authorLuca Deri <deri@ntop.org>2019-10-08 23:40:56 +0200
committerLuca Deri <deri@ntop.org>2019-10-08 23:40:56 +0200
commit24a26a2e942b26ec93b5cff330f9cda29487ab68 (patch)
tree2862a47c9bd9252cd74e748f2bb84667c59b681c
parent0a7521060a910d0ea1d098af334c7bae8b92f0e3 (diff)
Added NetBIOS metadata export
-rw-r--r--src/lib/protocols/netbios.c51
-rw-r--r--tests/result/1kxun.pcap.out16
-rw-r--r--tests/result/skype_no_unknown.pcap.out14
-rw-r--r--tests/result/tor.pcap.out2
-rw-r--r--tests/result/wechat.pcap.out4
5 files changed, 43 insertions, 44 deletions
diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c
index fd0e579c1..09666366a 100644
--- a/src/lib/protocols/netbios.c
+++ b/src/lib/protocols/netbios.c
@@ -41,7 +41,7 @@ int ndpi_netbios_name_interpret(char *in, char *out, u_int out_len) {
len = (*in++)/2;
b = out;
- *out=0;
+ *out = 0;
if(len > (out_len-1) || len < 1)
return(-1);
@@ -71,24 +71,29 @@ int ndpi_netbios_name_interpret(char *in, char *out, u_int out_len) {
static void ndpi_int_netbios_add_connection(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow)
-{
+ *ndpi_struct, struct ndpi_flow_struct *flow) {
+ char name[64];
+
+ if(!ndpi_struct->disable_metadata_export) {
+ u_int off = flow->packet.payload[12] == 0x20 ? 12 : 14;
+
+ if(ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], name, sizeof(name)) > 0)
+ snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name);
+ }
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NETBIOS, NDPI_PROTOCOL_UNKNOWN);
}
-void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
+void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
u_int16_t dport;
- char name[64];
NDPI_LOG_DBG(ndpi_struct, "search netbios\n");
if(packet->udp != NULL) {
dport = ntohs(packet->udp->dest);
-
/*check standard NETBIOS over udp to port 137 */
if((dport == 137 || 0) && packet->payload_packet_len >= 50) {
struct netbios_header h;
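Review bot: `ndpi_int_netbios_add_connection()` now reads `flow->packet.payload[12]` and passes `&payload[off]` to `ndpi_netbios_name_interpret()` without consulting `payload_packet_len`, so a short or truncated packet on any path that calls the helper can cause a read past the end of the packet buffer. The decoder's signature `(char *in, char *out, u_int out_len)` bounds only the output, and the length byte it trusts comes from the wire. Of the callers visible here, the port 137 branch requires 50 bytes, but the port 138 branch (hunk at -325) only requires `payload_packet_len >= 14`, and the port 139 checks lie outside the hunks. The guard below assumes the decoder consumes no more than the encoded length after the length byte, as `len = (*in++)/2` suggests; giving the decoder an explicit input-length parameter would be the cleaner fix. `ndpi_search_netbios()` continues beyond this hunk.

```c
  char name[64];

  if(!ndpi_struct->disable_metadata_export && flow->packet.payload_packet_len > 14) {
    u_int off = flow->packet.payload[12] == 0x20 ? 12 : 14;
    u_int enc_len = flow->packet.payload[off]; /* encoded-name length byte, taken from the wire */

    /* decode only when the whole encoded name lies inside the payload */
    if((off + 1 + enc_len) <= flow->packet.payload_packet_len
       && ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], name, sizeof(name)) > 0)
      snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name);
  }
  /* … unchanged: ndpi_set_detected_protocol() call … */
```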
@@ -110,6 +115,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
ndpi_int_netbios_add_connection(ndpi_struct, flow);
return;
}
+
if(((h.flags & 0x8710) == 0x10) &&
h.questions == 1 &&
h.answer_rrs == 0 &&
@@ -117,15 +123,10 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
NDPI_LOG_INFO(ndpi_struct, "found netbios with questions = 1 and answers = 0, authority = 0 and broadcast \n");
- if(ndpi_netbios_name_interpret((char*)&packet->payload[12], name, sizeof(name)) > 0) {
- if(!ndpi_struct->disable_metadata_export) {
- snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name);
- }
- }
-
ndpi_int_netbios_add_connection(ndpi_struct, flow);
return;
}
+
if(packet->payload[2] == 0x80 &&
h.questions == 1 &&
h.answer_rrs == 0 &&
@@ -136,6 +137,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
ndpi_int_netbios_add_connection(ndpi_struct, flow);
return;
}
+
if(h.flags == 0x4000 &&
h.questions == 1 &&
h.answer_rrs == 0 &&
@@ -146,6 +148,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
ndpi_int_netbios_add_connection(ndpi_struct, flow);
return;
}
+
if(h.flags == 0x8400 &&
h.questions == 0 &&
h.answer_rrs == 1 &&
@@ -157,6 +160,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
ndpi_int_netbios_add_connection(ndpi_struct, flow);
return;
}
+
if(h.flags == 0x8500 &&
h.questions == 0 &&
h.answer_rrs == 1 &&
@@ -168,7 +172,8 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
ndpi_int_netbios_add_connection(ndpi_struct, flow);
return;
}
- if(h.flags == 0x2910 &&
+
+ if(((h.flags == 0x2900) || (h.flags == 0x2910)) &&
h.questions == 1 &&
h.answer_rrs == 0 &&
h.authority_rrs == 0 && h.additional_rrs == 1) {
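Review bot: The widened match `(h.flags == 0x2900) || (h.flags == 0x2910)` adds a second magic value with no comment, so it is hard to judge whether the looser test risks classifying non-NetBIOS traffic on port 137. Assuming `h.flags` holds the RFC 1002 flags word in host order, the two values differ only in the broadcast bit, so a comment such as `/* name registration request (opcode 5, RD set), with or without the broadcast flag 0x0010 */` would document the intent. The same test could then be written as `(h.flags & ~0x0010) == 0x2900`. The body of this `if` lies outside the hunk.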
@@ -179,6 +184,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
ndpi_int_netbios_add_connection(ndpi_struct, flow);
return;
}
+
if(h.flags == 0xAD86 &&
h.questions == 0 &&
h.answer_rrs == 1 &&
@@ -190,6 +196,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
ndpi_int_netbios_add_connection(ndpi_struct, flow);
return;
}
+
if(h.flags == 0x0110 &&
h.questions == 1 &&
h.answer_rrs == 0 &&
@@ -203,7 +210,6 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
}
if((h.flags & 0xf800) == 0) {
-
NDPI_LOG_DBG2(ndpi_struct, "possible netbios name query request\n");
if(get_u_int16_t(packet->payload, 4) == htons(1) &&
@@ -325,23 +331,17 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
/*netbios header token from http://www.protocolbase.net/protocols/protocol_NBDGM.php */
if((dport == 138) &&
- packet->payload_packet_len >= 14 &&
- ntohs(get_u_int16_t(packet->payload, 10)) == packet->payload_packet_len - 14) {
-
+ packet->payload_packet_len >= 14 &&
+ ntohs(get_u_int16_t(packet->payload, 10)) == packet->payload_packet_len - 14) {
+
NDPI_LOG_DBG2(ndpi_struct, "found netbios port 138 and payload length >= 112 \n");
-
+
if(packet->payload[0] >= 0x10 && packet->payload[0] <= 0x16) {
NDPI_LOG_DBG2(ndpi_struct, "found netbios with MSG-type 0x10,0x11,0x12,0x13,0x14,0x15 or 0x16\n");
if(ntohl(get_u_int32_t(packet->payload, 4)) == ntohl(packet->iph->saddr)) {
NDPI_LOG_INFO(ndpi_struct, "found netbios with checked ip-address\n");
- if(ndpi_netbios_name_interpret((char*)&packet->payload[12], name, sizeof(name)) > 0) {
- if(!ndpi_struct->disable_metadata_export) {
- snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name);
- }
- }
-
ndpi_int_netbios_add_connection(ndpi_struct, flow);
return;
}
@@ -354,7 +354,6 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
/* destination port must be 139 */
if(dport == 139) {
-
NDPI_LOG_DBG2(ndpi_struct, "found netbios with destination port 139\n");
/* payload_packet_len must be 72 */
diff --git a/tests/result/1kxun.pcap.out b/tests/result/1kxun.pcap.out
index 029725e01..26251f44d 100644
--- a/tests/result/1kxun.pcap.out
+++ b/tests/result/1kxun.pcap.out
@@ -61,10 +61,10 @@ JA3 Host Stats:
39 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][4 pkts/1368 bytes -> 0 pkts/0 bytes][Host: shen][DHCP Fingerprint: 1,121,3,6,15,119,252][PLAIN TEXT (android)]
40 UDP 192.168.5.16:68 <-> 192.168.119.1:67 [proto: 18/DHCP][cat: Network/14][2 pkts/684 bytes <-> 2 pkts/684 bytes][Host: macbook-air][DHCP Fingerprint: 1,3,6,15,119,95,252,44,46]
41 UDP 192.168.5.48:49701 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][7 pkts/1253 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1227/0 2798.8/0.0 5942/0 1567.2/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 179/0 179.0/0.0 179/0 0.0/0.0][PLAIN TEXT (SEARCH )]
- 42 UDP 192.168.3.236:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][13 pkts/1196 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 715/0 2708.2/0.0 9111/0 2901.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92.0/0.0 92/0 0.0/0.0][PLAIN TEXT (FDEBFEEBFACACACACACACACACACAAA)]
- 43 UDP 192.168.5.45:138 -> 192.168.255.255:138 [proto: 10/NetBIOS][cat: System/18][3 pkts/648 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( ENEBEDECEPEPELEBEJ)]
- 44 UDP 192.168.115.8:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][6 pkts/552 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 299.6/0.0 749/0 366.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92.0/0.0 92/0 0.0/0.0][PLAIN TEXT ( FHFAEBEECACACACACACACACACACACA)]
- 45 UDP 192.168.5.67:138 -> 192.168.255.255:138 [proto: 10/NetBIOS][cat: System/18][2 pkts/549 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( FDEBEOEKEJ)]
+ 42 UDP 192.168.3.236:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][13 pkts/1196 bytes -> 0 pkts/0 bytes][Host: isatap][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 715/0 2708.2/0.0 9111/0 2901.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92.0/0.0 92/0 0.0/0.0][PLAIN TEXT (FDEBFEEBFACACACACACACACACACAAA)]
+ 43 UDP 192.168.5.45:138 -> 192.168.255.255:138 [proto: 10/NetBIOS][cat: System/18][3 pkts/648 bytes -> 0 pkts/0 bytes][Host: macbookair-e1d0][PLAIN TEXT ( ENEBEDECEPEPELEBEJ)]
+ 44 UDP 192.168.115.8:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][6 pkts/552 bytes -> 0 pkts/0 bytes][Host: wpad][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 299.6/0.0 749/0 366.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92.0/0.0 92/0 0.0/0.0][PLAIN TEXT ( FHFAEBEECACACACACACACACACACACA)]
+ 45 UDP 192.168.5.67:138 -> 192.168.255.255:138 [proto: 10/NetBIOS][cat: System/18][2 pkts/549 bytes -> 0 pkts/0 bytes][Host: sanji-lifebook-][PLAIN TEXT ( FDEBEOEKEJ)]
46 UDP [fe80::406:55a8:6453:25dd]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][cat: Network/14][5 pkts/490 bytes -> 0 pkts/0 bytes]
47 UDP [fe80::beee:7bff:fe0c:b3de]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][cat: Network/14][4 pkts/392 bytes -> 0 pkts/0 bytes]
48 UDP 192.168.5.16:63372 <-> 168.95.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/89 bytes <-> 1 pkts/289 bytes][Host: dl-obs.official.line.naver.jp][PLAIN TEXT (official)]
@@ -72,7 +72,7 @@ JA3 Host Stats:
50 UDP 192.168.5.9:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][1 pkts/342 bytes -> 0 pkts/0 bytes][Host: joanna-pc][DHCP Fingerprint: 1,15,3,6,44,46,47,31,33,121,249,43,252][PLAIN TEXT (Joanna)]
51 UDP 192.168.5.41:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][1 pkts/342 bytes -> 0 pkts/0 bytes][Host: kevin-pc][DHCP Fingerprint: 1,15,3,6,44,46,47,31,33,121,249,43,252][PLAIN TEXT (MSFT 5.07)]
52 UDP 192.168.115.8:60724 <-> 8.8.8.8:53 [proto: 5.126/DNS.Google][cat: Streaming/17][2 pkts/146 bytes <-> 1 pkts/137 bytes][Host: pic.1kxun.com]
- 53 UDP 192.168.0.104:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][3 pkts/276 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( FDEDCOEBFC)]
+ 53 UDP 192.168.0.104:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][3 pkts/276 bytes -> 0 pkts/0 bytes][Host: sc.arrancar.org][PLAIN TEXT ( FDEDCOEBFC)]
54 UDP 192.168.115.8:51024 <-> 8.8.8.8:53 [proto: 5.126/DNS.Google][cat: Streaming/17][2 pkts/160 bytes <-> 1 pkts/112 bytes][Host: jp.kankan.1kxun.mobi][PLAIN TEXT (kankan)]
55 UDP 192.168.115.8:54420 <-> 8.8.8.8:53 [proto: 5.48/DNS.QQ][cat: Chat/9][2 pkts/150 bytes <-> 1 pkts/116 bytes][Host: vv.video.qq.com]
56 UDP 192.168.115.8:52723 <-> 8.8.8.8:53 [proto: 5.126/DNS.Google][cat: Streaming/17][2 pkts/152 bytes <-> 1 pkts/108 bytes][Host: kankan.1kxun.com][PLAIN TEXT (kankan)]
@@ -81,7 +81,7 @@ JA3 Host Stats:
59 TCP 192.168.5.16:53613 -> 68.233.253.133:80 [proto: 7/HTTP][cat: Web/5][3 pkts/198 bytes -> 0 pkts/0 bytes]
60 UDP [fe80::9bd:81dd:2fdc:5750]:61548 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/190 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad][PLAIN TEXT (caesar)]
61 UDP [fe80::9bd:81dd:2fdc:5750]:64568 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/190 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad][PLAIN TEXT (caesar)]
- 62 UDP 192.168.5.45:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][2 pkts/184 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( EOEBFDEGEJEMEFCACACACACACACACA)]
+ 62 UDP 192.168.5.45:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][2 pkts/184 bytes -> 0 pkts/0 bytes][Host: nasfile][PLAIN TEXT ( EOEBFDEGEJEMEFCACACACACACACACA)]
63 UDP [fe80::e98f:bae2:19f7:6b0f]:51451 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/184 bytes -> 0 pkts/0 bytes][Host: ____________]
64 UDP [fe80::e98f:bae2:19f7:6b0f]:54888 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/184 bytes -> 0 pkts/0 bytes][Host: ____________]
65 UDP [fe80::e98f:bae2:19f7:6b0f]:58779 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/184 bytes -> 0 pkts/0 bytes][Host: ____________]
@@ -126,8 +126,8 @@ JA3 Host Stats:
104 TCP 192.168.5.16:53605 -> 68.233.253.133:80 [proto: 7/HTTP][cat: Web/5][2 pkts/126 bytes -> 0 pkts/0 bytes]
105 TCP 192.168.5.16:53622 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][1 pkts/60 bytes <-> 1 pkts/60 bytes]
106 UDP [fe80::f65c:89ff:fe89:e607]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][cat: Network/14][1 pkts/98 bytes -> 0 pkts/0 bytes]
- 107 UDP 192.168.5.45:59461 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( EHEGEJEMEFCACACACACACACACACACA)]
- 108 UDP 192.168.5.45:59789 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( FDEBEOEKEJ)]
+ 107 UDP 192.168.5.45:59461 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Host: gfile][PLAIN TEXT ( EHEGEJEMEFCACACACACACACACACACA)]
+ 108 UDP 192.168.5.45:59789 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Host: sanji-lifebook-][PLAIN TEXT ( FDEBEOEKEJ)]
109 UDP [fe80::e034:7be:d8f9:6197]:57143 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Host: charming-pc][PLAIN TEXT (charming)]
110 UDP [fe80::e034:7be:d8f9:6197]:62756 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Host: charming-pc][PLAIN TEXT (charming)]
111 UDP 192.168.5.16:123 -> 17.253.26.125:123 [proto: 9/NTP][cat: System/18][1 pkts/90 bytes -> 0 pkts/0 bytes]
diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out
index ef7b7421b..c3b9fb152 100644
--- a/tests/result/skype_no_unknown.pcap.out
+++ b/tests/result/skype_no_unknown.pcap.out
@@ -57,13 +57,13 @@ JA3 Host Stats:
37 TCP 192.168.1.34:51268 <-> 111.221.74.18:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][10 pkts/852 bytes <-> 4 pkts/351 bytes][bytes ratio: 0.416 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/294 3510.6/4388.5 15598/8483 4823.8/4094.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 85.2/87.8 138/145 21.6/33.2]
38 TCP 192.168.1.34:51267 <-> 111.221.74.18:40025 [proto: 125/Skype][cat: VoIP/10][10 pkts/785 bytes <-> 4 pkts/378 bytes][bytes ratio: 0.350 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 1703.2/147.5 4607/294 1700.3/146.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 78.5/94.5 159/164 27.6/40.3]
39 TCP 192.168.1.34:51232 <-> 157.56.52.28:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][10 pkts/872 bytes <-> 3 pkts/285 bytes][bytes ratio: 0.507 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/199 2007.5/199.0 5293/199 1964.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 87.2/95.0 138/145 22.1/35.5]
- 40 UDP 192.168.1.1:137 <-> 192.168.1.34:137 [proto: 10/NetBIOS][cat: System/18][6 pkts/958 bytes <-> 2 pkts/184 bytes][bytes ratio: 0.678 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1258 253.0/1258.0 1243/1258 495.0/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 104/92 159.7/92.0 271/92 78.7/0.0][PLAIN TEXT (FPFPENFDECFCEPFHFDEFFPFPACAB)]
+ 40 UDP 192.168.1.1:137 <-> 192.168.1.34:137 [proto: 10/NetBIOS][cat: System/18][6 pkts/958 bytes <-> 2 pkts/184 bytes][Host: __msbrowse__][bytes ratio: 0.678 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1258 253.0/1258.0 1243/1258 495.0/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 104/92 159.7/92.0 271/92 78.7/0.0][PLAIN TEXT (FPFPENFDECFCEPFHFDEFFPFPACAB)]
41 TCP 17.143.160.149:5223 <-> 192.168.1.34:50407 [proto: 238/ApplePush][cat: Cloud/13][4 pkts/674 bytes <-> 4 pkts/444 bytes][bytes ratio: 0.206 (Upload)][IAT c2s/s2c min/avg/max/stddev: 215/1 3565.3/3493.7 10265/10480 4737.4/4940.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 168.5/111.0 279/156 102.7/45.0]
42 UDP 192.168.1.34:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][2 pkts/1088 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( 1573195445)]
43 UDP 192.168.1.34:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][cat: Cloud/13][2 pkts/1088 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( 1573195445)]
44 UDP 192.168.1.92:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][2 pkts/1088 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( 3375359593)]
45 UDP 192.168.1.92:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][cat: Cloud/13][2 pkts/1088 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( 3375359593)]
- 46 UDP 192.168.1.34:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][cat: System/18][7 pkts/680 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 210.2/0.0 1261/0 469.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 97.1/0.0 110/0 8.1/0.0][PLAIN TEXT (FPFPENFDECFCEPFHFDEFFPFPACAB)]
+ 46 UDP 192.168.1.34:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][cat: System/18][7 pkts/680 bytes -> 0 pkts/0 bytes][Host: __msbrowse__][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 210.2/0.0 1261/0 469.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 97.1/0.0 110/0 8.1/0.0][PLAIN TEXT (FPFPENFDECFCEPFHFDEFFPFPACAB)]
47 TCP 192.168.1.34:51299 <-> 91.190.216.125:12350 [proto: 125/Skype][cat: VoIP/10][6 pkts/353 bytes <-> 5 pkts/306 bytes][bytes ratio: 0.071 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2640.0/2885.0 10417/10457 4490.2/4391.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 58.8/61.2 78/66 8.8/2.4]
48 UDP 192.168.1.34:58631 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][8 pkts/648 bytes -> 0 pkts/0 bytes][Host: conn.skype.akadns.net][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1093/0 7642.3/0.0 27046/0 8520.2/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 81/0 81.0/0.0 81/0 0.0/0.0][PLAIN TEXT (akadns)]
49 UDP 192.168.1.34:60688 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][8 pkts/648 bytes -> 0 pkts/0 bytes][Host: conn.skype.akadns.net][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1093/0 7642.0/0.0 27046/0 8520.4/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 81/0 81.0/0.0 81/0 0.0/0.0][PLAIN TEXT (akadns)]
@@ -87,8 +87,8 @@ JA3 Host Stats:
67 UDP 192.168.1.34:64240 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][7 pkts/511 bytes -> 0 pkts/0 bytes][Host: api.skype.com][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1091/0 4416.0/0.0 9098/0 3405.0/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 73/0 73.0/0.0 73/0 0.0/0.0]
68 TCP 192.168.1.34:51296 <-> 91.190.216.125:12350 [proto: 125/Skype][cat: VoIP/10][3 pkts/293 bytes <-> 3 pkts/186 bytes][bytes ratio: 0.223 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/54 26.5/54.0 53/54 26.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 97.7/62.0 161/66 45.8/2.8]
69 TCP 192.168.1.34:51308 -> 80.121.84.93:443 [proto: 91/TLS][cat: Web/5][6 pkts/468 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1005/0 1009.8/0.0 1015/0 4.0/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 78/0 78.0/0.0 78/0 0.0/0.0]
- 70 UDP 192.168.1.1:138 -> 192.168.1.34:138 [proto: 10/NetBIOS][cat: System/18][2 pkts/452 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( EBEMEJEDEFEHEBFEEFCACACACACACA)]
- 71 UDP 192.168.1.34:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][cat: System/18][2 pkts/432 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( EMFFEDEBFDENEBEDECEPEPELFAFCEP)]
+ 70 UDP 192.168.1.1:138 -> 192.168.1.34:138 [proto: 10/NetBIOS][cat: System/18][2 pkts/452 bytes -> 0 pkts/0 bytes][Host: alicegate][PLAIN TEXT ( EBEMEJEDEFEHEBFEEFCACACACACACA)]
+ 71 UDP 192.168.1.34:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][cat: System/18][2 pkts/432 bytes -> 0 pkts/0 bytes][Host: lucasmacbookpro][PLAIN TEXT ( EMFFEDEBFDENEBEDECEPEPELFAFCEP)]
72 TCP 192.168.1.34:51284 <-> 91.190.218.125:12350 [proto: 125/Skype][cat: VoIP/10][3 pkts/237 bytes <-> 3 pkts/186 bytes][bytes ratio: 0.121 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/62 34.0/62.0 68/62 34.0/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 79.0/62.0 105/66 20.8/2.8]
73 TCP 192.168.1.34:51285 <-> 91.190.218.125:12350 [proto: 125/Skype][cat: VoIP/10][3 pkts/191 bytes <-> 3 pkts/186 bytes][bytes ratio: 0.013 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/61 31.0/61.0 62/61 31.0/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 63.7/62.0 78/66 10.3/2.8]
74 TCP 192.168.1.34:51286 <-> 91.190.218.125:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][3 pkts/191 bytes <-> 3 pkts/186 bytes][bytes ratio: 0.013 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/65 31.0/65.0 62/65 31.0/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 63.7/62.0 78/66 10.3/2.8]
@@ -99,13 +99,13 @@ JA3 Host Stats:
79 UDP 192.168.1.34:13021 -> 174.49.171.224:32011 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][5 pkts/300 bytes -> 0 pkts/0 bytes]
80 UDP 192.168.1.34:57694 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/101 bytes <-> 1 pkts/166 bytes][Host: db3msgr5011709.gateway.messenger.live.com][PLAIN TEXT (MSGR5011709)]
81 UDP [fe80::c62c:3ff:fe06:49fe]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/258 bytes -> 0 pkts/0 bytes]
- 82 UDP 192.168.1.92:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][cat: System/18][1 pkts/216 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( EMFFEDEBFDCNEJENEBEDCACACACACA)]
+ 82 UDP 192.168.1.92:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][cat: System/18][1 pkts/216 bytes -> 0 pkts/0 bytes][Host: lucas-imac][PLAIN TEXT ( EMFFEDEBFDCNEJENEBEDCACACACACA)]
83 TCP 192.168.1.34:51283 <-> 111.221.74.48:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][2 pkts/132 bytes <-> 1 pkts/74 bytes]
84 UDP 192.168.1.34:59788 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][1 pkts/82 bytes <-> 1 pkts/98 bytes][Host: e4593.g.akamaiedge.net][PLAIN TEXT (akamaiedge)]
85 UDP 192.168.1.34:63661 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][1 pkts/82 bytes <-> 1 pkts/98 bytes][Host: e4593.g.akamaiedge.net][PLAIN TEXT (akamaiedge)]
86 UDP 192.168.1.92:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/142 bytes -> 0 pkts/0 bytes][Lucas-iMac.local]
- 87 UDP 192.168.1.92:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( FHEPFCELEHFCEPFFFACACACACACACA)]
- 88 UDP 192.168.1.92:53826 -> 192.168.1.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( EMFFEDEBFDCNEJENEBEDCACACACACA)]
+ 87 UDP 192.168.1.92:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Host: workgroup][PLAIN TEXT ( FHEPFCELEHFCEPFFFACACACACACACA)]
+ 88 UDP 192.168.1.92:53826 -> 192.168.1.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Host: lucas-imac][PLAIN TEXT ( EMFFEDEBFDCNEJENEBEDCACACACACA)]
89 UDP 192.168.1.34:61016 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][1 pkts/80 bytes -> 0 pkts/0 bytes][Host: apps.skypeassets.com][PLAIN TEXT (skypeassets)]
90 UDP 192.168.1.34:13021 -> 64.4.23.148:40029 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][1 pkts/79 bytes -> 0 pkts/0 bytes]
91 UDP 192.168.1.34:13021 -> 64.4.23.171:40031 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][1 pkts/79 bytes -> 0 pkts/0 bytes]
diff --git a/tests/result/tor.pcap.out b/tests/result/tor.pcap.out
index 6965e9997..001315777 100644
--- a/tests/result/tor.pcap.out
+++ b/tests/result/tor.pcap.out
@@ -18,5 +18,5 @@ JA3 Host Stats:
7 TCP 192.168.1.252:51185 <-> 62.210.137.230:443 [proto: 163/Tor][cat: VPN/2][15 pkts/3634 bytes <-> 14 pkts/6027 bytes][bytes ratio: -0.248 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/15 6155.3/6464.2 63835/63837 17571.0/19124.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 242.3/430.5 640/1514 246.7/415.8][TLSv1][Client: www.6gyip7tqim7sieb.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][PLAIN TEXT (sieb.com)]
8 UDP 192.168.1.1:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][10 pkts/1860 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 30033/0 66765.1/0.0 360548/0 103867.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 186/0 186.0/0.0 186/0 0.0/0.0][PLAIN TEXT ( 676879976)]
9 UDP [fe80::c583:1972:5728:7323]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][cat: Network/14][6 pkts/906 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1227/0 6282.2/0.0 16006/0 5399.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 151/0 151.0/0.0 151/0 0.0/0.0][PLAIN TEXT (Endian)]
- 10 UDP 192.168.1.252:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][cat: System/18][1 pkts/252 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( EFEOEEEJEBEOCNFAEDCACACACACACA)]
+ 10 UDP 192.168.1.252:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][cat: System/18][1 pkts/252 bytes -> 0 pkts/0 bytes][Host: endian-pc][PLAIN TEXT ( EFEOEEEJEBEOCNFAEDCACACACACACA)]
11 TCP 192.168.1.252:51104 -> 157.56.30.46:443 [proto: 91/TLS][cat: Web/5][1 pkts/60 bytes -> 0 pkts/0 bytes]
diff --git a/tests/result/wechat.pcap.out b/tests/result/wechat.pcap.out
index 301732609..5eb35de0f 100644
--- a/tests/result/wechat.pcap.out
+++ b/tests/result/wechat.pcap.out
@@ -59,9 +59,9 @@ JA3 Host Stats:
39 TCP 192.168.1.103:58039 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][13 pkts/866 bytes <-> 4 pkts/280 bytes][bytes ratio: 0.511 (Upload)][IAT c2s/s2c min/avg/max/stddev: 272/45308 12754.9/45308.0 45020/45308 13611.1/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 66.6/70.0 74/74 2.1/4.0]
40 TCP 192.168.1.103:58143 -> 216.58.205.131:443 [proto: 91.126/TLS.Google][cat: Web/5][3 pkts/1078 bytes -> 0 pkts/0 bytes]
41 TCP 203.205.151.162:443 <-> 192.168.1.103:54084 [proto: 91.197/TLS.WeChat][cat: Chat/9][3 pkts/802 bytes <-> 3 pkts/198 bytes][bytes ratio: 0.604 (Upload)][IAT c2s/s2c min/avg/max/stddev: 6562/9679 8102.0/9679.0 9642/9679 1540.0/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 267.3/66.0 670/66 284.7/0.0]
- 42 UDP 192.168.1.100:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][cat: System/18][9 pkts/828 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 179.1/0.0 816/0 312.7/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92.0/0.0 92/0 0.0/0.0][PLAIN TEXT ( EMECEKEBENFHFAFEFIFKCACACACACA)]
+ 42 UDP 192.168.1.100:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][cat: System/18][9 pkts/828 bytes -> 0 pkts/0 bytes][Host: lbjamwptxz][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 179.1/0.0 816/0 312.7/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92.0/0.0 92/0 0.0/0.0][PLAIN TEXT ( EMECEKEBENFHFAFEFIFKCACACACACA)]
43 IGMP 192.168.1.100:0 -> 224.0.0.22:0 [proto: 82/IGMP][cat: Network/14][15 pkts/810 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 409/0 289919.8/0.0 3384346/0 895903.8/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/0 54.0/0.0 54/0 0.0/0.0]
- 44 UDP 192.168.1.100:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][cat: System/18][3 pkts/751 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( EHEJEPFGEBEOEOEJ)]
+ 44 UDP 192.168.1.100:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][cat: System/18][3 pkts/751 bytes -> 0 pkts/0 bytes][Host: giovanni-pc][PLAIN TEXT ( EHEJEPFGEBEOEOEJ)]
45 TCP 192.168.1.103:54112 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][5 pkts/338 bytes <-> 4 pkts/280 bytes][bytes ratio: 0.094 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 351/910 5596.8/910.0 20327/910 8509.2/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 67.6/70.0 74/74 3.2/4.0]
46 TCP 192.168.1.103:54114 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][5 pkts/338 bytes <-> 4 pkts/280 bytes][bytes ratio: 0.094 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 312/33511 13774.2/33511.0 33196/33511 13761.8/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 67.6/70.0 74/74 3.2/4.0]
47 UDP 192.168.1.103:19041 <-> 192.168.1.254:53 [proto: 5.48/DNS.QQ][cat: Chat/9][1 pkts/73 bytes <-> 1 pkts/537 bytes][Host: res.wx.qq.com]