typedef struct message {

u_int8_t *buffer;

u_int buffer_len, buffer_used;

} message_t;

/* NDPI_PROTOCOL_TINC */

u_int32_t telnet_stage:2; // 0 - 2

struct {

/* NDPI_PROTOCOL_TLS */

u_int8_t certificate_processed:1, fingerprint_set:1, _pad:6;

}

if(flow->l4_proto == IPPROTO_TCP) {

}

if(flow->l4_proto == IPPROTO_UDP) {

void ndpi_search_tls_tcp_memory(struct ndpi_detection_module_struct *ndpi_struct,

struct ndpi_flow_struct *flow) {

struct ndpi_packet_struct *packet = &ndpi_struct->packet;

u_int avail_bytes;

/* TCP */

#ifdef DEBUG_TLS_MEMORY

printf("[TLS Mem] Handling TCP/TLS flow [payload_len: %u][buffer_len: %u][direction: %u]\n",

packet->payload_packet_len,

packet->packet_direction);

#endif

/* Allocate buffer */

return;

#ifdef DEBUG_TLS_MEMORY

#endif

}

if(avail_bytes < packet->payload_packet_len) {

if(!newbuf) return;

#ifdef DEBUG_TLS_MEMORY

#endif

}

if(packet->payload_packet_len > 0 && avail_bytes >= packet->payload_packet_len) {

u_int8_t ok = 0;

ok = 1;

} else

ok = 1;

if(ok) {

packet->payload, packet->payload_packet_len);

#ifdef DEBUG_TLS_MEMORY

printf("[TLS Mem] Copied data to buffer [%u/%u bytes][direction: %u][tcp_seq: %u][next: %u]\n",

packet->packet_direction,

ntohl(packet->tcp->seq),

ntohl(packet->tcp->seq)+packet->payload_packet_len);

#endif

} else {

#ifdef DEBUG_TLS_MEMORY

printf("[TLS Mem] Skipping packet [%u bytes][direction: %u][tcp_seq: %u][expected next: %u]\n",

packet->packet_direction,

ntohl(packet->tcp->seq),

ntohl(packet->tcp->seq)+packet->payload_packet_len);

struct ndpi_flow_struct *flow) {

struct ndpi_packet_struct *packet = &ndpi_struct->packet;

u_int8_t something_went_wrong = 0;

#ifdef DEBUG_TLS_MEMORY

printf("[TLS Mem] ndpi_search_tls_tcp() Processing new packet [payload_packet_len: %u]\n",

return(1); /* Keep working */

ndpi_search_tls_tcp_memory(ndpi_struct, flow);

/* Valid TLS Content Types:

https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-5 */

NDPI_EXCLUDE_PROTO(ndpi_struct, flow);

something_went_wrong = 1;

}

const u_int8_t *p;

u_int8_t content_type;

return(1); /* Keep working */

#ifdef DEBUG_TLS_MEMORY

printf("[TLS Mem] Not enough TLS data [%u < %u][%02X %02X %02X %02X %02X]\n",

#endif

break;

}

printf("[TLS Mem] Processing %u bytes message\n", len);

#endif

/* Overwriting packet payload */

p = packet->payload;

#endif

if(len >= 7) {

if(alert_level == 2 /* Warning (1), Fatal (2) */)

ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_FATAL_ALERT, NULL);

}

{

ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);

}

u_int16_t processed = 5;

while((processed+4) <= len) {

u_int32_t block_len = (block[1] << 16) + (block[2] << 8) + block[3];

if(/* (block_len == 0) || */ /* Note blocks can have zero lenght */

}

packet->payload = block;

if((processed+packet->payload_packet_len) > len) {

something_went_wrong = 1;

} else if(len > 5 /* Minimum block size */) {

/* Process element as a whole */

if(content_type == 0x17 /* Application Data */) {

/* Let's do a quick check to make sure this really looks like TLS */

if(block_len < 16384 /* Max TLS block size */)

ndpi_looks_like_tls(ndpi_struct, flow);

{

ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);

}

packet->payload = p;

packet->payload_packet_len = p_len; /* Restore */

else

break;

#ifdef DEBUG_TLS_MEMORY

#endif

}

Confidence Match by port : 27 (flows)

Confidence Match by IP : 1 (flows)

Confidence DPI : 204 (flows)

Unknown 1575 272476 61

DNS 2 267 1

Guessed flow protos: 72

DPI Packets (UDP): 288 (1.55 pkts/flow)

DPI Packets (other): 5 (1.00 pkts/flow)

Confidence Unknown : 45 (flows)

Guessed flow protos: 4

DPI Packets (UDP): 87 (2.17 pkts/flow)

DPI Packets (other): 1 (1.00 pkts/flow)

Confidence Unknown : 1 (flows)

3 TCP 192.168.1.6:60532 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][Encrypted][Confidence: DPI][cat: Cloud/13][49 pkts/58592 bytes <-> 28 pkts/6555 bytes][Goodput ratio: 94/72][0.71 sec][Hostname/SNI: mobile.pipe.aria.microsoft.com][bytes ratio: 0.799 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 13/29 177/221 32/57][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 1196/234 1494/1506 564/435][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: a1674500365bdd882188db63730e69a2][ServerNames: *.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com][JA3S: ae4edc6faf64d08308082ad26be60767][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=*.events.data.microsoft.com][Certificate SHA-1: 33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB][Safari][Validity: 2019-10-10 21:55:38 - 2021-10-10 21:55:38][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 2,2,2,0,0,2,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,81,4,0,0]

4 TCP 192.168.1.6:60554 <-> 52.113.194.132:443 [proto: 91.250/TLS.Teams][Encrypted][Confidence: DPI][cat: Collaborative/15][24 pkts/2746 bytes <-> 28 pkts/30546 bytes][Goodput ratio: 52/95][0.23 sec][Hostname/SNI: config.teams.microsoft.com][bytes ratio: -0.835 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/9 21/140 7/29][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 114/1091 1136/1506 217/607][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][ServerNames: *.config.teams.microsoft.com,config.teams.microsoft.com][JA3S: 7d8fd34fdb13a7fff30d5a52846b6c4c][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1][Subject: CN=config.teams.microsoft.com][Certificate SHA-1: B9:54:54:12:C9:E9:43:65:10:70:04:7B:AD:B6:0C:46:06:38:A5:FA][Firefox][Validity: 2019-12-11 02:04:20 - 2021-12-11 02:04:20][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,7,0,3,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,3,0,0,3,0,0,0,0,0,7,0,0,0,0,0,65,0,0]

5 TCP 192.168.1.6:60561 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][Encrypted][Confidence: DPI][cat: Cloud/13][23 pkts/19184 bytes <-> 14 pkts/5643 bytes][Goodput ratio: 92/83][0.82 sec][Hostname/SNI: mobile.pipe.aria.microsoft.com][bytes ratio: 0.545 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 25/44 161/136 43/48][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 834/403 1494/1506 690/567][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: a1674500365bdd882188db63730e69a2][ServerNames: *.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com][JA3S: ae4edc6faf64d08308082ad26be60767][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=*.events.data.microsoft.com][Certificate SHA-1: 33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB][Safari][Validity: 2019-10-10 21:55:38 - 2021-10-10 21:55:38][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 4,4,4,0,0,0,9,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,60,9,0,0]

7 TCP 192.168.1.6:60559 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][Encrypted][Confidence: DPI][cat: Cloud/13][21 pkts/15525 bytes <-> 12 pkts/5499 bytes][Goodput ratio: 91/85][0.35 sec][Hostname/SNI: mobile.pipe.aria.microsoft.com][bytes ratio: 0.477 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 17/21 52/51 22/22][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 739/458 1494/1506 682/595][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: a1674500365bdd882188db63730e69a2][Safari][Plen Bins: 5,5,5,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,5,0,0,52,11,0,0]

8 TCP 192.168.1.6:60545 <-> 52.114.77.58:443 [proto: 91.250/TLS.Teams][Encrypted][Confidence: DPI][cat: Collaborative/15][49 pkts/7568 bytes <-> 34 pkts/11426 bytes][Goodput ratio: 65/83][9.23 sec][Hostname/SNI: presence.teams.microsoft.com][ALPN: h2;http/1.1][bytes ratio: -0.203 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 226/294 4927/4971 803/983][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 154/336 1494/1506 217/458][TLSv1.2][JA3C: ebf5e0e525258d7a8dcb54aa1564ecbd][Plen Bins: 0,21,17,10,8,6,4,0,6,2,0,0,2,6,2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]

9 TCP 192.168.1.6:60549 <-> 13.107.18.11:443 [proto: 91.219/TLS.Microsoft365][Encrypted][Confidence: DPI][cat: Collaborative/15][28 pkts/7696 bytes <-> 26 pkts/9797 bytes][Goodput ratio: 80/85][1.16 sec][Hostname/SNI: substrate.office.com][ALPN: h2;http/1.1][bytes ratio: -0.120 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 47/23 539/167 115/43][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 275/377 1494/1506 397/471][TLSv1.2][JA3C: ebf5e0e525258d7a8dcb54aa1564ecbd][ServerNames: outlook.office.com,attachment.outlook.office.net,attachment.outlook.officeppe.net,bookings.office.com,delve.office.com,edge.outlook.office365.com,edgesdf.outlook.com,img.delve.office.com,outlook.live.com,outlook-sdf.live.com,outlook-sdf.office.com,sdfedge-pilot.outlook.com,substrate.office.com,substrate-sdf.office.com,afd-k-acdc-direct.office.com,beta-sdf.yammer.com,teams-sdf.yammer.com,beta.yammer.com,teams.yammer.com,attachments.office.net,attachments-sdf.office.net,afd-k.office.com,afd-k-sdf.office.com][JA3S: a66ea560599a2f5c89eec8c3a0d69cee][Issuer: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1][Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Outlook.office.com][Certificate SHA-1: AA:D3:F5:66:06:48:AA:F8:8E:9B:79:D6:7F:1D:53:EA:3F:97:03:A2][Validity: 2019-07-12 00:00:00 - 2021-07-12 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,22,7,0,7,0,7,0,0,3,3,0,0,0,3,0,7,0,3,0,10,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0]