authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2023-12-11 14:53:12 +0100
committerGitHub <noreply@github.com>2023-12-11 14:53:12 +0100
commitb3f2b1bb7f90c18a7542ab06acdf26318cdfa6fe (patch)
tree1d23bc99d1c2271fdbeadad5a571e3907f5e40f5
parent673b6e73451cce242aa612c06e80b5865b243ed6 (diff)
STUN: rework extra dissection (#2202)
Keep looking for RTP packets but remove the monitoring concept. We will re-introduce a more general concept of "flow in monitoring state" later. The function was disabled by default. Some configuration knobs will be provided when/if #2190 is merged.
-rw-r--r--example/ndpiReader.c22
-rw-r--r--fuzz/fuzz_config.cpp15
-rw-r--r--fuzz/fuzz_ndpi_reader.c3
-rw-r--r--src/include/ndpi_api.h6
-rw-r--r--src/include/ndpi_typedefs.h6
-rw-r--r--src/lib/ndpi_main.c39
-rw-r--r--src/lib/ndpi_private.h3
-rw-r--r--src/lib/protocols/stun.c20
-rw-r--r--tests/cfgs/disable_stun_monitoring/config.txt1
l---------tests/cfgs/disable_stun_monitoring/pcap/lru_ipv6_caches.pcapng1
-rw-r--r--tests/cfgs/disable_stun_monitoring/result/lru_ipv6_caches.pcapng.out48
-rw-r--r--tests/cfgs/enable_stun_monitoring_with_subproto/config.txt1
l---------tests/cfgs/enable_stun_monitoring_with_subproto/pcap/stun_dtls_rtp.pcapng1
l---------tests/cfgs/enable_stun_monitoring_with_subproto/pcap/stun_dtls_rtp_unidir.pcapng1
l---------tests/cfgs/enable_stun_monitoring_with_subproto/pcap/wa_voice.pcap1
-rw-r--r--tests/cfgs/enable_stun_monitoring_with_subproto/result/stun_dtls_rtp.pcapng.out33
-rw-r--r--tests/cfgs/enable_stun_monitoring_with_subproto/result/stun_dtls_rtp_unidir.pcapng.out34
-rw-r--r--tests/cfgs/enable_stun_monitoring_with_subproto/result/wa_voice.pcap.out80
18 files changed, 9 insertions, 306 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index ecc5ba13a..15679cdef 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -94,8 +94,6 @@ static u_int8_t ignore_vlanid = 0;
/** User preferences **/
u_int8_t enable_protocol_guess = 1, enable_payload_analyzer = 0, num_bin_clusters = 0, extcap_exit = 0;
u_int8_t verbose = 0, enable_flow_stats = 0;
-int stun_monitoring_pkts_to_process = -1; /* Default */
-int stun_monitoring_flags = -1; /* Default */
int nDPI_LogLevel = 0;
char *_debug_protocols = NULL;
char *_disabled_protocols = NULL;
@@ -591,8 +589,6 @@ static void help(u_int long_help) {
" -Z proto:value | Set this value of aggressiveness for this protocol (0 to disable it). This flag can be used multiple times\n"
" --lru-cache-size=NAME:size | Specify the size for this LRU cache (0 to disable it). This flag can be used multiple times\n"
" --lru-cache-ttl=NAME:size | Specify the TTL [in seconds] for this LRU cache (0 to disable it). This flag can be used multiple times\n"
- " --stun-monitoring=<pkts>:<flags> | Configure STUN monitoring: keep monitoring STUN session for <pkts> more pkts looking for RTP\n"
- " | (0:0 to disable the feature); set the specified features in <flags>\n"
,
human_readeable_string_len,
min_pattern_len, max_pattern_len, max_num_packets_per_flow, max_packet_payload_dissection,
@@ -646,8 +642,6 @@ static void help(u_int long_help) {
#define OPTLONG_VALUE_LRU_CACHE_SIZE 1000
#define OPTLONG_VALUE_LRU_CACHE_TTL 1001
-#define OPTLONG_VALUE_STUN_MONITORING 2000
-
static struct option longopts[] = {
/* mandatory extcap options */
{ "extcap-interfaces", no_argument, NULL, '0'},
@@ -691,7 +685,6 @@ static struct option longopts[] = {
{ "lru-cache-size", required_argument, NULL, OPTLONG_VALUE_LRU_CACHE_SIZE},
{ "lru-cache-ttl", required_argument, NULL, OPTLONG_VALUE_LRU_CACHE_TTL},
- { "stun-monitoring", required_argument, NULL, OPTLONG_VALUE_STUN_MONITORING},
{0, 0, 0, 0}
};
@@ -966,7 +959,6 @@ static void parseOptions(int argc, char **argv) {
#endif
#endif
int cache_idx, cache_size, cache_ttl;
- u_int32_t num_pkts, flags;
#ifdef USE_DPDK
{
@@ -1302,15 +1294,6 @@ static void parseOptions(int argc, char **argv) {
lru_cache_ttls[cache_idx] = cache_ttl;
break;
- case OPTLONG_VALUE_STUN_MONITORING:
- if(parse_two_unsigned_integer(optarg, &num_pkts, &flags) == -1) {
- printf("Invalid parameter [%s]\n", optarg);
- exit(1);
- }
- stun_monitoring_pkts_to_process = num_pkts;
- stun_monitoring_flags = flags;
- break;
-
default:
#ifdef DEBUG_TRACE
if(trace) fprintf(trace, " #### Unknown option -%c: skipping it #### \n", opt);
@@ -2752,11 +2735,6 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) {
ndpi_set_protocol_aggressiveness(ndpi_thread_info[thread_id].workflow->ndpi_struct, i, aggressiveness[i]);
}
- if(stun_monitoring_pkts_to_process != -1 &&
- stun_monitoring_flags != -1)
- ndpi_set_monitoring_state(ndpi_thread_info[thread_id].workflow->ndpi_struct, NDPI_PROTOCOL_STUN,
- stun_monitoring_pkts_to_process, stun_monitoring_flags);
-
ndpi_finalize_initialization(ndpi_thread_info[thread_id].workflow->ndpi_struct);
if(enable_doh_dot_detection)
diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
index 0abf63515..afd9367fb 100644
--- a/fuzz/fuzz_config.cpp
+++ b/fuzz/fuzz_config.cpp
@@ -13,7 +13,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
struct ndpi_detection_module_struct *ndpi_info_mod;
struct ndpi_flow_struct flow;
u_int8_t protocol_was_guessed;
- u_int32_t i, num, num2;
+ u_int32_t i, num;
u_int16_t random_proto, bool_value;
int random_value;
NDPI_PROTOCOL_BITMASK enabled_bitmask;
@@ -36,7 +36,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
6 + /* files */
((NDPI_LRUCACHE_MAX + 1) * 5) + /* LRU caches */
2 + 1 + 4 + /* ndpi_set_detection_preferences() */
- 1 + 3 + 1 + 3 + /* Monitoring */
7 + /* Opportunistic tls */
2 + /* Pid */
2 + /* Category */
@@ -108,18 +107,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
ndpi_set_detection_preferences(ndpi_info_mod, static_cast<ndpi_detection_preference>(0xFF), 0xFF); /* Invalid preference */
- if(fuzzed_data.ConsumeBool()) {
- ndpi_set_monitoring_state(ndpi_info_mod, NDPI_PROTOCOL_STUN,
- fuzzed_data.ConsumeIntegralInRange(0, (1 << 16)),
- fuzzed_data.ConsumeIntegralInRange(0, 7));
- ndpi_get_monitoring_state(ndpi_info_mod, NDPI_PROTOCOL_STUN, &num, &num2);
- }
-
- random_proto = fuzzed_data.ConsumeIntegralInRange(0, (1 << 16) - 1);
- random_value = fuzzed_data.ConsumeIntegralInRange(0,2);
- ndpi_set_monitoring_state(ndpi_info_mod, random_proto, random_value, random_value);
- ndpi_get_monitoring_state(ndpi_info_mod, random_proto, &num, &num2);
-
ndpi_set_opportunistic_tls(ndpi_info_mod, NDPI_PROTOCOL_MAIL_SMTP, fuzzed_data.ConsumeBool());
ndpi_get_opportunistic_tls(ndpi_info_mod, NDPI_PROTOCOL_MAIL_SMTP);
ndpi_set_opportunistic_tls(ndpi_info_mod, NDPI_PROTOCOL_MAIL_IMAP, fuzzed_data.ConsumeBool());
diff --git a/fuzz/fuzz_ndpi_reader.c b/fuzz/fuzz_ndpi_reader.c
index 5f2d980c5..cd2292e66 100644
--- a/fuzz/fuzz_ndpi_reader.c
+++ b/fuzz/fuzz_ndpi_reader.c
@@ -74,9 +74,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
ndpi_set_detection_preferences(workflow->ndpi_struct, ndpi_pref_enable_tls_block_dissection, 0 /* unused */);
- ndpi_set_monitoring_state(workflow->ndpi_struct, NDPI_PROTOCOL_STUN,
- 10, NDPI_MONITORING_STUN_SUBCLASSIFIED);
-
memset(workflow->stats.protocol_counter, 0,
sizeof(workflow->stats.protocol_counter));
memset(workflow->stats.protocol_counter_bytes, 0,
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
index 9c634f2a6..64d183ef6 100644
--- a/src/include/ndpi_api.h
+++ b/src/include/ndpi_api.h
@@ -1099,12 +1099,6 @@ extern "C" {
u_int32_t ndpi_get_protocol_aggressiveness(struct ndpi_detection_module_struct *ndpi_struct,
u_int16_t proto);
- int ndpi_set_monitoring_state(struct ndpi_detection_module_struct *ndpi_struct,
- u_int16_t proto, u_int32_t num_pkts, u_int32_t flags);
- int ndpi_get_monitoring_state(struct ndpi_detection_module_struct *ndpi_struct,
- u_int16_t proto, u_int32_t *num_pkts, u_int32_t *flags);
-
-
/**
* Find a protocol id associated with a string automata
*
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index e7338b0fc..d7c4537aa 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -753,12 +753,6 @@ struct ndpi_lru_cache {
/* Ookla */
#define NDPI_AGGRESSIVENESS_OOKLA_TLS 0x01 /* Enable detection over TLS (using ookla cache) */
-
-/* Monitoring flags */
-
-/* Stun */
-#define NDPI_MONITORING_STUN_SUBCLASSIFIED 0x01 /* Monitor STUN flows even if we have a valid sub-protocol */
-
/* ************************************************** */
struct ndpi_flow_tcp_struct {
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 02db29a68..6eafa598b 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -3387,9 +3387,6 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
ndpi_str->opportunistic_tls_ftp_enabled = 1;
ndpi_str->opportunistic_tls_stun_enabled = 1;
- ndpi_str->monitoring_stun_pkts_to_process = 4;
- ndpi_str->monitoring_stun_flags = 0;
-
ndpi_str->aggressiveness_ookla = NDPI_AGGRESSIVENESS_OOKLA_TLS;
if(prefs & ndpi_enable_tcp_ack_payload_heuristic)
@@ -10430,42 +10427,6 @@ int ndpi_seen_flow_beginning(const struct ndpi_flow_struct *flow)
/* ******************************************************************** */
-int ndpi_set_monitoring_state(struct ndpi_detection_module_struct *ndpi_struct,
- u_int16_t proto, u_int32_t num_pkts, u_int32_t flags)
-{
- if(!ndpi_struct || num_pkts > 0xFFFF)
- return -1;
-
- switch(proto) {
- case NDPI_PROTOCOL_STUN:
- ndpi_struct->monitoring_stun_pkts_to_process = num_pkts;
- ndpi_struct->monitoring_stun_flags = flags;
- return 0;
- default:
- return -1;
- }
-}
-
-/* ******************************************************************** */
-
-int ndpi_get_monitoring_state(struct ndpi_detection_module_struct *ndpi_struct,
- u_int16_t proto, u_int32_t *num_pkts, u_int32_t *flags)
-{
- if(!ndpi_struct || !num_pkts || !flags)
- return -1;
-
- switch(proto) {
- case NDPI_PROTOCOL_STUN:
- *num_pkts = ndpi_struct->monitoring_stun_pkts_to_process;
- *flags = ndpi_struct->monitoring_stun_flags;
- return 0;
- default:
- return -1;
- }
-}
-
-/* ******************************************************************** */
-
int ndpi_set_opportunistic_tls(struct ndpi_detection_module_struct *ndpi_struct,
u_int16_t proto, int value)
{
diff --git a/src/lib/ndpi_private.h b/src/lib/ndpi_private.h
index e45a0aabe..148b4b9eb 100644
--- a/src/lib/ndpi_private.h
+++ b/src/lib/ndpi_private.h
@@ -253,9 +253,6 @@ struct ndpi_detection_module_struct {
int opportunistic_tls_ftp_enabled;
int opportunistic_tls_stun_enabled;
- u_int32_t monitoring_stun_pkts_to_process;
- u_int32_t monitoring_stun_flags;
-
u_int32_t aggressiveness_ookla;
int tcp_ack_paylod_heuristic;
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index b3d83da8c..74dfc829b 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -345,9 +345,8 @@ static int keep_extra_dissection(struct ndpi_detection_module_struct *ndpi_struc
/* We have a sub-classification */
- if((ndpi_struct->monitoring_stun_flags & NDPI_MONITORING_STUN_SUBCLASSIFIED) &&
- flow->detected_protocol_stack[0] != NDPI_PROTOCOL_RTP)
- return 1;
+ if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_RTP)
+ return 0;
/* Looking for XOR-PEER-ADDRESS metadata; TODO: other protocols? */
if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM_VOIP)
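Review bot: The comment `/* We have a sub-classification */` above the new check does not say why the function returns here. The new code ends extra dissection as soon as `detected_protocol_stack[0]` is RTP, and that intent deserves its own line, e.g. `/* RTP already found: nothing left to look for, stop extra dissection */`. Reading `return 0` as "stop" is inferred from the name `keep_extra_dissection`; a one-line header comment stating the return convention would settle it. The function body begins before this hunk and continues after it.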
@@ -614,25 +613,22 @@ static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *nd
ndpi_set_detected_protocol(ndpi_struct, flow, app_proto, __get_master(flow), confidence);
}
- /* This is quite complex. We want extra dissection for:
+ /* We want extra dissection for:
* sub-classification
- * metadata extraction in general
- * Telegram: we need more packets to find all XOR-PEER-ADDRESS attributes
- * monitoring, i.e. looking for RTP
- And all these cases might overlap...
+ * metadata extraction or looking for RTP
+ The latter is enabled only without sub-classification or for Telegram
+ (to find all XOR-PEER-ADDRESS attributes)
*/
if(!flow->extra_packets_func) {
if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN /* No-subclassification */ ||
- flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM_VOIP /* Metadata. TODO: other protocols? */ ||
- (ndpi_struct->monitoring_stun_pkts_to_process > 0 &&
- (ndpi_struct->monitoring_stun_flags & NDPI_MONITORING_STUN_SUBCLASSIFIED))) {
+ flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM_VOIP /* Metadata. TODO: other protocols? */) {
NDPI_LOG_DBG(ndpi_struct, "Enabling extra dissection\n");
if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM_VOIP) {
flow->max_extra_packets_to_check = 10; /* Looking for metadata. There are no really RTP packets
in Telegram flows, so no need to enable monitoring for them */
} else {
- flow->max_extra_packets_to_check = ndpi_max(4, ndpi_struct->monitoring_stun_pkts_to_process);
+ flow->max_extra_packets_to_check = 4;
flow->extra_packets_func = stun_search_again;
}
}
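Review bot: The Telegram branch's comment still ends with "so no need to enable monitoring for them", which is stale now that this commit removes the monitoring concept; something like `/* Looking for metadata only: Telegram flows carry no real RTP */` would match the new behaviour. The per-flow budgets `10` and `4` are bare literals that cap how many further packets of untrusted traffic the dissector inspects, so named constants or a short rationale for each value would make that bound easier to audit. As the hunk is rendered here, `flow->extra_packets_func = stun_search_again;` appears to sit inside the `else` branch only, which would leave the Telegram case with a packet budget but no callback installed. Indentation is lost on this page, so that needs confirming against the file. The enclosing function starts before the hunk and its outer `if` closes after it.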
diff --git a/tests/cfgs/disable_stun_monitoring/config.txt b/tests/cfgs/disable_stun_monitoring/config.txt
deleted file mode 100644
index 828d83cd4..000000000
--- a/tests/cfgs/disable_stun_monitoring/config.txt
+++ /dev/null
@@ -1 +0,0 @@
---stun-monitoring=0:0
diff --git a/tests/cfgs/disable_stun_monitoring/pcap/lru_ipv6_caches.pcapng b/tests/cfgs/disable_stun_monitoring/pcap/lru_ipv6_caches.pcapng
deleted file mode 120000
index 56b131a34..000000000
--- a/tests/cfgs/disable_stun_monitoring/pcap/lru_ipv6_caches.pcapng
+++ /dev/null
@@ -1 +0,0 @@
-../../default/pcap/lru_ipv6_caches.pcapng \ No newline at end of file
diff --git a/tests/cfgs/disable_stun_monitoring/result/lru_ipv6_caches.pcapng.out b/tests/cfgs/disable_stun_monitoring/result/lru_ipv6_caches.pcapng.out
deleted file mode 100644
index 19e22069d..000000000
--- a/tests/cfgs/disable_stun_monitoring/result/lru_ipv6_caches.pcapng.out
+++ /dev/null
@@ -1,48 +0,0 @@
-Guessed flow protos: 3
-
-DPI Packets (TCP): 9 (3.00 pkts/flow)
-DPI Packets (UDP): 36 (4.00 pkts/flow)
-Confidence DPI (cache) : 6 (flows)
-Confidence DPI : 6 (flows)
-Num dissector calls: 776 (64.67 diss/flow)
-LRU cache ookla: 0/0/0 (insert/search/found)
-LRU cache bittorrent: 25/12/4 (insert/search/found)
-LRU cache zoom: 0/0/0 (insert/search/found)
-LRU cache stun: 6/8/0 (insert/search/found)
-LRU cache tls_cert: 1/3/2 (insert/search/found)
-LRU cache mining: 0/0/0 (insert/search/found)
-LRU cache msteams: 0/0/0 (insert/search/found)
-LRU cache stun_zoom: 0/0/0 (insert/search/found)
-Automa host: 9/0 (search/found)
-Automa domain: 9/0 (search/found)
-Automa tls cert: 1/1 (search/found)
-Automa risk mask: 0/0 (search/found)
-Automa common alpns: 3/3 (search/found)
-Patricia risk mask: 0/0 (search/found)
-Patricia risk mask IPv6: 22/0 (search/found)
-Patricia risk: 0/0 (search/found)
-Patricia risk IPv6: 12/0 (search/found)
-Patricia protocols: 0/0 (search/found)
-Patricia protocols IPv6: 24/0 (search/found)
-
-BitTorrent 25 4546 5
-WhatsAppCall 24 3996 3
-STUN 30 3450 1
-Cloudflare 9 8862 3
-
-JA3 Host Stats:
- IP Address # JA3C
-
-
- 1 UDP [32fb:f967:681e:e96b:face:b00c::74fd]:3478 <-> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080]:45658 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 12][cat: Network/14][14 pkts/1612 bytes <-> 16 pkts/1838 bytes][Goodput ratio: 46/46][2.71 sec][bytes ratio: -0.066 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 12/1 188/155 778/396 231/147][Pkt Len c2s/s2c min/avg/max/stddev: 84/84 115/115 214/206 44/39][PLAIN TEXT (4/WtFTidwfa)][Plen Bins: 46,23,16,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 2 TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44144 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.16 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0]
- 3 TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44150 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI (cache)][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.15 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0]
- 4 TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44192 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI (cache)][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.15 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0]
- 5 UDP [2a2f:8509:1cb2:466d:ecbf:69d6:109c:608]:62229 -> [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 8][cat: Download/7][9 pkts/2397 bytes -> 0 pkts/0 bytes][Goodput ratio: 77/0][9.99 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1249/0 8358/0 2694/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 266/0 610/0 243/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (added.f)][Plen Bins: 44,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 6 UDP [3069:c624:1d42:9469:98b1:67ff:fe43:325]:56131 -> [32fb:f967:681e:e96b:face:b00c::74fd]:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][11 pkts/1958 bytes -> 0 pkts/0 bytes][Goodput ratio: 65/0][2.35 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 7/0 236/0 1183/0 350/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 178/0 214/0 41/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (BHBeRjaHJ)][Plen Bins: 9,0,18,0,72,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 7 UDP [2118:ec33:112b:7908:2c80:27ff:fef7:d71f]:48415 -> [32fb:f967:681e:e96b:face:b00c::74fd]:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][11 pkts/1742 bytes -> 0 pkts/0 bytes][Goodput ratio: 61/0][2.97 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 279/0 1388/0 400/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 158/0 214/0 51/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (NGuJOnsW)][Plen Bins: 18,0,36,0,45,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 8 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [3024:e5ee:ac2f:cd76:5dd6:a7a1:f17f:5c27]:60506 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 8][cat: Download/7][11 pkts/1319 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][6.03 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 670/0 2769/0 758/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 120/0 431/0 99/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (added.f)][Plen Bins: 72,18,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 9 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [2fda:1f8a:c107:88a4:e509:d2e1:445f:f34c]:6881 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Download/7][2 pkts/332 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][8.49 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (hash20)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 10 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [38b2:46b7:27a4:94c3:c134:948:e069:d71f]:1 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 2][cat: Download/7][2 pkts/332 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][20.08 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (hash20)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 11 UDP [3297:a1af:5121:cfc:360b:2e07:872f:1ea0]:43865 -> [32fb:f967:681e:e96b:face:b00c::74fd]:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][2 pkts/296 bytes -> 0 pkts/0 bytes][Goodput ratio: 58/0][0.26 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (BZ9/sp6)][Plen Bins: 50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 12 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [2c7f:d7a0:44a9:49e9:e586:fb7f:5b85:9c83]:1 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: Download/7][1 pkts/166 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][< 1 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (hash20)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/enable_stun_monitoring_with_subproto/config.txt b/tests/cfgs/enable_stun_monitoring_with_subproto/config.txt
deleted file mode 100644
index 1dfcde8ad..000000000
--- a/tests/cfgs/enable_stun_monitoring_with_subproto/config.txt
+++ /dev/null
@@ -1 +0,0 @@
---stun-monitoring=20:1
diff --git a/tests/cfgs/enable_stun_monitoring_with_subproto/pcap/stun_dtls_rtp.pcapng b/tests/cfgs/enable_stun_monitoring_with_subproto/pcap/stun_dtls_rtp.pcapng
deleted file mode 120000
index d30bde120..000000000
--- a/tests/cfgs/enable_stun_monitoring_with_subproto/pcap/stun_dtls_rtp.pcapng
+++ /dev/null
@@ -1 +0,0 @@
-../../default/pcap/stun_dtls_rtp.pcapng \ No newline at end of file
diff --git a/tests/cfgs/enable_stun_monitoring_with_subproto/pcap/stun_dtls_rtp_unidir.pcapng b/tests/cfgs/enable_stun_monitoring_with_subproto/pcap/stun_dtls_rtp_unidir.pcapng
deleted file mode 120000
index b7223bfd0..000000000
--- a/tests/cfgs/enable_stun_monitoring_with_subproto/pcap/stun_dtls_rtp_unidir.pcapng
+++ /dev/null
@@ -1 +0,0 @@
-../../default/pcap/stun_dtls_rtp_unidir.pcapng \ No newline at end of file
diff --git a/tests/cfgs/enable_stun_monitoring_with_subproto/pcap/wa_voice.pcap b/tests/cfgs/enable_stun_monitoring_with_subproto/pcap/wa_voice.pcap
deleted file mode 120000
index 5e8affbfb..000000000
--- a/tests/cfgs/enable_stun_monitoring_with_subproto/pcap/wa_voice.pcap
+++ /dev/null
@@ -1 +0,0 @@
-../../default/pcap/wa_voice.pcap \ No newline at end of file
diff --git a/tests/cfgs/enable_stun_monitoring_with_subproto/result/stun_dtls_rtp.pcapng.out b/tests/cfgs/enable_stun_monitoring_with_subproto/result/stun_dtls_rtp.pcapng.out
deleted file mode 100644
index 817890521..000000000
--- a/tests/cfgs/enable_stun_monitoring_with_subproto/result/stun_dtls_rtp.pcapng.out
+++ /dev/null
@@ -1,33 +0,0 @@
-Guessed flow protos: 0
-
-DPI Packets (UDP): 25 (25.00 pkts/flow)
-Confidence DPI : 1 (flows)
-Num dissector calls: 6 (6.00 diss/flow)
-LRU cache ookla: 0/0/0 (insert/search/found)
-LRU cache bittorrent: 0/0/0 (insert/search/found)
-LRU cache zoom: 0/0/0 (insert/search/found)
-LRU cache stun: 2/0/0 (insert/search/found)
-LRU cache tls_cert: 1/2/0 (insert/search/found)
-LRU cache mining: 0/0/0 (insert/search/found)
-LRU cache msteams: 0/0/0 (insert/search/found)
-LRU cache stun_zoom: 0/0/0 (insert/search/found)
-Automa host: 0/0 (search/found)
-Automa domain: 0/0 (search/found)
-Automa tls cert: 1/1 (search/found)
-Automa risk mask: 0/0 (search/found)
-Automa common alpns: 0/0 (search/found)
-Patricia risk mask: 2/0 (search/found)
-Patricia risk mask IPv6: 0/0 (search/found)
-Patricia risk: 0/0 (search/found)
-Patricia risk IPv6: 0/0 (search/found)
-Patricia protocols: 1/1 (search/found)
-Patricia protocols IPv6: 0/0 (search/found)
-
-GoogleHangoutDuo 39 8413 1
-
-JA3 Host Stats:
- IP Address # JA3C
- 1 192.168.12.156 1
-
-
- 1 UDP 192.168.12.156:37967 <-> 142.250.82.76:19305 [proto: 30.201/DTLS.GoogleHangoutDuo][IP: 126/Google][Encrypted][Confidence: DPI][DPI packets: 25][cat: VoIP/10][25 pkts/4202 bytes <-> 14 pkts/4211 bytes][Goodput ratio: 75/86][0.88 sec][bytes ratio: -0.001 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 37/35 203/107 47/36][Pkt Len c2s/s2c min/avg/max/stddev: 103/82 168/301 587/1245 125/320][Risk: ** Known Proto on Non Std Port **** Self-signed Cert **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **][Risk Score: 210][Risk Info: No ALPN / CN=hangouts][DTLSv1.2][JA3C: c14667d7da3e6f7a7ab5519ef78c2452][JA3S: 1f5d6a6d0bc5d514dd84d13e6283d309][Issuer: CN=hangouts][Subject: CN=hangouts][Certificate SHA-1: AF:DD:BF:F5:59:23:0C:D1:B0:9F:B1:04:2E:89:DF:4C:1B:AB:BE:CC][Validity: 2022-11-30 17:35:18 - 2023-12-01 17:35:18][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (ShSURJhNF)][Plen Bins: 0,5,47,30,2,0,0,0,0,0,0,0,0,2,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/enable_stun_monitoring_with_subproto/result/stun_dtls_rtp_unidir.pcapng.out b/tests/cfgs/enable_stun_monitoring_with_subproto/result/stun_dtls_rtp_unidir.pcapng.out
deleted file mode 100644
index a0ff564d9..000000000
--- a/tests/cfgs/enable_stun_monitoring_with_subproto/result/stun_dtls_rtp_unidir.pcapng.out
+++ /dev/null
@@ -1,34 +0,0 @@
-Guessed flow protos: 0
-
-DPI Packets (UDP): 36 (18.00 pkts/flow)
-Confidence DPI : 2 (flows)
-Num dissector calls: 12 (6.00 diss/flow)
-LRU cache ookla: 0/0/0 (insert/search/found)
-LRU cache bittorrent: 0/0/0 (insert/search/found)
-LRU cache zoom: 0/0/0 (insert/search/found)
-LRU cache stun: 32/88/0 (insert/search/found)
-LRU cache tls_cert: 0/5/0 (insert/search/found)
-LRU cache mining: 0/0/0 (insert/search/found)
-LRU cache msteams: 0/0/0 (insert/search/found)
-LRU cache stun_zoom: 0/0/0 (insert/search/found)
-Automa host: 0/0 (search/found)
-Automa domain: 0/0 (search/found)
-Automa tls cert: 1/0 (search/found)
-Automa risk mask: 0/0 (search/found)
-Automa common alpns: 0/0 (search/found)
-Patricia risk mask: 4/0 (search/found)
-Patricia risk mask IPv6: 0/0 (search/found)
-Patricia risk: 0/0 (search/found)
-Patricia risk IPv6: 0/0 (search/found)
-Patricia protocols: 4/0 (search/found)
-Patricia protocols IPv6: 0/0 (search/found)
-
-RTP 43 10358 2
-
-JA3 Host Stats:
- IP Address # JA3C
- 1 10.10.0.1 1
-
-
- 1 UDP 10.1.0.3:5853 -> 10.10.0.1:2808 [proto: 30.87/DTLS.RTP][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 15][cat: Network/14][18 pkts/5384 bytes -> 0 pkts/0 bytes][Goodput ratio: 86/0][7.17 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 386/0 4001/0 979/0][Pkt Len c2s/s2c min/avg/max/stddev: 102/0 299/0 750/0 221/0][Risk: ** Known Proto on Non Std Port **** Self-signed Cert **][Risk Score: 150][Risk Info: CN=8][DTLSv1.0][JA3S: 1cfcbe58451407e23669f1dd08565519][Issuer: CN=8][Subject: CN=8][Certificate SHA-1: 94:8C:6F:C3:00:6A:A1:63:F1:52:7E:7F:1F:A7:93:90:46:3B:B1:2D][Validity: 2015-12-10 05:41:43 - 2016-01-10 05:41:43][Cipher: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA][PLAIN TEXT (Coturn)][Plen Bins: 0,5,5,5,34,22,0,0,0,5,0,0,0,0,0,5,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 2 UDP 10.10.0.1:65226 -> 10.1.0.3:57730 [proto: 30.87/DTLS.RTP][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 21][cat: Network/14][25 pkts/4974 bytes -> 0 pkts/0 bytes][Goodput ratio: 79/0][7.16 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 324/0 4001/0 904/0][Pkt Len c2s/s2c min/avg/max/stddev: 78/0 199/0 478/0 92/0][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **][Risk Score: 110][Risk Info: No ALPN][DTLSv1.0][JA3C: fd8faf73d274d5614a51dae82304be0a][PLAIN TEXT (username1)][Plen Bins: 0,8,16,16,32,0,4,8,0,12,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/enable_stun_monitoring_with_subproto/result/wa_voice.pcap.out b/tests/cfgs/enable_stun_monitoring_with_subproto/result/wa_voice.pcap.out
deleted file mode 100644
index ee7f07b15..000000000
--- a/tests/cfgs/enable_stun_monitoring_with_subproto/result/wa_voice.pcap.out
+++ /dev/null
@@ -1,80 +0,0 @@
-Guessed flow protos: 8
-
-DPI Packets (TCP): 20 (3.33 pkts/flow)
-DPI Packets (UDP): 102 (4.86 pkts/flow)
-DPI Packets (other): 1 (1.00 pkts/flow)
-Confidence Unknown : 1 (flows)
-Confidence DPI (cache) : 1 (flows)
-Confidence DPI : 26 (flows)
-Num dissector calls: 387 (13.82 diss/flow)
-LRU cache ookla: 0/0/0 (insert/search/found)
-LRU cache bittorrent: 0/3/0 (insert/search/found)
-LRU cache zoom: 0/0/0 (insert/search/found)
-LRU cache stun: 14/3/2 (insert/search/found)
-LRU cache tls_cert: 0/0/0 (insert/search/found)
-LRU cache mining: 0/1/0 (insert/search/found)
-LRU cache msteams: 0/0/0 (insert/search/found)
-LRU cache stun_zoom: 0/0/0 (insert/search/found)
-Automa host: 20/10 (search/found)
-Automa domain: 20/0 (search/found)
-Automa tls cert: 0/0 (search/found)
-Automa risk mask: 4/0 (search/found)
-Automa common alpns: 14/14 (search/found)
-Patricia risk mask: 28/0 (search/found)
-Patricia risk mask IPv6: 0/0 (search/found)
-Patricia risk: 1/0 (search/found)
-Patricia risk IPv6: 1/0 (search/found)
-Patricia protocols: 44/10 (search/found)
-Patricia protocols IPv6: 2/0 (search/found)
-
-Unknown 2 120 1
-MDNS 10 1188 2
-SSDP 8 1365 5
-DHCP 5 1710 1
-WhatsAppCall 48 5768 5
-ICMP 4 280 1
-RTP 213 37951 2
-TLS 8 542 1
-Dropbox 4 1528 1
-Google 2 164 1
-WhatsApp 352 86475 4
-Spotify 2 172 1
-ApplePush 24 8007 1
-WhatsAppFiles 52 24946 2
-
-JA3 Host Stats:
- IP Address # JA3C
- 1 192.168.2.12 2
-
-
- 1 TCP 192.168.2.12:50504 <-> 157.240.20.52:443 [proto: 91.142/TLS.WhatsApp][IP: 142/WhatsApp][Encrypted][Confidence: DPI][DPI packets: 6][cat: Chat/9][41 pkts/3669 bytes <-> 44 pkts/43871 bytes][Goodput ratio: 27/93][0.41 sec][Hostname/SNI: pps.whatsapp.net][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.846 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/8 129/77 24/19][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 89/997 583/1454 85/624][TLSv1.3][JA3C: 7a7a639628f0fe5c7e057628a5bbec5a][JA3S: 475c9302dc42b2751db9edcac3b74891][Safari][Cipher: TLS_CHACHA20_POLY1305_SHA256][Plen Bins: 8,11,4,0,0,2,2,0,2,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,61,0,0,0,0]
- 2 TCP 192.168.2.12:49355 <-> 157.240.20.53:5222 [proto: 142/WhatsApp][IP: 142/WhatsApp][Encrypted][Confidence: DPI][DPI packets: 4][cat: Chat/9][132 pkts/14116 bytes <-> 131 pkts/24439 bytes][Goodput ratio: 38/65][54.73 sec][bytes ratio: -0.268 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 342/421 9349/9387 1279/1420][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 107/187 393/1454 62/283][PLAIN TEXT (fd.9LTIP9)][Plen Bins: 1,63,2,3,10,10,0,0,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0]
- 3 UDP 91.252.56.51:32704 <-> 192.168.2.12:56328 [proto: 45.87/WhatsAppCall.RTP][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 7][cat: VoIP/10][87 pkts/14598 bytes <-> 77 pkts/17336 bytes][Goodput ratio: 75/81][11.91 sec][bytes ratio: -0.086 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 136/121 921/265 137/64][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 168/225 318/331 61/68][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (KEXQD/)][Plen Bins: 6,4,7,27,16,4,11,12,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 4 TCP 192.168.2.12:50503 <-> 31.13.86.51:443 [proto: 91.242/TLS.WhatsAppFiles][IP: 142/WhatsApp][Encrypted][Confidence: DPI][DPI packets: 6][cat: Download/7][25 pkts/2993 bytes <-> 25 pkts/21759 bytes][Goodput ratio: 44/92][0.39 sec][Hostname/SNI: media-mxp1-1.cdn.whatsapp.net][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.758 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/10 127/126 28/30][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 120/870 583/1454 124/639][TLSv1.3][JA3C: b92a79ed03c3ff5611abb2305370d3e3][JA3S: 475c9302dc42b2751db9edcac3b74891][Safari][Cipher: TLS_CHACHA20_POLY1305_SHA256][Plen Bins: 7,14,7,0,0,3,0,0,7,0,3,0,0,3,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,47,0,0,0,0]
- 5 TCP 192.168.2.12:49354 <-> 17.242.60.84:5223 [proto: 238/ApplePush][IP: 140/Apple][Encrypted][Confidence: DPI][DPI packets: 1][cat: Cloud/13][14 pkts/6933 bytes <-> 10 pkts/1074 bytes][Goodput ratio: 87/39][54.11 sec][bytes ratio: 0.732 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 4462/757 43773/5113 12515/1779][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 495/107 1506/215 607/44][Plen Bins: 0,42,14,0,7,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,21,0,0]
- 6 UDP 192.168.2.12:56328 <-> 31.13.86.48:3478 [proto: 45.87/WhatsAppCall.RTP][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 21][cat: VoIP/10][21 pkts/2349 bytes <-> 28 pkts/3668 bytes][Goodput ratio: 62/68][34.51 sec][bytes ratio: -0.219 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1959/1447 12194/12196 2978/2626][Pkt Len c2s/s2c min/avg/max/stddev: 48/44 112/131 249/326 64/101][Plen Bins: 40,20,0,20,0,0,8,4,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 7 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][5 pkts/1710 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][17.30 sec][Hostname/SNI: lucas-imac][DHCP Fingerprint: 1,121,3,6,15,119,252,95,44,46][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 8 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Cloud/13][4 pkts/1528 bytes -> 0 pkts/0 bytes][Goodput ratio: 89/0][30.05 sec][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 9 UDP 192.168.2.12:56328 -> 1.60.78.64:64282 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 16][cat: VoIP/10][16 pkts/1376 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][9.38 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 614/0 625/0 643/0 8/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 10 UDP 192.168.2.12:56328 <-> 157.240.193.48:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 8][cat: VoIP/10][5 pkts/840 bytes <-> 3 pkts/258 bytes][Goodput ratio: 75/51][34.51 sec][bytes ratio: 0.530 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8626/6151 22207/12302 9311/6151][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168/86 168/86 0/0][Plen Bins: 0,37,0,62,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 11 UDP 192.168.2.12:56328 <-> 157.240.196.62:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 8][cat: VoIP/10][5 pkts/840 bytes <-> 3 pkts/258 bytes][Goodput ratio: 75/51][34.51 sec][bytes ratio: 0.530 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8626/6148 22207/12297 9311/6148][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168/86 168/86 0/0][Plen Bins: 0,37,0,62,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 12 UDP 192.168.2.12:56328 <-> 179.60.192.48:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 8][cat: VoIP/10][5 pkts/840 bytes <-> 3 pkts/258 bytes][Goodput ratio: 75/51][34.51 sec][bytes ratio: 0.530 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8626/6149 22207/12298 9311/6149][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168/86 168/86 0/0][Plen Bins: 0,37,0,62,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 13 UDP 192.168.2.12:56328 <-> 185.60.216.51:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 8][cat: VoIP/10][5 pkts/840 bytes <-> 3 pkts/258 bytes][Goodput ratio: 75/51][34.51 sec][bytes ratio: 0.530 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 8626/6151 22207/12301 9311/6150][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168/86 168/86 0/0][Plen Bins: 0,37,0,62,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 14 UDP 192.168.2.12:64716 -> 239.255.255.250:1900 [proto: 12/SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][4 pkts/671 bytes -> 0 pkts/0 bytes][Goodput ratio: 75/0][9.04 sec][Hostname/SNI: 239.255.255.250:1900][PLAIN TEXT (SEARCH )][Plen Bins: 0,0,0,25,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 15 UDP [fe80::414:409d:8afd:9f05]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 5][cat: Network/14][5 pkts/644 bytes -> 0 pkts/0 bytes][Goodput ratio: 52/0][32.02 sec][Hostname/SNI: _homekit._tcp.local][_homekit._tcp.local][PLAIN TEXT (airplay)][Plen Bins: 0,80,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 16 UDP 192.168.2.12:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 5][cat: Network/14][5 pkts/544 bytes -> 0 pkts/0 bytes][Goodput ratio: 61/0][32.02 sec][Hostname/SNI: _homekit._tcp.local][_homekit._tcp.local][PLAIN TEXT (airplay)][Plen Bins: 0,80,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 17 TCP 17.171.47.85:443 <-> 192.168.2.12:50502 [proto: 91/TLS][IP: 140/Apple][Encrypted][Confidence: DPI][DPI packets: 1][cat: Web/5][4 pkts/271 bytes <-> 4 pkts/271 bytes][Goodput ratio: 11/11][0.28 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 94/0 278/0 130/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 68/68 97/97 18/18][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 18 ICMP 192.168.2.12:0 -> 91.252.56.51:0 [proto: 81/ICMP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][4 pkts/280 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][0.92 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 19 UDP 192.168.2.12:55296 <-> 192.168.2.1:53 [proto: 5.242/DNS.WhatsAppFiles][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/89 bytes <-> 1 pkts/105 bytes][Goodput ratio: 52/59][0.03 sec][Hostname/SNI: media-mxp1-1.cdn.whatsapp.net][31.13.86.51][PLAIN TEXT (whatsapp)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 20 UDP 192.168.2.12:60549 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/76 bytes <-> 1 pkts/117 bytes][Goodput ratio: 44/64][0.04 sec][Hostname/SNI: pps.whatsapp.net][157.240.20.52][PLAIN TEXT (whatsapp)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 21 UDP 192.168.2.12:60765 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/74 bytes <-> 1 pkts/113 bytes][Goodput ratio: 43/62][0.03 sec][Hostname/SNI: g.whatsapp.net][157.240.20.53][PLAIN TEXT (whatsapp)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 22 UDP 192.168.2.12:50191 -> 239.255.255.250:1900 [proto: 12/SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/179 bytes -> 0 pkts/0 bytes][Goodput ratio: 76/0][< 1 sec][Hostname/SNI: 239.255.255.250:1900][PLAIN TEXT (SEARCH )][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 23 UDP 192.168.2.12:57546 -> 239.255.255.250:1900 [proto: 12/SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/179 bytes -> 0 pkts/0 bytes][Goodput ratio: 76/0][< 1 sec][Hostname/SNI: 239.255.255.250:1900][PLAIN TEXT (SEARCH )][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 24 UDP 192.168.2.1:57621 -> 192.168.2.255:57621 [proto: 156/Spotify][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: Music/25][2 pkts/172 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][38.00 sec][PLAIN TEXT (KTSpotUdp)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 25 UDP 169.254.162.244:50384 -> 239.255.255.250:1900 [proto: 12/SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/168 bytes -> 0 pkts/0 bytes][Goodput ratio: 75/0][< 1 sec][Hostname/SNI: 239.255.255.250:1900][PLAIN TEXT (SEARCH )][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 26 UDP 192.168.2.1:50384 -> 239.255.255.250:1900 [proto: 12/SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/168 bytes -> 0 pkts/0 bytes][Goodput ratio: 75/0][< 1 sec][Hostname/SNI: 239.255.255.250:1900][PLAIN TEXT (SEARCH )][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 27 UDP 192.168.2.12:51431 <-> 192.168.2.1:53 [proto: 5.126/DNS.Google][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/74 bytes <-> 1 pkts/90 bytes][Goodput ratio: 43/53][0.00 sec][Hostname/SNI: www.google.com][216.239.38.120][PLAIN TEXT (google)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-
-
-Undetected flows:
- 1 TCP 192.168.2.12:49352 <-> 169.254.162.244:49159 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 2][1 pkts/54 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]