diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2023-03-30 17:13:51 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-03-30 17:13:51 +0200 |
| commit | 4d11941d322b95728048446bb9d0a2d5fbb552f9 (patch) | |
| tree | 3ae81f2a5e4dea35f21ee73191fceda280b0c704 /tests/pcap/ookla.pcap | |
| parent | 3e06bcce8dc558239c4a7e33e936adde8c05791f (diff) | |
Ookla: rework detection (#1922)
The logic of the LRU cache has been changed: once we know an ip has
connected to an Ookla server, all the following (unknown) flows (for
a short time interval) from the same ip to the port 8080 are treated
as Ookla ones.
Most of the changes in this commit are about introducing the concept of
"aggressive detection". In some cases, to properly detect a
protocol we might use some statistical/behavior logic that, from one
side, let us to identify the protocol more often but, from the other
side, might lead to some false positives.
To allow the user/application to easily detect when such logic has been
triggered, the new confidence value `NDPI_CONFIDENCE_DPI_AGGRESSIVE` has been
added.
It is always possible to disable/configure this kind of logic via the
API.
Detection of Ookla flows using plain TLS over port 8080 is the first
example of aggressive detection in nDPI.
Tested with:
* Android 9.0 with app 4.8.3
* Ubuntu 20.04 with Firefox 110
* Win 10 with app 1.15 and 1.16
* Win 10 with Chrome 108, Edge 108 and Firefox 106
Diffstat (limited to 'tests/pcap/ookla.pcap')
| -rw-r--r-- | tests/pcap/ookla.pcap | bin | 7485 -> 42424 bytes |
1 files changed, 0 insertions, 0 deletions
diff --git a/tests/pcap/ookla.pcap b/tests/pcap/ookla.pcap Binary files differindex 80123e856..ac57c6d17 100644 --- a/tests/pcap/ookla.pcap +++ b/tests/pcap/ookla.pcap |