-rw-r--r-- | example/ndpiReader.c | 24 | ||||
-rw-r--r-- | example/reader_util.c | 24 | ||||
-rw-r--r-- | example/reader_util.h | 8 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 23 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 73 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 1 | ||||
-rw-r--r-- | src/lib/protocols/rtp.c | 10 | ||||
-rw-r--r-- | tests/cfgs/caches_cfg/result/teams.pcap.out | 2 | ||||
-rw-r--r-- | tests/cfgs/default/result/zoom2.pcap.out | 2 |
9 files changed, 121 insertions, 46 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c index f7482ca65..5eb47f741 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -1522,6 +1522,30 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa ndpi_get_proto_name(ndpi_thread_info[thread_id].workflow->ndpi_struct, flow->detected_protocol.protocol_by_ip)); + if(flow->multimedia_flow_type != ndpi_multimedia_unknown_flow) { + const char *content; + + switch(flow->multimedia_flow_type) { + case ndpi_multimedia_audio_flow: + content = "Audio"; + break; + + case ndpi_multimedia_video_flow: + content = "Video"; + break; + + case ndpi_multimedia_screen_sharing_flow: + content = "Screen Sharing"; + break; + + default: + content = "???"; + break; + } + + fprintf(out, "[Stream Content: %s]", content); + } + fprintf(out, "[%s]", ndpi_is_encrypted_proto(ndpi_thread_info[thread_id].workflow->ndpi_struct, flow->detected_protocol) ? "Encrypted" : "ClearText"); diff --git a/example/reader_util.c b/example/reader_util.c index a35eaf3c5..d044fb76a 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -1,7 +1,7 @@ /* * reader_util.c * - * Copyright (C) 2011-22 - ntop.org + * Copyright (C) 2011-23 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH 
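Review bot: The new switch on `flow->multimedia_flow_type` inlines a string-mapping table into printFlow, which is already a long function; a small helper such as `static const char *multimedia_flow_type_str(ndpi_multimedia_flow_type t)` returning the same four strings would reduce the new code to a single `fprintf(out, "[Stream Content: %s]", multimedia_flow_type_str(flow->multimedia_flow_type));` and be reusable by the other output paths. The `default:` arm that prints `"???"` also silently masks any enumerator added to `ndpi_multimedia_flow_type` later; initialising `const char *content = "???";` and dropping the `default:` arm keeps the fallback while letting `-Wswitch` report an unhandled value. printFlow starts and ends outside the hunk.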
@@ -1141,16 +1141,17 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl flow->num_dissector_calls = flow->ndpi_flow->num_dissector_calls; ndpi_snprintf(flow->host_server_name, sizeof(flow->host_server_name), "%s", - flow->ndpi_flow->host_server_name); + flow->ndpi_flow->host_server_name); ndpi_snprintf(flow->flow_extra_info, sizeof(flow->flow_extra_info), "%s", - flow->ndpi_flow->flow_extra_info); + flow->ndpi_flow->flow_extra_info); flow->risk = flow->ndpi_flow->risk; if(is_ndpi_proto(flow, NDPI_PROTOCOL_DHCP)) { if(flow->ndpi_flow->protos.dhcp.fingerprint[0] != '\0') flow->dhcp_fingerprint = ndpi_strdup(flow->ndpi_flow->protos.dhcp.fingerprint); + if(flow->ndpi_flow->protos.dhcp.class_ident[0] != '\0') flow->dhcp_class_ident = ndpi_strdup(flow->ndpi_flow->protos.dhcp.class_ident); } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_BITTORRENT) && @@ -1160,6 +1161,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl if(flow->ndpi_flow->protos.bittorrent.hash[0] != '\0') { flow->bittorent_hash = ndpi_malloc(sizeof(flow->ndpi_flow->protos.bittorrent.hash) * 2 + 1); + if(flow->bittorent_hash) { for(i=0, j = 0; i < sizeof(flow->ndpi_flow->protos.bittorrent.hash); i++) { sprintf(&flow->bittorent_hash[j], "%02x", @@ -1167,6 +1169,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl j += 2; } + flow->bittorent_hash[j] = '\0'; } } 
@@ -1369,6 +1372,11 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl } } + if(is_ndpi_proto(flow, NDPI_PROTOCOL_ZOOM)) + flow->multimedia_flow_type = flow->ndpi_flow->zoom.flow_type; + else if(is_ndpi_proto(flow, NDPI_PROTOCOL_SKYPE_TEAMS_CALL)) + flow->multimedia_flow_type = flow->ndpi_flow->skype_teams.flow_type; + /* HTTP metadata are "global" not in `flow->ndpi_flow->protos` union; for example, we can have HTTP/BitTorrent and in that case we want to export also HTTP attributes */ if(is_ndpi_proto(flow, NDPI_PROTOCOL_HTTP) @@ -1388,8 +1396,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl sizeof(flow->http.user_agent), "%s", (flow->ndpi_flow->http.user_agent ? flow->ndpi_flow->http.user_agent : "")); - if (workflow->ndpi_serialization_format != ndpi_serialization_format_unknown) - { + if (workflow->ndpi_serialization_format != ndpi_serialization_format_unknown) { if (ndpi_flow2json(workflow->ndpi_struct, flow->ndpi_flow, flow->ip_version, flow->protocol, flow->vlan_id, @@ -1397,17 +1404,16 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl &flow->src_ip6, &flow->dst_ip6, flow->src_port, flow->dst_port, flow->detected_protocol, - &flow->ndpi_flow_serializer) != 0) - { + &flow->ndpi_flow_serializer) != 0) { LOG(NDPI_LOG_ERROR, "flow2json failed\n"); exit(-1); } + ndpi_serialize_string_uint32(&flow->ndpi_flow_serializer, "detection_completed", flow->detection_completed); ndpi_serialize_string_uint32(&flow->ndpi_flow_serializer, "check_extra_packets", flow->check_extra_packets); } - if(flow->detection_completed && (!flow->check_extra_packets)) { - + if(flow->detection_completed && (!flow->check_extra_packets)) { flow->flow_payload = flow->ndpi_flow->flow_payload, flow->flow_payload_len = flow->ndpi_flow->flow_payload_len; flow->ndpi_flow->flow_payload = NULL; /* We'll free the memory */ 
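Review bot: The `multimedia_flow_type` copy at the top of the `@@ -1369` hunk only feeds the text output of ndpiReader; the serializer block later in this same function (the `ndpi_flow2json` call and the `ndpi_serialize_string_uint32(..., "detection_completed", ...)` line in the `@@ -1397` hunk) does not carry it, so JSON consumers never see the stream type unless `ndpi_flow2json`, which is outside this diff, already exports it. If it does not, adding `ndpi_serialize_string_uint32(&flow->ndpi_flow_serializer, "multimedia_flow_type", flow->multimedia_flow_type);` next to the `detection_completed` line would keep both outputs consistent. The if/else chain also leaves the field untouched for every other protocol, which is fine only if `ndpi_flow_info` is zeroed at allocation; a one-line comment `/* stays ndpi_multimedia_unknown_flow for all other protocols */` would make that reliance explicit. process_ndpi_collected_info begins and ends outside these hunks.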
diff --git a/example/reader_util.h b/example/reader_util.h index c5c399cd5..3b185d347 100644 --- a/example/reader_util.h +++ b/example/reader_util.h @@ -214,30 +214,36 @@ typedef struct ndpi_flow_info { *pktlen_c_to_s, *pktlen_s_to_c; enum info_type info_type; + union { char info[256]; + struct { unsigned char auth_failed; char username[127]; char password[128]; } ftp_imap_pop_smtp; + struct { char domain[85]; char hostname[85]; char username[86]; } kerberos; + struct { char ip[16]; char port[6]; char hostname[48]; char fqdn[48]; } softether; + struct { char identity_uuid[36]; char machine[48]; char platform[32]; char services[48]; } tivoconnect; + struct { uint16_t result_code; uint16_t internal_port; @@ -289,6 +295,8 @@ typedef struct ndpi_flow_info { char *username, *password; } telnet; + ndpi_multimedia_flow_type multimedia_flow_type; + void *src_id, *dst_id; struct ndpi_entropy *entropy; diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index b04b8b644..a64601f3d 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -54,10 +54,17 @@ typedef enum { } ndpi_log_level_t; typedef enum { - ndpi_l4_proto_unknown = 0, - ndpi_l4_proto_tcp_only, - ndpi_l4_proto_udp_only, - ndpi_l4_proto_tcp_and_udp, + ndpi_multimedia_unknown_flow = 0, + ndpi_multimedia_audio_flow, + ndpi_multimedia_video_flow, + ndpi_multimedia_screen_sharing_flow, +} ndpi_multimedia_flow_type; + +typedef enum { + ndpi_l4_proto_unknown = 0, + ndpi_l4_proto_tcp_only, + ndpi_l4_proto_udp_only, + ndpi_l4_proto_tcp_and_udp, } ndpi_l4_proto_info; typedef enum { @@ -1437,6 +1444,14 @@ struct ndpi_flow_struct { char *nat_ip; /* Via HTTP X-Forwarded-For */ } http; + struct { + ndpi_multimedia_flow_type flow_type; + } skype_teams; + + struct { + ndpi_multimedia_flow_type flow_type; + } zoom; + /* Put outside of the union to avoid issues in case the protocol is remapped to something other than Kerberos due to a faulty 
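Review bot: The `skype_teams` and `zoom` structs added to `ndpi_flow_struct` in the `@@ -1437` hunk each hold the same single `ndpi_multimedia_flow_type flow_type` member, so every flow grows by two enum-sized fields to record a property that the reader code in reader_util.c treats as exclusive (it tests Zoom and Teams in an if/else chain). A single `ndpi_multimedia_flow_type multimedia_flow_type;` at the same position outside the `protos` union would cost half as much per flow and spare consumers the per-protocol dispatch. If the split is intentional, for example to leave room for other per-protocol data beside `flow_type`, a short comment on each struct saying so would help, since the surrounding comment only explains why members sit outside the union. The struct definition continues outside the hunk.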
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 9253d0f2a..b338839c8 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -2889,27 +2889,27 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs ndpi_exit_detection_module(ndpi_str); return(NULL); } - + ndpi_str->host_risk_mask_automa.ac_automa = ac_automata_init(ac_domain_match_handler); if(!ndpi_str->host_risk_mask_automa.ac_automa) { ndpi_exit_detection_module(ndpi_str); return(NULL); } - + ndpi_str->common_alpns_automa.ac_automa = ac_automata_init(ac_domain_match_handler); if(!ndpi_str->common_alpns_automa.ac_automa) { ndpi_exit_detection_module(ndpi_str); return(NULL); } - + load_common_alpns(ndpi_str); - + ndpi_str->tls_cert_subject_automa.ac_automa = ac_automata_init(NULL); if(!ndpi_str->tls_cert_subject_automa.ac_automa) { ndpi_exit_detection_module(ndpi_str); return(NULL); } - + ndpi_str->malicious_ja3_hashmap = NULL; /* Initialized on demand */ ndpi_str->malicious_sha1_hashmap = NULL; /* Initialized on demand */ ndpi_str->risky_domain_automa.ac_automa = NULL; /* Initialized on demand */ @@ -3214,23 +3214,23 @@ int ndpi_get_automa_stats(struct ndpi_detection_module_struct *ndpi_struct, case NDPI_AUTOMA_HOST: ndpi_automa_get_stats(ndpi_struct->host_automa.ac_automa, stats); return 0; - + case NDPI_AUTOMA_DOMAIN: ndpi_automa_get_stats(ndpi_struct->risky_domain_automa.ac_automa, stats); return 0; - + case NDPI_AUTOMA_TLS_CERT: ndpi_automa_get_stats(ndpi_struct->tls_cert_subject_automa.ac_automa, stats); return 0; - + case NDPI_AUTOMA_RISK_MASK: ndpi_automa_get_stats(ndpi_struct->host_risk_mask_automa.ac_automa, stats); return 0; - + case NDPI_AUTOMA_COMMON_ALPNS: ndpi_automa_get_stats(ndpi_struct->common_alpns_automa.ac_automa, stats); return 0; - + default: return -1; } @@ -6036,7 +6036,7 @@ static u_int32_t make_msteams_key(struct ndpi_flow_struct *flow, u_int8_t use_cl else key = ntohl(flow->s_address.v4); } - + return key; } 
@@ -6052,7 +6052,7 @@ static void ndpi_reconcile_msteams_udp(struct ndpi_detection_module_struct *ndpi u_int16_t dport = ntohs(flow->s_port); u_int8_t s_match = ((sport >= 3478) && (sport <= 3481)) ? 1 : 0; u_int8_t d_match = ((dport >= 3478) && (dport <= 3481)) ? 1 : 0; - + if(s_match || d_match) { ndpi_int_change_protocol(ndpi_str, flow, NDPI_PROTOCOL_SKYPE_TEAMS, flow->detected_protocol_stack[1], @@ -6065,7 +6065,7 @@ static void ndpi_reconcile_msteams_udp(struct ndpi_detection_module_struct *ndpi ndpi_get_current_time(flow)); } - } + } } /* ********************************************************************************* */ @@ -6077,22 +6077,13 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s /* This function can NOT access &ndpi_str->packet since it is called also from ndpi_detection_giveup() */ -#if 0 - if(flow) { - /* Do not go for DNS when there is an application protocol. Example DNS.Apple */ - if((flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) - && (flow->detected_protocol_stack[0] /* app */ != flow->detected_protocol_stack[1] /* major */)) - NDPI_CLR_BIT(flow->risk, NDPI_SUSPICIOUS_DGA_DOMAIN); - } -#endif - // printf("====>> %u.%u [%u]\n", ret->master_protocol, ret->app_protocol, flow->detected_protocol_stack[0]); switch(ret->app_protocol) { case NDPI_PROTOCOL_MICROSOFT_AZURE: ndpi_reconcile_msteams_udp(ndpi_str, flow); break; - + /* Skype for a host doing MS Teams means MS Teams (MS Teams uses Skype as transport protocol for voice/video) @@ -6113,7 +6104,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s if(flow && (flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_MICROSOFT_AZURE)) ndpi_reconcile_msteams_udp(ndpi_str, flow); break; - + case NDPI_PROTOCOL_NETFLOW: case NDPI_PROTOCOL_SFLOW: case NDPI_PROTOCOL_RTP: 
@@ -6138,7 +6129,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s && ndpi_str->msteams_cache ) { u_int16_t dummy; - + if(ndpi_lru_find_cache(ndpi_str->msteams_cache, make_msteams_key(flow, 1 /* client */), &dummy, 0 /* Don't remove it as it can be used for other connections */, @@ -6146,10 +6137,10 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s ndpi_int_change_protocol(ndpi_str, flow, NDPI_PROTOCOL_SKYPE_TEAMS, NDPI_PROTOCOL_TLS, NDPI_CONFIDENCE_DPI_PARTIAL); - } + } } break; - + case NDPI_PROTOCOL_SKYPE_TEAMS: case NDPI_PROTOCOL_SKYPE_TEAMS_CALL: if(flow->l4_proto == IPPROTO_UDP && ndpi_str->msteams_cache) { @@ -6167,6 +6158,32 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s ndpi_get_current_time(flow)); } } + + if(ret->app_protocol == NDPI_PROTOCOL_SKYPE_TEAMS_CALL) { + struct ndpi_packet_struct *packet = &ndpi_str->packet; + + if((packet != NULL) && (packet->udp != NULL)) { + u_int16_t sport = ntohs(packet->udp->source); + u_int16_t dport = ntohs(packet->udp->dest); + + /* + https://extremeportal.force.com/ExtrArticleDetail?an=000101782 + + Audio: UDP 50000-50019; 3478; 3479 + Video: UDP 50020-50039; 3480 + Sharing: UDP 50040-50059; 3481 + */ + + if((dport == 3478) || (dport == 3479) || ((sport >= 50000) && (sport <= 50019))) + flow->skype_teams.flow_type = ndpi_multimedia_audio_flow; + else if((dport == 3480) || ((sport >= 50020) && (sport <= 50039))) + flow->skype_teams.flow_type = ndpi_multimedia_video_flow; + else if((dport == 3481) || ((sport >= 50040) && (sport <= 50059))) + flow->skype_teams.flow_type = ndpi_multimedia_screen_sharing_flow; + else + flow->skype_teams.flow_type = ndpi_multimedia_unknown_flow; + } + } break; case NDPI_PROTOCOL_RDP: @@ -8057,7 +8074,7 @@ ndpi_protocol ndpi_guess_undetected_protocol_v4(struct ndpi_detection_module_str return(ret); } } - + return(ndpi_guess_undetected_protocol(ndpi_str, flow, proto)); } 
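Review bot: The new `NDPI_PROTOCOL_SKYPE_TEAMS_CALL` block in the `@@ -6167` hunk derives `sport`/`dport` from `ndpi_str->packet`, but the comment kept at the top of this function in the `@@ -6077` hunk states it is also called from `ndpi_detection_giveup()`, where there is no current packet; `packet` is the address of an embedded member and can never be NULL, so the `(packet != NULL) && (packet->udp != NULL)` guard only passes on whatever `udp` pointer the last processed packet left behind. Because the ports are read per packet, the classification also flips with direction: when this code runs on a server-to-client datagram, `sport` is 3478 and `dport` is in the 50000 range, no arm matches, and `flow->skype_teams.flow_type` is reset to `ndpi_multimedia_unknown_flow` after a client packet had set it. Taking the ports from the flow instead, as `ndpi_reconcile_msteams_udp` does with `flow->s_port`, removes both problems: `u_int16_t sport = ntohs(flow->c_port), dport = ntohs(flow->s_port);` under the `flow->l4_proto == IPPROTO_UDP` test this case already uses, with the `packet` pointer and its guard dropped. ndpi_reconcile_protocols starts outside the hunk.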
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 10328380c..8356c39b3 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -2995,3 +2995,4 @@ char* ndpi_intoav4(unsigned int addr, char* buf, u_int16_t bufLen) { return(cp); } + diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c index a0d6352f7..c727cca58 100644 --- a/src/lib/protocols/rtp.c +++ b/src/lib/protocols/rtp.c @@ -105,7 +105,8 @@ PACK_ON struct zoom_media_encapsulation { #define ZOOM_PORT 8801 -static u_int8_t isZoom(u_int16_t sport, u_int16_t dport, +static u_int8_t isZoom(struct ndpi_flow_struct *flow, + u_int16_t sport, u_int16_t dport, const u_int8_t *payload, const u_int16_t payloadLen, u_int8_t *is_rtp, u_int8_t *zoom_stream_type, u_int16_t *payload_offset) { @@ -118,7 +119,7 @@ static u_int8_t isZoom(u_int16_t sport, u_int16_t dport, if((sport == ZOOM_PORT) || (dport == ZOOM_PORT)) { struct zoom_sfu_encapsulation *enc = (struct zoom_sfu_encapsulation*)payload; - /* traceEvent(TRACE_NORMAL, "==> %u <-> %u [type: %u]", sport, dport, enc->sfu_type); */ + /* printf("==> %u <-> %u [type: %u]\n", sport, dport, enc->sfu_type); */ if((enc->sfu_type >= 3) && (enc->sfu_type <= 5)) { struct zoom_media_encapsulation *enc = (struct zoom_media_encapsulation*)(&payload[sizeof(struct zoom_sfu_encapsulation)]); @@ -130,16 +131,19 @@ static u_int8_t isZoom(u_int16_t sport, u_int16_t dport, case 30: /* Screen Share */ *is_rtp = 0; *payload_offset = 27; + flow->zoom.flow_type = ndpi_multimedia_screen_sharing_flow; break; case 15: /* Audio */ *is_rtp = 1; *payload_offset = 27; + flow->zoom.flow_type = ndpi_multimedia_audio_flow; break; case 16: /* Video */ *is_rtp = 1; *payload_offset = 32; + flow->zoom.flow_type = ndpi_multimedia_video_flow; break; case 33: /* RTCP */ 
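Review bot: `isZoom` now writes `flow->zoom.flow_type` as a side effect of what reads as a pure predicate, and it already reports the stream to its caller through the `*zoom_stream_type` out-parameter (assuming that parameter carries the 15/16/30 code handled by the cases in the `@@ -130` hunk); setting the flow field in `ndpi_rtp_search` from `zoom_stream_type` after the call in the `@@ -181` hunk would keep `isZoom` free of flow state and make the new `flow` parameter unnecessary. If the parameter stays, a one-line comment above the function, `/* Side effect: records the media stream type in flow->zoom.flow_type */`, would document the coupling for the next reader. isZoom's body continues past the hunk.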
@@ -181,7 +185,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, return; } - if(isZoom(s_port, d_port, payload, payload_len, + if(isZoom(flow, s_port, d_port, payload, payload_len, &is_rtp, &zoom_stream_type, &payload_offset)) { if(payload_offset < payload_len) { /* diff --git a/tests/cfgs/caches_cfg/result/teams.pcap.out b/tests/cfgs/caches_cfg/result/teams.pcap.out index 1b75d4976..0270bd2c0 100644 --- a/tests/cfgs/caches_cfg/result/teams.pcap.out +++ b/tests/cfgs/caches_cfg/result/teams.pcap.out 
@@ -96,7 +96,7 @@ JA3 Host Stats: 48 UDP 93.71.110.205:16333 <-> 192.168.1.6:50036 [proto: 78.38/STUN.Skype_TeamsCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][3 pkts/414 bytes <-> 5 pkts/634 bytes][Goodput ratio: 69/67][2.31 sec][bytes ratio: -0.210 (Download)][IAT c2s/s2c min/avg/max/stddev: 101/15 634/572 1166/1168 532/565][Pkt Len c2s/s2c min/avg/max/stddev: 130/88 138/127 154/158 11/27][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][Plen Bins: 0,25,37,37,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 49 UDP 192.168.1.6:50016 -> 192.168.0.4:50005 [proto: 78.38/STUN.Skype_TeamsCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][5 pkts/770 bytes -> 0 pkts/0 bytes][Goodput ratio: 73/0][1.22 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 50 UDP 192.168.1.6:50036 -> 192.168.0.4:50020 [proto: 78.38/STUN.Skype_TeamsCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][5 pkts/770 bytes -> 0 pkts/0 bytes][Goodput ratio: 73/0][1.22 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 51 UDP 192.168.1.6:50016 <-> 52.114.250.123:3478 [proto: 78.38/STUN.Skype_TeamsCall][IP: 276/Azure][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][1 pkts/110 bytes <-> 2 pkts/424 bytes][Goodput ratio: 61/80][0.12 sec][PLAIN TEXT (The request did not contain a M)][Plen Bins: 0,0,33,0,33,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 51 UDP 192.168.1.6:50016 <-> 52.114.250.123:3478 [proto: 
78.38/STUN.Skype_TeamsCall][IP: 276/Azure][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][1 pkts/110 bytes <-> 2 pkts/424 bytes][Goodput ratio: 61/80][0.12 sec][PLAIN TEXT (The request did not contain a M)][Plen Bins: 0,0,33,0,33,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 52 UDP 192.168.1.6:50036 <-> 52.114.250.123:3478 [proto: 78.38/STUN.Skype_TeamsCall][IP: 276/Azure][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][1 pkts/110 bytes <-> 2 pkts/424 bytes][Goodput ratio: 61/80][0.12 sec][PLAIN TEXT (The request did not contain a M)][Plen Bins: 0,0,33,0,33,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 53 UDP 192.168.1.6:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Cloud/13][1 pkts/527 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][< 1 sec][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 54 UDP 192.168.1.6:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Cloud/13][1 pkts/527 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][< 1 sec][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/zoom2.pcap.out b/tests/cfgs/default/result/zoom2.pcap.out index 8b9ff7534..1a4647522 100644 --- a/tests/cfgs/default/result/zoom2.pcap.out +++ b/tests/cfgs/default/result/zoom2.pcap.out 
@@ -32,6 +32,6 @@ JA3 Host Stats: 1 UDP 192.168.1.178:58117 <-> 144.195.73.154:8801 [proto: 338.189/SRTP.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][1283 pkts/302584 bytes <-> 947 pkts/159626 bytes][Goodput ratio: 82/75][39.98 sec][bytes ratio: 0.309 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 28/36 141/131 26/34][Pkt Len c2s/s2c min/avg/max/stddev: 106/60 236/169 376/369 87/64][PLAIN TEXT (replace)][Plen Bins: 0,1,64,18,7,0,0,4,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 2 UDP 192.168.1.178:60653 <-> 144.195.73.154:8801 [proto: 338.189/SRTP.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][43 pkts/41804 bytes <-> 128 pkts/129769 bytes][Goodput ratio: 96/96][1.32 sec][bytes ratio: -0.513 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 19/9 101/100 25/11][Pkt Len c2s/s2c min/avg/max/stddev: 165/60 972/1014 1078/1279 292/263][PLAIN TEXT (replace)][Plen Bins: 1,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,85,0,1,0,0,5,0,0,0,0,0,0,0,0,0,0] - 3 UDP 192.168.1.178:57953 <-> 144.195.73.154:8801 [proto: 338.189/SRTP.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][43 pkts/5229 bytes <-> 44 pkts/4520 bytes][Goodput ratio: 65/59][39.68 sec][bytes ratio: 0.073 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 941/849 3580/3749 1440/1522][Pkt Len c2s/s2c min/avg/max/stddev: 69/60 122/103 185/133 41/28][PLAIN TEXT (replace)][Plen Bins: 35,2,43,13,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 UDP 192.168.1.178:57953 <-> 144.195.73.154:8801 [proto: 338.189/SRTP.Zoom][IP: 189/Zoom][Stream Content: Screen Sharing][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][43 pkts/5229 bytes <-> 44 pkts/4520 bytes][Goodput ratio: 65/59][39.68 sec][bytes ratio: 0.073 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 941/849 3580/3749 1440/1522][Pkt Len c2s/s2c min/avg/max/stddev: 69/60 122/103 185/133 
41/28][PLAIN TEXT (replace)][Plen Bins: 35,2,43,13,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 TCP 192.168.1.178:50076 <-> 144.195.73.154:443 [proto: 91.189/TLS.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 8][cat: Video/26][12 pkts/3043 bytes <-> 8 pkts/5520 bytes][Goodput ratio: 74/90][0.73 sec][Hostname/SNI: zoomsjccv154mmr.sjc.zoom.us][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.289 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 72/58 175/174 83/82][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 254/690 1506/1506 404/622][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 832952db10f1453442636675bed2702b][ServerNames: *.sjc.zoom.us][JA3S: 8aca82d60194883e764ab2743e60c380][Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1][Subject: C=US, ST=California, L=San Jose, O=Zoom Video Communications, Inc., CN=*.sjc.zoom.us][Certificate SHA-1: 43:42:0A:34:FD:F6:7A:FC:E9:C1:95:D8:E0:79:7E:17:B9:65:B0:A7][Firefox][Validity: 2021-04-13 00:00:00 - 2022-04-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,10,10,10,10,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,30,0,0] 5 ICMP 192.168.1.178:0 -> 144.195.73.154:0 [proto: 81/ICMP][IP: 189/Zoom][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][6 pkts/420 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][0.15 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 30/0 73/0 21/0][Pkt Len c2s/s2c min/avg/max/stddev: 70/0 70/0 70/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |