diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-05-29 18:31:10 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-05-29 18:31:10 +0200 |
| commit | 81e42b748e46666158596cc22224b0ec11d85be0 (patch) | |
| tree | 8deb2ebecddd9556607dbee28c5de51d0c4c74c7 /tests/cfgs | |
| parent | 6127e04900d14682f524cca5b5720b2fb9f0e283 (diff) | |
RTP: fix detection over TCP (#2462)
RFC4571 is not the only way to wrap RTP messages in TCP streams.
For example, when RTP is encapsulated over TURN flows (i.e. via DATA
attribute) there is no additional framing.
See also 6127e0490
Diffstat (limited to 'tests/cfgs')
| -rw-r--r-- | tests/cfgs/default/pcap/stun_dtls_rtp.pcapng | bin | 10120 -> 30096 bytes | |||
| -rw-r--r-- | tests/cfgs/default/result/stun_dtls_rtp.pcapng.out | 16 | ||||
| -rw-r--r-- | tests/cfgs/stun_extra_dissection/config.txt | 2 | ||||
| l--------- | tests/cfgs/stun_extra_dissection/pcap/stun_dtls_rtp.pcapng | 1 | ||||
| -rw-r--r-- | tests/cfgs/stun_extra_dissection/result/stun_dtls_rtp.pcapng.out | 34 |
5 files changed, 45 insertions, 8 deletions
diff --git a/tests/cfgs/default/pcap/stun_dtls_rtp.pcapng b/tests/cfgs/default/pcap/stun_dtls_rtp.pcapng Binary files differindex 9d51e7ca7..2d1308ec7 100644 --- a/tests/cfgs/default/pcap/stun_dtls_rtp.pcapng +++ b/tests/cfgs/default/pcap/stun_dtls_rtp.pcapng diff --git a/tests/cfgs/default/result/stun_dtls_rtp.pcapng.out b/tests/cfgs/default/result/stun_dtls_rtp.pcapng.out index d396ffb37..2e4518519 100644 --- a/tests/cfgs/default/result/stun_dtls_rtp.pcapng.out +++ b/tests/cfgs/default/result/stun_dtls_rtp.pcapng.out @@ -1,9 +1,10 @@ +DPI Packets (TCP): 11 (11.00 pkts/flow) DPI Packets (UDP): 17 (17.00 pkts/flow) -Confidence DPI : 1 (flows) -Num dissector calls: 6 (6.00 diss/flow) +Confidence DPI : 2 (flows) +Num dissector calls: 13 (6.50 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) -LRU cache stun: 4/0/0 (insert/search/found) +LRU cache stun: 7/0/0 (insert/search/found) LRU cache tls_cert: 0/1/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) @@ -17,16 +18,17 @@ Patricia risk mask: 2/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 1/1 (search/found) +Patricia protocols: 2/2 (search/found) Patricia protocols IPv6: 0/0 (search/found) -GoogleCall 39 8413 1 +GoogleCall 102 26347 2 -Acceptable 39 8413 1 +Acceptable 102 26347 2 JA3 Host Stats: IP Address # JA3C 1 192.168.12.156 1 - 1 UDP 192.168.12.156:37967 <-> 142.250.82.76:19305 [proto: 30.404/DTLS.GoogleCall][IP: 126/Google][Encrypted][Confidence: DPI][DPI packets: 17][cat: VoIP/10][25 pkts/4202 bytes <-> 14 pkts/4211 bytes][Goodput ratio: 75/86][0.88 sec][bytes ratio: -0.001 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 37/35 203/107 47/36][Pkt Len c2s/s2c min/avg/max/stddev: 103/82 168/301 587/1245 125/320][Mapped IP/Port: 93.35.171.3:61536][DTLSv1.2][JA3C: c14667d7da3e6f7a7ab5519ef78c2452][JA4: dd2d110700_c45550529adf_d9dd6182da81][JA3S: 1f5d6a6d0bc5d514dd84d13e6283d309][Issuer: CN=hangouts][Subject: CN=hangouts][Certificate SHA-1: AF:DD:BF:F5:59:23:0C:D1:B0:9F:B1:04:2E:89:DF:4C:1B:AB:BE:CC][Validity: 2022-11-30 17:35:18 - 2023-12-01 17:35:18][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (ShSURJhNF)][Plen Bins: 0,5,47,30,2,0,0,0,0,0,0,0,0,2,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] + 1 TCP 192.168.12.182:50221 <-> 142.250.82.249:3478 [proto: 78.404/STUN.GoogleCall][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 11][cat: VoIP/10][28 pkts/3492 bytes <-> 35 pkts/14442 bytes][Goodput ratio: 56/87][0.89 sec][Hostname/SNI: turn.l.google.com][bytes ratio: -0.611 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/13 55/55 17/18][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 125/413 250/1162 71/442][Mapped IP/Port: 93.35.170.27:64994][Peer IP/Port: 10.13.0.50:1259][Relayed IP/Port: 10.13.0.62:15530][PLAIN TEXT (Lvsrdelc)][Plen Bins: 2,2,12,15,21,10,2,0,0,0,5,0,0,0,0,0,0,0,2,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 192.168.12.156:37967 <-> 142.250.82.76:19305 [proto: 30.404/DTLS.GoogleCall][IP: 126/Google][Encrypted][Confidence: DPI][DPI packets: 17][cat: VoIP/10][25 pkts/4202 bytes <-> 14 pkts/4211 bytes][Goodput ratio: 75/86][0.88 sec][bytes ratio: -0.001 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 37/35 203/107 47/36][Pkt Len c2s/s2c min/avg/max/stddev: 103/82 168/301 587/1245 125/320][Mapped IP/Port: 93.35.171.3:61536][DTLSv1.2][JA3C: c14667d7da3e6f7a7ab5519ef78c2452][JA4: dd2d110700_c45550529adf_d9dd6182da81][JA3S: 1f5d6a6d0bc5d514dd84d13e6283d309][Issuer: CN=hangouts][Subject: CN=hangouts][Certificate SHA-1: AF:DD:BF:F5:59:23:0C:D1:B0:9F:B1:04:2E:89:DF:4C:1B:AB:BE:CC][Validity: 2022-11-30 17:35:18 - 2023-12-01 17:35:18][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (ShSURJhNF)][Plen Bins: 0,5,47,30,2,0,0,0,0,0,0,0,0,2,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/stun_extra_dissection/config.txt b/tests/cfgs/stun_extra_dissection/config.txt index 8f6faf085..87f466543 100644 --- a/tests/cfgs/stun_extra_dissection/config.txt +++ b/tests/cfgs/stun_extra_dissection/config.txt @@ -1 +1 @@ ---cfg=stun,max_packets_extra_dissection,255 +--cfg=stun,max_packets_extra_dissection,255 -U 0 -T 0 --cfg=packets_limit_per_flow,255 diff --git a/tests/cfgs/stun_extra_dissection/pcap/stun_dtls_rtp.pcapng b/tests/cfgs/stun_extra_dissection/pcap/stun_dtls_rtp.pcapng new file mode 120000 index 000000000..d30bde120 --- /dev/null +++ b/tests/cfgs/stun_extra_dissection/pcap/stun_dtls_rtp.pcapng @@ -0,0 +1 @@ +../../default/pcap/stun_dtls_rtp.pcapng
\ No newline at end of file diff --git a/tests/cfgs/stun_extra_dissection/result/stun_dtls_rtp.pcapng.out b/tests/cfgs/stun_extra_dissection/result/stun_dtls_rtp.pcapng.out new file mode 100644 index 000000000..afe07e3c2 --- /dev/null +++ b/tests/cfgs/stun_extra_dissection/result/stun_dtls_rtp.pcapng.out @@ -0,0 +1,34 @@ +DPI Packets (TCP): 63 (63.00 pkts/flow) +DPI Packets (UDP): 39 (39.00 pkts/flow) +Confidence DPI : 2 (flows) +Num dissector calls: 13 (6.50 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 42/0/0 (insert/search/found) +LRU cache tls_cert: 0/1/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache stun_zoom: 0/0/0 (insert/search/found) +Automa host: 0/0 (search/found) +Automa domain: 0/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 2/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 2/2 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +GoogleCall 102 26347 2 + +Acceptable 102 26347 2 + +JA3 Host Stats: + IP Address # JA3C + 1 192.168.12.156 1 + + + 1 TCP 192.168.12.182:50221 <-> 142.250.82.249:3478 [proto: 338.404/SRTP.GoogleCall][IP: 126/Google][Stream Content: Audio][Encrypted][Confidence: DPI][DPI packets: 63][cat: VoIP/10][28 pkts/3492 bytes <-> 35 pkts/14442 bytes][Goodput ratio: 56/87][0.89 sec][Hostname/SNI: turn.l.google.com][bytes ratio: -0.611 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/13 55/55 17/18][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 125/413 250/1162 71/442][Mapped IP/Port: 10.13.0.62:15530][Peer IP/Port: 10.13.0.50:1259][Relayed IP/Port: 10.13.0.62:15530][PLAIN TEXT (Lvsrdelc)][Plen Bins: 2,2,12,15,21,10,2,0,0,0,5,0,0,0,0,0,0,0,2,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 192.168.12.156:37967 <-> 142.250.82.76:19305 [proto: 30.404/DTLS.GoogleCall][IP: 126/Google][Stream Content: Audio][Encrypted][Confidence: DPI][DPI packets: 39][cat: VoIP/10][25 pkts/4202 bytes <-> 14 pkts/4211 bytes][Goodput ratio: 75/86][0.88 sec][bytes ratio: -0.001 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 37/35 203/107 47/36][Pkt Len c2s/s2c min/avg/max/stddev: 103/82 168/301 587/1245 125/320][Mapped IP/Port: 93.35.171.3:61536][DTLSv1.2][JA3C: c14667d7da3e6f7a7ab5519ef78c2452][JA4: dd2d110700_c45550529adf_d9dd6182da81][JA3S: 1f5d6a6d0bc5d514dd84d13e6283d309][Issuer: CN=hangouts][Subject: CN=hangouts][Certificate SHA-1: AF:DD:BF:F5:59:23:0C:D1:B0:9F:B1:04:2E:89:DF:4C:1B:AB:BE:CC][Validity: 2022-11-30 17:35:18 - 2023-12-01 17:35:18][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (ShSURJhNF)][Plen Bins: 0,5,47,30,2,0,0,0,0,0,0,0,0,2,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] |