author Toni Uhlig <matzeton@googlemail.com> 2022-02-07 03:03:50 +0100
committer Toni Uhlig <matzeton@googlemail.com> 2022-02-07 03:03:50 +0100
commit 16a055f8e3da8e15109c445ce84b0c09d937d154
tree 617f305ce748bb7b23274aba3ee21e9b68133514 /tests
parent 46bd09393496583ebe32810f57742b4d567ceb40
Improved MDNS/LLMNR detection. [improved/mdsn-llmnr-detection]

* Checking for port 5353/5355 is not enough.
* Added additional multicast address and header checks.

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'tests')
-rw-r--r-- tests/pcap/dnscrypt-v2.pcap bin 0 -> 4420 bytes
-rw-r--r-- tests/result/dnscrypt-v2.pcap.out 10
2 files changed, 10 insertions, 0 deletions
diff --git a/tests/pcap/dnscrypt-v2.pcap b/tests/pcap/dnscrypt-v2.pcap
new file mode 100644
index 000000000..676ab73a3
--- /dev/null
+++ b/tests/pcap/dnscrypt-v2.pcap
Binary files differ
diff --git a/tests/result/dnscrypt-v2.pcap.out b/tests/result/dnscrypt-v2.pcap.out
new file mode 100644
index 000000000..5b0cd7915
--- /dev/null
+++ b/tests/result/dnscrypt-v2.pcap.out
@@ -0,0 +1,10 @@
+Guessed flow protos: 0
+
+DPI Packets (UDP): 6 (2.00 pkts/flow)
+Confidence DPI : 3 (flows)
+
+DNScrypt 6 4300 3
+
+ 1 UDP 127.0.0.1:50893 <-> 127.0.0.2:5353 [proto: 208/DNScrypt][Encrypted][Confidence: DPI][cat: Network/14][1 pkts/1130 bytes <-> 1 pkts/410 bytes][Goodput ratio: 96/90][0.01 sec][Risk: ** Known Protocol on Non Standard Port **][Risk Score: 50][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 2 UDP 127.0.0.1:38650 <-> 127.0.0.2:5353 [proto: 208/DNScrypt][Encrypted][Confidence: DPI][cat: Network/14][1 pkts/1130 bytes <-> 1 pkts/282 bytes][Goodput ratio: 96/85][0.01 sec][Risk: ** Known Protocol on Non Standard Port **][Risk Score: 50][Plen Bins: 0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 3 UDP 127.0.0.1:42883 <-> 127.0.0.2:5353 [proto: 208/DNScrypt][Encrypted][Confidence: DPI][cat: Network/14][1 pkts/1130 bytes <-> 1 pkts/218 bytes][Goodput ratio: 96/80][0.01 sec][Risk: ** Known Protocol on Non Standard Port **][Risk Score: 50][Plen Bins: 0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0]
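Review bot: the expected output for flows 1-3 only covers the port 5353 half of the change, and only as a negative case: all three flows go to the unicast address 127.0.0.2:5353 and are expected to classify as 208/DNScrypt. Nothing in this tests diff exercises port 5355, which the commit message names alongside 5353, and nothing here shows a flow that passes the new multicast address and header checks. Consider adding a second capture with non-LLMNR UDP traffic on port 5355, plus a line in the commit message stating that dnscrypt-v2.pcap is the regression case for port 5353 traffic that is not MDNS, so the intent of the pinned "Known Protocol on Non Standard Port" risk and Risk Score 50 on every flow is clear to whoever next regenerates this .out file.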