author | Luca Deri <deri@ntop.org> | 2020-10-26 21:40:59 +0100 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2020-10-26 21:40:59 +0100 |
commit | 948a9060378a2a33f5701947386492ff10cb2de6 (patch) | |
tree | 82ad122f24bc6ee7a9f5abea09abf790099091fe | |
parent | 9873972acb2be4682434543b051833feff071f6e (diff) |
Added -D flag for detecting DoH in the wild
Removed heuristic from CiscoVPN as it leads to false positives
-rw-r--r-- | example/ndpiReader.c | 143 | ||||
-rw-r--r-- | example/reader_util.c | 28 | ||||
-rw-r--r-- | example/reader_util.h | 5 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 1 | ||||
-rw-r--r-- | src/lib/ndpi_analyze.c | 2 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 5 | ||||
-rw-r--r-- | src/lib/protocols/ciscovpn.c | 23 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 14 | ||||
-rw-r--r-- | tests/Makefile.am | 2 | ||||
-rw-r--r-- | tests/result/anyconnect-vpn.pcap.out | 4 |
10 files changed, 174 insertions, 53 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 4ff298db8..ac82fb45c 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -76,7 +76,7 @@ u_int8_t enable_protocol_guess = 1, enable_payload_analyzer = 0, num_bin_cluster
 u_int8_t verbose = 0, enable_joy_stats = 0;
 int nDPI_LogLevel = 0;
 char *_debug_protocols = NULL;
-u_int8_t human_readeable_string_len = 5;
+u_int8_t human_readeable_string_len = 5, enable_doh_dot_detection = 0;
 u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 80 /* due to telnet */;
 static u_int32_t pcap_analysis_duration = (u_int32_t)-1;
 static u_int16_t decode_tunnels = 0;
@@ -213,6 +213,48 @@ extern void ndpi_report_payload_stats();
 FILE *trace = NULL;
 #endif
+/* ********************************** */
+
+#define NUM_DOH_BINS 2
+
+struct ndpi_bin doh_ndpi_bins[NUM_DOH_BINS];
+
+u_int8_t doh_centroids[NUM_DOH_BINS][PLEN_NUM_BINS] = {
+ { 23,25,3,0,26,0,0,0,0,0,0,0,0,0,2,0,0,15,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 },
+ { 35,30,21,0,0,0,2,4,0,0,5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }
+};
+
+float doh_max_distance = 35.5;
+
+void init_doh_bins() {
+ u_int i;
+
+ for(i=0; i<NUM_DOH_BINS; i++) {
+ ndpi_init_bin(&doh_ndpi_bins[i], ndpi_bin_family8, PLEN_NUM_BINS);
+ doh_ndpi_bins[i].u.bins8 = doh_centroids[i];
+ }
+}
+
+/* *********************************************** */
+
+u_int check_bin_doh_similarity(struct ndpi_bin *bin, float *similarity) {
+ u_int i;
+ float lowest_similarity = 9999999999;
+
+ for(i=0; i<NUM_DOH_BINS; i++) {
+ *similarity = ndpi_bin_similarity(&doh_ndpi_bins[i], bin, 0);
+
+ if(*similarity <= doh_max_distance)
+ return(1);
+
+ if(*similarity < lowest_similarity) lowest_similarity = *similarity;
+ }
+
+ *similarity = lowest_similarity;
+
+ return(0);
+}
+
 /* *********************************************** */
 void ndpiCheckHostStringMatch(char *testChar) {
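Review bot: In `init_doh_bins`, `doh_ndpi_bins[i].u.bins8 = doh_centroids[i]` overwrites the storage pointer that `ndpi_init_bin` just set up; if `ndpi_init_bin` allocates that storage (its body is not in this diff), the allocation leaks and the bin now aliases a static array, so any later `ndpi_free_bin(&doh_ndpi_bins[i])` would free non-heap memory. Copying the centroid into the bin instead, `memcpy(doh_ndpi_bins[i].u.bins8, doh_centroids[i], PLEN_NUM_BINS);`, keeps ownership with the bin. In `check_bin_doh_similarity`, `float lowest_similarity = 9999999999;` is a 64-bit integer literal silently converted to float, where `FLT_MAX` from `<float.h>` states the intent; and the `similarity` out-parameter actually carries a distance (the flow is accepted when it is `<= doh_max_distance`), so naming it `distance` would match the `[DoH (%f distance)]` output it feeds. `void init_doh_bins()` should be `void init_doh_bins(void)`, and `doh_centroids` and `doh_max_distance` could be `static const`, since nothing in the diff writes to them.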
@@ -391,7 +433,7 @@ static void help(u_int long_help) {
 "-i <file|device> "
 #endif
 "[-f <filter>][-s <duration>][-m <duration>][-b <num bin clusters>]\n"
- " [-p <protos>][-l <loops> [-q][-d][-J][-h][-e <len>][-t][-v <level>]\n"
+ " [-p <protos>][-l <loops> [-q][-d][-J][-h][-D][-e <len>][-t][-v <level>]\n"
 " [-n <threads>][-w <file>][-c <file>][-C <file>][-j <file>][-x <file>]\n"
 " [-T <num>][-U <num>] [-x <domain>]\n\n"
 "Usage:\n"
@@ -439,6 +481,7 @@ static void help(u_int long_help) {
 " | only the last instance will be considered\n"
 " -T <num> | Max number of TCP processed packets before giving up [default: %u]\n"
 " -U <num> | Max number of UDP processed packets before giving up [default: %u]\n"
+ " -D | Enable DoH traffic analysis based on content (no DPI)\n"
 " -x <domain> | Check domain name [Test only]\n"
 , human_readeable_string_len,
@@ -715,7 +758,7 @@ static void parseOptions(int argc, char **argv) {
 }
 #endif
- while((opt = getopt_long(argc, argv, "b:e:c:C:df:g:i:hp:P:l:s:tu:v:V:n:Jrp:x:w:q0123:456:7:89:m:T:U:",
+ while((opt = getopt_long(argc, argv, "b:e:c:C:dDf:g:i:hp:P:l:s:tu:v:V:n:Jrp:x:w:q0123:456:7:89:m:T:U:",
 longopts, &option_idx)) != EOF) {
 #ifdef DEBUG_TRACE
 if(trace) fprintf(trace, " #### -%c [%s] #### \n", opt, optarg ? optarg : "");
@@ -731,6 +774,10 @@ static void parseOptions(int argc, char **argv) {
 enable_protocol_guess = 0;
 break;
+ case 'D':
+ enable_doh_dot_detection = 1;
+ break;
+
 case 'e':
 human_readeable_string_len = atoi(optarg);
 break;
@@ -2000,9 +2047,8 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) {
 ndpi_finalize_initalization(ndpi_thread_info[thread_id].workflow->ndpi_struct);
-#ifdef USE_TLS_LEN
- ndpi_set_detection_preferences(ndpi_thread_info[thread_id].workflow->ndpi_struct, ndpi_pref_enable_tls_block_dissection, 1);
-#endif
+ if(enable_doh_dot_detection)
+ ndpi_set_detection_preferences(ndpi_thread_info[thread_id].workflow->ndpi_struct, ndpi_pref_enable_tls_block_dissection, 1);
 }
 /* *********************************************** */
@@ -2513,23 +2559,63 @@ static void printFlowsStats() {
 if(verbose > 1) {
 #ifndef DIRECTION_BINS
- struct ndpi_bin *bins = (struct ndpi_bin*)ndpi_malloc(sizeof(struct ndpi_bin)*num_flows);
- u_int16_t *cluster_ids = (u_int16_t*)ndpi_malloc(sizeof(u_int16_t)*num_flows);
+ struct ndpi_bin *bins = (struct ndpi_bin*)ndpi_malloc(sizeof(struct ndpi_bin)*num_flows);
+ u_int16_t *cluster_ids = (u_int16_t*)ndpi_malloc(sizeof(u_int16_t)*num_flows);
+ u_int32_t num_flow_bins = 0;
 #endif
 for(i=0; i<num_flows; i++) {
 #ifndef DIRECTION_BINS
+ if(enable_doh_dot_detection) {
+ /* Discard flows with few packets per direction */
+ if((all_flows[i].flow->src2dst_packets < 10)
+ || (all_flows[i].flow->dst2src_packets < 10)
+ /* Ignore flows for which we have not seen the beginning */
+ )
+ goto print_flow;
+
+ if(all_flows[i].flow->protocol == 6 /* TCP */) {
+ /* Discard flows with no SYN as we need to check ALPN */
+ if((all_flows[i].flow->src2dst_syn_count == 0) || (all_flows[i].flow->dst2src_syn_count == 0))
+ goto print_flow;
+
+ if(all_flows[i].flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) {
+ if((all_flows[i].flow->src2dst_packets+all_flows[i].flow->dst2src_packets) < 40)
+ goto print_flow; /* Too few packets for TLS negotiation etc */
+ }
+ }
+ }
+
 if(bins && cluster_ids) {
- memcpy(&bins[i], &all_flows[i].flow->payload_len_bin, sizeof(struct ndpi_bin));
- ndpi_normalize_bin(&bins[i]);
+ u_int j;
+ u_int8_t not_empty;
+
+ if(enable_doh_dot_detection) {
+ not_empty = 0;
+
+ /* Check if bins are empty (and in this case discard it) */
+ for(j=0; j<all_flows[i].flow->payload_len_bin.num_bins; j++)
+ if(all_flows[i].flow->payload_len_bin.u.bins8[j] != 0) {
+ not_empty = 1;
+ break;
+ }
+ } else
+ not_empty = 1;
+
+ if(not_empty) {
+ memcpy(&bins[num_flow_bins], &all_flows[i].flow->payload_len_bin, sizeof(struct ndpi_bin));
+ ndpi_normalize_bin(&bins[num_flow_bins]);
+ num_flow_bins++;
+ }
 }
 #endif
+ print_flow:
 printFlow(i+1, all_flows[i].flow,
all_flows[i].thread_id);
 }
 #ifndef DIRECTION_BINS
- if(bins && cluster_ids && (num_bin_clusters > 0)) {
+ if(bins && cluster_ids && (num_bin_clusters > 0) && (num_flow_bins > 0)) {
 char buf[64];
 u_int j;
 struct ndpi_bin *centroids;
@@ -2539,7 +2625,7 @@ static void printFlowsStats() {
 ndpi_init_bin(¢roids[i], ndpi_bin_family32 /* Use 32 bit to avoid overlaps */, bins[0].num_bins);
- ndpi_cluster_bins(bins, num_flows, num_bin_clusters, cluster_ids, centroids);
+ ndpi_cluster_bins(bins, num_flow_bins, num_bin_clusters, cluster_ids, centroids);
 printf("\n"
 "\tBin clusters\n"
@@ -2547,8 +2633,11 @@ static void printFlowsStats() {
 for(j=0; j<num_bin_clusters; j++) {
 u_int16_t num_printed = 0;
+ float max_similarity = 0;
+
+ for(i=0; i<num_flow_bins; i++) {
+ float similarity, s;
- for(i=0; i<num_flows; i++) {
 if(cluster_ids[i] != j) continue;
 if(num_printed == 0) {
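Review bot: After this hunk `bins[]` is compacted (`bins[num_flow_bins]`, `num_flow_bins++`) while flows that take `goto print_flow` or fail the `not_empty` test get no slot, so bin index k no longer corresponds to `all_flows[k]`; the later loops in the `@@ -2547` hunk (`for(i=0; i<num_flow_bins; i++)`) and in the `@@ -2567` hunk still read `all_flows[i]` for the ports, the SNI and the TLS/ALPN test, so with `-D` those fields come from the wrong flow as soon as a single flow is filtered out. Keep the mapping explicit: allocate `u_int32_t *bin_flow_idx = (u_int32_t*)ndpi_malloc(sizeof(u_int32_t)*num_flows);` next to `cluster_ids`, set `bin_flow_idx[num_flow_bins] = i;` before `num_flow_bins++`, index `all_flows[bin_flow_idx[i]]` in the cluster printing loop, and release it wherever `bins` and `cluster_ids` are released (outside this hunk). The comment `/* Ignore flows for which we have not seen the beginning */` sits inside the `if(...)` condition with no expression attached, which reads as a check that was planned but never written; either add the condition or move the comment out. `printFlowsStats` begins and ends outside this hunk.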
@@ -2567,16 +2656,38 @@ static void printFlowsStats() {
 ntohs(all_flows[i].flow->dst_port));
 print_bin(out, NULL, &bins[i]);
- printf("][similarity: %f]", ndpi_bin_similarity(¢roids[j], &bins[i], 0));
+ printf("][similarity: %f]",
+ (similarity = ndpi_bin_similarity(¢roids[j], &bins[i], 0)));
 if(all_flows[i].flow->ssh_tls.client_requested_server_name[0] != '\0')
 fprintf(out, "[%s]", all_flows[i].flow->ssh_tls.client_requested_server_name);
+ if(enable_doh_dot_detection) {
+ if(((all_flows[i].flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS)
+ || (all_flows[i].flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS)
+ || (all_flows[i].flow->detected_protocol.app_protocol == NDPI_PROTOCOL_DOH_DOT)
+ )
+ && all_flows[i].flow->ssh_tls.tls_alpn /* ALPN */
+ ) {
+ if(check_bin_doh_similarity(&bins[i], &s))
+ printf("[DoH (%f distance)]", s);
+ else
+ printf("[NO DoH (%f distance)]", s);
+ } else {
+ if(all_flows[i].flow->ssh_tls.tls_alpn == NULL)
+ printf("[NO DoH check: missing ALPN]");
+ }
+ }
+
 printf("\n");
 num_printed++;
+ if(similarity > max_similarity) max_similarity = similarity;
 }
- if(num_printed) printf("\n");
+ if(num_printed) {
+ printf("\tMax similarity: %f\n", max_similarity);
+ printf("\n");
+ }
 }
 for(i=0; i<num_bin_clusters; i++)
@@ -3595,6 +3706,8 @@ int orginal_main(int argc, char **argv) {
 exit(0);
 }
+ if(enable_doh_dot_detection) init_doh_bins();
+
 if(!quiet_mode) {
 printf("\n-----------------------------------------------------------\n"
 "* NOTE: This is demo app to show *some* nDPI features.\n"
diff --git a/example/reader_util.c b/example/reader_util.c
index 9b31f0e3f..3a8faed03 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -38,6 +38,8 @@
 #include <float.h>
 #endif
+#include "reader_util.h"
+
 #ifndef ETH_P_IP
 #define ETH_P_IP 0x0800 /* IPv4 */
 #endif
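Review bot: The `else` branch prints `[NO DoH check: missing ALPN]` for every flow whose `tls_alpn` is NULL, and because the outer `if` folds the protocol test and the ALPN test into one condition, that includes non-TLS flows that never carry ALPN; the message should only appear for TLS/DoH flows. Hoisting the three-way protocol test into a local and gating the `else` on it fixes that and drops the duplicated comparison. The new lines also write with `printf` while the SNI just above goes to `fprintf(out, …)`, so if `out` is ever not stdout the DoH verdict lands in a different stream from the rest of the record; `fprintf(out, …)` throughout would keep the line together. The enclosing `for(j…)`/`for(i…)` loops start in the previous hunk.
```c
u_int8_t is_tls = (all_flows[i].flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS)
  || (all_flows[i].flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS)
  || (all_flows[i].flow->detected_protocol.app_protocol == NDPI_PROTOCOL_DOH_DOT);

if(is_tls && all_flows[i].flow->ssh_tls.tls_alpn /* ALPN */) {
  /* … unchanged: check_bin_doh_similarity() and the DoH / NO DoH print … */
} else if(is_tls) {
  printf("[NO DoH check: missing ALPN]");
}
```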
@@ -77,11 +79,6 @@
 #define DLT_LINUX_SLL 113
 #endif
-#define PLEN_MAX 1504
-#define PLEN_BIN_LEN 32
-#define PLEN_NUM_BINS 48 /* 47*32 = 1504 */
-#define MAX_NUM_BIN_PKTS 256
-
 #include "ndpi_main.h"
 #include "reader_util.h"
 #include "ndpi_classify.h"
@@ -89,6 +86,7 @@ extern u_int8_t enable_protocol_guess, enable_joy_stats, enable_payload_analyzer;
 extern u_int8_t verbose, human_readeable_string_len;
 extern u_int8_t max_num_udp_dissected_pkts /* 8 */, max_num_tcp_dissected_pkts /* 10 */;
+extern u_int8_t enable_doh_dot_detection;
 static u_int32_t flow_id = 0;
 /* ****************************************************** */
@@ -1213,17 +1211,17 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
 flow->ndpi_flow->protos.stun_ssl.ssl.alpn);
 }
-#ifdef USE_TLS_LEN
- /* For TLS we use TLS block lenght instead of payload lenght */
- ndpi_reset_bin(&flow->payload_len_bin);
-
- for(i=0; i<flow->ndpi_flow->l4.tcp.tls.num_tls_blocks; i++) {
- u_int16_t len = abs(flow->ndpi_flow->l4.tcp.tls.tls_application_blocks_len[i]);
-
- /* printf("[TLS_LEN] %u\n", len); */
- ndpi_inc_bin(&flow->payload_len_bin, plen2slot(len), 1);
+ if(enable_doh_dot_detection) {
+ /* For TLS we use TLS block lenght instead of payload lenght */
+ ndpi_reset_bin(&flow->payload_len_bin);
+
+ for(i=0; i<flow->ndpi_flow->l4.tcp.tls.num_tls_blocks; i++) {
+ u_int16_t len = abs(flow->ndpi_flow->l4.tcp.tls.tls_application_blocks_len[i]);
+
+ /* printf("[TLS_LEN] %u\n", len); */
+ ndpi_inc_bin(&flow->payload_len_bin, plen2slot(len), 1);
+ }
 }
-#endif
 }
 if(flow->detection_completed && (!flow->check_extra_packets)) {
diff --git a/example/reader_util.h b/example/reader_util.h
index 4dba29ddc..7337bb182 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
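Review bot: With `-D` on, `ndpi_reset_bin` in the `@@ -1213` hunk replaces the payload-length histogram of every flow reaching this point with the TLS application-block lengths, so a flow with no TLS blocks ends up with an empty bin (which `printFlowsStats` then discards); the `if` that decides which flows reach here starts outside the hunk, so a comment stating that this is intended would help, e.g. `/* -D: histogram holds TLS application-data block lengths only; non-TLS flows end up with an empty bin and are skipped later */`. `u_int16_t len = abs(...)` narrows the `abs()` result without a cast; if `tls_application_blocks_len[]` is wider than 16 bits (its declaration is not in this diff), lengths above 65535 wrap silently before `plen2slot`, so an explicit `(u_int16_t)` cast or a `len > PLEN_MAX` guard would make the intent visible. The moved comment still reads `lenght` twice; `length` while it is being touched.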
@@ -54,6 +54,11 @@ extern int dpdk_port_init(int port, struct rte_mempool *mbuf_pool);
 extern int dpdk_port_deinit(int port);
 #endif
+#define PLEN_MAX 1504
+#define PLEN_BIN_LEN 32
+#define PLEN_NUM_BINS 48 /* 47*32 = 1504 */
+#define MAX_NUM_BIN_PKTS 256
+
 /* ETTA Spec defiintions for feature readiness */
 #define ETTA_MIN_PACKETS 10
 #define ETTA_MIN_OCTETS 4000
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 1a53a93c6..0c22a02fb 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1032,6 +1032,7 @@ struct ndpi_detection_module_struct {
 u_int32_t current_ts;
 u_int32_t ticks_per_second;
 u_int16_t num_tls_blocks_to_follow;
+ u_int8_t skip_tls_blocks_until_change_cipher:1, _notused:7;
 #ifdef NDPI_ENABLE_DEBUG_MESSAGES
 void *user_data;
diff --git a/src/lib/ndpi_analyze.c b/src/lib/ndpi_analyze.c
index 37e31474f..ddc782fbe 100644
--- a/src/lib/ndpi_analyze.c
+++ b/src/lib/ndpi_analyze.c
@@ -468,6 +468,7 @@ void ndpi_normalize_bin(struct ndpi_bin *b) {
 b->u.bins8[i] = (b->u.bins8[i]*100) / tot;
 }
 break;
+
 case ndpi_bin_family16:
 for(i=0; i<b->num_bins; i++)
 tot += b->u.bins16[i];
@@ -476,6 +477,7 @@ void ndpi_normalize_bin(struct ndpi_bin *b) {
 b->u.bins16[i] = (b->u.bins16[i]*100) / tot;
 }
 break;
+
 case ndpi_bin_family32:
 for(i=0; i<b->num_bins; i++)
 tot += b->u.bins32[i];
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 9de47e471..65f1db852 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -603,10 +603,11 @@ int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_str
 case ndpi_pref_enable_tls_block_dissection:
 /*
- If this option is enabled only the TLS Application data blocks past the
- certificate negotiation are considered
+ If this option is enabled only the TLS Application data blocks past the
+ certificate negotiation are considered
 */
 ndpi_str->num_tls_blocks_to_follow = NDPI_MAX_NUM_TLS_APPL_BLOCKS;
+ ndpi_str->skip_tls_blocks_until_change_cipher = 1;
 break;
 default:
diff --git a/src/lib/protocols/ciscovpn.c b/src/lib/protocols/ciscovpn.c
index c97ab25db..b503f1184 100644
--- a/src/lib/protocols/ciscovpn.c
+++ b/src/lib/protocols/ciscovpn.c
@@ -57,7 +57,7 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru
 if((tdport == 10000 && tsport == 10000) || ((tsport == 443 || tdport == 443) && (packet->payload_packet_len >= 4) &&
- (packet->payload[0] == 0x17 &&
+ (packet->payload[0] == 0x17 /* TLS Application Data */ &&
 packet->payload[1] == 0x01 && packet->payload[2] == 0x00 && packet->payload[3] == 0x00)
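Review bot: The `ndpi_pref_enable_tls_block_dissection` case sets `num_tls_blocks_to_follow` and the new `skip_tls_blocks_until_change_cipher` bit unconditionally, ignoring the preference value the caller passes (ndpiReader passes a trailing `1` in the `setupDetection` hunk); there is therefore no way to switch the behaviour back off through this API, and a caller passing `0` would still enable it. If the value parameter is in scope here (the signature is truncated in the hunk header; upstream names it `value`, if memory serves), `ndpi_str->skip_tls_blocks_until_change_cipher = (value != 0);` together with a matching conditional assignment of `num_tls_blocks_to_follow` would honour it. The function's other cases and its return are outside the hunk.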
@@ -68,28 +68,27 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru
 ndpi_int_ciscovpn_add_connection(ndpi_struct, flow);
 return;
 }
+#if 0
+ /* Code disabled as it is too generic and it can lead to false positives */
 else if(((tsport == 443 || tdport == 443) || (tsport == 80 || tdport == 80)) &&
 (packet->payload_packet_len >= 5) &&
- ((packet->payload[0] == 0x17 &&
- packet->payload[1] == 0x03 &&
- packet->payload[2] == 0x03 &&
- packet->payload[3] == 0x00 &&
- packet->payload[4] == 0x3A)))
+ ((packet->payload[0] == 0x17 /* TLS Application Data */ &&
+ packet->payload[1] == 0x03 && packet->payload[2] == 0x03 && /* TLS 1.2 */
+ packet->payload[3] == 0x00 && packet->payload[4] == 0x3A /* Length */)))
 {
 /* TLS signature of Cisco AnyConnect 0X170303003A */
 NDPI_LOG_INFO(ndpi_struct, "found CISCO Anyconnect VPN\n");
 ndpi_int_ciscovpn_add_connection(ndpi_struct, flow);
 return;
 }
+#endif
 else if(((tsport == 8009 || tdport == 8009) || (tsport == 8008 || tdport == 8008)) &&
 (packet->payload_packet_len >= 5) &&
- ((packet->payload[0] == 0x17 &&
- packet->payload[1] == 0x03 &&
- packet->payload[2] == 0x03 &&
- packet->payload[3] == 0x00 &&
- packet->payload[4] == 0x69)))
+ ((packet->payload[0] == 0x17 /* TLS Application Data */ &&
+ packet->payload[1] == 0x03 && packet->payload[2] == 0x03 && /* TLS 1.2 */
+ packet->payload[3] == 0x00 && packet->payload[4] == 0x69 /* Length */)))
 {
 /* TCP signature of Cisco AnyConnect 0X1703030069 */
 NDPI_LOG_INFO(ndpi_struct, "found CISCO Anyconnect VPN\n");
@@ -116,7 +115,7 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru
 (usport == 443 || udport == 443) &&
 (packet->payload_packet_len >= 5) &&
- (packet->payload[0] == 0x17 &&
+ (packet->payload[0] == 0x17 /* TLS Application Data */ &&
 packet->payload[1] == 0x01 &&
 packet->payload[2] == 0x00 &&
 packet->payload[3] == 0x00 &&
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 192625c5c..7f9e8d5c0 100644
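Review bot: Wrapping the 443/80 branch in `#if 0` leaves about fifteen lines of dead code sitting between two `else if` arms, so the chain stays syntactically valid only as long as nobody edits inside the disabled region; the commit message says the heuristic was removed and history keeps it, so deleting the branch outright is the safer form. The 8008/8009 branch that remains is the same construction, a port pair plus the fixed prefix `17 03 03 00 69`, differing only in the record-length byte, so it presumably carries the same false-positive exposure that motivated disabling the 443/80 one; if it is kept, a comment saying why this one is considered specific enough would help the next reader. `ndpi_search_ciscovpn` begins and ends outside this hunk.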
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -712,12 +712,14 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 p = packet->payload, p_len = packet->payload_packet_len; /* Backup */
 if(content_type == 0x14 /* Change Cipher Spec */) {
- /*
- Ignore Application Data up until change cipher
- so in this case we reset the number of observed
- TLS blocks
- */
- flow->l4.tcp.tls.num_tls_blocks = 0;
+ if(ndpi_struct->skip_tls_blocks_until_change_cipher) {
+ /*
+ Ignore Application Data up until change cipher
+ so in this case we reset the number of observed
+ TLS blocks
+ */
+ flow->l4.tcp.tls.num_tls_blocks = 0;
+ }
 }
 if((len > 9)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 75fc7e030..82625902c 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -3,4 +3,4 @@ TESTS = do.sh
 EXTRA_DIST = do.sh vagrind_test.sh ossfuzz.sh pcap result
 all:
- @echo ""
+ @echo -n ""
diff --git a/tests/result/anyconnect-vpn.pcap.out b/tests/result/anyconnect-vpn.pcap.out
index b2fcc0a4e..fa65086c1 100644
--- a/tests/result/anyconnect-vpn.pcap.out
+++ b/tests/result/anyconnect-vpn.pcap.out
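Review bot: The new test only adds a guard around the existing body, so the two nested `if`s can be a single condition, `if((content_type == 0x14 /* Change Cipher Spec */) && ndpi_struct->skip_tls_blocks_until_change_cipher) {`, which also keeps the explanatory comment at its previous depth. The comment itself should say that the reset is now opt-in via `ndpi_pref_enable_tls_block_dissection`: before this change every ChangeCipherSpec record reset `num_tls_blocks`, and a reader of this file alone cannot see where the bit is set or that it is never cleared. `ndpi_search_tls_tcp` continues outside the hunk.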
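Review bot: `@echo -n ""` is not portable: POSIX leaves `echo -n` implementation-defined and some `/bin/sh` implementations print `-n` literally, so the `all:` rule may now emit `-n` where the old recipe printed an empty line. `@:` (or `@true`) is the portable no-op recipe for a target that should do nothing.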
@@ -35,8 +35,8 @@ JA3 Host Stats: 12 TCP 10.0.0.227:56954 <-> 10.0.0.149:8008 [proto: 7/HTTP][cat: Web/5][4 pkts/527 bytes <-> 3 pkts/1401 bytes][Goodput ratio: 48/85][0.01 sec][Host: 10.0.0.149][bytes ratio: -0.453 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/3 2/3 6/3 3/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 132/467 317/1261 107/561][URL: 10.0.0.149:8008/ssdp/device-desc.xml][StatusCode: 200][Content-Type: application/xml][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36][Risk: ** Known protocol on non standard port **][PLAIN TEXT (HGET /ssdp/device)][Plen Bins: 0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0] 13 UDP [fe80::408:3e45:3abc:1552]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][9 pkts/1628 bytes -> 0 pkts/0 bytes][Goodput ratio: 66/0][25.40 sec][Host: _raop._tcp.local][_raop._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 819/0 3174/0 11263/0 3646/0][Pkt Len c2s/s2c min/avg/max/stddev: 152/0 181/0 206/0 24/0][Risk: ** Malformed packet **][PLAIN TEXT (companion)][Plen Bins: 0,0,33,22,44,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 14 UDP 10.0.0.227:137 -> 10.0.0.255:137 [proto: 10/NetBIOS][cat: System/18][15 pkts/1542 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][6.05 sec][Host: lp-rkerur-osx][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 465/0 1499/0 677/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 103/0 110/0 9/0][PLAIN TEXT ( EMFACNFCELEFFC)][Plen Bins: 0,40,60,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 15 TCP 10.0.0.227:56914 <-> 52.37.243.173:443 [proto: 161.178/CiscoVPN.Amazon][cat: VPN/2][8 pkts/847 bytes <-> 7 pkts/651 bytes][Goodput ratio: 38/29][21.75 sec][bytes ratio: 0.131 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 35/1 3340/2605 9634/9670 4130/3611][Pkt Len 
c2s/s2c min/avg/max/stddev: 66/66 106/93 131/129 31/31][Risk: ** Known protocol on non standard port **][Plen Bins: 0,75,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 16 TCP 10.0.0.227:56915 <-> 52.37.243.173:443 [proto: 161.178/CiscoVPN.Amazon][cat: VPN/2][8 pkts/847 bytes <-> 7 pkts/651 bytes][Goodput ratio: 38/29][22.76 sec][bytes ratio: 0.131 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 35/0 3340/3011 10636/10673 4210/3967][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 106/93 131/129 31/31][Risk: ** Known protocol on non standard port **][Plen Bins: 0,75,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 15 TCP 10.0.0.227:56914 <-> 52.37.243.173:443 [proto: 91.178/TLS.Amazon][cat: Web/5][8 pkts/847 bytes <-> 7 pkts/651 bytes][Goodput ratio: 38/29][21.75 sec][bytes ratio: 0.131 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 35/1 3340/2605 9634/9670 4130/3611][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 106/93 131/129 31/31][Plen Bins: 0,75,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 16 TCP 10.0.0.227:56915 <-> 52.37.243.173:443 [proto: 91.178/TLS.Amazon][cat: Web/5][8 pkts/847 bytes <-> 7 pkts/651 bytes][Goodput ratio: 38/29][22.76 sec][bytes ratio: 0.131 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 35/0 3340/3011 10636/10673 4210/3967][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 106/93 131/129 31/31][Plen Bins: 0,75,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 17 UDP 10.0.0.213:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][9 pkts/1448 bytes -> 0 pkts/0 bytes][Goodput ratio: 74/0][25.40 sec][Host: _raop._tcp.local][_raop._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 819/0 3174/0 11263/0 3646/0][Pkt Len c2s/s2c min/avg/max/stddev: 132/0 161/0 186/0 24/0][Risk: ** Malformed packet **][PLAIN TEXT (companion)][Plen Bins: 
0,0,33,22,44,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 18 UDP 10.0.0.151:1900 -> 10.0.0.227:57547 [proto: 12/SSDP][cat: System/18][4 pkts/1412 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][2.86 sec][PLAIN TEXT (HTTP/1.1 200 OK)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 19 TCP 10.0.0.227:56881 <-> 162.222.43.153:443 [proto: 91/TLS][cat: Web/5][6 pkts/762 bytes <-> 6 pkts/396 bytes][Goodput ratio: 48/0][0.05 sec][bytes ratio: 0.316 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 0/1 0/2 0/1][Pkt Len c2s/s2c min/avg/max/stddev: 82/66 127/66 292/66 75/0][Plen Bins: 50,33,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |