diff options
| -rw-r--r-- | example/ndpiReader.c | 4 | ||||
| -rw-r--r-- | python/ndpi.py | 1 | ||||
| -rw-r--r-- | python/ndpi_typestruct.py | 1 | ||||
| -rw-r--r-- | src/include/ndpi_api.h.in | 22 | ||||
| -rw-r--r-- | src/include/ndpi_protocol_ids.h | 2 | ||||
| -rw-r--r-- | src/include/ndpi_typedefs.h | 1 | ||||
| -rw-r--r-- | src/lib/ndpi_main.c | 61 | ||||
| -rw-r--r-- | src/lib/protocols/http.c | 12 | ||||
| -rw-r--r-- | tests/pcap/ocsp.pcapng | bin | 0 -> 85580 bytes | |||
| -rw-r--r-- | tests/result/ocsp.pcapng.out | 19 |
10 files changed, 50 insertions, 73 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c index d421e45dd..446d51a90 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -285,7 +285,6 @@ void ndpiCheckHostStringMatch(char *testChar) { ndpi_protocol_match_result match = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_UNRATED }; int testRes; - u_int8_t is_host_match = 1; char appBufStr[64]; ndpi_protocol detected_protocol; struct ndpi_detection_module_struct *ndpi_str; @@ -302,8 +301,7 @@ void ndpiCheckHostStringMatch(char *testChar) { // ac_automata_display( module->host_automa.ac_automa, 'n'); testRes = ndpi_match_string_subprotocol(ndpi_str, - testChar, strlen(testChar), &match, - is_host_match); + testChar, strlen(testChar), &match); if(testRes) { memset( &detected_protocol, 0, sizeof(ndpi_protocol) ); diff --git a/python/ndpi.py b/python/ndpi.py index 653f7a4b7..48103e777 100644 --- a/python/ndpi.py +++ b/python/ndpi.py @@ -889,7 +889,6 @@ struct ndpi_detection_module_struct { /* HTTP/DNS/HTTPS host matching */ ndpi_automa host_automa, /* Used for DNS/HTTPS */ - content_automa, /* Used for HTTP subprotocol_detection */ bigrams_automa, impossible_bigrams_automa; /* TOR */ /* IMPORTANT: please update ndpi_finalize_initalization() whenever you add a new automa */ diff --git a/python/ndpi_typestruct.py b/python/ndpi_typestruct.py index b56029584..606bf6576 100644 --- a/python/ndpi_typestruct.py +++ b/python/ndpi_typestruct.py @@ -251,7 +251,6 @@ NDPIDetectionModuleStruct._fields_ = [ ("ndpi_num_supported_protocols", c_uint), ("ndpi_num_custom_protocols", c_uint), ("host_automa", NDPIAutoma), - ("content_automa", NDPIAutoma), ("bigrams_automa", NDPIAutoma), ("impossible_bigrams_automa", NDPIAutoma), ("custom_categories", CustomCategories), diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in index 68dd320a4..0ace029d0 100644 --- a/src/include/ndpi_api.h.in +++ b/src/include/ndpi_api.h.in @@ -424,7 +424,6 @@ extern "C" { * @par string_to_match = the string to match * @par string_to_match_len = the length of the string * @par ret_match = completed returned match information - * @par is_host_match = value of the second field of struct ndpi_automa * @return the ID of the matched subprotocol; * -1 if automa is not finalized; * -2 if automa==NULL or string_to_match==NULL or empty string_to_match @@ -433,8 +432,7 @@ extern "C" { int ndpi_match_string_subprotocol(struct ndpi_detection_module_struct *ndpi_struct, char *string_to_match, u_int string_to_match_len, - ndpi_protocol_match_result *ret_match, - u_int8_t is_host_match); + ndpi_protocol_match_result *ret_match); /** * Check if the host passed match with a protocol * @@ -465,24 +463,6 @@ extern "C" { struct ndpi_flow_struct *flow, u_int16_t subprotocol_id); /** - * Check if the string content passed match with a protocol - * - * @par ndpi_struct = the detection module - * @par flow = the flow where match the host - * @par string_to_match = the string to match - * @par string_to_match_len = the length of the string - * @par ret_match = completed returned match information - * @par master_protocol_id = value of the ID associated to the master protocol detected - * @return the ID of the matched subprotocol - * - */ - u_int16_t ndpi_match_content_subprotocol(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - char *string_to_match, - u_int string_to_match_len, - ndpi_protocol_match_result *ret_match, - u_int16_t master_protocol_id); - /** * Exclude protocol from search * * @par ndpi_struct = the detection module diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index 44d64bde2..020328f28 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -91,7 +91,7 @@ typedef enum { NDPI_PROTOCOL_MONGODB = 60, /* Leonn Paiva <leonn.paiva@gmail.com> */ NDPI_PROTOCOL_QQLIVE = 61, NDPI_PROTOCOL_THUNDER = 62, - NDPI_PROTOCOL_FREE = 63, /* FREE */ + NDPI_PROTOCOL_OCSP = 63, NDPI_PROTOCOL_PS_VUE = 64, NDPI_PROTOCOL_IRC = 65, NDPI_PROTOCOL_AYIYA = 66, diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index c2e4ebd6b..a57988feb 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1086,7 +1086,6 @@ struct ndpi_detection_module_struct { int ac_automa_finalized; /* HTTP/DNS/HTTPS/QUIC host matching */ ndpi_automa host_automa, /* Used for DNS/HTTPS */ - content_automa, /* Used for HTTP subprotocol_detection */ risky_domain_automa, tls_cert_subject_automa, malicious_ja3_automa, malicious_sha1_automa, host_risk_mask_automa, common_alpns_automa; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 0ab5e6c9a..20dd05f19 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1136,8 +1136,8 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp "Thunder", NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); - ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_FREE, - "FREE", NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, + ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_OCSP, + "OCSP", NDPI_PROTOCOL_CATEGORY_NETWORK, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_PS_VUE, @@ -2352,7 +2352,6 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs ndpi_str->ndpi_num_custom_protocols = 0; ndpi_str->host_automa.ac_automa = ac_automata_init(ac_domain_match_handler); - ndpi_str->content_automa.ac_automa = ac_automata_init(ac_domain_match_handler); ndpi_str->host_risk_mask_automa.ac_automa = ac_automata_init(ac_domain_match_handler); ndpi_str->common_alpns_automa.ac_automa = ac_automata_init(ac_domain_match_handler); load_common_alpns(ndpi_str); @@ -2385,9 +2384,6 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs if(ndpi_str->tls_cert_subject_automa.ac_automa) ac_automata_feature(ndpi_str->tls_cert_subject_automa.ac_automa,AC_FEATURE_LC); - if(ndpi_str->content_automa.ac_automa) - ac_automata_feature(ndpi_str->content_automa.ac_automa,AC_FEATURE_LC); - if(ndpi_str->host_risk_mask_automa.ac_automa) ac_automata_feature(ndpi_str->host_risk_mask_automa.ac_automa,AC_FEATURE_LC); @@ -2408,9 +2404,6 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs if(ndpi_str->tls_cert_subject_automa.ac_automa) ac_automata_name(ndpi_str->tls_cert_subject_automa.ac_automa,"tls_cert",AC_FEATURE_DEBUG); - if(ndpi_str->content_automa.ac_automa) - ac_automata_name(ndpi_str->content_automa.ac_automa,"content",AC_FEATURE_DEBUG); - if(ndpi_str->host_risk_mask_automa.ac_automa) ac_automata_name(ndpi_str->host_risk_mask_automa.ac_automa,"content",AC_FEATURE_DEBUG); @@ -2447,26 +2440,22 @@ void ndpi_finalize_initialization(struct ndpi_detection_module_struct *ndpi_str) break; case 1: - automa = &ndpi_str->content_automa; - break; - - case 2: automa = &ndpi_str->tls_cert_subject_automa; break; - case 3: + case 2: automa = &ndpi_str->malicious_ja3_automa; break; - case 4: + case 3: automa = &ndpi_str->malicious_sha1_automa; break; - case 5: + case 4: automa = &ndpi_str->host_risk_mask_automa; break; - case 6: + case 5: automa = &ndpi_str->common_alpns_automa; break; @@ -2715,9 +2704,6 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) { ac_automata_release((AC_AUTOMATA_t *) ndpi_str->host_automa.ac_automa, 1 /* free patterns strings memory */); - if(ndpi_str->content_automa.ac_automa != NULL) - ac_automata_release((AC_AUTOMATA_t *) ndpi_str->content_automa.ac_automa, 0); - if(ndpi_str->risky_domain_automa.ac_automa != NULL) ac_automata_release((AC_AUTOMATA_t *) ndpi_str->risky_domain_automa.ac_automa, 1 /* free patterns strings memory */); @@ -6881,9 +6867,8 @@ int ndpi_match_prefix(const u_int8_t *payload, /* ****************************************************** */ int ndpi_match_string_subprotocol(struct ndpi_detection_module_struct *ndpi_str, char *string_to_match, - u_int string_to_match_len, ndpi_protocol_match_result *ret_match, - u_int8_t is_host_match) { - ndpi_automa *automa = is_host_match ? &ndpi_str->host_automa : &ndpi_str->content_automa; + u_int string_to_match_len, ndpi_protocol_match_result *ret_match) { + ndpi_automa *automa = &ndpi_str->host_automa; int rc; if((automa->ac_automa == NULL) || (string_to_match_len == 0)) @@ -6918,11 +6903,11 @@ static u_int8_t ndpi_is_more_generic_protocol(u_int16_t previous_proto, u_int16_ static u_int16_t ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, char *string_to_match, u_int string_to_match_len, u_int16_t master_protocol_id, - ndpi_protocol_match_result *ret_match, u_int8_t is_host_match) { + ndpi_protocol_match_result *ret_match) { int matching_protocol_id; matching_protocol_id = - ndpi_match_string_subprotocol(ndpi_str, string_to_match, string_to_match_len, ret_match, is_host_match); + ndpi_match_string_subprotocol(ndpi_str, string_to_match, string_to_match_len, ret_match); if(matching_protocol_id < 0) return NDPI_PROTOCOL_UNKNOWN; @@ -6953,8 +6938,15 @@ static u_int16_t ndpi_automa_match_string_subprotocol(struct ndpi_detection_modu } #ifdef DEBUG - string_to_match[string_to_match_len] = '\0'; - NDPI_LOG_DBG2(ndpi_str, "[NTOP] Unable to find a match for '%s'\n", string_to_match); + { + char m[256]; + int len = ndpi_min(sizeof(m), string_to_match_len); + + strncpy(m, string_to_match, len); + m[len] = '\0'; + + NDPI_LOG_DBG2(ndpi_str, "[NTOP] Unable to find a match for '%s'\n", m); + } #endif ret_match->protocol_id = NDPI_PROTOCOL_UNKNOWN, ret_match->protocol_category = NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, @@ -6985,7 +6977,7 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_ ndpi_protocol_category_t id; rc = ndpi_automa_match_string_subprotocol(ndpi_str, flow, string_to_match, string_to_match_len, - master_protocol_id, ret_match, 1); + master_protocol_id, ret_match); id = ret_match->protocol_category; if(ndpi_get_custom_category_match(ndpi_str, string_to_match, string_to_match_len, &id) != -1) { @@ -7035,17 +7027,6 @@ int ndpi_match_hostname_protocol(struct ndpi_detection_module_struct *ndpi_struc /* ****************************************************** */ -u_int16_t ndpi_match_content_subprotocol(struct ndpi_detection_module_struct *ndpi_str, - struct ndpi_flow_struct *flow, - char *string_to_match, u_int string_to_match_len, - ndpi_protocol_match_result *ret_match, - u_int16_t master_protocol_id) { - return(ndpi_automa_match_string_subprotocol(ndpi_str, flow, string_to_match, string_to_match_len, - master_protocol_id, ret_match, 0)); -} - -/* ****************************************************** */ - static inline int ndpi_match_xgram(unsigned int *map,unsigned int l,const char *str) { unsigned int i,c; for(i=0,c=0; *str && i < l; i++) { @@ -7527,7 +7508,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, if(flow && (flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN)) return(0); /* Ignore DGA check for protocols already fully detected */ - if(ndpi_match_string_subprotocol(ndpi_str, name, strlen(name), &ret_match, 1) > 0) + if(ndpi_match_string_subprotocol(ndpi_str, name, strlen(name), &ret_match) > 0) return(0); /* Ignore DGA for known domain names */ if(isdigit(name[0])) { diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index bb5b38eed..932b0f451 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -682,11 +682,13 