diff options
| author | Luca Deri <deri@ntop.org> | 2022-01-13 19:03:17 +0100 |
|---|---|---|
| committer | Luca Deri <deri@ntop.org> | 2022-01-13 19:06:21 +0100 |
| commit | 406ac7e8c825ba05bc6371ed3088226bdef21b02 (patch) | |
| tree | b759ec5050b56aa561874ce214ca7fddd6c1567f | |
| parent | dc60cd09c49f52d2eba6c169f973f757695e4f5a (diff) | |
Added the ability to specify trusted issueDN often used in companies to self-signed certificates
This allows to avoid triggering alerts for trusted albeit private certificate issuers.
Extended the example/protos.txt with the new syntax for specifying trusted issueDN.
Example:
trusted_issuer_dn:"CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US"
| -rw-r--r-- | example/ndpiReader.c | 2 | ||||
| -rw-r--r-- | example/protos.txt | 3 | ||||
| -rw-r--r-- | src/include/ndpi_api.h.in | 9 | ||||
| -rw-r--r-- | src/include/ndpi_typedefs.h | 7 | ||||
| -rw-r--r-- | src/lib/ndpi_main.c | 126 | ||||
| -rw-r--r-- | src/lib/protocols/tls.c | 20 | ||||
| -rw-r--r-- | tests/result/anyconnect-vpn.pcap.out | 105 |
7 files changed, 126 insertions, 146 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 7b883ab71..a84f1e0d0 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -3004,7 +3004,7 @@ static void printResults(u_int64_t processing_time_usec, u_int64_t setup_time_us for(i = 0; i < sizeof(cumulative_stats.flow_confidence)/sizeof(cumulative_stats.flow_confidence[0]); i++) { if(cumulative_stats.flow_confidence[i] != 0) - printf("\tConfidence %-17s: %-10llu (flows)\n", ndpi_confidence_get_name(i), + printf("\tConfidence: %-10s %-13llu (flows)\n", ndpi_confidence_get_name(i), (long long unsigned int)cumulative_stats.flow_confidence[i]); } } diff --git a/example/protos.txt b/example/protos.txt index 555503f4c..3428ee109 100644 --- a/example/protos.txt +++ b/example/protos.txt @@ -54,3 +54,6 @@ ip:54.80.47.130@AmazonPrime host_risk_mask:".local"=0 host_risk_mask:".msftconnecttest.com"=0 + +# Custom certification autorities we trust +trusted_issuer_dn:"CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US" diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in index 40e16c993..02436b285 100644 --- a/src/include/ndpi_api.h.in +++ b/src/include/ndpi_api.h.in @@ -726,6 +726,15 @@ extern "C" { int ndpi_add_host_risk_mask(struct ndpi_detection_module_struct *ndpi_mod, char *host, ndpi_risk mask); /** + * Add a trusted certificate issuer DN + * + * @par ndpi_mod = the detection module + * @par dn = the issuer DN as it appears in the certificate (example "CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US") + * @return 0 if the rule is loaded correctly; < 0 in case an error is detected + */ + int ndpi_add_trusted_issuer_dn(struct ndpi_detection_module_struct *ndpi_mod, char *dn); + + /** * Read a file and load the categories * * @par ndpi_mod = the detection module diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index eab3fe24d..e4595271d 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1016,6 +1016,11 @@ typedef enum { ndpi_hangout_cache } ndpi_lru_cache_type; +typedef struct ndpi_list_struct { + char *value; + struct ndpi_list_struct *next; +} ndpi_list; + struct ndpi_detection_module_struct { NDPI_PROTOCOL_BITMASK detection_bitmask; NDPI_PROTOCOL_BITMASK generic_http_packet_bitmask; @@ -1077,6 +1082,8 @@ struct ndpi_detection_module_struct { host_risk_mask_automa, common_alpns_automa; /* IMPORTANT: please update ndpi_finalize_initialization() whenever you add a new automa */ + ndpi_list *trusted_issuer_dn; + void *ip_risk_mask_ptree; struct { diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index cbd875eef..8d88b5c2e 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -2368,7 +2368,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_microsoft_azure_protocol_list, prefs & ndpi_dont_load_tor_hosts); /* Microsoft Azure */ } - + ndpi_str->ip_risk_mask_ptree = ndpi_patricia_new(32 /* IPv4 */); NDPI_BITMASK_RESET(ndpi_str->detection_bitmask); @@ -2397,6 +2397,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs ndpi_str->malicious_ja3_automa.ac_automa = NULL; /* Initialized on demand */ ndpi_str->malicious_sha1_automa.ac_automa = NULL; /* Initialized on demand */ ndpi_str->risky_domain_automa.ac_automa = NULL; /* Initialized on demand */ + ndpi_str->trusted_issuer_dn = NULL; if((sizeof(categories) / sizeof(char *)) != NDPI_PROTOCOL_NUM_CATEGORIES) { NDPI_LOG_ERR(ndpi_str, "[NDPI] invalid categories length: expected %u, got %u\n", NDPI_PROTOCOL_NUM_CATEGORIES, @@ -2779,6 +2780,19 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) { ac_automata_release((AC_AUTOMATA_t *) ndpi_str->common_alpns_automa.ac_automa, 1 /* free patterns strings memory */); + if(ndpi_str->trusted_issuer_dn) { + ndpi_list *head = ndpi_str->trusted_issuer_dn; + + while(head != NULL) { + ndpi_list *next; + + if(head->value) ndpi_free(head->value); + next = head->next; + ndpi_free(head); + head = next; + } + } + #ifdef CUSTOM_NDPI_PROTOCOLS #include "../../../nDPI-custom/ndpi_exit_detection_module.c" #endif @@ -3042,6 +3056,40 @@ int ndpi_add_host_risk_mask(struct ndpi_detection_module_struct *ndpi_str, /* ******************************************************************** */ +int ndpi_add_trusted_issuer_dn(struct ndpi_detection_module_struct *ndpi_str, char *dn) { + ndpi_list *head; + + if(dn == NULL) + return(-1); + else + head = (ndpi_list*)ndpi_malloc(sizeof(ndpi_list)); + + if(head == NULL) return(-2); + + if(dn[0] == '"') { + char buf[128], *quote; + + snprintf(buf, sizeof(buf), "%s", &dn[1]); + + if((quote = strchr(buf, '"')) != NULL) + quote[0] = '\0'; + + head->value = strdup(buf); + } else + head->value = strdup(dn); + + if(head->value == NULL) { + ndpi_free(head); + return(-3); + } + + head->next = ndpi_str->trusted_issuer_dn; + ndpi_str->trusted_issuer_dn = head; + + return(0); +} +/* ******************************************************************** */ + int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_str, char *rule, u_int8_t do_add) { char *at, *proto, *elem; ndpi_proto_defaults_t *def; @@ -3060,13 +3108,15 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_str, char *rule, return(-1); } - key = strtok(NULL, "="); + if(!strcmp(rule_type, "trusted_issuer_dn")) + return(ndpi_add_trusted_issuer_dn(ndpi_str, strtok(NULL, ":"))); + key = strtok(NULL, "="); if(key) { - char *mask = strtok(NULL, "="); + char *value = strtok(NULL, "="); - if(mask) { - ndpi_risk risk_mask = (ndpi_risk)atoll(mask); + if(value) { + ndpi_risk risk_mask = (ndpi_risk)atoll(value); if(!strcmp(rule_type, "ip_risk_mask")) { return(ndpi_add_ip_risk_mask(ndpi_str, key, risk_mask)); @@ -3449,7 +3499,7 @@ int ndpi_load_malicious_sha1_file(struct ndpi_detection_module_struct *ndpi_str, int ndpi_load_protocols_file(struct ndpi_detection_module_struct *ndpi_str, const char *path) { FILE *fd; char *buffer, *old_buffer; - int chunk_len = 512, buffer_len = chunk_len, old_buffer_len; + int chunk_len = 1024, buffer_len = chunk_len, old_buffer_len; int i, rc = -1; fd = fopen(path, "r"); @@ -4541,7 +4591,7 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str, flow->is_ipv6 = (packet->iphv6 != NULL); if(flow->is_ipv6 == 0) flow->saddr = packet->iph->saddr, flow->daddr = packet->iph->daddr; /* See (*#*) */ - + flow->last_packet_time_ms = packet->current_time_ms; packet->packet_lines_parsed_complete = 0; @@ -4554,7 +4604,7 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str, if(tcph != NULL) { flow->sport = tcph->source, flow->dport = tcph->dest; /* (*#*) */ - + if(!ndpi_str->direction_detect_disable) packet->packet_direction = (ntohs(tcph->source) < ntohs(tcph->dest)) ? 1 : 0; @@ -4616,7 +4666,7 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str, } } else if(udph != NULL) { flow->sport = udph->source, flow->dport = udph->dest; /* (*#*) */ - + if(!ndpi_str->direction_detect_disable) packet->packet_direction = (htons(udph->source) < htons(udph->dest)) ? 1 : 0; } @@ -4878,7 +4928,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s case NDPI_PROTOCOL_RDP: ndpi_set_risk(ndpi_str, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */ break; - + case NDPI_PROTOCOL_ANYDESK: if(flow->l4_proto == IPPROTO_TCP) /* TCP only */ ndpi_set_risk(ndpi_str, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */ @@ -4922,7 +4972,7 @@ int ndpi_search_into_bittorrent_cache(struct ndpi_detection_module_struct *ndpi_ if(flow && flow->bt_check_performed /* Do the check once */) return(0); - + if(ndpi_struct->bittorrent_cache) { u_int16_t cached_proto; u_int8_t found = 0; @@ -4930,7 +4980,7 @@ int ndpi_search_into_bittorrent_cache(struct ndpi_detection_module_struct *ndpi_ if(flow) flow->bt_check_performed = 1; - + /* Check cached communications */ key1 = ndpi_bittorrent_hash_funct(saddr, sport), key2 = ndpi_bittorrent_hash_funct(daddr, dport); @@ -5111,7 +5161,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st ret.app_protocol = NDPI_PROTOCOL_BITTORRENT; } } - + if(ret.app_protocol != NDPI_PROTOCOL_UNKNOWN) { *protocol_was_guessed = 1; ndpi_fill_protocol_category(ndpi_str, flow, &ret); @@ -5908,7 +5958,7 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, packet->server_line.len = packet->line[packet->parsed_lines].len - NDPI_STATICSTRING_LEN("Server:"); } packet->http_num_headers++; - } else + } else /* "Host:" header line in HTTP request */ if(packet->line[packet->parsed_lines].len > 6 && strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "Host:", 5) == 0) { @@ -5921,7 +5971,7 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, packet->host_line.len = packet->line[packet->parsed_lines].len - 5; } packet->http_num_headers++; - } else + } else /* "X-Forwarded-For:" header line in HTTP request. Commonly used for HTTP proxies. */ if(packet->line[packet->parsed_lines].len > 17 && strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "X-Forwarded-For:", 16) == 0) { @@ -5934,7 +5984,7 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, packet->forwarded_line.len = packet->line[packet->parsed_lines].len - 16; } packet->http_num_headers++; - } else + } else /* "Authorization:" header line in HTTP. */ if(packet->line[packet->parsed_lines].len > 15 && @@ -5960,63 +6010,63 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, packet->referer_line.ptr = &packet->line[packet->parsed_lines].ptr[9]; packet->referer_line.len = packet->line[packet->parsed_lines].len - 9; packet->http_num_headers++; - } else + } else /* "User-Agent:" header line in HTTP request. */ if(packet->line[packet->parsed_lines].len > 12 && strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "User-agent: ", 12) == 0) { packet->user_agent_line.ptr = &packet->line[packet->parsed_lines].ptr[12]; packet->user_agent_line.len = packet->line[packet->parsed_lines].len - 12; packet->http_num_headers++; - } else + } else /* "Content-Encoding:" header line in HTTP response (and request?). */ if(packet->line[packet->parsed_lines].len > 18 && strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "Content-Encoding: ", 18) == 0) { packet->http_encoding.ptr = &packet->line[packet->parsed_lines].ptr[18]; packet->http_encoding.len = packet->line[packet->parsed_lines].len - 18; packet->http_num_headers++; - } else + } else /* "Transfer-Encoding:" header line in HTTP. */ if(packet->line[packet->parsed_lines].len > 19 && strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "Transfer-Encoding: ", 19) == 0) { packet->http_transfer_encoding.ptr = &packet->line[packet->parsed_lines].ptr[19]; packet->http_transfer_encoding.len = packet->line[packet->parsed_lines].len - 19; packet->http_num_headers++; - } else + } else /* "Content-Length:" header line in HTTP. */ if(packet->line[packet->parsed_lines].len > 16 && strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "content-length: ", 16) == 0) { packet->http_contentlen.ptr = &packet->line[packet->parsed_lines].ptr[16]; packet->http_contentlen.len = packet->line[packet->parsed_lines].len - 16; packet->http_num_headers++; - } else + } else /* "Content-Disposition"*/ if(packet->line[packet->parsed_lines].len > 21 && ((strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "Content-Disposition: ", 21) == 0))) { packet->content_disposition_line.ptr = &packet->line[packet->parsed_lines].ptr[21]; packet->content_disposition_line.len = packet->line[packet->parsed_lines].len - 21; packet->http_num_headers++; - } else + } else /* "Cookie:" header line in HTTP. */ if(packet->line[packet->parsed_lines].len > 8 && strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "Cookie: ", 8) == 0) { packet->http_cookie.ptr = &packet->line[packet->parsed_lines].ptr[8]; packet->http_cookie.len = packet->line[packet->parsed_lines].len - 8; packet->http_num_headers++; - } else + } else /* "Origin:" header line in HTTP. */ if(packet->line[packet->parsed_lines].len > 8 && strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "Origin: ", 8) == 0) { packet->http_origin.ptr = &packet->line[packet->parsed_lines].ptr[8]; packet->http_origin.len = packet->line[packet->parsed_lines].len - 8; packet->http_num_headers++; - } else + } else /* "X-Session-Type:" header line in HTTP. */ if(packet->line[packet->parsed_lines].len > 16 && strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "X-Session-Type: ", 16) == 0) { packet->http_x_session_type.ptr = &packet->line[packet->parsed_lines].ptr[16]; packet->http_x_session_type.len = packet->line[packet->parsed_lines].len - 16; packet->http_num_headers++; - } else + } else /* Identification and counting of other HTTP headers. * We consider the most common headers, but there are many others, * which can be seen at references below: @@ -6046,7 +6096,7 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, "Upgrade-Insecure-Requests: ", 27) == 0)) { /* Just count. In the future, if needed, this if can be splited to parse these headers */ packet->http_num_headers++; - } else + } else /* "Content-Type:" header line in HTTP. */ if(packet->line[packet->parsed_lines].len > 14 && strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "Content-Type: ", 14) == 0 ) { @@ -6057,7 +6107,7 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, packet->content_line.len--, packet->content_line.ptr++; packet->http_num_headers++; - } else + } else /* "Content-Type:" header line in HTTP AGAIN. Probably a bogus response without space after ":" */ if((packet->content_line.len == 0) && (packet->line[packet->parsed_lines].len > 13) && @@ -6065,8 +6115,8 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, packet->content_line.ptr = &packet->line[packet->parsed_lines].ptr[13]; packet->content_line.len = packet->line[packet->parsed_lines].len - 13; packet->http_num_headers++; - } - + } + if(packet->content_line.len > 0) { /* application/json; charset=utf-8 */ char separator[] = {';', '\r', '\0'}; @@ -6538,7 +6588,7 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct #ifdef BITTORRENT_CACHE_DEBUG printf("[%s:%u] Guessed %u.%u\n", __FILE__, __LINE__, ret.master_protocol, ret.app_protocol); #endif - + ret.category = ndpi_get_proto_category(ndpi_str, ret); return(ret); } @@ -6558,7 +6608,7 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct #ifdef BITTORRENT_CACHE_DEBUG printf("[%s:%u] Guessed %u.%u\n", __FILE__, __LINE__, ret.master_protocol, ret.app_protocol); #endif - + ret.category = ndpi_get_proto_category(ndpi_str, ret); return(ret); } @@ -6575,7 +6625,7 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct #ifdef BITTORRENT_CACHE_DEBUG printf("[%s:%u] Guessed %u.%u\n", __FILE__, __LINE__, ret.master_protocol, ret.app_protocol); #endif - + return(ret); } @@ -6596,7 +6646,7 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct #ifdef BITTORRENT_CACHE_DEBUG printf("[%s:%u] Guessed %u.%u\n", __FILE__, __LINE__, ret.master_protocol, ret.app_protocol); #endif - + return(ret); } @@ -6897,7 +6947,7 @@ void ndpi_generate_options(u_int opt) { { for(i = 1 /* Skip no risk */; i < NDPI_MAX_RISK; i++) { ndpi_risk_enum r = (ndpi_risk_enum)i; - + printf(" <Option%d value=\"%u\">%s</Option%d>\n", i, i, ndpi_risk2str(r), i); } @@ -7580,7 +7630,7 @@ u_int8_t ndpi_ends_with(char *str, char *ends) { u_int8_t ends_len = strlen(ends); u_int8_t rc; - + if(str_len < ends_len) return(0); rc = (strncmp(&str[str_len-ends_len], ends, ends_len) != 0) ? 0 : 1; @@ -7631,7 +7681,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, if(rc) { if(flow) - ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_DGA_DOMAIN); + ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_DGA_DOMAIN); } return(rc); @@ -7640,7 +7690,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, u_int8_t max_num_char_repetitions = 0, last_char = 0, num_char_repetitions = 0, num_dots = 0, num_trigram_dots = 0; u_int8_t max_domain_element_len = 0, curr_domain_element_len = 0, first_element_is_numeric = 1; ndpi_protocol_match_result ret_match; - + if((!name) || (strchr(name, '_') != NULL) || (ndpi_ends_with(name, "in-addr.arpa")) @@ -7665,7 +7715,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, if(strcmp(inet_ntoa(ip_addr), name) == 0) return(0); /* Ignore numeric IPs */ } - + if(strncmp(name, "www.", 4) == 0) name = &name[4]; diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 4815275d4..b83505cd5 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -469,7 +469,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi if(flow->protos.tls_quic.notBefore > TLS_LIMIT_DATE) if((flow->protos.tls_quic.notAfter-flow->protos.tls_quic.notBefore) > TLS_THRESHOLD) - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG); /* Certificate validity longer than 13 months*/ + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG); /* Certificate validity longer than 13 months */ if((time_sec < flow->protos.tls_quic.notBefore) || (time_sec > flow->protos.tls_quic.notAfter)) @@ -652,8 +652,24 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi } if(flow->protos.tls_quic.subjectDN && flow->protos.tls_quic.issuerDN - && (!strcmp(flow->protos.tls_quic.subjectDN, flow->protos.tls_quic.issuerDN))) + && (!strcmp(flow->protos.tls_quic.subjectDN, flow->protos.tls_quic.issuerDN))) { + /* Last resort: we check if this is a trusted issuerDN */ + ndpi_list *head = ndpi_struct->trusted_issuer_dn; + + while(head != NULL) { +#if DEBUG_TLS + printf("TLS] %s() issuerDN %s / %s\n", __FUNCTION__, + flow->protos.tls_quic.issuerDN, head->value); +#endif + + if(strcmp(flow->protos.tls_quic.issuerDN, head->value) == 0) + return; /* This is a trusted DN */ + else + head = head->next; + } + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SELFSIGNED_CERTIFICATE); + } #if DEBUG_TLS printf("[TLS] %s() SubjectDN [%s]\n", __FUNCTION__, rdnSeqBuf); diff --git a/tests/result/anyconnect-vpn.pcap.out b/tests/result/anyconnect-vpn.pcap.out deleted file mode 100644 index a27a6f397..000000000 --- a/tests/result/anyconnect-vpn.pcap.out +++ /dev/null @@ -1,105 +0,0 @@ -Guessed flow protos: 17 - -DPI Packets (TCP): 173 (7.86 pkts/flow) -DPI Packets (UDP): 90 (2.43 pkts/flow) -DPI Packets (other): 10 (1.00 pkts/flow) -Confidence Unknown : 2 (flows) -Confidence Match by port : 6 (flows) -Confidence Match by IP : 4 (flows) -Confidence DPI : 57 (flows) - -Unknown 19 1054 2 -DNS 32 3655 16 -HTTP 50 11137 5 -MDNS 24 4279 4 -NetBIOS 15 1542 1 -SSDP 15 5625 9 -ICMP 2 126 2 -IGMP 8 378 6 -TLS 255 78703 7 -ICMPV6 18 2964 2 -Slack 29 4979 2 -Google 2 132 1 -AJP 5 390 1 -Apple 7 656 2 -CiscoVPN 2474 896875 3 -ApplePush 6 966 3 -AmazonAWS 36 3540 3 - -JA3 Host Stats: - IP Address # JA3C - 1 10.0.0.227 4 - - - 1 UDP 10.0.0.227:54107 <-> 8.37.102.91:443 [proto: 161/CiscoVPN][Encrypted][Confidence: DPI][cat: VPN/2][1413 pkts/395331 bytes <-> 1028 pkts/497166 bytes][Goodput ratio: 85/91][20.52 sec][bytes ratio: -0.114 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/13 669/953 35/48][Pkt Len c2s/s2c min/avg/max/stddev: 135/90 280/484 1511/1511 283/514][Risk: ** Known protocol on non standard port **][Risk Score: 50][PLAIN TEXT (m@GOC.)][Plen Bins: 0,0,10,45,17,5,7,1,1,2,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] - 2 TCP 10.0.0.227:56929 <-> 8.37.102.91:443 [proto: 91/TLS][Encrypted][Confidence: DPI][cat: Web/5][48 pkts/9073 bytes <-> 44 pkts/18703 bytes][Goodput ratio: 65/84][21.89 sec][bytes ratio: -0.347 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/11 97/138 21/26][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 189/425 1514/1514 246/579][Risk: ** Weak TLS cipher **** TLS (probably) not carrying HTTPS **** SNI TLS extension was missing **][Risk Score: 160][TLSv1.2][JA3C: c9f0b47c9805f516e6d3900cb51f7841][ServerNames: *.pandion.viasat.com,pandion.viasat.com][JA3S: 82f0d8a75fa483d1cfe4b7085b784d7e (WEAK)][Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K][Subject: C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Firefox][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,4,2,21,31,0,2,6,4,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,2,0,0,0,0,0,0,0,0,0,0,21,0,0] - 3 TCP 10.0.0.227:56919 <-> 8.37.102.91:443 [proto: 91/TLS][Encrypted][Confidence: DPI][cat: Web/5][28 pkts/9088 bytes <-> 26 pkts/16944 bytes][Goodput ratio: 80/90][23.14 sec][ALPN: http/1.1][bytes ratio: -0.302 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1048/487 11570/9008 2987/2009][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 325/652 1514/1514 494/646][Risk: ** Weak TLS cipher **** SNI TLS extension was missing **][Risk Score: 150][TLSv1.2][JA3C: 9f1a41f932f274fe47a992310a26a23a][ServerNames: *.pandion.viasat.com,pandion.viasat.com][JA3S: 82f0d8a75fa483d1cfe4b7085b784d7e (WEAK)][Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K][Subject: C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Firefox][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,12,4,0,0,4,0,0,0,8,0,0,0,0,0,0,0,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,8,4,0,0,0,4,0,4,0,16,0,25,0,0] - 4 TCP 10.0.0.227:56921 <-> 8.37.96.194:4287 [proto: 91/TLS][Encrypted][Confidence: DPI][cat: Web/5][29 pkts/5373 bytes <-> 28 pkts/7580 bytes][Goodput ratio: 64/75][2.30 sec][bytes ratio: -0.170 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 91/63 593/619 145/135][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 185/271 1261/1434 259/387][Risk: ** Known protocol on non standard port **** Self-signed Certificate **** TLS (probably) not carrying HTTPS **** SNI TLS extension was missing **][Risk Score: 210][TLSv1.2][JA3C: e3adec914f3893f18136762f1c0d7d81][JA3S: e54965894d6b45ecb4323c7ea3d6c115][Issuer: CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US][Subject: CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US][Certificate SHA-1: 86:2A:47:EF:00:68:79:60:7F:94:E2:91:6F:E0:38:82:37:8A:8E:2E][Firefox][Validity: 2019-08-29 00:12:40 - 2019-10-08 00:12:40][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,44,3,3,3,3,3,0,3,3,3,0,3,7,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,3,0,0,3,0,0,3,0,3,0,0,0,0,0] - 5 TCP 10.0.0.227:56918 <-> 8.37.102.91:443 [proto: 91/TLS][Encrypted][Confidence: DPI][cat: Web/5][16 pkts/2739 bytes <-> 14 pkts/7315 bytes][Goodput ratio: 61/87][0.35 sec][ALPN: http/1.1][bytes ratio: -0.455 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 23/26 48/88 21/29][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 171/522 1175/1514 274/624][Risk: ** Weak TLS cipher **** SNI TLS extension was missing **][Risk Score: 150][TLSv1.2][JA3C: 9f1a41f932f274fe47a992310a26a23a][ServerNames: *.pandion.viasat.com,pandion.viasat.com][JA3S: 82f0d8a75fa483d1cfe4b7085b784d7e (WEAK)][Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K][Subject: C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Firefox][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,16,8,0,0,8,0,8,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,8,0,25,0,0] - 6 TCP 10.0.0.227:56920 <-> 99.86.34.156:443 [proto: 91.118/TLS.Slack][Encrypted][Confidence: DPI][cat: Collaborative/15][16 pkts/2949 bytes <-> 11 pkts/1876 bytes][Goodput ratio: 64/61][11.47 sec][Hostname/SNI: slack.com][ALPN: h2;http/1.1][bytes ratio: 0.222 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 866/28 11074/80 2947/34][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 184/171 853/487 228/155][TLSv1.2][JA3C: d8dc5f8940df366b3a58b935569143e8][JA3S: 7bee5c1d424b7e5f943b06983bb11422][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,34,16,0,8,0,0,0,0,0,0,0,8,16,0,0,8,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 7 TCP 10.0.0.227:56884 <-> 184.25.56.77:80 [proto: 7/HTTP][ClearText][Confidence: DPI][cat: ConnCheck/30][12 pkts/2303 bytes <-> 7 pkts/2382 bytes][Goodput ratio: 67/81][18.51 sec][Hostname/SNI: detectportal.firefox.com][bytes ratio: -0.017 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 7/31 1824/3642 10081/10083 3593/4385][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 192/340 373/450 153/173][URL: detectportal.firefox.com/success.txt?ipv4][StatusCode: 200][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0][PLAIN TEXT (GET /success.txt)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 8 TCP 10.0.0.227:56320 <-> 10.0.0.149:8009 [proto: 161/CiscoVPN][Encrypted][Confidence: DPI][cat: VPN/2][20 pkts/2420 bytes <-> 10 pkts/1760 bytes][Goodput ratio: 45/62][45.04 sec][bytes ratio: 0.158 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/5003 2648/5004 5001/5006 2495/2][Pkt Len c2s/s2c min/avg/max/stddev: 66/176 121/176 176/176 55/0][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 9 ICMPV6 [fe80::2e7e:81ff:feb0:4aa1]:0 -> [ff02::1]:0 [proto: 102/ICMPV6][ClearText][Confidence: DPI][cat: Network/14][16 pkts/2784 bytes -> 0 pkts/0 bytes][Goodput ratio: 64/0][45.47 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2867/0 3028/0 3072/0 84/0][Pkt Len c2s/s2c min/avg/max/stddev: 174/0 174/0 174/0 0/0][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 10 TCP 10.0.0.227:56955 <-> 10.0.0.151:8060 [proto: 7/HTTP][ClearText][Confidence: DPI][cat: Web/5][6 pkts/650 bytes <-> 5 pkts/1668 bytes][Goodput ratio: 37/80][4.02 sec][Hostname/SNI: 10.0.0.151][bytes ratio: -0.439 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 4/4 9/6 3/2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 108/334 308/1206 89/442][URL: 10.0.0.151:8060/dial/dd.xml][StatusCode: 200][Content-Type: text/xml][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36][Risk: ** Known protocol on non standard port **** HTTP Numeric IP Address **][Risk Score: 60][PLAIN TEXT (GET /dial/dd.xml HTTP/1.1)][Plen Bins: 0,0,0,0,0,33,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0] - 11 TCP 10.0.0.227:56917 <-> 184.25.56.77:80 [proto: 7/HTTP][ClearText][Confidence: DPI][cat: ConnCheck/30][6 pkts/976 bytes <-> 4 pkts/1032 bytes][Goodput ratio: 62/74][18.47 sec][Hostname/SNI: detectportal.firefox.com][bytes ratio: -0.028 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 28/573 3694/6151 10081/10078 4344/4052][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 163/258 368/450 145/192][URL: detectportal.firefox.com/success.txt][StatusCode: 200][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0][PLAIN TEXT (GET /success.txt HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 12 TCP 10.0.0.227:56954 <-> 10.0.0.149:8008 [proto: 161.7/CiscoVPN.HTTP][Encrypted][Confidence: DPI][cat: Web/5][4 pkts/527 bytes <-> 3 pkts/1401 bytes][Goodput ratio: 48/85][0.01 sec][Hostname/SNI: 10.0.0.149][bytes ratio: -0.453 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/3 2/3 6/3 3/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 132/467 317/1261 107/561][URL: 10.0.0.149:8008/ssdp/device-desc.xml][StatusCode: 0][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36][Risk: ** HTTP Numeric IP Address **][Risk Score: 10][PLAIN TEXT (HGET /ssdp/device)][Plen Bins: 0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0] - 13 UDP [fe80::408:3e45:3abc:1552]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][ClearText][Confidence: DPI][cat: Network/14][9 pkts/1628 bytes -> 0 pkts/0 bytes][Goodput ratio: 66/0][25.40 sec][Hostname/SNI: _raop._tcp.local][_raop._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 819/0 3174/0 11263/0 3646/0][Pkt Len c2s/s2c min/avg/max/stddev: 152/0 181/0 206/0 24/0][PLAIN TEXT (companion)][Plen Bins: 0,0,33,22,44,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 14 UDP 10.0.0.227:137 -> 10.0.0.255:137 [proto: 10/NetBIOS][ClearText][Confidence: DPI][cat: System/18][15 pkts/1542 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][6.05 sec][Hostname/SNI: lp-rkerur-osx][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 465/0 1499/0 677/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 103/0 110/0 9/0][PLAIN TEXT ( EMFACNFCELEFFC)][Plen Bins: 0,40,60,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 15 TCP 10.0.0.227:56914 <-> 52.37.243.173:443 [proto: 91.265/TLS.AmazonAWS][Encrypted][Confidence: Match by IP][cat: Cloud/13][8 pkts/847 bytes <-> 7 pkts/651 bytes][Goodput ratio: 38/29][21.75 sec][bytes ratio: 0.131 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 35/1 3340/2605 9634/9670 4130/3611][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 106/93 131/129 31/31][Plen Bins: 0,75,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 16 TCP 10.0.0.227:56915 <-> 52.37.243.173:443 [proto: 91.265/TLS.AmazonAWS][Encrypted][Confidence: Match by IP][cat: Cloud/13][8 pkts/847 bytes <-> 7 pkts/651 bytes][Goodput ratio: 38/29][22.76 sec][bytes ratio: 0.131 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 35/0 3340/3011 10636/10673 4210/3967][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 106/93 131/129 31/31][Plen Bins: 0,75,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 17 UDP 10.0.0.213:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][ClearText][Confidence: DPI][cat: Network/14][9 pkts/1448 bytes -> 0 pkts/0 bytes][Goodput ratio: 74/0][25.40 sec][Hostname/SNI: _raop._tcp.local][_raop._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 819/0 3174/0 11263/0 3646/0][Pkt Len c2s/s2c min/avg/max/stddev: 132/0 161/0 186/0 24/0][PLAIN TEXT (companion)][Plen Bins: 0,0,33,22,44,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 18 UDP 10.0.0.151:1900 -> 10.0.0.227:57547 [proto: 12/SSDP][ClearText][Confidence: DPI][cat: System/18][4 pkts/1412 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][2.86 sec][PLAIN TEXT (HTTP/1.1 200 OK)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 19 TCP 10.0.0.227:56881 <-> 162.222.43.153:443 [proto: 91/TLS][Encrypted][Confidence: Match by port][cat: Web/5][6 pkts/762 bytes <-> 6 pkts/396 bytes][Goodput ratio: 48/0][0.05 sec][bytes ratio: 0.316 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 0/1 0/2 0/1][Pkt Len c2s/s2c min/avg/max/stddev: 82/66 127/66 292/66 75/0][Plen Bins: 50,33,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 20 UDP 10.0.0.227:57547 -> 239.255.255.250:1900 [proto: 12/SSDP][ClearText][Confidence: DPI][cat: System/18][4 pkts/864 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][3.00 sec][PLAIN TEXT (SEARCH )][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 21 UDP 10.0.0.149:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][ClearText][Confidence: DPI][cat: Network/14][4 pkts/655 bytes -> 0 pkts/0 bytes][Goodput ratio: 74/0][0.00 sec][Hostname/SNI: _googlezone._tcp.local][_googlezone._tcp.local][PLAIN TEXT (googlezone)][Plen Bins: 0,25,25,0,25,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 22 UDP 10.0.0.149:38616 -> 10.0.0.227:61328 [proto: 12/SSDP][ClearText][Confidence: DPI][cat: System/18][1 pkts/556 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][< 1 sec][PLAIN TEXT (HTTP/1.1 200 OK)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 23 UDP 10.0.0.149:48166 -> 10.0.0.227:57547 [proto: 12/SSDP][ClearText][Confidence: DPI][cat: System/18][1 pkts/556 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][< 1 sec][PLAIN TEXT (HTTP/1.1 200 OK)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 24 UDP 10.0.0.149:49816 -> 10.0.0.227:57547 [proto: 12/SSDP][ClearText][Confidence: DPI][cat: System/18][1 pkts/556 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][< 1 sec][PLAIN TEXT (HTTP/1.1 200 OK)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 25 UDP 10.0.0.149:50081 -> 10.0.0.227:57547 [proto: 12/SSDP][ClearText][Confidence: DPI][cat: System/18][1 pkts/556 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][< 1 sec][PLAIN TEXT (HTTP/1.1 200 OK)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 26 UDP 10.0.0.149:51382 -> 10.0.0.227:57547 [proto: 12/SSDP][ClearText][Confidence: DPI][cat: System/18][1 pkts/556 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][< 1 sec][PLAIN TEXT (HTTP/1.1 200 OK)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 27 UDP 10.0.0.227:5353 -> 10.0.0.213:5353 [proto: 8/MDNS][ClearText][Confidence: DPI][cat: Network/14][2 pkts/548 bytes -> 0 pkts/0 bytes][Goodput ratio: 85/0][12.10 sec][Hostname/SNI: _companion-link._tcp.local][_companion-link._tcp.local][PLAIN TEXT (companion)][Plen Bins: 0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 28 TCP 10.0.0.227:56879 <-> 52.10.115.210:443 [proto: 91.265/TLS.AmazonAWS][Encrypted][Confidence: Match by IP][cat: Cloud/13][4 pkts/342 bytes <-> 2 pkts/202 bytes][Goodput ratio: 23/34][0.61 sec][bytes ratio: 0.257 (Upload)][IAT c2s/s2c min/avg/max/stddev: 33/574 203/574 541/574 239/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/101 86/101 105/101 20/0][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 29 UDP 10.0.0.227:59582 <-> 75.75.75.75:53 [proto: 5.238/DNS.ApplePush][ClearText][Confidence: DPI][cat: Cloud/13][1 pkts/92 bytes <-> 1 pkts/323 bytes][Goodput ratio: 54/87][0.02 sec][Hostname/SNI: 1-courier.sandbox.push.apple.com][17.188.138.71][PLAIN TEXT (courier)][Plen Bins: 0,50,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 30 TCP 10.0.0.227:56871 <-> 8.37.103.196:443 [proto: 91/TLS][Encrypted][Confidence: Match by port][cat: Web/5][1 pkts/66 bytes <-> 5 pkts/330 bytes][Goodput ratio: 0/0][20.32 sec][bytes ratio: -0.667 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 66/66 66/66 0/0][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 31 TCP 10.0.0.227:56916 -> 10.0.0.151:8009 [proto: 139/AJP][ClearText][Confidence: Match by port][cat: Web/5][5 pkts/390 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][5.03 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 32 TCP 10.0.0.227:56886 <-> 17.57.144.116:5223 [proto: 238.140/ApplePush.Apple][Encrypted][Confidence: DPI][cat: Cloud/13][3 pkts/174 bytes <-> 2 pkts/185 bytes][Goodput ratio: 0/28][0.02 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 33 UDP 10.0.0.151:1900 -> 10.0.0.227:61328 [proto: 12/SSDP][ClearText][Confidence: DPI][cat: System/18][1 pkts/353 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][< 1 sec][PLAIN TEXT (HTTP/1.1 200 OK)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 34 TCP 10.0.0.227:56910 <-> 35.201.124.9:443 [proto: 91/TLS][Encrypted][Confidence: Match by port][cat: Web/5][2 pkts/170 bytes <-> 2 pkts/164 bytes][Goodput ratio: 22/19][0.05 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 35 UDP 10.0.0.227:62427 <-> 75.75.75.75:53 [proto: 5/DNS][ClearText][Confidence: DPI][cat: ConnCheck/30][1 pkts/84 bytes <-> 1 pkts/242 bytes][Goodput ratio: 49/82][0.02 sec][Hostname/SNI: detectportal.firefox.com][184.25.56.82][PLAIN TEXT (detectportal)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 36 UDP 10.0.0.227:58074 <-> 75.75.75.75:53 [proto: 5/DNS][ClearText][Confidence: DPI][cat: Network/14][1 pkts/75 bytes <-> 1 pkts/230 bytes][Goodput ratio: 43/81][0.01 sec][Hostname/SNI: www.outlook.com][40.97.222.34][PLAIN TEXT (outlook)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 37 UDP 10.0.0.227:60341 <-> 75.75.75.75:53 [proto: 5.140/DNS.Apple][ClearText][Confidence: DPI][cat: Web/5][1 pkts/73 bytes <-> 1 pkts/224 bytes][Goodput ratio: 42/81][0.01 sec][Hostname/SNI: www.apple.com][184.27.115.161][PLAIN TEXT (edgekey)][Plen Bins: 50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 38 UDP 10.0.0.227:64193 <-> 75.75.75.75:53 [proto: 5.238/DNS.ApplePush][ClearText][Confidence: DPI][cat: Cloud/13][1 pkts/85 bytes <-> 1 pkts/192 bytes][Goodput ratio: 50/78][0.02 sec][Hostname/SNI: 24-courier.push.apple.com][17.57.144.20][PLAIN TEXT (courier)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 39 UDP 10.0.0.227:51060 <-> 75.75.75.75:53 [proto: 5.238/DNS.ApplePush][ClearText][Confidence: DPI][cat: Cloud/13][1 pkts/84 bytes <-> 1 pkts/190 bytes][Goodput ratio: 49/77][0.02 sec][Hostname/SNI: 1-courier.push.apple.com][17.57.144.116][PLAIN TEXT (courier)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 40 UDP 10.0.0.227:52879 <-> 75.75.75.75:53 [proto: 5/DNS][ClearText][Confidence: DPI][cat: Network/14][1 pkts/93 bytes <-> 1 pkts/174 bytes][Goodput ratio: 54/75][0.02 sec][Hostname/SNI: vcacrashplan01.hq.corp.viasat.com][::][PLAIN TEXT (cacrashplan)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 41 UDP 10.0.0.227:57261 <-> 75.75.75.75:53 [proto: 5/DNS][ClearText][Confidence: DPI][cat: Network/14][1 pkts/93 bytes <-> 1 pkts/174 bytes][Goodput ratio: 54/75][0.02 sec][Hostname/SNI: vcacrashplan01.hq.corp.viasat.com][::][PLAIN TEXT (cacrashplan)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 42 UDP 10.0.0.227:61387 <-> 75.75.75.75:53 [proto: 5/DNS][ClearText][Confidence: DPI][cat: Network/14][1 pkts/82 bytes <-> 1 pkts/163 bytes][Goodput ratio: 48/74][0.03 sec][Hostname/SNI: vco.pandion.viasat.com][::][PLAIN TEXT (pandion)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 43 UDP 10.0.0.227:62322 <-> 75.75.76.76:53 [proto: 5/DNS][ClearText][Confidence: DPI][cat: Network/14][1 pkts/82 bytes <-> 1 pkts/163 bytes][Goodput ratio: 48/74][0.05 sec][Hostname/SNI: vco.pandion.viasat.com][::][PLAIN TEXT (pandion)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 44 UDP 10.0.0.227:57017 <-> 75.75.75.75:53 [proto: 5/DNS][ClearText][Confidence: DPI][cat: Network/14][1 pkts/93 bytes <-> 1 pkts/145 bytes][Goodput ratio: 54/71][0.02 sec][Hostname/SNI: lp-rkerur-osx.hsd1.ca.comcast.net][::][PLAIN TEXT (RKERUR)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 45 UDP 10.0.0.227:59222 <-> 75.75.75.75:53 [proto: 5/DNS][ClearText][Confidence: DPI][cat: Network/14][1 pkts/93 bytes <-> 1 pkts/145 bytes][Goodput ratio: 54/71][0.02 sec][Hostname/SNI: lp-rkerur-osx.hsd1.ca.comcast.net][::][PLAIN TEXT (RKERUR)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 46 UDP 10.0.0.227:54851 <-> 75.75.76.76:53 [proto: 5/DNS][ClearText][Confidence: DPI][cat: Network/14][1 pkts/76 bytes <-> 1 pkts/157 bytes][Goodput ratio: 44/73][0.05 sec][Hostname/SNI: print.viasat.com][::][PLAIN TEXT (viasat)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 47 UDP 10.0.0.227:61328 -> 239.255.255.250:1900 [proto: 12/SSDP][ClearText][Confidence: DPI][cat: System/18][1 pkts/216 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][< 1 sec][PLAIN TEXT (SEARCH )][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 48 UDP 10.0.0.227:63107 <-> 75.75.76.76:53 [proto: 5/DNS][ClearText][Confidence: DPI][cat: Network/14][1 pkts/65 bytes <-> 1 pkts/140 bytes][Goodput ratio: 35/70][0.03 sec][Hostname/SNI: local][::][PLAIN TEXT (servers)][Plen Bins: 50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 49 UDP 10.0.0.227:64972 <-> 75.75.75.75:53 [proto: 5/DNS][ClearText][Confidence: DPI][cat: Network/14][1 pkts/101 bytes <-> 1 pkts/101 bytes][Goodput ratio: 58/58][0.02 sec][Hostname/SNI: lb._dns-sd._udp.0.128.28.172.in-addr.arpa][::][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 50 TCP 10.0.0.227:56865 <-> 10.0.0.149:8008 [proto: 161/CiscoVPN][Encrypted][Confidence: Match by port][cat: VPN/2][2 pkts/132 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0/0][0.00 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 51 TCP 10.0.0.227:56885 <-> 184.25.56.53:80 [proto: 7/HTTP][ClearText][Confidence: Match by port][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0/0][0.02 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 52 UDP 10.0.0.227:61613 <-> 75.75.75.75:53 [proto: 5/DNS][ClearText][Confidence: DPI][cat: Network/14][1 pkts/97 bytes <-> 1 pkts/97 bytes][Goodput ratio: 56/56][0.02 sec][Hostname/SNI: lb._dns-sd._udp.0.0.0.10.in-addr.arpa][::][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 53 UDP 10.0.0.227:49781 <-> 75.75.75.75:53 [proto: 5/DNS][ClearText][Confidence: DPI][cat: Network/14][1 pkts/69 bytes <-> 1 pkts/117 bytes][Goodput ratio: 39/64][0.02 sec][Hostname/SNI: apple.com][17.178.96.59][Plen Bins: 50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 54 UDP 10.0.0.227:52879 <-> 75.75.76.76:53 [proto: 5/DNS][ClearText][Confidence: DPI][cat: Network/14][1 pkts/82 bytes <-> 1 pkts/98 bytes][Goodput ratio: 48/57][0.04 sec][Hostname/SNI: vco.pandion.viasat.com][8.37.102.91][PLAIN TEXT (pandion)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 55 ICMPV6 [fe80::408:3e45:3abc:1552]:0 -> [ff02::16]:0 [proto: 102/ICMPV6][ClearText][Confidence: DPI][cat: Network/14][2 pkts/180 bytes -> 0 pkts/0 bytes][Goodput ratio: 22/0][1.02 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 56 UDP 10.0.0.227:51990 <-> 75.75.75.75:53 [proto: 5/DNS][ClearText][Confidence: DPI][cat: Network/14][1 pkts/75 bytes <-> 1 pkts/91 bytes][Goodput ratio: 43/53][0.04 sec][Hostname/SNI: mail.viasat.com][8.37.103.196][PLAIN TEXT (viasat)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 57 UDP 10.0.0.227:57253 <-> 75.75.75.75:53 [proto: 5/DNS][ClearText][Confidence: DPI][cat: Network/14][1 pkts/71 bytes <-> 1 pkts/87 bytes][Goodput ratio: 40/51][0.02 sec][Hostname/SNI: mozilla.org][63.245.208.195][PLAIN TEXT (mozilla)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 58 UDP 10.0.0.227:58155 <-> 75.75.76.76:53 [proto: 5.118/DNS.Slack][ClearText][Confidence: DPI][cat: Collaborative/15][1 pkts/69 bytes <-> 1 pkts/85 bytes][Goodput ratio: 39/50][0.03 sec][Hostname/SNI: slack.com][99.86.34.156][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 59 TCP 10.0.0.227:56874 <-> 74.125.197.188:443 [proto: 91.126/TLS.Google][Encrypted][Confidence: Match by IP][cat: Web/5][1 pkts/66 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0/0][0.04 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 60 IGMP 10.0.0.213:0 -> 224.0.0.2:0 [proto: 82/IGMP][ClearText][Confidence: DPI][cat: Network/14][2 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][13.31 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 61 IGMP 10.0.0.213:0 -> 224.0.0.251:0 [proto: 82/IGMP][ClearText][Confidence: DPI][cat: Network/14][2 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][13.31 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 62 ICMP 10.0.0.227:0 -> 75.75.76.76:0 [proto: 81/ICMP][ClearText][Confidence: DPI][cat: Network/14][1 pkts/70 bytes -> 0 pkts/0 bytes][Goodput ratio: 39/0][< 1 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 63 ICMP 10.0.0.1:0 -> 224.0.0.1:0 [proto: 81/ICMP][ClearText][Confidence: DPI][cat: Network/14][1 pkts/56 bytes -> 0 pkts/0 bytes][Goodput ratio: 14/0][< 1 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 64 IGMP 10.0.0.1:0 -> 224.0.0.1:0 [proto: 82/IGMP][ClearText][Confidence: DPI][cat: Network/14][1 pkts/56 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 65 IGMP 10.0.0.149:0 -> 224.0.0.251:0 [proto: 82/IGMP][ClearText][Confidence: DPI][cat: Network/14][1 pkts/46 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 66 IGMP 10.0.0.149:0 -> 239.255.3.22:0 [proto: 82/IGMP][ClearText][Confidence: DPI][cat: Network/14][1 pkts/46 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 67 IGMP 10.0.0.149:0 -> 239.255.255.250:0 [proto: 82/IGMP][ClearText][Confidence: DPI][cat: Network/14][1 pkts/46 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - - -Undetected flows: - 1 TCP 10.0.0.227:56866 -> 10.0.0.151:8060 [proto: 0/Unknown][ClearText][Confidence: Unknown][9 pkts/594 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][21.24 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 311/0 2655/0 6845/0 2564/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/0 66/0 66/0 0/0][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 UDP 10.0.0.227:52595 -> 10.0.0.1:192 [proto: 0/Unknown][ClearText][Confidence: Unknown][10 pkts/460 bytes -> 0 pkts/0 bytes][Goodput ratio: 9/0][17.54 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 503/0 1948/0 5506/0 2007/0][Pkt Len c2s/s2c min/avg/max/stddev: 46/0 46/0 46/0 0/0][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |