a8dcb54aa1564ecbd][JA4: t12d1311h2_8b80da21ef18_77989cba1f4a][Plen Bins: 0,21,10,0,5,0,0,10,5,0,0,15,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,21,0,0] + 21 TCP 192.168.1.6:60562 <-> 104.40.187.151:443 [proto: 91.125/TLS.Skype_Teams][IP: 276/Azure][Encrypted][Confidence: DPI (partial)][DPI packets: 14][cat: VoIP/10][19 pkts/3484 bytes <-> 13 pkts/8009 bytes][Goodput ratio: 63/89][0.29 sec][Hostname/SNI: api.microsoftstream.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.394 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/12 45/45 15/17][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 183/616 1379/1506 297/613][TLSv1.2][JA3C: ebf5e0e525258d7a8dcb54aa1564ecbd][JA4: t12d1311h2_8b80da21ef18_77989cba1f4a][Plen Bins: 0,22,22,0,0,0,5,5,0,0,0,5,0,0,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,22,0,0] + 22 TCP 192.168.1.6:60563 <-> 52.169.186.119:443 [proto: 91.125/TLS.Skype_Teams][IP: 276/Azure][Encrypted][Confidence: DPI (partial)][DPI packets: 14][cat: VoIP/10][17 pkts/3244 bytes <-> 12 pkts/8152 bytes][Goodput ratio: 65/90][0.22 sec][Hostname/SNI: euno-1.api.microsoftstream.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.431 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/13 69/48 22/20][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 191/679 1352/1506 306/618][TLSv1.2][JA3C: ebf5e0e525258d7a8dcb54aa1564ecbd][JA4: t12d1311h2_8b80da21ef18_77989cba1f4a][Plen Bins: 0,18,18,0,0,0,6,6,0,0,0,6,0,0,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,25,0,0] + 23 TCP 192.168.1.6:60552 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 8][cat: Cloud/13][14 pkts/5842 bytes <-> 11 pkts/5445 bytes][Goodput ratio: 84/86][0.66 sec][Hostname/SNI: mobile.pipe.aria.microsoft.com][bytes ratio: 0.035 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 22/71 143/237 42/77][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 417/495 1494/1506 527/609][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: a1674500365bdd882188db63730e69a2][JA4: t12d150700_0707305c9f76_0f3b2bcde21d][ServerNames: *.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com][JA3S: ae4edc6faf64d08308082ad26be60767][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=*.events.data.microsoft.com][Certificate SHA-1: 33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB][Safari][Validity: 2019-10-10 21:55:38 - 2021-10-10 21:55:38][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 8,8,8,0,0,0,8,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,16,16,0,0] + 24 TCP 192.168.1.6:60542 <-> 52.113.194.132:443 [proto: 91.250/TLS.Teams][IP: 125/Skype_Teams][Encrypted][Confidence: DPI][DPI packets: 12][cat: Collaborative/15][18 pkts/2750 bytes <-> 19 pkts/8360 bytes][Goodput ratio: 64/87][2.95 sec][Hostname/SNI: config.teams.microsoft.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.505 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 197/61 1998/468 513/122][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 153/440 575/1506 158/563][TLSv1.2][JA3C: ebf5e0e525258d7a8dcb54aa1564ecbd][JA4: t12d1311h2_8b80da21ef18_77989cba1f4a][ServerNames: *.config.teams.microsoft.com,config.teams.microsoft.com][JA3S: 0f14538e1c9070becdad7739c67d6363][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1][Subject: CN=config.teams.microsoft.com][Certificate SHA-1: B9:54:54:12:C9:E9:43:65:10:70:04:7B:AD:B6:0C:46:06:38:A5:FA][Validity: 2019-12-11 02:04:20 - 2021-12-11 02:04:20][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,11,11,0,11,0,11,0,0,11,5,0,5,5,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0] + 25 TCP 192.168.1.6:60536 <-> 52.113.194.132:443 [proto: 91.250/TLS.Teams][IP: 125/Skype_Teams][Encrypted][Confidence: DPI][DPI packets: 12][cat: Collaborative/15][13 pkts/3676 bytes <-> 10 pkts/6984 bytes][Goodput ratio: 80/92][0.04 sec][Hostname/SNI: teams.microsoft.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.310 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/4 13/15 5/6][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 283/698 1494/1506 438/666][TLSv1.2][JA3C: 74d5fa154a7fc0a7c655d8eaa34b89bf][JA4: t12d1312h2_8b80da21ef18_b00751acaffa][ServerNames: teams.microsoft.com][JA3S: 0f14538e1c9070becdad7739c67d6363][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=teams.microsoft.com][Certificate SHA-1: 68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E][Validity: 2019-09-12 18:16:45 - 2021-09-12 18:16:45][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,7,15,0,7,0,15,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,39,0,0] + 26 TCP 192.168.1.6:60568 <-> 40.79.138.41:443 [proto: 91.125/TLS.Skype_Teams][IP: 276/Azure][Encrypted][Confidence: DPI (partial)][DPI packets: 5][cat: VoIP/10][12 pkts/2175 bytes <-> 9 pkts/8211 bytes][Goodput ratio: 62/93][0.18 sec][Hostname/SNI: gate.hockeyapp.net][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][bytes ratio: -0.581 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 14/22 37/68 16/23][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 181/912 599/1506 178/631][TLSv1.2][JA3C: a69708a64f853c3bcc214c2c5faf84f3][JA4: t12d2010h2_2a284e3b0c56_f05fdf8c38a9][Safari][Plen Bins: 0,0,0,9,0,9,0,9,0,0,0,0,9,0,0,0,9,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,36,0,0] + 27 TCP 192.168.1.6:60564 <-> 40.79.138.41:443 [proto: 91.125/TLS.Skype_Teams][IP: 276/Azure][Encrypted][Confidence: DPI (partial)][DPI packets: 5][cat: VoIP/10][12 pkts/2159 bytes <-> 9 pkts/8211 bytes][Goodput ratio: 62/93][0.17 sec][Hostname/SNI: gate.hockeyapp.net][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][bytes ratio: -0.584 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/20 33/42 14/18][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 180/912 599/1506 176/631][TLSv1.2][JA3C: a69708a64f853c3bcc214c2c5faf84f3][JA4: t12d2010h2_2a284e3b0c56_f05fdf8c38a9][Safari][Plen Bins: 0,0,0,9,0,9,0,9,0,0,0,0,9,0,0,0,9,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,36,0,0] + 28 TCP 192.168.1.6:60551 <-> 52.114.15.45:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 11][cat: Collaborative/15][13 pkts/2426 bytes <-> 11 pkts/7772 bytes][Goodput ratio: 70/92][0.88 sec][Hostname/SNI: trouter2-asse-a.trouter.teams.microsoft.com][bytes ratio: -0.524 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 70/90 207/235 82/92][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 187/707 1393/1506 353/636][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12d220700_0d4ca5d4ec72_3304d8368043][ServerNames: *.trouter.teams.microsoft.com,go.trouter.io,*.drip.trouter.io,*.dc.trouter.io][JA3S: 986571066668055ae9481cb84fda634a][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2][Subject: CN=*.trouter.teams.microsoft.com][Certificate SHA-1: DD:24:DF:0E:F3:63:CC:10:B5:03:CF:34:EB:A5:14:8B:97:90:9B:D4][Firefox][Validity: 2019-11-29 17:57:58 - 2021-11-29 17:57:58][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,24,0,7,7,0,7,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,31,0,0] + 29 TCP 192.168.1.6:60534 <-> 40.126.9.5:443 [proto: 91.219/TLS.Microsoft365][IP: 219/Microsoft365][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][15 pkts/2846 bytes <-> 10 pkts/7289 bytes][Goodput ratio: 64/91][0.20 sec][Hostname/SNI: login.microsoftonline.com][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][bytes ratio: -0.438 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/21 41/53 16/22][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 190/729 1471/1506 349/665][TLSv1.2][JA3C: a69708a64f853c3bcc214c2c5faf84f3][JA4: t12d2010h2_2a284e3b0c56_f05fdf8c38a9][Safari][Plen Bins: 9,9,0,18,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,36,0,0] + 30 TCP 162.125.19.131:443 <-> 192.168.1.6:60344 [proto: 91/TLS][IP: 121/Dropbox][Encrypted][Confidence: DPI][DPI packets: 3][cat: Web/5][8 pkts/761 bytes <-> 8 pkts/9347 bytes][Goodput ratio: 31/94][0.12 sec][bytes ratio: -0.849 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 18/1 111/4 41/1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 95/1168 299/1494 77/500][Plen Bins: 0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,63,0,0,0] + 31 TCP 192.168.1.6:60567 <-> 52.114.77.136:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][13 pkts/2389 bytes <-> 11 pkts/7293 bytes][Goodput ratio: 69/91][1.77 sec][Hostname/SNI: api.flightproxy.teams.microsoft.com][bytes ratio: -0.507 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 25/50 84/122 28/46][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 184/663 703/1506 228/665][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12d220700_0d4ca5d4ec72_3304d8368043][Firefox][Plen Bins: 0,16,0,16,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,34,0,0] + 32 TCP 192.168.1.6:60557 <-> 52.113.194.132:443 [proto: 91.250/TLS.Teams][IP: 125/Skype_Teams][Encrypted][Confidence: DPI][DPI packets: 12][cat: Collaborative/15][12 pkts/2422 bytes <-> 13 pkts/7118 bytes][Goodput ratio: 72/90][0.17 sec][Hostname/SNI: teams.microsoft.com][bytes ratio: -0.492 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 17/14 91/79 27/23][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 202/548 954/1506 267/645][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12d220700_0d4ca5d4ec72_3304d8368043][ServerNames: teams.microsoft.com][JA3S: 7d8fd34fdb13a7fff30d5a52846b6c4c][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=teams.microsoft.com][Certificate SHA-1: 68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E][Firefox][Validity: 2019-09-12 18:16:45 - 2021-09-12 18:16:45][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,16,0,8,0,8,8,0,0,8,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,34,0,0] + 33 UDP 93.71.110.205:16332 <-> 192.168.1.6:50016 [proto: 78.38/STUN.Skype_TeamsCall][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][30 pkts/5952 bytes <-> 7 pkts/3184 bytes][Goodput ratio: 79/91][2.72 sec][bytes ratio: 0.303 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 99/467 1167/1168 282/553][Pkt Len c2s/s2c min/avg/max/stddev: 80/80 198/455 1256/1256 284/507][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (SMnzNK)][Plen Bins: 0,8,60,18,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0] + 34 TCP 192.168.1.6:50036 <-> 52.114.250.153:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 13][cat: Collaborative/15][17 pkts/1759 bytes <-> 13 pkts/7267 bytes][Goodput ratio: 46/90][3.92 sec][Hostname/SNI: 52.114.250.153][bytes ratio: -0.610 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 273/381 3619/3662 928/1094][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 103/559 289/1506 79/554][Risk: ** TLS Cert Mismatch **** TLS (probably) Not Carrying HTTPS **][Risk Score: 110][Risk Info: No ALPN / 52.114.250.153 vs tr.teams.microsoft.com,*.tr.teams.microsoft.com,turn.teams.microsoft.com,*.turn.teams.microsoft.co][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12i220700_0d4ca5d4ec72_3304d8368043][ServerNames: tr.teams.microsoft.com,*.tr.teams.microsoft.com,turn.teams.microsoft.com,*.turn.teams.microsoft.com,*.relay.teams.microsoft.com][JA3S: 986571066668055ae9481cb84fda634a][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5][Subject: CN=tr.teams.microsoft.com][Certificate SHA-1: A7:90:8D:41:ED:24:D2:83:48:95:90:CE:18:D3:A6:C2:62:7A:07:75][Firefox][Validity: 2019-05-24 14:10:26 - 2021-05-24 14:10:26][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 11,11,0,11,0,18,5,5,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0] + 35 TCP 192.168.1.6:60538 <-> 52.114.75.70:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][12 pkts/1791 bytes <-> 8 pkts/7215 bytes][Goodput ratio: 54/93][0.15 sec][Hostname/SNI: eu-prod.asyncgw.teams.microsoft.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.602 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 14/16 37/65 15/24][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 149/902 689/1506 176/629][TLSv1.2][JA3C: ebf5e0e525258d7a8dcb54aa1564ecbd][JA4: t12d1311h2_8b80da21ef18_77989cba1f4a][Plen Bins: 0,10,0,10,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,40,0,0] + 36 TCP 192.168.1.6:60539 <-> 52.114.75.69:443 [proto: 91.125/TLS.Skype_Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: VoIP/10][12 pkts/1773 bytes <-> 8 pkts/7189 bytes][Goodput ratio: 53/93][0.15 sec][Hostname/SNI: eu-api.asm.skype.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.604 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/20 32/58 15/22][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 148/899 674/1506 171/632][TLSv1.2][JA3C: ebf5e0e525258d7a8dcb54aa1564ecbd][JA4: t12d1311h2_8b80da21ef18_77989cba1f4a][Plen Bins: 0,10,0,10,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,40,0,0] + 37 TCP 192.168.1.6:50018 <-> 52.114.250.123:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][20 pkts/1629 bytes <-> 13 pkts/7093 bytes][Goodput ratio: 29/90][1.92 sec][Hostname/SNI: euaz.tr.teams.microsoft.com][bytes ratio: -0.626 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 19/18 69/92 24/32][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 81/546 241/1506 48/564][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12d220700_0d4ca5d4ec72_3304d8368043][Firefox][Plen Bins: 13,13,0,20,0,13,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] + 38 TCP 192.168.1.6:50021 <-> 52.114.250.123:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][18 pkts/1509 bytes <-> 13 pkts/7093 bytes][Goodput ratio: 32/90][0.66 sec][Hostname/SNI: euaz.tr.teams.microsoft.com][bytes ratio: -0.649 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/23 46/85 20/34][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 84/546 241/1506 50/564][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12d220700_0d4ca5d4ec72_3304d8368043][Firefox][Plen Bins: 13,13,0,20,0,13,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] + 39 TCP 192.168.1.6:50014 <-> 52.114.250.152:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 14][cat: Collaborative/15][14 pkts/1347 bytes <-> 11 pkts/6975 bytes][Goodput ratio: 42/91][0.22 sec][Hostname/SNI: 52.114.250.152][bytes ratio: -0.676 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/22 43/84 20/30][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 96/634 289/1506 73/570][Risk: ** TLS Cert Mismatch **** TLS (probably) Not Carrying HTTPS **][Risk Score: 110][Risk Info: No ALPN / 52.114.250.152 vs tr.teams.microsoft.com,*.tr.teams.microsoft.com,turn.teams.microsoft.com,*.turn.teams.microsoft.co][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12i220700_0d4ca5d4ec72_3304d8368043][ServerNames: tr.teams.microsoft.com,*.tr.teams.microsoft.com,turn.teams.microsoft.com,*.turn.teams.microsoft.com,*.relay.teams.microsoft.com][JA3S: 986571066668055ae9481cb84fda634a][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5][Subject: CN=tr.teams.microsoft.com][Certificate SHA-1: A7:90:8D:41:ED:24:D2:83:48:95:90:CE:18:D3:A6:C2:62:7A:07:75][Firefox][Validity: 2019-05-24 14:10:26 - 2021-05-24 14:10:26][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 7,14,0,14,0,14,0,7,0,0,0,0,0,0,0,0,0,21,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0] + 40 TCP 192.168.1.6:60566 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][9 pkts/3029 bytes <-> 8 pkts/2213 bytes][Goodput ratio: 80/76][2.73 sec][Hostname/SNI: dati.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.156 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 351/431 1977/2053 668/728][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 337/277 1012/1291 385/397][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.2][JA3C: 7120d65624bcd2e02ed4b01388d84cdb][JA4: t13d5713h2_131602cb7446_158b9cf6d7fa][JA3S: 410b9bedaf65dd26c6fe547154d60db4][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,14,0,0,14,0,0,0,0,14,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,14,14,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0] + 41 TCP 192.168.1.6:60546 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][10 pkts/2195 bytes <-> 10 pkts/2077 bytes][Goodput ratio: 69/68][5.38 sec][Hostname/SNI: dati.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.028 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 650/754 5000/5000 1645/1734][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 220/208 1021/1292 308/364][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.2][JA3C: 7120d65624bcd2e02ed4b01388d84cdb][JA4: t13d5713h2_131602cb7446_158b9cf6d7fa][JA3S: 410b9bedaf65dd26c6fe547154d60db4][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 16,16,0,0,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0] + 42 UDP 192.168.1.6:50036 <-> 52.114.250.137:3478 [proto: 78.38/STUN.Skype_TeamsCall][IP: 276/Azure][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][5 pkts/1390 bytes <-> 4 pkts/733 bytes][Goodput ratio: 85/77][4.06 sec][bytes ratio: 0.309 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/100 1003/774 2235/2092 994/932][Pkt Len c2s/s2c min/avg/max/stddev: 228/174 278/183 314/198 33/10][PLAIN TEXT (rtcmedia)][Plen Bins: 0,0,0,0,44,11,11,11,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 43 UDP 192.168.0.1:68 -> 255.255.255.255:67 [proto: 18/DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][6 pkts/1926 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][25.01 sec][Hostname/SNI: tl-sg116e][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 4986/0 5001/0 5018/0 11/0][Pkt Len c2s/s2c min/avg/max/stddev: 321/0 321/0 321/0 0/0][DHCP Fingerprint: 1,3][DHCP Class Ident: TL-SG116E][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 44 UDP 192.168.1.6:50016 <-> 52.114.250.141:3478 [proto: 78.38/STUN.Skype_TeamsCall][IP: 276/Azure][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][4 pkts/1162 bytes <-> 3 pkts/546 bytes][Goodput ratio: 85/77][1.99 sec][bytes ratio: 0.361 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/98 611/101 1783/104 829/3][Pkt Len c2s/s2c min/avg/max/stddev: 256/174 290/182 314/198 25/11][PLAIN TEXT (rtcmedia)][Plen Bins: 0,0,0,0,42,0,14,14,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 45 TCP 93.62.150.157:443 <-> 192.168.1.6:60512 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 4][cat: Web/5][2 pkts/1258 bytes <-> 2 pkts/108 bytes][Goodput ratio: 89/0][< 1 sec][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0] + 46 UDP 192.168.1.6:50017 <-> 52.114.250.141:3478 [proto: 78.38/STUN.Skype_TeamsCall][IP: 276/Azure][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][3 pkts/594 bytes <-> 3 pkts/611 bytes][Goodput ratio: 79/79][4.05 sec][bytes ratio: -0.014 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 99/97 2002/2002 3906/3906 1904/1904][Pkt Len c2s/s2c min/avg/max/stddev: 110/187 198/204 256/229 63/18][PLAIN TEXT (The request did not contain a M)][Plen Bins: 0,0,16,0,33,33,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 47 UDP 192.168.1.6:50037 <-> 52.114.250.137:3478 [proto: 78.38/STUN.Skype_TeamsCall][IP: 276/Azure][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][3 pkts/594 bytes <-> 3 pkts/611 bytes][Goodput ratio: 79/79][4.05 sec][bytes ratio: -0.014 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 95/94 2000/2000 3905/3905 1905/1906][Pkt Len c2s/s2c min/avg/max/stddev: 110/187 198/204 256/229 63/18][PLAIN TEXT (The request did not contain a M)][Plen Bins: 0,0,16,0,33,33,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 48 UDP 93.71.110.205:16333 <-> 192.168.1.6:50036 [proto: 78.38/STUN.Skype_TeamsCall][IP: 0/Unknown][Stream Content: Video][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][3 pkts/414 bytes <-> 5 pkts/634 bytes][Goodput ratio: 69/67][2.31 sec][bytes ratio: -0.210 (Download)][IAT c2s/s2c min/avg/max/stddev: 101/15 634/572 1166/1168 532/565][Pkt Len c2s/s2c min/avg/max/stddev: 130/88 138/127 154/158 11/27][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][Plen Bins: 0,25,37,37,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 49 UDP 192.168.1.6:50016 -> 192.168.0.4:50005 [proto: 78.38/STUN.Skype_TeamsCall][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][5 pkts/770 bytes -> 0 pkts/0 bytes][Goodput ratio: 73/0][1.22 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 50 UDP 192.168.1.6:50036 -> 192.168.0.4:50020 [proto: 78.38/STUN.Skype_TeamsCall][IP: 0/Unknown][Stream Content: Video][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][5 pkts/770 bytes -> 0 pkts/0 bytes][Goodput ratio: 73/0][1.22 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 51 UDP 192.168.1.6:50016 <-> 52.114.250.123:3478 [proto: 78.38/STUN.Skype_TeamsCall][IP: 276/Azure][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][1 pkts/110 bytes <-> 2 pkts/424 bytes][Goodput ratio: 61/80][0.12 sec][PLAIN TEXT (The request did not contain a M)][Plen Bins: 0,0,33,0,33,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 52 UDP 192.168.1.6:50036 <-> 52.114.250.123:3478 [proto: 78.38/STUN.Skype_TeamsCall][IP: 276/Azure][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][1 pkts/110 bytes <-> 2 pkts/424 bytes][Goodput ratio: 61/80][0.12 sec][PLAIN TEXT (The request did not contain a M)][Plen Bins: 0,0,33,0,33,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 53 UDP 192.168.1.6:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Cloud/13][1 pkts/527 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][< 1 sec][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 54 UDP 192.168.1.6:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Cloud/13][1 pkts/527 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][< 1 sec][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 55 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/397 bytes -> 0 pkts/0 bytes][Goodput ratio: 89/0][< 1 sec][PLAIN TEXT (6.10.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 56 UDP 192.168.1.6:63930 <-> 192.168.1.1:53 [proto: 5.212/DNS.Microsoft][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/96 bytes <-> 1 pkts/301 bytes][Goodput ratio: 56/86][0.04 sec][Hostname/SNI: dc.applicationinsights.microsoft.com][40.79.138.41][PLAIN TEXT (applicationinsights)][Plen Bins: 0,50,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 57 UDP 192.168.1.6:54069 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/83 bytes <-> 1 pkts/264 bytes][Goodput ratio: 49/84][0.06 sec][Hostname/SNI: api.microsoftstream.com][104.40.187.151][PLAIN TEXT (microsoftstream)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 58 UDP 192.168.1.6:62735 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/90 bytes <-> 1 pkts/225 bytes][Goodput ratio: 53/81][0.01 sec][Hostname/SNI: euno-1.api.microsoftstream.com][52.169.186.119][PLAIN TEXT (microsoftstream)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 59 UDP 192.168.1.6:57504 <-> 192.168.1.1:53 [proto: 5.250/DNS.Teams][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/92 bytes <-> 1 pkts/222 bytes][Goodput ratio: 54/81][0.04 sec][Hostname/SNI: chatsvcagg.svcs.teams.office.com][52.114.88.59][PLAIN TEXT (chatsvcagg)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 60 UDP 192.168.1.6:58457 <-> 192.168.1.1:53 [proto: 5.219/DNS.Microsoft365][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/78 bytes <-> 1 pkts/236 bytes][Goodput ratio: 46/82][0.01 sec][Hostname/SNI: outlook.office.com][13.107.18.11][PLAIN TEXT (outlook)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 61 UDP 192.168.1.6:50653 <-> 192.168.1.1:53 [proto: 5.250/DNS.Teams][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/95 bytes <-> 1 pkts/216 bytes][Goodput ratio: 55/80][0.03 sec][Hostname/SNI: api.flightproxy.teams.microsoft.com][52.114.77.136][PLAIN TEXT (flightproxy)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 62 UDP 52.114.252.8:3479 <-> 192.168.1.6:50016 [proto: 78.38/STUN.Skype_TeamsCall][IP: 276/Azure][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][1 pkts/166 bytes <-> 1 pkts/142 bytes][Goodput ratio: 74/70][0.01 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 63 UDP 52.114.252.21:3480 <-> 192.168.1.6:50036 [proto: 78.38/STUN.Skype_TeamsCall][IP: 276/Azure][Stream Content: Video][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][1 pkts/166 bytes <-> 1 pkts/142 bytes][Goodput ratio: 74/70][0.01 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 64 UDP 192.168.1.6:64046 <-> 192.168.1.1:53 [proto: 5.26/DNS.ntop][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/166 bytes <-> 1 pkts/136 bytes][Goodput ratio: 49/69][1.01 sec][Hostname/SNI: b._dns-sd._udp.ntop.org][::][Risk: ** Error Code **][Risk Score: 10][Risk Info: DNS Error Code NXDOMAIN][PLAIN TEXT (postmaster)][Plen Bins: 0,66,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 65 UDP 192.168.1.6:63106 <-> 192.168.1.1:53 [proto: 5.250/DNS.Teams][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/95 bytes <-> 1 pkts/203 bytes][Goodput ratio: 55/79][0.03 sec][Hostname/SNI: eu-prod.asyncgw.teams.microsoft.com][52.114.75.70][PLAIN TEXT (microsoft)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 66 UDP 192.168.1.6:61245 <-> 192.168.1.1:53 [proto: 5.250/DNS.Teams][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/87 bytes <-> 1 pkts/209 bytes][Goodput ratio: 51/80][0.05 sec][Hostname/SNI: euaz.tr.teams.microsoft.com][52.114.250.123][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][PLAIN TEXT (microsoft)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 67 UDP 192.168.1.6:55765 <-> 192.168.1.1:53 [proto: 5.276/DNS.Azure][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/109 bytes <-> 1 pkts/185 bytes][Goodput ratio: 61/77][0.01 sec][Hostname/SNI: b-tr-teams-euno-05.northeurope.cloudapp.azure.com][::][PLAIN TEXT (northeurope)][Plen Bins: 0,0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 68 UDP 192.168.1.6:59403 <-> 192.168.1.1:53 [proto: 5.219/DNS.Microsoft365][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/80 bytes <-> 1 pkts/214 bytes][Goodput ratio: 47/80][0.01 sec][Hostname/SNI: substrate.office.com][13.107.18.11][PLAIN TEXT (substrate)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 69 UDP 192.168.1.6:49514 <-> 192.168.1.1:53 [proto: 5.250/DNS.Teams][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/86 bytes <-> 1 pkts/204 bytes][Goodput ratio: 51/79][0.01 sec][Hostname/SNI: config.teams.microsoft.com][52.113.194.132][PLAIN TEXT (config)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 70 UDP 192.168.1.6:57530 <-> 192.168.1.1:53 [proto: 5.212/DNS.Microsoft][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/100 bytes <-> 1 pkts/181 bytes][Goodput ratio: 57/76][0.03 sec][Hostname/SNI: presence.services.sfb.trafficmanager.net][52.114.77.58][PLAIN TEXT (presence)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 71 UDP 192.168.1.6:53678 <-> 192.168.1.1:53 [proto: 5.250/DNS.Teams][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/103 bytes <-> 1 pkts/173 bytes][Goodput ratio: 59/75][0.01 sec][Hostname/SNI: trouter2-asse-a.trouter.teams.microsoft.com][2a01:111:f100:7000::6fdd:54a1][PLAIN TEXT (trouter)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 72 UDP 192.168.1.6:60837 <-> 192.168.1.1:53 [proto: 5.250/DNS.Teams][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/100 bytes <-> 1 pkts/176 bytes][Goodput ratio: 57/76][0.01 sec][Hostname/SNI: c-flightproxy-euno-01-teams.cloudapp.net][::][PLAIN TEXT (flightproxy)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 73 UDP 192.168.1.6:65230 <-> 192.168.1.1:53 [proto: 5.250/DNS.Teams][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/103 bytes <-> 1 pkts/161 bytes][Goodput ratio: 59/73][0.01 sec][Hostname/SNI: trouter2-asse-a.trouter.teams.microsoft.com][52.114.15.45][PLAIN TEXT (trouter)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 74 UDP 192.168.1.6:65387 <-> 192.168.1.1:53 [proto: 5.212/DNS.Microsoft][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/93 bytes <-> 1 pkts/171 bytes][Goodput ratio: 54/75][0.01 sec][Hostname/SNI: northeuropecns.trafficmanager.net][52.114.76.48][PLAIN TEXT (northeuropecns)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 75 UDP 192.168.1.6:51033 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype_Teams][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/80 bytes <-> 1 pkts/182 bytes][Goodput ratio: 47/77][0.04 sec][Hostname/SNI: eu-api.asm.skype.com][52.114.75.69][PLAIN TEXT (trafficmanager)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 76 UDP 192.168.1.6:51309 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/93 bytes <-> 1 pkts/169 bytes][Goodput ratio: 54/75][0.01 sec][Hostname/SNI: skypedataprdcolneu04.cloudapp.net][::][PLAIN TEXT (skypedataprdcolneu04)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 77 UDP 192.168.1.6:62863 <-> 192.168.1.1:53 [proto: 5.250/DNS.Teams][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/103 bytes <-> 1 pkts/158 bytes][Goodput ratio: 59/73][0.07 sec][Hostname/SNI: emea.ng.msg.teams-msgapi.trafficmanager.net][52.114.108.8][PLAIN TEXT (msgapi)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 78 UDP 192.168.1.6:56634 <-> 192.168.1.1:53 [proto: 5.140/DNS.Apple][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/89 bytes <-> 1 pkts/142 bytes][Goodput ratio: 52/70][0.03 sec][Hostname/SNI: captive.apple.com.edgekey.net][23.50.158.88][PLAIN TEXT (captive)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 79 UDP 192.168.1.6:60813 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/93 bytes <-> 1 pkts/109 bytes][Goodput ratio: 54/61][0.01 sec][Hostname/SNI: skypedataprdcolneu04.cloudapp.net][52.114.77.33][PLAIN TEXT (skypedataprdcolneu04)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 80 TCP 192.168.1.6:58533 -> 149.154.167.91:443 [proto: 91/TLS][IP: 185/Telegram][Encrypted][Confidence: Match by port][DPI packets: 3][cat: Web/5][3 pkts/186 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][4.29 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 81 ICMP 93.71.110.205:0 -> 192.168.1.6:0 [proto: 81/ICMP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][0.01 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 82 UDP 192.168.1.112:57621 -> 192.168.1.255:57621 [proto: 156/Spotify][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: Music/25][1 pkts/82 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][< 1 sec][PLAIN TEXT (SpotUdp)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + + +Undetected flows: + 1 TCP 151.11.50.139:2222 <-> 192.168.1.6:54750 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 4][2 pkts/252 bytes <-> 2 pkts/204 bytes][Goodput ratio: 47/35][0.05 sec][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/caches_global/result/zoom_p2p.pcapng.out b/tests/cfgs/caches_global/result/zoom_p2p.pcapng.out new file mode 100644 index 000000000..bf6c8b4f4 --- /dev/null +++ b/tests/cfgs/caches_global/result/zoom_p2p.pcapng.out @@ -0,0 +1,46 @@ +Guessed flow protos: 4 + +DPI Packets (UDP): 52 (5.20 pkts/flow) +DPI Packets (other): 2 (1.00 pkts/flow) +Confidence DPI (partial cache): 4 (flows) +Confidence DPI : 8 (flows) +Num dissector calls: 842 (70.17 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/12/0 (insert/search/found) +LRU cache zoom: 0/0/0 (insert/search/found) +LRU cache stun: 8/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/4/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache stun_zoom: 4/4/4 (insert/search/found) +Automa host: 3/0 (search/found) +Automa domain: 3/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 18/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 20/6 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +MDNS 3 549 1 +ICMP 53 6042 2 +Dropbox 16 2784 1 +Zoom 691 262429 8 + +Acceptable 763 271804 12 + + 1 UDP 192.168.12.156:39065 <-> 192.168.1.226:46757 [proto: 189/Zoom][IP: 0/Unknown][Encrypted][Confidence: DPI (partial cache)][DPI packets: 13][cat: Video/26][148 pkts/108673 bytes <-> 174 pkts/110457 bytes][Goodput ratio: 94/93][1.67 sec][bytes ratio: -0.008 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/8 88/71 15/12][Pkt Len c2s/s2c min/avg/max/stddev: 127/98 734/635 1269/1302 277/371][PLAIN TEXT (192.168.1.226)][Plen Bins: 0,0,9,1,0,0,0,6,1,0,0,0,0,2,5,11,10,5,4,4,2,0,0,1,2,2,0,0,0,0,0,1,16,0,0,0,3,1,5,0,0,0,0,0,0,0,0,0] + 2 UDP 192.168.12.156:49579 -> 10.78.14.178:49586 [proto: 189/Zoom][IP: 0/Unknown][Encrypted][Confidence: DPI (partial cache)][DPI packets: 13][cat: Video/26][154 pkts/19404 bytes -> 0 pkts/0 bytes][Goodput ratio: 67/0][4.51 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 28/0 82/0 14/0][Pkt Len c2s/s2c min/avg/max/stddev: 126/0 126/0 126/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (10.78.14.178)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 UDP 192.168.12.156:42208 -> 10.78.14.178:47312 [proto: 189/Zoom][IP: 0/Unknown][Encrypted][Confidence: DPI (partial cache)][DPI packets: 13][cat: Video/26][130 pkts/16380 bytes -> 0 pkts/0 bytes][Goodput ratio: 67/0][2.24 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 18/0 82/0 18/0][Pkt Len c2s/s2c min/avg/max/stddev: 126/0 126/0 126/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (10.78.14.178)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 ICMP 206.247.10.253:0 -> 192.168.12.156:0 [proto: 81/ICMP][IP: 189/Zoom][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][40 pkts/4560 bytes -> 0 pkts/0 bytes][Goodput ratio: 63/0][38.24 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 895/0 2027/0 1000/0][Pkt Len c2s/s2c min/avg/max/stddev: 114/0 114/0 114/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 UDP 192.168.12.1:17500 -> 192.168.12.255:17500 [proto: 121/Dropbox][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Cloud/13][16 pkts/2784 bytes -> 0 pkts/0 bytes][Goodput ratio: 76/0][450.15 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 30007/0 30010/0 30013/0 9/0][Pkt Len c2s/s2c min/avg/max/stddev: 174/0 174/0 174/0 0/0][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 UDP 192.168.12.156:38453 -> 206.247.87.213:3478 [proto: 78.189/STUN.Zoom][IP: 189/Zoom][ClearText][Confidence: DPI][DPI packets: 1][cat: Video/26][20 pkts/1720 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][38.30 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1974/0 2015/0 2040/0 19/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 UDP 192.168.12.156:39065 -> 206.247.87.213:3478 [proto: 78.189/STUN.Zoom][IP: 189/Zoom][ClearText][Confidence: DPI][DPI packets: 1][cat: Video/26][20 pkts/1720 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][38.30 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1976/0 2015/0 2040/0 18/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 UDP 192.168.12.156:42208 -> 206.247.10.253:3478 [proto: 78.189/STUN.Zoom][IP: 189/Zoom][ClearText][Confidence: DPI][DPI packets: 1][cat: Video/26][20 pkts/1720 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][38.24 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1990/0 2013/0 2032/0 13/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 UDP 192.168.12.156:49579 -> 206.247.10.253:3478 [proto: 78.189/STUN.Zoom][IP: 189/Zoom][ClearText][Confidence: DPI][DPI packets: 1][cat: Video/26][20 pkts/1720 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][38.24 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1990/0 2013/0 2030/0 12/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 10 ICMP 206.247.87.213:0 -> 192.168.12.156:0 [proto: 81/ICMP][IP: 189/Zoom][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][13 pkts/1482 bytes -> 0 pkts/0 bytes][Goodput ratio: 63/0][38.30 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 3298/0 22119/0 6017/0][Pkt Len c2s/s2c min/avg/max/stddev: 114/0 114/0 114/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 11 UDP 192.168.12.156:38453 -> 192.168.1.226:41036 [proto: 189/Zoom][IP: 0/Unknown][Encrypted][Confidence: DPI (partial cache)][DPI packets: 5][cat: Video/26][5 pkts/635 bytes -> 0 pkts/0 bytes][Goodput ratio: 67/0][0.06 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (192.168.1.226)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 12 UDP 192.168.12.1:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 3][cat: Network/14][3 pkts/549 bytes -> 0 pkts/0 bytes][Goodput ratio: 77/0][384.13 sec][Hostname/SNI: _ipps._tcp.local][_ipps._tcp.local][PLAIN TEXT (webdav)][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/dga/dga_evaluate.c b/tests/dga/dga_evaluate.c index 2d226f2d4..27f89fbdc 100644 --- a/tests/dga/dga_evaluate.c +++ b/tests/dga/dga_evaluate.c @@ -92,7 +92,7 @@ int main(int argc, char **argv) { /* Initialize nDPI detection module*/ NDPI_PROTOCOL_BITMASK all; - struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module(); + struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module(NULL); assert(ndpi_str != NULL); NDPI_BITMASK_SET_ALL(all); ndpi_set_protocol_detection_bitmask2(ndpi_str, &all); diff --git a/tests/do.sh.in b/tests/do.sh.in index e8a08f035..dde8587f9 100755 --- a/tests/do.sh.in +++ b/tests/do.sh.in @@ -30,6 +30,8 @@ PCRE2_ENABLED=@PCRE2_ENABLED@ PCRE_PCAPS="WebattackRCE.pcap" NBPF_ENABLED=@NBPF_ENABLED@ NBPF_PCAPS="h323-overflow.pcap" +GLOBAL_CONTEXT_ENABLED=@GLOBAL_CONTEXT_ENABLED@ +GLOBAL_CONTEXT_CFGS="caches_global" READER="${CMD_PREFIX} ../../../example/ndpiReader${EXE_SUFFIX} --cfg=filename.config,../../../example/config.txt -A -p ../../../example/protos.txt -c ../../../example/categories.txt -r ../../../example/risky_domains.txt -j ../../../example/ja3_fingerprints.csv -S ../../../example/sha1_fingerprints.csv -G ../../../lists -q -K JSON -k /dev/null -t -v 2" RC=0 @@ -152,6 +154,21 @@ if [ $FUZZY_TESTING_ENABLED -eq 1 ]; then fi for d in $(find ./cfgs/* -type d -maxdepth 0 2>/dev/null) ; do + + SKIP_CFG=0 + if [ $GLOBAL_CONTEXT_ENABLED -eq 0 ]; then + for c in $GLOBAL_CONTEXT_CFGS; do + if [ $c = $(basename $d) ]; then + SKIP_CFG=1 + break + fi + done + fi + if [ $SKIP_CFG -eq 1 ]; then + printf "Configuration \""$(basename $d)"\" \tSKIPPED\n" + continue + fi + cd ./cfgs/"$(basename $d)" PCAPS=`cd pcap; /bin/ls *.*cap*` diff --git a/tests/unit/unit.c b/tests/unit/unit.c index 948fd2a9e..4b83be3b1 100644 --- a/tests/unit/unit.c +++ b/tests/unit/unit.c @@ -373,7 +373,7 @@ int main(int argc, char **argv) { return -1; } - ndpi_info_mod = ndpi_init_detection_module(); + ndpi_info_mod = ndpi_init_detection_module(NULL); if (ndpi_info_mod == NULL) return -1; diff --git a/windows/nDPI.vcxproj b/windows/nDPI.vcxproj index d7022a7db..2e78c488c 100644 --- a/windows/nDPI.vcxproj +++ b/windows/nDPI.vcxproj @@ -82,6 +82,7 @@ <GenerateDebugInformation>true</GenerateDebugInformation> <SubSystem>Windows</SubSystem> <AdditionalDependencies>Ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies> + <AdditionalDependencies>Ws2_32.lib;$(ProjectDir)..\windows\packages\pthreads.2.9.1.4\build\native\lib\v110\x64\Debug\static\cdecl\libpthread-static.lib;%(AdditionalDependencies)</AdditionalDependencies> <FullProgramDatabaseFile>true</FullProgramDatabaseFile> <AssemblyDebug>true</AssemblyDebug> </Link> |