diff options
| author | Toni <matzeton@googlemail.com> | 2025-01-11 11:23:42 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-01-11 11:23:42 +0100 |
| commit | 9a0a3bb8e77896d11c851736c550a0f8e10e3a43 (patch) | |
| tree | d1fb2e4e76e63ecc4b917bf4587579577dc92ad3 | |
| parent | d351907af8b93020d5d4ac2949d8e9dd0cfb0dd7 (diff) | |
Improved WebSocket-over-HTTP detection (#2664)
* detect `chisel` SSH-over-HTTP-WebSocket
* use `strncasecmp()` for `LINE_*` matching macros
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
91 files changed, 167 insertions, 104 deletions
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h index 93eccf0d1..22f6e5605 100644 --- a/src/include/ndpi_private.h +++ b/src/include/ndpi_private.h @@ -82,13 +82,15 @@ typedef struct default_ports_tree_node { #define LINE_ENDS(ndpi_int_one_line_struct, string_to_compare) \ ((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ - memcmp((ndpi_int_one_line_struct).ptr + \ - ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ - string_to_compare, strlen(string_to_compare)) == 0) + ndpi_strncasestr((const char *)((ndpi_int_one_line_struct).ptr) + \ + ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ + string_to_compare, strlen(string_to_compare)) == \ + (const char *)((ndpi_int_one_line_struct).ptr) + ((ndpi_int_one_line_struct).len - strlen(string_to_compare))) #define LINE_CMP(ndpi_int_one_line_struct, string_to_compare, string_to_compare_length) \ ((ndpi_int_one_line_struct).ptr != NULL && \ - memcmp((ndpi_int_one_line_struct).ptr, string_to_compare, string_to_compare_length) == 0) + ndpi_strncasestr((const char *)((ndpi_int_one_line_struct).ptr), string_to_compare, \ + string_to_compare_length) == (const char *)((ndpi_int_one_line_struct).ptr)) #define NDPI_MAX_PARSE_LINES_PER_PACKET 64 diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 97df06ed9..33f737bdd 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1088,6 +1088,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp ndpi_build_default_ports(ports_a, 80, 0 /* ntop */, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_subprotocols(ndpi_str, NDPI_PROTOCOL_HTTP, + NDPI_PROTOCOL_WEBSOCKET, NDPI_PROTOCOL_CROSSFIRE, NDPI_PROTOCOL_SOAP, NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_GNUTELLA, NDPI_PROTOCOL_MAPLESTORY, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_WORLDOFWARCRAFT, diff --git a/src/lib/protocols/websocket.c b/src/lib/protocols/websocket.c index b4cb3d1e3..47af111d8 100644 --- a/src/lib/protocols/websocket.c +++ b/src/lib/protocols/websocket.c @@ -106,6 +106,38 @@ static void ndpi_search_websocket(struct ndpi_detection_module_struct *ndpi_stru NDPI_LOG_DBG(ndpi_struct, "search WEBSOCKET\n"); ndpi_check_websocket(ndpi_struct, flow); + // Check also some HTTP headers indicating an upcoming WebSocket connection + if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP && + flow->detected_protocol_stack[1] != NDPI_PROTOCOL_WEBSOCKET) + { + struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; + uint16_t i; + + NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet); + for (i = 0; i < packet->parsed_lines; i++) { + if (LINE_STARTS(packet->line[i], "upgrade:") != 0 && + LINE_ENDS(packet->line[i], "websocket") != 0) + { + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBSOCKET, + NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI); + } else if (LINE_STARTS(packet->line[i], "sec-websocket") != 0) { + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBSOCKET, + NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI); + if (ndpi_strncasestr((const char *)packet->line[i].ptr, "chisel", + packet->line[i].len) != NULL) + { + ndpi_set_risk(ndpi_struct, flow, NDPI_OBFUSCATED_TRAFFIC, + "Obfuscated SSH-in-HTTP-WebSocket traffic"); + } + } + } + if (i == packet->parsed_lines) + { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; + } + } + return; } diff --git a/tests/cfgs/caches_cfg/result/ookla.pcap.out b/tests/cfgs/caches_cfg/result/ookla.pcap.out index 815355dde..51b747a4c 100644 --- a/tests/cfgs/caches_cfg/result/ookla.pcap.out +++ b/tests/cfgs/caches_cfg/result/ookla.pcap.out @@ -3,7 +3,7 @@ Guessed flow protos: 1 DPI Packets (TCP): 40 (6.67 pkts/flow) Confidence Match by port : 1 (flows) Confidence DPI : 5 (flows) -Num dissector calls: 589 (98.17 diss/flow) +Num dissector calls: 590 (98.33 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/3/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/caches_global/result/ookla.pcap.out b/tests/cfgs/caches_global/result/ookla.pcap.out index f474f2aa6..6de62da9f 100644 --- a/tests/cfgs/caches_global/result/ookla.pcap.out +++ b/tests/cfgs/caches_global/result/ookla.pcap.out @@ -4,7 +4,7 @@ DPI Packets (TCP): 40 (6.67 pkts/flow) Confidence DPI (partial cache): 1 (flows) Confidence DPI : 4 (flows) Confidence DPI (aggressive) : 1 (flows) -Num dissector calls: 589 (98.17 diss/flow) +Num dissector calls: 590 (98.33 diss/flow) LRU cache ookla: 4/2/2 (insert/search/found) LRU cache bittorrent: 0/3/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/pcap/websocket-chisel-ssh.pcap b/tests/cfgs/default/pcap/websocket-chisel-ssh.pcap Binary files differnew file mode 100644 index 000000000..afa0416dc --- /dev/null +++ b/tests/cfgs/default/pcap/websocket-chisel-ssh.pcap diff --git a/tests/cfgs/default/result/1kxun.pcap.out b/tests/cfgs/default/result/1kxun.pcap.out index bd832618f..240b87869 100644 --- a/tests/cfgs/default/result/1kxun.pcap.out +++ b/tests/cfgs/default/result/1kxun.pcap.out @@ -5,7 +5,7 @@ DPI Packets (UDP): 120 (1.21 pkts/flow) Confidence Unknown : 9 (flows) Confidence Match by port : 6 (flows) Confidence DPI : 182 (flows) -Num dissector calls: 4633 (23.52 diss/flow) +Num dissector calls: 4719 (23.95 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/45/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/6in4tunnel.pcap.out b/tests/cfgs/default/result/6in4tunnel.pcap.out index 64193da57..9939727bc 100644 --- a/tests/cfgs/default/result/6in4tunnel.pcap.out +++ b/tests/cfgs/default/result/6in4tunnel.pcap.out @@ -2,7 +2,7 @@ DPI Packets (TCP): 29 (5.80 pkts/flow) DPI Packets (UDP): 4 (2.00 pkts/flow) DPI Packets (other): 3 (1.00 pkts/flow) Confidence DPI : 10 (flows) -Num dissector calls: 28 (2.80 diss/flow) +Num dissector calls: 29 (2.90 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/EAQ.pcap.out b/tests/cfgs/default/result/EAQ.pcap.out index bdaa8a5b3..aba1aae05 100644 --- a/tests/cfgs/default/result/EAQ.pcap.out +++ b/tests/cfgs/default/result/EAQ.pcap.out @@ -1,7 +1,7 @@ DPI Packets (TCP): 12 (6.00 pkts/flow) DPI Packets (UDP): 116 (4.00 pkts/flow) Confidence DPI : 31 (flows) -Num dissector calls: 5184 (167.23 diss/flow) +Num dissector calls: 5186 (167.29 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/KakaoTalk_chat.pcap.out b/tests/cfgs/default/result/KakaoTalk_chat.pcap.out index fc6625a3b..3350344cd 100644 --- a/tests/cfgs/default/result/KakaoTalk_chat.pcap.out +++ b/tests/cfgs/default/result/KakaoTalk_chat.pcap.out @@ -5,7 +5,7 @@ DPI Packets (UDP): 36 (2.00 pkts/flow) DPI Packets (other): 1 (1.00 pkts/flow) Confidence Match by port : 5 (flows) Confidence DPI : 33 (flows) -Num dissector calls: 558 (14.68 diss/flow) +Num dissector calls: 560 (14.74 diss/flow) LRU cache ookla: 0/1/0 (insert/search/found) LRU cache bittorrent: 0/15/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/WebattackRCE.pcap.out b/tests/cfgs/default/result/WebattackRCE.pcap.out index 589f6d9db..d36219f6d 100644 --- a/tests/cfgs/default/result/WebattackRCE.pcap.out +++ b/tests/cfgs/default/result/WebattackRCE.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 797 (1.00 pkts/flow) Confidence DPI : 797 (flows) -Num dissector calls: 11955 (15.00 diss/flow) +Num dissector calls: 12752 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/WebattackSQLinj.pcap.out b/tests/cfgs/default/result/WebattackSQLinj.pcap.out index 24b4128cd..b37c31045 100644 --- a/tests/cfgs/default/result/WebattackSQLinj.pcap.out +++ b/tests/cfgs/default/result/WebattackSQLinj.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 54 (6.00 pkts/flow) Confidence DPI : 9 (flows) -Num dissector calls: 135 (15.00 diss/flow) +Num dissector calls: 144 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/WebattackXSS.pcap.out b/tests/cfgs/default/result/WebattackXSS.pcap.out index 3290e71ed..2c4f3a849 100644 --- a/tests/cfgs/default/result/WebattackXSS.pcap.out +++ b/tests/cfgs/default/result/WebattackXSS.pcap.out @@ -3,7 +3,7 @@ Guessed flow protos: 639 DPI Packets (TCP): 3972 (6.01 pkts/flow) Confidence Match by port : 639 (flows) Confidence DPI : 22 (flows) -Num dissector calls: 330 (0.50 diss/flow) +Num dissector calls: 352 (0.53 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/1917/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/alexa-app.pcapng.out b/tests/cfgs/default/result/alexa-app.pcapng.out index d8c108687..1c3ec12fb 100644 --- a/tests/cfgs/default/result/alexa-app.pcapng.out +++ b/tests/cfgs/default/result/alexa-app.pcapng.out @@ -5,7 +5,7 @@ DPI Packets (UDP): 64 (1.94 pkts/flow) DPI Packets (other): 6 (1.00 pkts/flow) Confidence Match by port : 14 (flows) Confidence DPI : 146 (flows) -Num dissector calls: 572 (3.58 diss/flow) +Num dissector calls: 591 (3.69 diss/flow) LRU cache ookla: 0/5/0 (insert/search/found) LRU cache bittorrent: 0/42/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/android.pcap.out b/tests/cfgs/default/result/android.pcap.out index 3a7edf260..59eb658a6 100644 --- a/tests/cfgs/default/result/android.pcap.out +++ b/tests/cfgs/default/result/android.pcap.out @@ -6,7 +6,7 @@ DPI Packets (other): 4 (1.00 pkts/flow) Confidence Match by port : 2 (flows) Confidence DPI : 60 (flows) Confidence Match by IP : 1 (flows) -Num dissector calls: 241 (3.83 diss/flow) +Num dissector calls: 244 (3.87 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/9/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/anyconnect-vpn.pcap.out b/tests/cfgs/default/result/anyconnect-vpn.pcap.out index 6a61d28f2..0b1ba4bc3 100644 --- a/tests/cfgs/default/result/anyconnect-vpn.pcap.out +++ b/tests/cfgs/default/result/anyconnect-vpn.pcap.out @@ -6,7 +6,7 @@ DPI Packets (other): 10 (1.00 pkts/flow) Confidence Unknown : 2 (flows) Confidence Match by port : 6 (flows) Confidence DPI : 61 (flows) -Num dissector calls: 819 (11.87 diss/flow) +Num dissector calls: 823 (11.93 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/24/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/bot.pcap.out b/tests/cfgs/default/result/bot.pcap.out index f217a0871..1bc5a090e 100644 --- a/tests/cfgs/default/result/bot.pcap.out +++ b/tests/cfgs/default/result/bot.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 6 (6.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/bt-http.pcapng.out b/tests/cfgs/default/result/bt-http.pcapng.out index bee0f12e5..bae948788 100644 --- a/tests/cfgs/default/result/bt-http.pcapng.out +++ b/tests/cfgs/default/result/bt-http.pcapng.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 7 (7.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 20 (20.00 diss/flow) +Num dissector calls: 21 (21.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 5/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/conncheck.pcap.out b/tests/cfgs/default/result/conncheck.pcap.out index 0fc7a3667..30c9751a4 100644 --- a/tests/cfgs/default/result/conncheck.pcap.out +++ b/tests/cfgs/default/result/conncheck.pcap.out @@ -1,7 +1,7 @@ DPI Packets (TCP): 65 (7.22 pkts/flow) DPI Packets (UDP): 2 (2.00 pkts/flow) Confidence DPI : 10 (flows) -Num dissector calls: 136 (13.60 diss/flow) +Num dissector calls: 145 (14.50 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/crawler_false_positive.pcapng.out b/tests/cfgs/default/result/crawler_false_positive.pcapng.out index c8a457dbf..dc05af3e6 100644 --- a/tests/cfgs/default/result/crawler_false_positive.pcapng.out +++ b/tests/cfgs/default/result/crawler_false_positive.pcapng.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 8 (8.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/dotenv.pcap.out b/tests/cfgs/default/result/dotenv.pcap.out index 40a815a73..66605ec4d 100644 --- a/tests/cfgs/default/result/dotenv.pcap.out +++ b/tests/cfgs/default/result/dotenv.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 6 (6.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/emotet.pcap.out b/tests/cfgs/default/result/emotet.pcap.out index 1f86a5b25..6be03e519 100644 --- a/tests/cfgs/default/result/emotet.pcap.out +++ b/tests/cfgs/default/result/emotet.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 48 (8.00 pkts/flow) Confidence DPI : 6 (flows) -Num dissector calls: 229 (38.17 diss/flow) +Num dissector calls: 232 (38.67 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/exe_download.pcap.out b/tests/cfgs/default/result/exe_download.pcap.out index 017392e4a..674350736 100644 --- a/tests/cfgs/default/result/exe_download.pcap.out +++ b/tests/cfgs/default/result/exe_download.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 6 (6.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/exe_download_as_png.pcap.out b/tests/cfgs/default/result/exe_download_as_png.pcap.out index 70bbf98c4..2fac2db36 100644 --- a/tests/cfgs/default/result/exe_download_as_png.pcap.out +++ b/tests/cfgs/default/result/exe_download_as_png.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 6 (6.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/false_positives.pcapng.out b/tests/cfgs/default/result/false_positives.pcapng.out index f1a38cf6c..669ae9318 100644 --- a/tests/cfgs/default/result/false_positives.pcapng.out +++ b/tests/cfgs/default/result/false_positives.pcapng.out @@ -2,7 +2,7 @@ DPI Packets (TCP): 4 (4.00 pkts/flow) DPI Packets (UDP): 18 (3.60 pkts/flow) Confidence Unknown : 1 (flows) Confidence DPI : 5 (flows) -Num dissector calls: 864 (144.00 diss/flow) +Num dissector calls: 871 (145.17 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/3/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) @@ -13,9 +13,9 @@ LRU cache fpc_dns: 0/6/0 (insert/search/found) Automa host: 1/0 (search/found) Automa domain: 1/0 (search/found) Automa tls cert: 0/0 (search/found) -Automa risk mask: 0/0 (search/found) +Automa risk mask: 1/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 6/0 (search/found) +Patricia risk mask: 8/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) @@ -23,8 +23,8 @@ Patricia protocols: 12/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) Unknown 6 460 1 -HTTP 4 973 1 RTP 110 19309 4 +WebSocket 4 973 1 Acceptable 114 20282 5 Unrated 6 460 1 @@ -33,7 +33,7 @@ Unrated 6 460 1 2 UDP 