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } if(flow->http_detected && packet->content_line.ptr && *(char*)packet->content_line.ptr) { - ndpi_protocol_match_result ret_match; - - ndpi_match_content_subprotocol(ndpi_struct, flow, - (char*)packet->content_line.ptr, packet->content_line.len, - &ret_match, NDPI_PROTOCOL_HTTP); + /* Matching on Content-Type. + OCSP: application/ocsp-request, application/ocsp-response + */ + if(strncmp((const char *)packet->content_line.ptr, "application/ocsp-", 17) == 0) { + NDPI_LOG_DBG2(ndpi_struct, "Found OCSP\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OCSP, NDPI_PROTOCOL_HTTP); + } } } diff --git a/tests/pcap/ocsp.pcapng b/tests/pcap/ocsp.pcapng Binary files differnew file mode 100644 index 000000000..6c4a84498 --- /dev/null +++ b/tests/pcap/ocsp.pcapng diff --git a/tests/result/ocsp.pcapng.out b/tests/result/ocsp.pcapng.out new file mode 100644 index 000000000..0ef35d743 --- /dev/null +++ b/tests/result/ocsp.pcapng.out @@ -0,0 +1,19 @@ +Guessed flow protos: 0 + +DPI Packets (TCP): 60 (6.00 pkts/flow) + +HTTP 23 10871 1 +OCSP 239 49474 7 +Google 50 8108 1 +AmazonAWS 32 5194 1 + + 1 TCP 192.168.1.128:49034 <-> 23.12.96.145:80 [proto: 7.63/HTTP.OCSP][ClearText][cat: Network/14][24 pkts/3999 bytes <-> 22 pkts/8476 bytes][Goodput ratio: 29/69][117.30 sec][Host: ocsp.entrust.net][bytes ratio: -0.359 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5094/5187 10241/10241 4906/5058][Pkt Len c2s/s2c min/avg/max/stddev: 118/118 167/385 505/1566 128/500][URL: ocsp.entrust.net/][StatusCode: 200][Req Content-Type: application/ocsp-request][Content-Type: application/ocsp-response][User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0][PLAIN TEXT (BHPOST / HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0] + 2 TCP 192.168.1.227:49813 <-> 109.70.240.130:80 [proto: 7/HTTP][ClearText][cat: Web/5][10 pkts/2245 bytes <-> 13 pkts/8626 bytes][Goodput ratio: 51/84][65.14 sec][Host: ocsp07.actalis.it][bytes ratio: -0.587 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/8 28/36 10/15][Pkt Len c2s/s2c min/avg/max/stddev: 112/112 224/664 491/1566 171/540][URL: ocsp07.actalis.it/VA/AUTH-ROOT/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSw4x5v4bTlizjNRmTdkYSy7q0R9gQUUtiIOsifeGbtifN7OHCUyQICNtACEEWXMtjzGMt1k6L0aA%2BQ6tk%3D][StatusCode: 200][Content-Type: application/ocsp-response][User-Agent: Microsoft-CryptoAPI/10.0][PLAIN TEXT (GET /VA/AUTH)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,41,8,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0] + 3 TCP 192.168.1.128:47904 <-> 93.184.220.29:80 [proto: 7.63/HTTP.OCSP][ClearText][cat: Network/14][27 pkts/4355 bytes <-> 23 pkts/5119 bytes][Goodput ratio: 27/47][166.99 sec][Host: ocsp.digicert.com][bytes ratio: -0.081 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/0 6194/7858 10240/10240 4838/4216][Pkt Len c2s/s2c min/avg/max/stddev: 118/118 161/223 505/917 122/269][URL: ocsp.digicert.com/][StatusCode: 200][Req Content-Type: application/ocsp-request][Content-Type: application/ocsp-response][User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0][PLAIN TEXT (POST / HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 TCP 192.168.1.128:54154 <-> 142.250.184.99:80 [proto: 7.126/HTTP.Google][ClearText][cat: Web/5][26 pkts/3864 bytes <-> 24 pkts/4244 bytes][Goodput ratio: 20/33][193.02 sec][Host: ocsp.pki.goog][bytes ratio: -0.047 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/7 7460/8270 10243/10242 4397/3814][Pkt Len c2s/s2c min/avg/max/stddev: 118/118 149/177 512/820 105/194][URL: ocsp.pki.goog/gts1o1core][StatusCode: 200][Content-Type: application/ocsp-response][User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0][PLAIN TEXT (POST /gts)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 TCP 192.168.1.128:43728 <-> 92.122.95.235:80 [proto: 7.63/HTTP.OCSP][ClearText][cat: Network/14][19 pkts/3022 bytes <-> 17 pkts/3792 bytes][Goodput ratio: 26/47][123.97 sec][Host: r3.o.lencr.org][bytes ratio: -0.113 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 6898/7491 10244/10244 4464/4342][Pkt Len c2s/s2c min/avg/max/stddev: 118/118 159/223 504/1007 118/286][URL: r3.o.lencr.org/][StatusCode: 200][Req Content-Type: application/ocsp-request][Content-Type: application/ocsp-response][User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0][PLAIN TEXT (xPOST / HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 TCP 192.168.1.128:59922 <-> 151.101.2.133:80 [proto: 7.63/HTTP.OCSP][ClearText][cat: Network/14][18 pkts/2533 bytes <-> 17 pkts/4012 bytes][Goodput ratio: 16/50][115.14 sec][Host: ocsp.globalsign.com][bytes ratio: -0.226 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 6576/7043 10240/10240 4898/4566][Pkt Len c2s/s2c min/avg/max/stddev: 118/118 141/236 519/1462 92/343][URL: ocsp.globalsign.com/gsrsaovsslca2018][StatusCode: 200][Req Content-Type: application/ocsp-request][Content-Type: application/ocsp-response][User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0][PLAIN TEXT (JiZPOST /gsrsaovsslca)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0] + 7 TCP 192.168.1.128:45514 <-> 109.70.240.114:80 [proto: 7.63/HTTP.OCSP][ClearText][cat: Network/14][12 pkts/1823 bytes <-> 12 pkts/3749 bytes][Goodput ratio: 22/62][65.05 sec][Host: ocsp09.actalis.it][bytes ratio: -0.346 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5666/5124 10241/10241 5060/5116][Pkt Len c2s/s2c min/avg/max/stddev: 118/118 152/312 517/1566 110/448][URL: ocsp09.actalis.it/VA/AUTHOV-G3][StatusCode: 200][Req Content-Type: application/ocsp-request][Content-Type: application/ocsp-response][User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0][PLAIN TEXT (POST /VA/AUTHOV)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0] + 8 TCP 192.168.1.128:49382 <-> 52.85.15.92:80 [proto: 7.265/HTTP.AmazonAWS][ClearText][cat: Cloud/13][17 pkts/2410 bytes <-> 15 pkts/2784 bytes][Goodput ratio: 16/36][115.66 sec][Host: ocsp.sca1b.amazontrust.com][bytes ratio: -0.072 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/17 7320/8368 10240/10240 4401/3916][Pkt Len c2s/s2c min/avg/max/stddev: 118/118 142/186 514/1124 93/251][URL: ocsp.sca1b.amazontrust.com/][StatusCode: 200][Content-Type: application/ocsp-response][User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0][PLAIN TEXT (KPOST / HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 TCP 192.168.1.128:34320 <-> 151.139.128.14:80 [proto: 7.63/HTTP.OCSP][ClearText][cat: Network/14][12 pkts/1817 bytes <-> 12 pkts/2623 bytes][Goodput ratio: 22/46][65.10 sec][Host: geant.ocsp.sectigo.com][bytes ratio: -0.182 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 5676/5133 10240/10240 5053/5106][Pkt Len c2s/s2c min/avg/max/stddev: 118/118 151/219 511/846 108/229][URL: geant.ocsp.sectigo.com/][StatusCode: 200][Req Content-Type: application/ocsp-request][Content-Type: application/ocsp-response][User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0][PLAIN TEXT (WPOST / HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,33,0,33,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 10 TCP 192.168.1.128:34340 <-> 151.139.128.14:80 [proto: 7.63/HTTP.OCSP][ClearText][cat: Network/14][12 pkts/1813 bytes <-> 12 pkts/2341 bytes][Goodput ratio: 21/39][65.09 sec][Host: ocsp.usertrust.com][bytes ratio: -0.127 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 5681/5127 10240/10240 5067/5111][Pkt Len c2s/s2c min/avg/max/stddev: 118/118 151/195 507/590 107/171][URL: ocsp.usertrust.com/][StatusCode: 200][Req Content-Type: application/ocsp-request][Content-Type: application/ocsp-response][User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0][PLAIN TEXT (sPOST / HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,33,33,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |