authorlns <matzeton@googlemail.com>2022-08-09 20:26:44 +0200
committerToni Uhlig <matzeton@googlemail.com>2022-08-18 11:03:01 +0200
commit4956025111ee66104b91b94e47e2dafd55c3a9b4 (patch)
treeba246b77d9a0d8dbcddc369169647997c9f38a2e
parent540848c254ab4f8f89b6cfab03269ed8dc4dc887 (diff)
Improved QUIC IETF 0-RTT detection.improved/ietf-quic-0rtt-detection
Signed-off-by: lns <matzeton@googlemail.com> Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r--src/lib/protocols/quic.c9
-rw-r--r--tests/pcap/quic_0RTT.pcapbin2644 -> 8468 bytes
-rw-r--r--tests/result/quic_0RTT.pcap.out14
3 files changed, 11 insertions, 12 deletions
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index 530ba27b2..aa9c04f9d 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -1442,10 +1442,7 @@ static int may_be_initial_pkt(struct ndpi_detection_module_struct *ndpi_struct,
u_int8_t pub_bit1, pub_bit2, pub_bit3, pub_bit4, pub_bit5, pub_bit7, pub_bit8;
u_int8_t dest_conn_id_len, source_conn_id_len;
- /* According to draft-ietf-quic-transport-29: "Clients MUST ensure that UDP
- datagrams containing Initial packets have UDP payloads of at least 1200
- bytes". Similar limit exists for previous versions */
- if(packet->payload_packet_len < 1200) {
+ if(packet->payload_packet_len < 14) {
return 0;
}
@@ -1485,8 +1482,8 @@ static int may_be_initial_pkt(struct ndpi_detection_module_struct *ndpi_struct,
}
if(((is_version_quic(*version) && !is_version_quic_v2(*version)) ||
(*version == V_Q046) || (*version == V_Q050)) &&
- (pub_bit3 != 0 || pub_bit4 != 0)) {
- NDPI_LOG_DBG2(ndpi_struct, "Version 0x%x not Initial Packet\n", *version);
+ (pub_bit3 != 0)) {
+ NDPI_LOG_DBG2(ndpi_struct, "Version 0x%x not Initial Packet or 0-RTT\n", *version);
return 0;
}
if(is_version_quic_v2(*version) &&
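Review bot: The new floor `14` in the `packet->payload_packet_len < 14` check is an undocumented magic number, and the removed draft-29 comment was the only place the previous bound was justified, so a reader can no longer tell whether 14 is the smallest long header the code below can parse or an arbitrary value. Suggest replacing it with a named constant and a comment such as `/* 0-RTT packets are accepted here too and are not bound by the 1200-byte Initial datagram minimum; 14 must still cover every fixed header byte read below */`, and confirm that the later reads in may_be_initial_pkt (whose body continues outside both hunks) are bounded by payload_packet_len, since dropping the 1200-byte floor also removes a cheap filter and short datagrams with a QUIC-looking long header now reach that parsing. In the second hunk the function keeps the name may_be_initial_pkt but now passes packets with pub_bit4 set, and only the log string hints at that; a one-line comment above `(pub_bit3 != 0)` stating that long-header type 1 (0-RTT) is now accepted would make the intent explicit. The QUIC v2 condition that starts on the hunk's last line likely needs the same review, as v2 uses a different packet-type encoding; its body is outside the hunk.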
diff --git a/tests/pcap/quic_0RTT.pcap b/tests/pcap/quic_0RTT.pcap
index 7ade88654..95e7c2b6c 100644
--- a/tests/pcap/quic_0RTT.pcap
+++ b/tests/pcap/quic_0RTT.pcap
Binary files differ
diff --git a/tests/result/quic_0RTT.pcap.out b/tests/result/quic_0RTT.pcap.out
index 102ca515e..3191d6789 100644
--- a/tests/result/quic_0RTT.pcap.out
+++ b/tests/result/quic_0RTT.pcap.out
@@ -1,8 +1,8 @@
Guessed flow protos: 0
-DPI Packets (UDP): 1 (1.00 pkts/flow)
-Confidence DPI : 1 (flows)
-Num dissector calls: 64 (64.00 diss/flow)
+DPI Packets (UDP): 2 (1.00 pkts/flow)
+Confidence DPI : 2 (flows)
+Num dissector calls: 65 (32.50 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
@@ -15,10 +15,11 @@ Automa domain: 1/0 (search/found)
Automa tls cert: 0/0 (search/found)
Automa risk mask: 1/0 (search/found)
Automa common alpns: 0/0 (search/found)
-Patricia risk mask: 0/0 (search/found)
+Patricia risk mask: 2/0 (search/found)
Patricia risk: 0/0 (search/found)
-Patricia protocols: 0/0 (search/found)
+Patricia protocols: 2/2 (search/found)
+Google 15 5178 1
QUIC 2 2588 1
JA3 Host Stats:
@@ -26,4 +27,5 @@ JA3 Host Stats:
1 ::1 1
- 1 UDP [::1]:60459 <-> [::1]:4443 [proto: 188/QUIC][Encrypted][Confidence: DPI][cat: Web/5][1 pkts/1294 bytes <-> 1 pkts/1294 bytes][Goodput ratio: 95/95][0.00 sec][Hostname/SNI: abcd][ALPN: h3-32][TLS Supported Versions: TLSv1.3;TLSv1.3 (draft);TLSv1.3 (draft);TLSv1.3 (draft)][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][TLSv1.3][JA3C: a7b629a5bd67bfc25e2c78b3daa4c12f][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0]
+ 1 UDP 192.168.2.100:51972 <-> 142.250.181.227:443 [proto: 188.126/QUIC.Google][Encrypted][Confidence: DPI][cat: Web/5][7 pkts/2168 bytes <-> 8 pkts/3010 bytes][Goodput ratio: 86/89][0.23 sec][bytes ratio: -0.163 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 36/10 121/30 45/14][Pkt Len c2s/s2c min/avg/max/stddev: 75/67 310/376 1292/1292 416/426][Plen Bins: 26,20,20,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0,0,0]
+ 2 UDP [::1]:60459 <-> [::1]:4443 [proto: 188/QUIC][Encrypted][Confidence: DPI][cat: Web/5][1 pkts/1294 bytes <-> 1 pkts/1294 bytes][Goodput ratio: 95/95][0.00 sec][Hostname/SNI: abcd][ALPN: h3-32][TLS Supported Versions: TLSv1.3;TLSv1.3 (draft);TLSv1.3 (draft);TLSv1.3 (draft)][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][TLSv1.3][JA3C: a7b629a5bd67bfc25e2c78b3daa4c12f][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0]