10.126.70.67:23784 <-> 10.236.7.225:50160 [VLAN: 107][proto: 87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 3][cat: Media/1][18 pkts/3924 bytes <-> 12 pkts/2616 bytes][Goodput ratio: 79/79][0.34 sec][bytes ratio: 0.200 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/19 20/20 20/20 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 218/218 218/218 218/218 0/0][PLAIN TEXT (UUUUUUUUU)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 3 UDP 10.102.45.249:31046 <-> 10.133.48.100:21176 [VLAN: 10][proto: GTP:87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 3][cat: Media/1][22 pkts/2860 bytes <-> 8 pkts/989 bytes][Goodput ratio: 34/30][0.44 sec][bytes ratio: 0.486 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/19 22/19 44/20 15/0][Pkt Len c2s/s2c min/avg/max/stddev: 130/113 130/124 130/130 0/8][Plen Bins: 10,90,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 UDP 10.133.32.101:36408 -> 10.110.31.25:1272 [VLAN: 10][proto: GTP:87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 3][cat: Media/1][20 pkts/2260 bytes -> 0 pkts/0 bytes][Goodput ratio: 24/0][0.38 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 21/0 1/0][Pkt Len c2s/s2c min/avg/max/stddev: 113/0 113/0 113/0 0/0][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 5 TCP 10.140.231.26:61202 <-> 159.65.12.169:443 [VLAN: 113][proto: GTP:7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][cat: Web/5][2 pkts/557 bytes <-> 2 pkts/416 bytes][Goodput ratio: 58/45][0.20 sec][Hostname/SNI: wludo.superkinglabs.com][URL: wludo.superkinglabs.com:443/ws][StatusCode: 101][Server: nginx/1.12.2][Risk: ** Known Proto on Non Std Port **** HTTP Susp User-Agent **** HTTP Obsolete Server **][Risk Score: 200][Risk Info: Empty or missing User-Agent / Expected on port 80 / Obsolete nginx server 1.12.2][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][PLAIN TEXT (GET /ws HTTP/1.1)][Plen Bins: 0,0,0,0,0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 TCP 10.140.231.26:61202 <-> 159.65.12.169:443 [VLAN: 113][proto: GTP:7.251/HTTP.WebSocket][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][cat: Web/5][2 pkts/557 bytes <-> 2 pkts/416 bytes][Goodput ratio: 58/45][0.20 sec][Hostname/SNI: wludo.superkinglabs.com][URL: wludo.superkinglabs.com:443/ws][StatusCode: 101][Server: nginx/1.12.2][Risk: ** Known Proto on Non Std Port **** HTTP Susp User-Agent **** Susp Entropy **** HTTP Obsolete Server **][Risk Score: 210][Risk Info: Empty or missing User-Agent / Expected on port 80 / Entropy: 5.197 (Executable?) / Obsolete nginx server 1.12.2][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][PLAIN TEXT (GET /ws HTTP/1.1)][Plen Bins: 0,0,0,0,0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] Undetected flows: diff --git a/tests/cfgs/default/result/fuzz-2006-09-29-28586.pcap.out b/tests/cfgs/default/result/fuzz-2006-09-29-28586.pcap.out index 70e17e96f..f7eab4fce 100644 --- a/tests/cfgs/default/result/fuzz-2006-09-29-28586.pcap.out +++ b/tests/cfgs/default/result/fuzz-2006-09-29-28586.pcap.out @@ -5,7 +5,7 @@ DPI Packets (other): 1 (1.00 pkts/flow) Confidence Unknown : 3 (flows) Confidence Match by port : 23 (flows) Confidence DPI : 13 (flows) -Num dissector calls: 986 (25.28 diss/flow) +Num dissector calls: 999 (25.62 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/78/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/gnutella.pcap.out b/tests/cfgs/default/result/gnutella.pcap.out index 186c6695d..ab60e1959 100644 --- a/tests/cfgs/default/result/gnutella.pcap.out +++ b/tests/cfgs/default/result/gnutella.pcap.out @@ -6,7 +6,7 @@ DPI Packets (other): 10 (1.00 pkts/flow) Confidence Unknown : 389 (flows) Confidence Match by port : 1 (flows) Confidence DPI : 370 (flows) -Num dissector calls: 52247 (68.75 diss/flow) +Num dissector calls: 52250 (68.75 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/1170/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/heuristic_tcp_ack_payload.pcap.out b/tests/cfgs/default/result/heuristic_tcp_ack_payload.pcap.out index 731a7df71..9ca25aa60 100644 --- a/tests/cfgs/default/result/heuristic_tcp_ack_payload.pcap.out +++ b/tests/cfgs/default/result/heuristic_tcp_ack_payload.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 67 (11.17 pkts/flow) Confidence DPI : 6 (flows) -Num dissector calls: 20 (3.33 diss/flow) +Num dissector calls: 21 (3.50 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/hls.pcapng.out b/tests/cfgs/default/result/hls.pcapng.out index 3bad3d969..56ebf689b 100644 --- a/tests/cfgs/default/result/hls.pcapng.out +++ b/tests/cfgs/default/result/hls.pcapng.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 6 (6.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/http-basic-auth.pcap.out b/tests/cfgs/default/result/http-basic-auth.pcap.out index be5bab391..2b3957b81 100644 --- a/tests/cfgs/default/result/http-basic-auth.pcap.out +++ b/tests/cfgs/default/result/http-basic-auth.pcap.out @@ -3,7 +3,7 @@ Guessed flow protos: 9 DPI Packets (TCP): 183 (7.32 pkts/flow) Confidence Match by port : 9 (flows) Confidence DPI : 16 (flows) -Num dissector calls: 240 (9.60 diss/flow) +Num dissector calls: 256 (10.24 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/27/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/http-crash-content-disposition.pcap.out b/tests/cfgs/default/result/http-crash-content-disposition.pcap.out index fe75dca40..c9c15bdf2 100644 --- a/tests/cfgs/default/result/http-crash-content-disposition.pcap.out +++ b/tests/cfgs/default/result/http-crash-content-disposition.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 8 (8.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/http-lines-split.pcap.out b/tests/cfgs/default/result/http-lines-split.pcap.out index e41c81357..e1cd5ff0a 100644 --- a/tests/cfgs/default/result/http-lines-split.pcap.out +++ b/tests/cfgs/default/result/http-lines-split.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 8 (8.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/http-manipulated.pcap.out b/tests/cfgs/default/result/http-manipulated.pcap.out index 90115fb48..2e43cfda0 100644 --- a/tests/cfgs/default/result/http-manipulated.pcap.out +++ b/tests/cfgs/default/result/http-manipulated.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 12 (6.00 pkts/flow) Confidence DPI : 2 (flows) -Num dissector calls: 30 (15.00 diss/flow) +Num dissector calls: 32 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/http-pwd.pcapng.out b/tests/cfgs/default/result/http-pwd.pcapng.out index e311e31f3..96f6ca4f8 100644 --- a/tests/cfgs/default/result/http-pwd.pcapng.out +++ b/tests/cfgs/default/result/http-pwd.pcapng.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 9 (9.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/http.pcapng.out b/tests/cfgs/default/result/http.pcapng.out index 517dd6dfd..ac87d3834 100644 --- a/tests/cfgs/default/result/http.pcapng.out +++ b/tests/cfgs/default/result/http.pcapng.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 6 (6.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/http_asymmetric.pcapng.out b/tests/cfgs/default/result/http_asymmetric.pcapng.out index 75a9aeefc..e2980e42a 100644 --- a/tests/cfgs/default/result/http_asymmetric.pcapng.out +++ b/tests/cfgs/default/result/http_asymmetric.pcapng.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 18 (9.00 pkts/flow) Confidence DPI : 2 (flows) -Num dissector calls: 30 (15.00 diss/flow) +Num dissector calls: 32 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/http_auth.pcap.out b/tests/cfgs/default/result/http_auth.pcap.out index 6dec7a384..93824c5aa 100644 --- a/tests/cfgs/default/result/http_auth.pcap.out +++ b/tests/cfgs/default/result/http_auth.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 6 (6.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/http_invalid_server.pcap.out b/tests/cfgs/default/result/http_invalid_server.pcap.out index 27fb72457..35f9b314b 100644 --- a/tests/cfgs/default/result/http_invalid_server.pcap.out +++ b/tests/cfgs/default/result/http_invalid_server.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 6 (6.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/http_on_sip_port.pcap.out b/tests/cfgs/default/result/http_on_sip_port.pcap.out index 18e617e78..fcebc7536 100644 --- a/tests/cfgs/default/result/http_on_sip_port.pcap.out +++ b/tests/cfgs/default/result/http_on_sip_port.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 4 (4.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 16 (16.00 diss/flow) +Num dissector calls: 17 (17.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/http_origin_different_than_host.pcap.out b/tests/cfgs/default/result/http_origin_different_than_host.pcap.out index 4035e63e0..5a66dae51 100644 --- a/tests/cfgs/default/result/http_origin_different_than_host.pcap.out +++ b/tests/cfgs/default/result/http_origin_different_than_host.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 4 (4.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 22 (22.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) @@ -20,8 +20,8 @@ Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -HTTP 4 1229 1 +WebSocket 4 1229 1 Acceptable 4 1229 1 - 1 TCP 10.140.206.74:34536 <-> 18.135.206.102:80 [VLAN: 113][proto: GTP:7/HTTP][IP: 265/AmazonAWS][ClearText][Confidence: DPI][FPC: 265/AmazonAWS, Confidence: IP address][DPI packets: 4][cat: Web/5][2 pkts/835 bytes <-> 2 pkts/394 bytes][Goodput ratio: 73/42][0.35 sec][Hostname/SNI: csb.performgroup.io][URL: csb.performgroup.io/?topreferer=optawidgets.365scores.com][StatusCode: 101][User-Agent: Mozilla/5.0 (Linux; Android 9; JKM-LX1 Build/HUAWEIJKM-LX1; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/106.0.5249.118 Mobile Safari/537.36][TCP Fingerprint: 2_64_65535_41a9d5af7dd3/Android][PLAIN TEXT (topreferer)][Plen Bins: 0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 TCP 10.140.206.74:34536 <-> 18.135.206.102:80 [VLAN: 113][proto: GTP:7.251/HTTP.WebSocket][IP: 265/AmazonAWS][ClearText][Confidence: DPI][FPC: 265/AmazonAWS, Confidence: IP address][DPI packets: 4][cat: Web/5][2 pkts/835 bytes <-> 2 pkts/394 bytes][Goodput ratio: 73/42][0.35 sec][Hostname/SNI: csb.performgroup.io][URL: csb.performgroup.io/?topreferer=optawidgets.365scores.com][StatusCode: 101][User-Agent: Mozilla/5.0 (Linux; Android 9; JKM-LX1 Build/HUAWEIJKM-LX1; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/106.0.5249.118 Mobile Safari/537.36][Risk: ** Susp Entropy **][Risk Score: 10][Risk Info: Entropy: 5.542 (Executable?)][TCP Fingerprint: 2_64_65535_41a9d5af7dd3/Android][PLAIN TEXT (topreferer)][Plen Bins: 0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/http_starting_with_reply.pcapng.out b/tests/cfgs/default/result/http_starting_with_reply.pcapng.out index 595de367d..dfa6ff87e 100644 --- a/tests/cfgs/default/result/http_starting_with_reply.pcapng.out +++ b/tests/cfgs/default/result/http_starting_with_reply.pcapng.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 7 (7.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/http_ua_splitted_in_two_pkts.pcapng.out b/tests/cfgs/default/result/http_ua_splitted_in_two_pkts.pcapng.out index 749fd633f..09616474e 100644 --- a/tests/cfgs/default/result/http_ua_splitted_in_two_pkts.pcapng.out +++ b/tests/cfgs/default/result/http_ua_splitted_in_two_pkts.pcapng.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 5 (5.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/instagram.pcap.out b/tests/cfgs/default/result/instagram.pcap.out index 85f49f78c..0cf067462 100644 --- a/tests/cfgs/default/result/instagram.pcap.out +++ b/tests/cfgs/default/result/instagram.pcap.out @@ -6,7 +6,7 @@ DPI Packets (other): 1 (1.00 pkts/flow) Confidence Unknown : 1 (flows) Confidence Match by port : 7 (flows) Confidence DPI : 30 (flows) -Num dissector calls: 1345 (35.39 diss/flow) +Num dissector calls: 1352 (35.58 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/24/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/iphone.pcap.out b/tests/cfgs/default/result/iphone.pcap.out index 10f87bd70..80a23ee09 100644 --- a/tests/cfgs/default/result/iphone.pcap.out +++ b/tests/cfgs/default/result/iphone.pcap.out @@ -5,7 +5,7 @@ DPI Packets (UDP): 55 (1.77 pkts/flow) DPI Packets (other): 5 (1.00 pkts/flow) Confidence Match by port : 1 (flows) Confidence DPI : 50 (flows) -Num dissector calls: 359 (7.04 diss/flow) +Num dissector calls: 360 (7.06 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/3/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/ipp.pcap.out b/tests/cfgs/default/result/ipp.pcap.out index 02d9547a6..8f2d65af7 100644 --- a/tests/cfgs/default/result/ipp.pcap.out +++ b/tests/cfgs/default/result/ipp.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 21 (7.00 pkts/flow) Confidence DPI : 3 (flows) -Num dissector calls: 63 (21.00 diss/flow) +Num dissector calls: 66 (22.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/jsonrpc.pcap.out b/tests/cfgs/default/result/jsonrpc.pcap.out index 82ee598cb..2ded0a181 100644 --- a/tests/cfgs/default/result/jsonrpc.pcap.out +++ b/tests/cfgs/default/result/jsonrpc.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 10 (5.00 pkts/flow) Confidence DPI : 2 (flows) -Num dissector calls: 150 (75.00 diss/flow) +Num dissector calls: 151 (75.50 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/log4j-webapp-exploit.pcap.out b/tests/cfgs/default/result/log4j-webapp-exploit.pcap.out index 8a4c29870..acee52645 100644 --- a/tests/cfgs/default/result/log4j-webapp-exploit.pcap.out +++ b/tests/cfgs/default/result/log4j-webapp-exploit.pcap.out @@ -1,7 +1,7 @@ DPI Packets (TCP): 56 (8.00 pkts/flow) Confidence Unknown : 2 (flows) Confidence DPI : 5 (flows) -Num dissector calls: 358 (51.14 diss/flow) +Num dissector calls: 361 (51.57 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/6/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/malware.pcap.out b/tests/cfgs/default/result/malware.pcap.out index e681e38c0..2f91ce8d3 100644 --- a/tests/cfgs/default/result/malware.pcap.out +++ b/tests/cfgs/default/result/malware.pcap.out @@ -5,7 +5,7 @@ DPI Packets (UDP): 2 (2.00 pkts/flow) DPI Packets (other): 1 (1.00 pkts/flow) Confidence Match by port : 1 (flows) Confidence DPI : 5 (flows) -Num dissector calls: 19 (3.17 diss/flow) +Num dissector calls: 20 (3.33 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/3/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/mpeg-dash.pcap.out b/tests/cfgs/default/result/mpeg-dash.pcap.out index 84b5f8a72..91449721f 100644 --- a/tests/cfgs/default/result/mpeg-dash.pcap.out +++ b/tests/cfgs/default/result/mpeg-dash.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 13 (3.25 pkts/flow) Confidence DPI : 4 (flows) -Num dissector calls: 84 (21.00 diss/flow) +Num dissector calls: 88 (22.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/mpeg.pcap.out b/tests/cfgs/default/result/mpeg.pcap.out index 79e698c97..cb250f991 100644 --- a/tests/cfgs/default/result/mpeg.pcap.out +++ b/tests/cfgs/default/result/mpeg.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 6 (6.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/ndpi_match_string_subprotocol__error.pcapng.out b/tests/cfgs/default/result/ndpi_match_string_subprotocol__error.pcapng.out index 4e11e4406..8b0d26655 100644 --- a/tests/cfgs/default/result/ndpi_match_string_subprotocol__error.pcapng.out +++ b/tests/cfgs/default/result/ndpi_match_string_subprotocol__error.pcapng.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 3 (3.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 20 (20.00 diss/flow) +Num dissector calls: 21 (21.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/netflix.pcap.out b/tests/cfgs/default/result/netflix.pcap.out index 5df48b188..464ff860e 100644 --- a/tests/cfgs/default/result/netflix.pcap.out +++ b/tests/cfgs/default/result/netflix.pcap.out @@ -5,7 +5,7 @@ DPI Packets (UDP): 27 (2.08 pkts/flow) DPI Packets (other): 1 (1.00 pkts/flow) Confidence Match by port : 1 (flows) Confidence DPI : 60 (flows) -Num dissector calls: 448 (7.34 diss/flow) +Num dissector calls: 474 (7.77 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/3/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/ocs.pcap.out b/tests/cfgs/default/result/ocs.pcap.out index 19fa81d13..a9fc87f2c 100644 --- a/tests/cfgs/default/result/ocs.pcap.out +++ b/tests/cfgs/default/result/ocs.pcap.out @@ -4,7 +4,7 @@ DPI Packets (TCP): 117 (9.75 pkts/flow) DPI Packets (UDP): 8 (1.00 pkts/flow) Confidence DPI : 18 (flows) Confidence Match by IP : 2 (flows) -Num dissector calls: 88 (4.40 diss/flow) +Num dissector calls: 93 (4.65 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/6/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/ocsp.pcapng.out b/tests/cfgs/default/result/ocsp.pcapng.out index decd45e65..78f33716d 100644 --- a/tests/cfgs/default/result/ocsp.pcapng.out +++ b/tests/cfgs/default/result/ocsp.pcapng.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 60 (6.00 pkts/flow) Confidence DPI : 10 (flows) -Num dissector calls: 150 (15.00 diss/flow) +Num dissector calls: 160 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/ookla.pcap.out b/tests/cfgs/default/result/ookla.pcap.out index f474f2aa6..6de62da9f 100644 --- a/tests/cfgs/default/result/ookla.pcap.out +++ b/tests/cfgs/default/result/ookla.pcap.out @@ -4,7 +4,7 @@ DPI Packets (TCP): 40 (6.67 pkts/flow) Confidence DPI (partial cache): 1 (flows) Confidence DPI : 4 (flows) Confidence DPI (aggressive) : 1 (flows) -Num dissector calls: 589 (98.17 diss/flow) +Num dissector calls: 590 (98.33 diss/flow) LRU cache ookla: 4/2/2 (insert/search/found) LRU cache bittorrent: 0/3/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/ossfuzz_seed_fake_traces_3.pcapng.out b/tests/cfgs/default/result/ossfuzz_seed_fake_traces_3.pcapng.out index 118a6e133..7a475fa38 100644 --- a/tests/cfgs/default/result/ossfuzz_seed_fake_traces_3.pcapng.out +++ b/tests/cfgs/default/result/ossfuzz_seed_fake_traces_3.pcapng.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 4 (4.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/paltalk.pcapng.out b/tests/cfgs/default/result/paltalk.pcapng.out index 87f9253f0..922b579d8 100644 --- a/tests/cfgs/default/result/paltalk.pcapng.out +++ b/tests/cfgs/default/result/paltalk.pcapng.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 17 (4.25 pkts/flow) Confidence DPI : 4 (flows) -Num dissector calls: 332 (83.00 diss/flow) +Num dissector calls: 333 (83.25 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/punycode-idn.pcap.out b/tests/cfgs/default/result/punycode-idn.pcap.out index c1e0c2a52..401a8d512 100644 --- a/tests/cfgs/default/result/punycode-idn.pcap.out +++ b/tests/cfgs/default/result/punycode-idn.pcap.out @@ -1,7 +1,7 @@ DPI Packets (TCP): 8 (8.00 pkts/flow) DPI Packets (UDP): 4 (2.00 pkts/flow) Confidence DPI : 3 (flows) -Num dissector calls: 17 (5.67 diss/flow) +Num dissector calls: 18 (6.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/quickplay.pcap.out b/tests/cfgs/default/result/quickplay.pcap.out index 61d68b854..835026944 100644 --- a/tests/cfgs/default/result/quickplay.pcap.out +++ b/tests/cfgs/default/result/quickplay.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 78 (3.71 pkts/flow) Confidence DPI : 21 (flows) -Num dissector calls: 245 (11.67 diss/flow) +Num dissector calls: 261 (12.43 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/sites.pcapng.out b/tests/cfgs/default/result/sites.pcapng.out index 15f44694b..bf5284d23 100644 --- a/tests/cfgs/default/result/sites.pcapng.out +++ b/tests/cfgs/default/result/sites.pcapng.out @@ -4,7 +4,7 @@ DPI Packets (TCP): 330 (5.50 pkts/flow) DPI Packets (UDP): 4 (1.00 pkts/flow) Confidence Match by port : 4 (flows) Confidence DPI : 60 (flows) -Num dissector calls: 74 (1.16 diss/flow) +Num dissector calls: 75 (1.17 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/12/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/sites2.pcapng.out b/tests/cfgs/default/result/sites2.pcapng.out index 95b8978f2..0815a379d 100644 --- a/tests/cfgs/default/result/sites2.pcapng.out +++ b/tests/cfgs/default/result/sites2.pcapng.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 31 (6.20 pkts/flow) Confidence DPI : 5 (flows) -Num dissector calls: 19 (3.80 diss/flow) +Num dissector calls: 20 (4.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/soap.pcap.out b/tests/cfgs/default/result/soap.pcap.out index 7bab6ba48..665128fb5 100644 --- a/tests/cfgs/default/result/soap.pcap.out +++ b/tests/cfgs/default/result/soap.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 11 (3.67 pkts/flow) Confidence DPI : 3 (flows) -Num dissector calls: 419 (139.67 diss/flow) +Num dissector calls: 420 (140.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/softether.pcap.out b/tests/cfgs/default/result/softether.pcap.out index 2765be6ba..0e884d695 100644 --- a/tests/cfgs/default/result/softether.pcap.out +++ b/tests/cfgs/default/result/softether.pcap.out @@ -1,7 +1,7 @@ DPI Packets (TCP): 4 (4.00 pkts/flow) DPI Packets (UDP): 31 (10.33 pkts/flow) Confidence DPI : 4 (flows) -Num dissector calls: 428 (107.00 diss/flow) +Num dissector calls: 429 (107.25 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/sql_injection.pcap.out b/tests/cfgs/default/result/sql_injection.pcap.out index 900e48f9f..c6cac93f0 100644 --- a/tests/cfgs/default/result/sql_injection.pcap.out +++ b/tests/cfgs/default/result/sql_injection.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 3 (3.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/starcraft_battle.pcap.out b/tests/cfgs/default/result/starcraft_battle.pcap.out index 4a0a95303..13bbc396d 100644 --- a/tests/cfgs/default/result/starcraft_battle.pcap.out +++ b/tests/cfgs/default/result/starcraft_battle.pcap.out @@ -6,7 +6,7 @@ DPI Packets (other): 1 (1.00 pkts/flow) Confidence Match by port : 12 (flows) Confidence DPI : 39 (flows) Confidence Match by IP : 1 (flows) -Num dissector calls: 1722 (33.12 diss/flow) +Num dissector calls: 1742 (33.50 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/39/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/steam.pcapng.out b/tests/cfgs/default/result/steam.pcapng.out index c41c6fb72..9f5ee7faf 100644 --- a/tests/cfgs/default/result/steam.pcapng.out +++ b/tests/cfgs/default/result/steam.pcapng.out @@ -1,7 +1,7 @@ DPI Packets (TCP): 28 (5.60 pkts/flow) DPI Packets (UDP): 2 (1.00 pkts/flow) Confidence DPI : 7 (flows) -Num dissector calls: 113 (16.14 diss/flow) +Num dissector calls: 114 (16.29 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/tls_certificate_too_long.pcap.out b/tests/cfgs/default/result/tls_certificate_too_long.pcap.out index 4c3d4b463..5c86b5dfc 100644 --- a/tests/cfgs/default/result/tls_certificate_too_long.pcap.out +++ b/tests/cfgs/default/result/tls_certificate_too_long.pcap.out @@ -6,7 +6,7 @@ DPI Packets (other): 2 (1.00 pkts/flow) Confidence Unknown : 1 (flows) Confidence Match by port : 1 (flows) Confidence DPI : 33 (flows) -Num dissector calls: 662 (18.91 diss/flow) +Num dissector calls: 664 (18.97 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/6/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/tls_heur__vmess-websocket.pcapng.out b/tests/cfgs/default/result/tls_heur__vmess-websocket.pcapng.out index 1634e2e1c..f9e86b1db 100644 --- a/tests/cfgs/default/result/tls_heur__vmess-websocket.pcapng.out +++ b/tests/cfgs/default/result/tls_heur__vmess-websocket.pcapng.out @@ -1,7 +1,7 @@ DPI Packets (TCP): 18 (6.00 pkts/flow) DPI Packets (UDP): 2 (2.00 pkts/flow) Confidence DPI : 4 (flows) -Num dissector calls: 176 (44.00 diss/flow) +Num dissector calls: 183 (45.75 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) @@ -12,18 +12,18 @@ LRU cache fpc_dns: 1/3/1 (insert/search/found) Automa host: 4/3 (search/found) Automa domain: 4/0 (search/found) Automa tls cert: 0/0 (search/found) -Automa risk mask: 1/0 (search/found) +Automa risk mask: 2/0 (search/found) Automa common alpns: 2/2 (search/found) -Patricia risk mask: 2/0 (search/found) +Patricia risk mask: 4/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 7/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -HTTP 35 22912 1 YouTube 32 24681 2 SOCKS 33 21475 1 +WebSocket 35 22912 1 Acceptable 68 44387 2 Fun 32 24681 2 @@ -34,6 +34,6 @@ JA Host Stats: 1 TCP 192.168.1.183:51390 <-> 142.250.180.142:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 124/YouTube, Confidence: DNS][DPI packets: 6][cat: Media/1][11 pkts/1577 bytes <-> 17 pkts/22332 bytes][Goodput ratio: 52/95][0.14 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.868 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/9 81/74 26/19][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 143/1314 585/6668 160/1472][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 18,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,55,0,0,0,5] - 2 TCP 127.0.0.1:33702 <-> 127.0.0.1:1234 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][19 pkts/2630 bytes <-> 16 pkts/20282 bytes][Goodput ratio: 51/95][0.17 sec][Hostname/SNI: 127.0.0.1][bytes ratio: -0.770 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/7 52/76 16/21][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 138/1268 767/2120 172/862][URL: 127.0.0.1:1234/][StatusCode: 101][User-Agent: Go-http-client/1.1][Risk: ** Known Proto on Non Std Port **** HTTP/TLS/QUIC Numeric Hostname/SNI **][Risk Score: 60][Risk Info: Found host 127.0.0.1 / Expected on port 80][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][PLAIN TEXT (GET / HTTP/1.1)][Plen Bins: 0,0,11,0,5,5,0,0,0,0,0,5,0,0,5,0,0,0,0,0,5,11,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,45] + 2 TCP 127.0.0.1:33702 <-> 127.0.0.1:1234 [proto: 7.251/HTTP.WebSocket][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][19 pkts/2630 bytes <-> 16 pkts/20282 bytes][Goodput ratio: 51/95][0.17 sec][Hostname/SNI: 127.0.0.1][bytes ratio: -0.770 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/7 52/76 16/21][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 138/1268 767/2120 172/862][URL: 127.0.0.1:1234/][StatusCode: 101][User-Agent: Go-http-client/1.1][Risk: ** Known Proto on Non Std Port **** HTTP/TLS/QUIC Numeric Hostname/SNI **** Susp Entropy **][Risk Score: 70][Risk Info: Found host 127.0.0.1 / Expected on port 80 / Entropy: 5.294 (Executable?)][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][PLAIN TEXT (GET / HTTP/1.1)][Plen Bins: 0,0,11,0,5,5,0,0,0,0,0,5,0,0,5,0,0,0,0,0,5,11,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,45] 3 TCP 127.0.0.1:44532 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][20 pkts/2203 bytes <-> 13 pkts/19272 bytes][Goodput ratio: 38/95][0.17 sec][bytes ratio: -0.795 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/10 44/82 16/26][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 110/1482 585/4000 112/1624][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][PLAIN TEXT (www.youtube.com)][Plen Bins: 31,21,5,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26] 4 UDP 127.0.0.1:39646 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/596 bytes][Goodput ratio: 50/85][0.00 sec][Hostname/SNI: www.youtube.com][142.250.180.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/trickbot.pcap.out b/tests/cfgs/default/result/trickbot.pcap.out index 212114a35..5341ede87 100644 --- a/tests/cfgs/default/result/trickbot.pcap.out +++ b/tests/cfgs/default/result/trickbot.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 8 (8.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/waze.pcap.out b/tests/cfgs/default/result/waze.pcap.out index 21eb7fb14..cd9f0cebd 100644 --- a/tests/cfgs/default/result/waze.pcap.out +++ b/tests/cfgs/default/result/waze.pcap.out @@ -5,7 +5,7 @@ DPI Packets (UDP): 1 (1.00 pkts/flow) Confidence Unknown : 1 (flows) Confidence Match by port : 9 (flows) Confidence DPI : 23 (flows) -Num dissector calls: 393 (11.91 diss/flow) +Num dissector calls: 401 (12.15 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/30/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/webdav.pcap.out b/tests/cfgs/default/result/webdav.pcap.out index b7959c061..919e4cd12 100644 --- a/tests/cfgs/default/result/webdav.pcap.out +++ b/tests/cfgs/default/result/webdav.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 41 (5.12 pkts/flow) Confidence DPI : 8 (flows) -Num dissector calls: 120 (15.00 diss/flow) +Num dissector calls: 128 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/webex.pcap.out b/tests/cfgs/default/result/webex.pcap.out index 46643f8af..6277f6e88 100644 --- a/tests/cfgs/default/result/webex.pcap.out +++ b/tests/cfgs/default/result/webex.pcap.out @@ -5,7 +5,7 @@ DPI Packets (UDP): 8 (4.00 pkts/flow) Confidence Match by port : 3 (flows) Confidence DPI : 53 (flows) Confidence Match by IP : 1 (flows) -Num dissector calls: 270 (4.74 diss/flow) +Num dissector calls: 272 (4.77 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/12/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/websocket-chisel-ssh.pcap.out b/tests/cfgs/default/result/websocket-chisel-ssh.pcap.out new file mode 100644 index 000000000..e1313af49 --- /dev/null +++ b/tests/cfgs/default/result/websocket-chisel-ssh.pcap.out @@ -0,0 +1,28 @@ +DPI Packets (TCP): 8 (4.00 pkts/flow) +Confidence DPI : 2 (flows) +Num dissector calls: 44 (22.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 0/1/0 (insert/search/found) +Automa host: 1/0 (search/found) +Automa domain: 1/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 1/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 4/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 4/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +WebSocket 9 1243 2 + +Acceptable 9 1243 2 + + 1 TCP 172.18.82.242:41986 <-> 172.18.82.243:80 [proto: 7.251/HTTP.WebSocket][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][3 pkts/429 bytes <-> 4 pkts/477 bytes][Goodput ratio: 52/43][0.52 sec][Hostname/SNI: something1.tld][bytes ratio: -0.053 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 106/102 213/307 106/145][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 143/119 289/247 103/74][StatusCode: 101][Server: nginx][User-Agent: Go-http-client/1.1][Risk: ** Susp Entropy **** Obfuscated Traffic **][Risk Score: 110][Risk Info: Obfuscated SSH-in-HTTP-WebSocket traffic / Entropy: 5.164 (Executable?)][TCP Fingerprint: 2_64_65500_c9121a61c67d/Unknown][PLAIN TEXT (GET / H)][Plen Bins: 33,0,0,0,0,33,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 TCP 172.18.82.243:80 -> 172.18.82.242:51634 [proto: 7.251/HTTP.WebSocket][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 7.251/HTTP.WebSocket, Confidence: DPI][DPI packets: 2][cat: Web/5][2 pkts/337 bytes -> 0 pkts/0 bytes][Goodput ratio: 61/0][< 1 sec][StatusCode: 101][Server: nginx][Risk: ** HTTP Susp User-Agent **** Susp Entropy **** Unidirectional Traffic **][Risk Score: 120][Risk Info: No client to server traffic / Empty or missing User-Agent / Entropy: 5.286 (Executable?)][PLAIN TEXT (HTTP/1.1 101 Switching Protocol)][Plen Bins: 50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/weibo.pcap.out b/tests/cfgs/default/result/weibo.pcap.out index 033717ba3..4b8e335eb 100644 --- a/tests/cfgs/default/result/weibo.pcap.out +++ b/tests/cfgs/default/result/weibo.pcap.out @@ -4,7 +4,7 @@ DPI Packets (TCP): 100 (3.33 pkts/flow) DPI Packets (UDP): 35 (2.50 pkts/flow) Confidence Match by port : 21 (flows) Confidence DPI : 23 (flows) -Num dissector calls: 539 (12.25 diss/flow) +Num dissector calls: 549 (12.48 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/63/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/windowsupdate_over_http.pcap.out b/tests/cfgs/default/result/windowsupdate_over_http.pcap.out index 8c3cfc220..0bffe2af1 100644 --- a/tests/cfgs/default/result/windowsupdate_over_http.pcap.out +++ b/tests/cfgs/default/result/windowsupdate_over_http.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 6 (6.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/wow.pcap.out b/tests/cfgs/default/result/wow.pcap.out index e829e61ef..12963c063 100644 --- a/tests/cfgs/default/result/wow.pcap.out +++ b/tests/cfgs/default/result/wow.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 36 (7.20 pkts/flow) Confidence DPI : 5 (flows) -Num dissector calls: 112 (22.40 diss/flow) +Num dissector calls: 114 (22.80 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/xiaomi.pcap.out b/tests/cfgs/default/result/xiaomi.pcap.out index 05dcd2cdc..1ffdc37e9 100644 --- a/tests/cfgs/default/result/xiaomi.pcap.out +++ b/tests/cfgs/default/result/xiaomi.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 19 (2.71 pkts/flow) Confidence DPI : 7 (flows) -Num dissector calls: 615 (87.86 diss/flow) +Num dissector calls: 616 (88.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/xss.pcap.out b/tests/cfgs/default/result/xss.pcap.out index 946e7f96f..7cca3c024 100644 --- a/tests/cfgs/default/result/xss.pcap.out +++ b/tests/cfgs/default/result/xss.pcap.out @@ -3,7 +3,7 @@ Guessed flow protos: 1 DPI Packets (TCP): 9 (4.50 pkts/flow) Confidence Match by port : 1 (flows) Confidence DPI : 1 (flows) -Num dissector calls: 15 (7.50 diss/flow) +Num dissector calls: 16 (8.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/3/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/zattoo.pcap.out b/tests/cfgs/default/result/zattoo.pcap.out index 3a3612b81..25b5c8c57 100644 --- a/tests/cfgs/default/result/zattoo.pcap.out +++ b/tests/cfgs/default/result/zattoo.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 10 (5.00 pkts/flow) Confidence DPI : 2 (flows) -Num dissector calls: 15 (7.50 diss/flow) +Num dissector calls: 16 (8.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/disable_aggressiveness/result/ookla.pcap.out b/tests/cfgs/disable_aggressiveness/result/ookla.pcap.out index 6d53a6a01..70fc30f6e 100644 --- a/tests/cfgs/disable_aggressiveness/result/ookla.pcap.out +++ b/tests/cfgs/disable_aggressiveness/result/ookla.pcap.out @@ -3,7 +3,7 @@ Guessed flow protos: 1 DPI Packets (TCP): 40 (6.67 pkts/flow) Confidence DPI (partial cache): 1 (flows) Confidence DPI : 5 (flows) -Num dissector calls: 589 (98.17 diss/flow) +Num dissector calls: 590 (98.33 diss/flow) LRU cache ookla: 4/1/1 (insert/search/found) LRU cache bittorrent: 0/3/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/disable_protocols/result/soap.pcap.out b/tests/cfgs/disable_protocols/result/soap.pcap.out index 7218d2299..173dc70c4 100644 --- a/tests/cfgs/disable_protocols/result/soap.pcap.out +++ b/tests/cfgs/disable_protocols/result/soap.pcap.out @@ -3,7 +3,7 @@ Guessed flow protos: 2 DPI Packets (TCP): 20 (6.67 pkts/flow) Confidence Match by port : 2 (flows) Confidence DPI : 1 (flows) -Num dissector calls: 456 (152.00 diss/flow) +Num dissector calls: 457 (152.33 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/6/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/disable_use_client_ip/result/bot.pcap.out b/tests/cfgs/disable_use_client_ip/result/bot.pcap.out index 70e1e4dfa..f63234eb9 100644 --- a/tests/cfgs/disable_use_client_ip/result/bot.pcap.out +++ b/tests/cfgs/disable_use_client_ip/result/bot.pcap.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 6 (6.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/disable_use_client_port/result/iphone.pcap.out b/tests/cfgs/disable_use_client_port/result/iphone.pcap.out index f63bd8031..987616a5b 100644 --- a/tests/cfgs/disable_use_client_port/result/iphone.pcap.out +++ b/tests/cfgs/disable_use_client_port/result/iphone.pcap.out @@ -3,7 +3,7 @@ DPI Packets (UDP): 55 (1.77 pkts/flow) DPI Packets (other): 5 (1.00 pkts/flow) Confidence Unknown : 1 (flows) Confidence DPI : 50 (flows) -Num dissector calls: 359 (7.04 diss/flow) +Num dissector calls: 360 (7.06 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/3/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/enable_payload_stat/result/1kxun.pcap.out b/tests/cfgs/enable_payload_stat/result/1kxun.pcap.out index 4a4627642..5597a6d4c 100644 --- a/tests/cfgs/enable_payload_stat/result/1kxun.pcap.out +++ b/tests/cfgs/enable_payload_stat/result/1kxun.pcap.out @@ -5,7 +5,7 @@ DPI Packets (UDP): 120 (1.21 pkts/flow) Confidence Unknown : 9 (flows) Confidence Match by port : 6 (flows) Confidence DPI : 182 (flows) -Num dissector calls: 4633 (23.52 diss/flow) +Num dissector calls: 4719 (23.95 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/45/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/guess_ip_before_port_enabled/result/1kxun.pcap.out b/tests/cfgs/guess_ip_before_port_enabled/result/1kxun.pcap.out index e333204c0..cc0cf6c58 100644 --- a/tests/cfgs/guess_ip_before_port_enabled/result/1kxun.pcap.out +++ b/tests/cfgs/guess_ip_before_port_enabled/result/1kxun.pcap.out @@ -6,7 +6,7 @@ Confidence Unknown : 9 (flows) Confidence Match by port : 4 (flows) Confidence DPI : 182 (flows) Confidence Match by IP : 2 (flows) -Num dissector calls: 4633 (23.52 diss/flow) +Num dissector calls: 4719 (23.95 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/45/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/guessing_disable/result/webex.pcap.out b/tests/cfgs/guessing_disable/result/webex.pcap.out index 241ff980c..8b8cba273 100644 --- a/tests/cfgs/guessing_disable/result/webex.pcap.out +++ b/tests/cfgs/guessing_disable/result/webex.pcap.out @@ -2,7 +2,7 @@ DPI Packets (TCP): 393 (7.15 pkts/flow) DPI Packets (UDP): 8 (4.00 pkts/flow) Confidence Unknown : 4 (flows) Confidence DPI : 53 (flows) -Num dissector calls: 270 (4.74 diss/flow) +Num dissector calls: 272 (4.77 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/12/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/http_process_response_disable/result/http.pcapng.out b/tests/cfgs/http_process_response_disable/result/http.pcapng.out index 35ed5dccb..0fd65680c 100644 --- a/tests/cfgs/http_process_response_disable/result/http.pcapng.out +++ b/tests/cfgs/http_process_response_disable/result/http.pcapng.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 4 (4.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/http_process_response_disable/result/http_asymmetric.pcapng.out b/tests/cfgs/http_process_response_disable/result/http_asymmetric.pcapng.out index 600ac83e2..9f8f6954b 100644 --- a/tests/cfgs/http_process_response_disable/result/http_asymmetric.pcapng.out +++ b/tests/cfgs/http_process_response_disable/result/http_asymmetric.pcapng.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 6 (3.00 pkts/flow) Confidence DPI : 2 (flows) -Num dissector calls: 30 (15.00 diss/flow) +Num dissector calls: 32 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/ip_lists_disable/result/1kxun.pcap.out b/tests/cfgs/ip_lists_disable/result/1kxun.pcap.out index 23afb55e1..4ffa5e0a4 100644 --- a/tests/cfgs/ip_lists_disable/result/1kxun.pcap.out +++ b/tests/cfgs/ip_lists_disable/result/1kxun.pcap.out @@ -5,7 +5,7 @@ DPI Packets (UDP): 120 (1.21 pkts/flow) Confidence Unknown : 9 (flows) Confidence Match by port : 6 (flows) Confidence DPI : 182 (flows) -Num dissector calls: 4633 (23.52 diss/flow) +Num dissector calls: 4719 (23.95 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/45/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/subclassification_disable/result/http.pcapng.out b/tests/cfgs/subclassification_disable/result/http.pcapng.out index 2aa9e7f79..db2ad3bd4 100644 --- a/tests/cfgs/subclassification_disable/result/http.pcapng.out +++ b/tests/cfgs/subclassification_disable/result/http.pcapng.out @@ -1,6 +1,6 @@ DPI Packets (TCP): 6 (6.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +Num dissector calls: 16 (16.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-websocket.pcapng.out b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-websocket.pcapng.out index 7392d7e76..c0b99b0b3 100644 --- a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-websocket.pcapng.out +++ b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-websocket.pcapng.out @@ -2,7 +2,7 @@ DPI Packets (TCP): 31 (10.33 pkts/flow) DPI Packets (UDP): 2 (2.00 pkts/flow) Confidence DPI : 3 (flows) Confidence DPI (aggressive) : 1 (flows) -Num dissector calls: 176 (44.00 diss/flow) +Num dissector calls: 183 (45.75 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) @@ -13,18 +13,18 @@ LRU cache fpc_dns: 1/3/1 (insert/search/found) Automa host: 4/3 (search/found) Automa domain: 4/0 (search/found) Automa tls cert: 0/0 (search/found) -Automa risk mask: 1/0 (search/found) +Automa risk mask: 2/0 (search/found) Automa common alpns: 2/2 (search/found) -Patricia risk mask: 2/0 (search/found) +Patricia risk mask: 4/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 7/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -HTTP 35 22912 1 YouTube 32 24681 2 SOCKS 33 21475 1 +WebSocket 35 22912 1 Acceptable 68 44387 2 Fun 32 24681 2 @@ -35,6 +35,6 @@ JA Host Stats: 1 TCP 192.168.1.183:51390 <-> 142.250.180.142:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 124/YouTube, Confidence: DNS][DPI packets: 6][cat: Media/1][11 pkts/1577 bytes <-> 17 pkts/22332 bytes][Goodput ratio: 52/95][0.14 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.868 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/9 81/74 26/19][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 143/1314 585/6668 160/1472][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 18,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,55,0,0,0,5] - 2 TCP 127.0.0.1:33702 <-> 127.0.0.1:1234 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 19][cat: Web/5][19 pkts/2630 bytes <-> 16 pkts/20282 bytes][Goodput ratio: 51/95][0.17 sec][Hostname/SNI: 127.0.0.1][bytes ratio: -0.770 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/7 52/76 16/21][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 138/1268 767/2120 172/862][URL: 127.0.0.1:1234/][StatusCode: 101][User-Agent: Go-http-client/1.1][Risk: ** Known Proto on Non Std Port **** HTTP/TLS/QUIC Numeric Hostname/SNI **** Obfuscated Traffic **][Risk Score: 160][Risk Info: Found host 127.0.0.1 / Expected on port 80 / Obfuscated TLS-in-HTTP-WebSocket traffic][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][PLAIN TEXT (GET / HTTP/1.1)][Plen Bins: 0,0,11,0,5,5,0,0,0,0,0,5,0,0,5,0,0,0,0,0,5,11,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,45] + 2 TCP 127.0.0.1:33702 <-> 127.0.0.1:1234 [proto: 7.251/HTTP.WebSocket][IP: 0/Unknown][ClearText][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 19][cat: Web/5][19 pkts/2630 bytes <-> 16 pkts/20282 bytes][Goodput ratio: 51/95][0.17 sec][Hostname/SNI: 127.0.0.1][bytes ratio: -0.770 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/7 52/76 16/21][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 138/1268 767/2120 172/862][URL: 127.0.0.1:1234/][StatusCode: 101][User-Agent: Go-http-client/1.1][Risk: ** Known Proto on Non Std Port **** HTTP/TLS/QUIC Numeric Hostname/SNI **** Susp Entropy **** Obfuscated Traffic **][Risk Score: 170][Risk Info: Found host 127.0.0.1 / Expected on port 80 / Entropy: 5.294 (Executable?) / Obfuscated TLS-in-HTTP-WebSocket traffic][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][PLAIN TEXT (GET / HTTP/1.1)][Plen Bins: 0,0,11,0,5,5,0,0,0,0,0,5,0,0,5,0,0,0,0,0,5,11,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,45] 3 TCP 127.0.0.1:44532 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][20 pkts/2203 bytes <-> 13 pkts/19272 bytes][Goodput ratio: 38/95][0.17 sec][bytes ratio: -0.795 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/10 44/82 16/26][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 110/1482 585/4000 112/1624][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][PLAIN TEXT (www.youtube.com)][Plen Bins: 31,21,5,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26] 4 UDP 127.0.0.1:39646 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/596 bytes][Goodput ratio: 50/85][0.00 sec][Hostname/SNI: www.youtube.com][142.250.180.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |