diff options
91 files changed, 851 insertions, 608 deletions
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml index 62f0d417c..d519d7302 100644 --- a/.github/workflows/cifuzz.yml +++ b/.github/workflows/cifuzz.yml @@ -18,7 +18,7 @@ jobs: uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master with: oss-fuzz-project-name: 'ndpi' - fuzz-seconds: 1200 + fuzz-seconds: 1320 dry-run: false sanitizer: ${{ matrix.sanitizer }} - name: Check Crash (fails when a crash is detected) diff --git a/.gitignore b/.gitignore index c494b9ff7..b0054952b 100644 --- a/.gitignore +++ b/.gitignore @@ -76,6 +76,8 @@ /fuzz/fuzz_binaryfusefilter /fuzz/fuzz_tls_certificate /fuzz/fuzz_dga +/fuzz/fuzz_is_stun_udp +/fuzz/fuzz_is_stun_tcp /fuzz/fuzz_ds_cmsketch /fuzz/fuzz_gcrypt_light /fuzz/fuzz_gcrypt_aes @@ -91,6 +93,8 @@ /fuzz/fuzz_quic_get_crypto_data_seed_corpus.zip /fuzz/fuzz_config_seed_corpus.zip /fuzz/fuzz_community_id_seed_corpus.zip +/fuzz/fuzz_is_stun_udp_seed_corpus.zip +/fuzz/fuzz_is_stun_tcp_seed_corpus.zip /fuzz/fuzz_serialization_seed_corpus.zip /fuzz/fuzz_alg_ses_des_seed_corpus.zip /fuzz/fuzz_alg_bins_seed_corpus.zip diff --git a/doc/protocols.rst b/doc/protocols.rst index bc819801a..4c05cef45 100644 --- a/doc/protocols.rst +++ b/doc/protocols.rst @@ -179,4 +179,13 @@ References: `Main site <https://ethereum.org/en/developers/docs/intro-to-ethereu Notes: -- same as Bitcoin, not each crypto exchange is a mining, it could be a normal transaction, sending or receving or even blockchain exploration.
\ No newline at end of file +- same as Bitcoin, not each crypto exchange is a mining, it could be a normal transaction, sending or receving or even blockchain exploration. + + +.. _Proto 355: + +`NDPI_PROTOCOL_TELEGRAM_VOIP` +============================ +Audio/video calls made using the Telegram app. + +References: `Wikipedia <https://en.wikipedia.org/wiki/Telegram_(software)/>`_. diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am index 360b39a46..2cb21cc21 100644 --- a/fuzz/Makefile.am +++ b/fuzz/Makefile.am @@ -1,4 +1,4 @@ -bin_PROGRAMS = fuzz_process_packet fuzz_ndpi_reader fuzz_ndpi_reader_alloc_fail fuzz_ndpi_reader_payload_analyzer fuzz_quic_get_crypto_data fuzz_config fuzz_community_id fuzz_serialization fuzz_tls_certificate fuzz_dga +bin_PROGRAMS = fuzz_process_packet fuzz_ndpi_reader fuzz_ndpi_reader_alloc_fail fuzz_ndpi_reader_payload_analyzer fuzz_quic_get_crypto_data fuzz_config fuzz_community_id fuzz_serialization fuzz_tls_certificate fuzz_dga fuzz_is_stun_udp fuzz_is_stun_tcp #Alghoritms bin_PROGRAMS += fuzz_alg_bins fuzz_alg_hll fuzz_alg_hw_rsi_outliers_da fuzz_alg_jitter fuzz_alg_ses_des fuzz_alg_crc32_md5 fuzz_alg_bytestream #Data structures @@ -412,6 +412,32 @@ fuzz_dga_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \ $(fuzz_dga_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@ +fuzz_is_stun_udp_SOURCES = fuzz_is_stun.c fuzz_common_code.c +fuzz_is_stun_udp_CFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS) +fuzz_is_stun_udp_LDADD = ../src/lib/libndpi.a $(ADDITIONAL_LIBS) +fuzz_is_stun_udp_LDFLAGS = $(LIBS) +if HAS_FUZZLDFLAGS +fuzz_is_stun_udp_CFLAGS += $(LIB_FUZZING_ENGINE) +fuzz_is_stun_udp_LDFLAGS += $(LIB_FUZZING_ENGINE) +endif +# force usage of CXX for linker +fuzz_is_stun_udp_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \ + $(fuzz_is_stun_udp_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@ + +fuzz_is_stun_tcp_SOURCES = fuzz_is_stun.c fuzz_common_code.c +fuzz_is_stun_tcp_CFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS) -DSTUN_TCP +fuzz_is_stun_tcp_LDADD = ../src/lib/libndpi.a $(ADDITIONAL_LIBS) +fuzz_is_stun_tcp_LDFLAGS = $(LIBS) +if HAS_FUZZLDFLAGS +fuzz_is_stun_tcp_CFLAGS += $(LIB_FUZZING_ENGINE) +fuzz_is_stun_tcp_LDFLAGS += $(LIB_FUZZING_ENGINE) +endif +# force usage of CXX for linker +fuzz_is_stun_tcp_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \ + $(fuzz_is_stun_tcp_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@ + fuzz_gcrypt_light_SOURCES = fuzz_gcrypt_light.cpp fuzz_common_code.c fuzz_gcrypt_light_CXXFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS) -I ../src/lib/third_party/include/ fuzz_gcrypt_light_CFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS) -I ../src/lib/third_party/include/ @@ -555,10 +581,17 @@ fuzz_serialization_seed_corpus.zip: $(files_corpus_fuzz_serialization) zip -j fuzz_serialization_seed_corpus.zip $(files_corpus_fuzz_serialization) files_corpus_fuzz_community_id := $(wildcard corpus/fuzz_community_id/*) - fuzz_community_id_seed_corpus.zip: $(files_corpus_fuzz_community_id) zip -j fuzz_community_id_seed_corpus.zip $(files_corpus_fuzz_community_id) +files_corpus_fuzz_is_stun_udp := $(wildcard corpus/fuzz_is_stun_udp/*) +fuzz_is_stun_udp_seed_corpus.zip: $(files_corpus_fuzz_is_stun_udp) + zip -j fuzz_is_stun_udp_seed_corpus.zip $(files_corpus_fuzz_is_stun_udp) + +files_corpus_fuzz_is_stun_tcp := $(wildcard corpus/fuzz_is_stun_tcp/*) +fuzz_is_stun_tcp_seed_corpus.zip: $(files_corpus_fuzz_is_stun_tcp) + zip -j fuzz_is_stun_tcp_seed_corpus.zip $(files_corpus_fuzz_is_stun_tcp) + files_corpus_fuzz_ds_patricia := $(wildcard corpus/fuzz_ds_patricia/*) fuzz_ds_patricia_seed_corpus.zip: $(files_corpus_fuzz_ds_patricia) zip -j fuzz_ds_patricia_seed_corpus.zip $(files_corpus_fuzz_ds_patricia) @@ -639,7 +672,7 @@ files_corpus_fuzz_ds_domain_classify := $(wildcard corpus/fuzz_ds_domain_classi fuzz_ds_domain_classify_seed_corpus.zip: $(files_corpus_fuzz_ds_domain_classify) zip -j fuzz_ds_domain_classify_seed_corpus.zip $(files_corpus_fuzz_ds_domain_classify) -corpus: fuzz_ndpi_reader_seed_corpus.zip fuzz_ndpi_reader_alloc_fail_seed_corpus.zip fuzz_ndpi_reader_payload_analyzer_seed_corpus.zip fuzz_quic_get_crypto_data_seed_corpus.zip fuzz_config_seed_corpus.zip fuzz_ds_patricia_seed_corpus.zip fuzz_ds_ahocorasick_seed_corpus.zip fuzz_alg_ses_des_seed_corpus.zip fuzz_alg_hw_rsi_outliers_da_seed_corpus.zip fuzz_alg_bins_seed_corpus.zip fuzz_alg_hll_seed_corpus.zip fuzz_alg_jitter_seed_corpus.zip fuzz_ds_libcache_seed_corpus.zip fuzz_community_id_seed_corpus.zip fuzz_ds_tree_seed_corpus.zip fuzz_serialization_seed_corpus.zip fuzz_ds_ptree_seed_corpus.zip fuzz_alg_crc32_md5_seed_corpus.zip fuzz_alg_bytestream_seed_corpus.zip fuzz_libinjection_seed_corpus.zip fuzz_tls_certificate_seed_corpus.zip fuzz_filecfg_protocols_seed_corpus.zip fuzz_readerutils_workflow_seed_corpus.zip fuzz_readerutils_parseprotolist_seed_corpus.zip fuzz_ds_bitmap64_seed_corpus.zip fuzz_ds_domain_classify_seed_corpus.zip fuzz_filecfg_protocols_seed_corpus.zip +corpus: fuzz_ndpi_reader_seed_corpus.zip fuzz_ndpi_reader_alloc_fail_seed_corpus.zip fuzz_ndpi_reader_payload_analyzer_seed_corpus.zip fuzz_quic_get_crypto_data_seed_corpus.zip fuzz_config_seed_corpus.zip fuzz_ds_patricia_seed_corpus.zip fuzz_ds_ahocorasick_seed_corpus.zip fuzz_alg_ses_des_seed_corpus.zip fuzz_alg_hw_rsi_outliers_da_seed_corpus.zip fuzz_alg_bins_seed_corpus.zip fuzz_alg_hll_seed_corpus.zip fuzz_alg_jitter_seed_corpus.zip fuzz_ds_libcache_seed_corpus.zip fuzz_community_id_seed_corpus.zip fuzz_ds_tree_seed_corpus.zip fuzz_serialization_seed_corpus.zip fuzz_ds_ptree_seed_corpus.zip fuzz_alg_crc32_md5_seed_corpus.zip fuzz_alg_bytestream_seed_corpus.zip fuzz_libinjection_seed_corpus.zip fuzz_tls_certificate_seed_corpus.zip fuzz_filecfg_protocols_seed_corpus.zip fuzz_readerutils_workflow_seed_corpus.zip fuzz_readerutils_parseprotolist_seed_corpus.zip fuzz_ds_bitmap64_seed_corpus.zip fuzz_ds_domain_classify_seed_corpus.zip fuzz_filecfg_protocols_seed_corpus.zip fuzz_is_stun_udp_seed_corpus.zip fuzz_is_stun_tcp_seed_corpus.zip cp corpus/fuzz_*seed_corpus.zip . #Create dictionaries exactly as expected by oss-fuzz. @@ -672,6 +705,8 @@ distdir: -o -path './corpus/fuzz_readerutils_workflow/*' \ -o -path './corpus/fuzz_readerutils_parseprotolist/*' \ -o -path './corpus/fuzz_config/*' \ + -o -path './corpus/fuzz_is_stun_udp/*' \ + -o -path './corpus/fuzz_is_stun_tcp/*' \ -o -path './corpus/fuzz_serialization/*' \ -o -path './corpus/fuzz_community_id/*' \ -o -path './corpus/fuzz_libinjection/*' \ diff --git a/fuzz/corpus/fuzz_is_stun_tcp/1 b/fuzz/corpus/fuzz_is_stun_tcp/1 Binary files differnew file mode 100644 index 000000000..1f13a27a7 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_tcp/1 diff --git a/fuzz/corpus/fuzz_is_stun_tcp/10 b/fuzz/corpus/fuzz_is_stun_tcp/10 Binary files differnew file mode 100644 index 000000000..37e17ee5d --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_tcp/10 diff --git a/fuzz/corpus/fuzz_is_stun_tcp/11 b/fuzz/corpus/fuzz_is_stun_tcp/11 Binary files differnew file mode 100644 index 000000000..9d622b3e3 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_tcp/11 diff --git a/fuzz/corpus/fuzz_is_stun_tcp/13 b/fuzz/corpus/fuzz_is_stun_tcp/13 Binary files differnew file mode 100644 index 000000000..e979df8cd --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_tcp/13 diff --git a/fuzz/corpus/fuzz_is_stun_tcp/2 b/fuzz/corpus/fuzz_is_stun_tcp/2 Binary files differnew file mode 100644 index 000000000..e7ee537fd --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_tcp/2 diff --git a/fuzz/corpus/fuzz_is_stun_tcp/20 b/fuzz/corpus/fuzz_is_stun_tcp/20 Binary files differnew file mode 100644 index 000000000..da4835462 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_tcp/20 diff --git a/fuzz/corpus/fuzz_is_stun_tcp/21 b/fuzz/corpus/fuzz_is_stun_tcp/21 Binary files differnew file mode 100644 index 000000000..f1652efa4 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_tcp/21 diff --git a/fuzz/corpus/fuzz_is_stun_tcp/22 b/fuzz/corpus/fuzz_is_stun_tcp/22 Binary files differnew file mode 100644 index 000000000..d5bd06be7 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_tcp/22 diff --git a/fuzz/corpus/fuzz_is_stun_tcp/23 b/fuzz/corpus/fuzz_is_stun_tcp/23 Binary files differnew file mode 100644 index 000000000..f1652efa4 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_tcp/23 diff --git a/fuzz/corpus/fuzz_is_stun_tcp/3 b/fuzz/corpus/fuzz_is_stun_tcp/3 Binary files differnew file mode 100644 index 000000000..5975001dc --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_tcp/3 diff --git a/fuzz/corpus/fuzz_is_stun_tcp/30 b/fuzz/corpus/fuzz_is_stun_tcp/30 Binary files differnew file mode 100644 index 000000000..389c8a620 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_tcp/30 diff --git a/fuzz/corpus/fuzz_is_stun_tcp/4 b/fuzz/corpus/fuzz_is_stun_tcp/4 Binary files differnew file mode 100644 index 000000000..69e393095 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_tcp/4 diff --git a/fuzz/corpus/fuzz_is_stun_tcp/5 b/fuzz/corpus/fuzz_is_stun_tcp/5 Binary files differnew file mode 100644 index 000000000..80db8a335 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_tcp/5 diff --git a/fuzz/corpus/fuzz_is_stun_tcp/6 b/fuzz/corpus/fuzz_is_stun_tcp/6 Binary files differnew file mode 100644 index 000000000..8e4e54bd3 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_tcp/6 diff --git a/fuzz/corpus/fuzz_is_stun_tcp/7 b/fuzz/corpus/fuzz_is_stun_tcp/7 Binary files differnew file mode 100644 index 000000000..303bdcd21 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_tcp/7 diff --git a/fuzz/corpus/fuzz_is_stun_tcp/8 b/fuzz/corpus/fuzz_is_stun_tcp/8 Binary files differnew file mode 100644 index 000000000..67f400888 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_tcp/8 diff --git a/fuzz/corpus/fuzz_is_stun_tcp/9 b/fuzz/corpus/fuzz_is_stun_tcp/9 Binary files differnew file mode 100644 index 000000000..6b4daeafa --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_tcp/9 diff --git a/fuzz/corpus/fuzz_is_stun_udp/1 b/fuzz/corpus/fuzz_is_stun_udp/1 Binary files differnew file mode 100644 index 000000000..e28a81bbf --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/1 diff --git a/fuzz/corpus/fuzz_is_stun_udp/10 b/fuzz/corpus/fuzz_is_stun_udp/10 Binary files differnew file mode 100644 index 000000000..5d5cd5f71 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/10 diff --git a/fuzz/corpus/fuzz_is_stun_udp/11 b/fuzz/corpus/fuzz_is_stun_udp/11 Binary files differnew file mode 100644 index 000000000..73c5ce60e --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/11 diff --git a/fuzz/corpus/fuzz_is_stun_udp/12 b/fuzz/corpus/fuzz_is_stun_udp/12 Binary files differnew file mode 100644 index 000000000..9b5871513 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/12 diff --git a/fuzz/corpus/fuzz_is_stun_udp/13 b/fuzz/corpus/fuzz_is_stun_udp/13 Binary files differnew file mode 100644 index 000000000..7b60ce798 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/13 diff --git a/fuzz/corpus/fuzz_is_stun_udp/2 b/fuzz/corpus/fuzz_is_stun_udp/2 Binary files differnew file mode 100644 index 000000000..e183759db --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/2 diff --git a/fuzz/corpus/fuzz_is_stun_udp/3 b/fuzz/corpus/fuzz_is_stun_udp/3 Binary files differnew file mode 100644 index 000000000..184e7c508 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/3 diff --git a/fuzz/corpus/fuzz_is_stun_udp/31 b/fuzz/corpus/fuzz_is_stun_udp/31 Binary files differnew file mode 100644 index 000000000..0365ecb77 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/31 diff --git a/fuzz/corpus/fuzz_is_stun_udp/4 b/fuzz/corpus/fuzz_is_stun_udp/4 Binary files differnew file mode 100644 index 000000000..923ac68bb --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/4 diff --git a/fuzz/corpus/fuzz_is_stun_udp/5 b/fuzz/corpus/fuzz_is_stun_udp/5 Binary files differnew file mode 100644 index 000000000..135ae982c --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/5 diff --git a/fuzz/corpus/fuzz_is_stun_udp/6 b/fuzz/corpus/fuzz_is_stun_udp/6 Binary files differnew file mode 100644 index 000000000..8587de335 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/6 diff --git a/fuzz/corpus/fuzz_is_stun_udp/7 b/fuzz/corpus/fuzz_is_stun_udp/7 Binary files differnew file mode 100644 index 000000000..0d758aaf2 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/7 diff --git a/fuzz/corpus/fuzz_is_stun_udp/8 b/fuzz/corpus/fuzz_is_stun_udp/8 Binary files differnew file mode 100644 index 000000000..8c8015e46 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/8 diff --git a/fuzz/corpus/fuzz_is_stun_udp/9 b/fuzz/corpus/fuzz_is_stun_udp/9 Binary files differnew file mode 100644 index 000000000..1c02600d6 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/9 diff --git a/fuzz/corpus/fuzz_is_stun_udp/a b/fuzz/corpus/fuzz_is_stun_udp/a Binary files differnew file mode 100644 index 000000000..6957d60b7 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/a diff --git a/fuzz/corpus/fuzz_is_stun_udp/b b/fuzz/corpus/fuzz_is_stun_udp/b Binary files differnew file mode 100644 index 000000000..e814be29f --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/b diff --git a/fuzz/corpus/fuzz_is_stun_udp/c b/fuzz/corpus/fuzz_is_stun_udp/c Binary files differnew file mode 100644 index 000000000..e814be29f --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/c diff --git a/fuzz/corpus/fuzz_is_stun_udp/c1 b/fuzz/corpus/fuzz_is_stun_udp/c1 Binary files differnew file mode 100644 index 000000000..0a5e47172 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/c1 diff --git a/fuzz/corpus/fuzz_is_stun_udp/c2 b/fuzz/corpus/fuzz_is_stun_udp/c2 Binary files differnew file mode 100644 index 000000000..635cde00c --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/c2 diff --git a/fuzz/corpus/fuzz_is_stun_udp/d b/fuzz/corpus/fuzz_is_stun_udp/d Binary files differnew file mode 100644 index 000000000..21de91869 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/d diff --git a/fuzz/corpus/fuzz_is_stun_udp/e b/fuzz/corpus/fuzz_is_stun_udp/e Binary files differnew file mode 100644 index 000000000..d145e02b1 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/e diff --git a/fuzz/corpus/fuzz_is_stun_udp/f b/fuzz/corpus/fuzz_is_stun_udp/f Binary files differnew file mode 100644 index 000000000..cee523a13 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/f diff --git a/fuzz/corpus/fuzz_is_stun_udp/q b/fuzz/corpus/fuzz_is_stun_udp/q Binary files differnew file mode 100644 index 000000000..7e440f7ed --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/q diff --git a/fuzz/corpus/fuzz_is_stun_udp/q1 b/fuzz/corpus/fuzz_is_stun_udp/q1 Binary files differnew file mode 100644 index 000000000..eb71bd82b --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/q1 diff --git a/fuzz/corpus/fuzz_is_stun_udp/q10 b/fuzz/corpus/fuzz_is_stun_udp/q10 Binary files differnew file mode 100644 index 000000000..0185e21ee --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/q10 diff --git a/fuzz/corpus/fuzz_is_stun_udp/q11 b/fuzz/corpus/fuzz_is_stun_udp/q11 Binary files differnew file mode 100644 index 000000000..bb106a234 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/q11 diff --git a/fuzz/corpus/fuzz_is_stun_udp/q12 b/fuzz/corpus/fuzz_is_stun_udp/q12 Binary files differnew file mode 100644 index 000000000..e56a6dbd2 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/q12 diff --git a/fuzz/corpus/fuzz_is_stun_udp/q2 b/fuzz/corpus/fuzz_is_stun_udp/q2 Binary files differnew file mode 100644 index 000000000..c69a11bec --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/q2 diff --git a/fuzz/corpus/fuzz_is_stun_udp/q3 b/fuzz/corpus/fuzz_is_stun_udp/q3 Binary files differnew file mode 100644 index 000000000..5cb0447d1 --- /dev/null +++ b/fuzz/corpus/fuzz_is_stun_udp/q3 diff --git a/fuzz/fuzz_is_stun.c b/fuzz/fuzz_is_stun.c new file mode 100644 index 000000000..b8b80c097 --- /dev/null +++ b/fuzz/fuzz_is_stun.c @@ -0,0 +1,38 @@ +#define NDPI_LIB_COMPILATION + +#include "ndpi_api.h" +#include "fuzz_common_code.h" + +static struct ndpi_detection_module_struct *ndpi_struct = NULL; +static struct ndpi_flow_struct ndpi_flow; +#ifdef STUN_TCP +struct ndpi_tcphdr tcph; +#else +struct ndpi_udphdr udph; +#endif + +extern int is_stun(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + u_int16_t *app_proto); + + +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + u_int16_t app_proto; /* unused */ + struct ndpi_packet_struct *packet; + + if (ndpi_struct == NULL) { + fuzz_init_detection_module(&ndpi_struct); + } + + packet = &ndpi_struct->packet; + packet->payload = data; + packet->payload_packet_len = size; +#ifndef STUN_TCP + packet->udp = &udph; +#else + packet->tcp = &tcph; +#endif + + is_stun(ndpi_struct, &ndpi_flow, &app_proto); + return 0; +} diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h index b4ef20f5f..f52d9c959 100644 --- a/src/include/ndpi_main.h +++ b/src/include/ndpi_main.h @@ -84,6 +84,9 @@ extern "C" { u_int16_t lower_detected_protocol, ndpi_confidence_t confidence); + void ndpi_reset_detected_protocol(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow); + void ndpi_set_detected_protocol_keeping_master(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, u_int16_t detected_protocol, diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index 278a6714d..8a9e093db 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -383,6 +383,7 @@ typedef enum { NDPI_PROTOCOL_CAN = 352, NDPI_PROTOCOL_PROTOBUF = 353, NDPI_PROTOCOL_ETHEREUM = 354, + NDPI_PROTOCOL_TELEGRAM_VOIP = 355, #ifdef CUSTOM_NDPI_PROTOCOLS #include "../../../nDPI-custom/custom_ndpi_protocol_ids.h" diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 365638aa3..8b1874f38 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1533,7 +1533,7 @@ struct ndpi_flow_struct { } kerberos_buf; struct { - u_int8_t num_pkts, num_binding_requests, num_processed_pkts, maybe_dtls; + u_int8_t maybe_dtls; } stun; struct { diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index b14297c16..cd457c3d9 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -2176,6 +2176,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp "ETHEREUM", NDPI_PROTOCOL_CATEGORY_CRYPTO_CURRENCY, ndpi_build_default_ports(ports_a, 30303, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TELEGRAM_VOIP, + "TelegramVoip", NDPI_PROTOCOL_CATEGORY_VOIP, + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + #ifdef CUSTOM_NDPI_PROTOCOLS #include "../../../nDPI-custom/custom_ndpi_main.c" @@ -7082,14 +7087,6 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st if(ret.app_protocol != NDPI_PROTOCOL_UNKNOWN) return(ret); - if((flow->guessed_protocol_id == NDPI_PROTOCOL_STUN) || - (enable_guess && - flow->stun.num_binding_requests > 0 && - flow->stun.num_processed_pkts > 0)) { - ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_STUN, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL); - ret.app_protocol = flow->detected_protocol_stack[0]; - } - /* Check some caches */ /* Does it looks like BitTorrent? */ @@ -8582,6 +8579,14 @@ void ndpi_set_detected_protocol(struct ndpi_detection_module_struct *ndpi_str, s /* ********************************************************************************* */ +void ndpi_reset_detected_protocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow) { + flow->detected_protocol_stack[1] = NDPI_PROTOCOL_UNKNOWN; + flow->detected_protocol_stack[0] = NDPI_PROTOCOL_UNKNOWN; + flow->confidence = NDPI_CONFIDENCE_UNKNOWN; +} + +/* ********************************************************************************* */ + u_int16_t ndpi_get_flow_masterprotocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow) { return(flow->detected_protocol_stack[1]); } diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 7fbecd9f9..645dfc12a 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -1373,16 +1373,6 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct, ndpi_serialize_end_of_block(serializer); break; - case NDPI_PROTOCOL_STUN: - ndpi_serialize_start_of_block(serializer, "stun"); - ndpi_serialize_string_uint32(serializer, "num_pkts", flow->stun.num_pkts); - ndpi_serialize_string_uint32(serializer, "num_binding_requests", - flow->stun.num_binding_requests); - ndpi_serialize_string_uint32(serializer, "num_processed_pkts", - flow->stun.num_processed_pkts); - ndpi_serialize_end_of_block(serializer); - break; - case NDPI_PROTOCOL_TELNET: ndpi_serialize_start_of_block(serializer, "telnet"); ndpi_serialize_string_string(serializer, "username", flow->protos.telnet.username); diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c index 9d48aecb1..1cc112be4 100644 --- a/src/lib/protocols/rtp.c +++ b/src/lib/protocols/rtp.c @@ -282,19 +282,10 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, } else { rtp_get_stream_type(payload[1] & 0x7F, &flow->flow_multimedia_type); - /* Previous pkts were STUN */ - if(flow->stun.num_binding_requests > 0 || - flow->stun.num_processed_pkts > 0) { - NDPI_LOG_INFO(ndpi_struct, "Found RTP (previous traffic was STUN)\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, - NDPI_PROTOCOL_RTP, NDPI_PROTOCOL_STUN, - NDPI_CONFIDENCE_DPI); - } else { - NDPI_LOG_INFO(ndpi_struct, "Found RTP\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, - NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_RTP, - NDPI_CONFIDENCE_DPI); - } + NDPI_LOG_INFO(ndpi_struct, "Found RTP\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, + NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_RTP, + NDPI_CONFIDENCE_DPI); } return; } diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index 2914a0814..0f3810b81 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -27,12 +27,8 @@ #include "ndpi_api.h" -#define MAX_NUM_STUN_PKTS 3 - -// #define DEBUG_STUN 1 // #define DEBUG_LRU 1 // #define DEBUG_ZOOM_LRU 1 -// #define DEBUG_MONITORING 1 #define STUN_HDR_LEN 20 /* STUN message header length, Classic-STUN (RFC 3489) and STUN (RFC 8489) both */ @@ -43,17 +39,323 @@ extern int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct, extern u_int8_t rtp_get_stream_type(u_int8_t payloadType, ndpi_multimedia_flow_type *s_type); extern int is_dtls(const u_int8_t *buf, u_int32_t buf_len, u_int32_t *block_len); -static int stun_monitoring(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) +static u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev); +static u_int32_t get_stun_lru_key_raw4(u_int32_t ip, u_int16_t port); +static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + u_int app_proto); + + +static u_int16_t search_into_cache(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) +{ + u_int16_t proto; + u_int32_t key; + int rc; + + if(ndpi_struct->stun_cache) { + key = get_stun_lru_key(flow, 0); + rc = ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &proto, + 0 /* Don't remove it as it can be used for other connections */, + ndpi_get_current_time(flow)); +#ifdef DEBUG_LRU + printf("[LRU] Searching %u\n", key); +#endif + + if(!rc) { + key = get_stun_lru_key(flow, 1); + rc = ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &proto, + 0 /* Don't remove it as it can be used for other connections */, + ndpi_get_current_time(flow)); +#ifdef DEBUG_LRU + printf("[LRU] Searching %u\n", key); +#endif + } + + if(rc) { +#ifdef DEBUG_LRU + printf("[LRU] Cache FOUND %u / %u\n", key, proto); +#endif + + return proto; + } else { +#ifdef DEBUG_LRU + printf("[LRU] NOT FOUND %u\n", key); +#endif + } + } else { +#ifdef DEBUG_LRU + printf("[LRU] NO/EMPTY CACHE\n"); +#endif + } + return NDPI_PROTOCOL_UNKNOWN; +} + +static void add_to_caches(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + u_int16_t app_proto) +{ + u_int32_t key, key_rev; + + if(ndpi_struct->stun_cache && + app_proto != NDPI_PROTOCOL_STUN && + app_proto != NDPI_PROTOCOL_UNKNOWN) { + /* No sense to add STUN, but only subprotocols */ + + key = get_stun_lru_key(flow, 0); + ndpi_lru_add_to_cache(ndpi_struct->stun_cache, key, app_proto, ndpi_get_current_time(flow)); + key_rev = get_stun_lru_key(flow, 1); + ndpi_lru_add_to_cache(ndpi_struct->stun_cache, key_rev, app_proto, ndpi_get_current_time(flow)); + +#ifdef DEBUG_LRU + printf("[LRU] ADDING %u 0x%x app %u [%u -> %u]\n", key, key_rev, app_proto, + ntohs(flow->c_port), ntohs(flow->s_port)); +#endif + } + + /* TODO: extend to other protocols? */ + if(ndpi_struct->stun_zoom_cache && + app_proto == NDPI_PROTOCOL_ZOOM && + flow->l4_proto == IPPROTO_UDP) { + key = get_stun_lru_key(flow, 0); /* Src */ + ndpi_lru_add_to_cache(ndpi_struct->stun_zoom_cache, key, + 0 /* dummy */, ndpi_get_current_time(flow)); + +#ifdef DEBUG_ZOOM_LRU + printf("[LRU ZOOM] ADDING %u [src_port %u]\n", key, ntohs(flow->c_port)); +#endif + } +} + +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +static +#endif +int is_stun(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + u_int16_t *app_proto) +{ + struct ndpi_packet_struct *packet = &ndpi_struct->packet; + u_int16_t msg_type, msg_len; + int off; + const u_int8_t *payload = packet->payload; + u_int16_t payload_length = packet->payload_packet_len; + u_int32_t magic_cookie; + + if(payload_length < STUN_HDR_LEN) { + return 0; + } + + /* Some really old/legacy stuff */ + if(strncmp((const char *)payload, "RSP/", 4) == 0 && + strncmp((const char *)&payload[7], " STUN_", 6) == 0) { + NDPI_LOG_DBG(ndpi_struct, "found old/legacy stun in rsp\n"); + return 1; /* No real metadata */ + } + + /* STUN may be encapsulated in TCP packets with a special TCP framing described in RFC 4571 */ + if(packet->tcp && + payload_length >= STUN_HDR_LEN + 2 && + /* TODO: multiple STUN messagges */ + ((ntohs(get_u_int16_t(payload, 0)) + 2) == payload_length)) { + payload += 2; + payload_length -=2; + } + + msg_type = ntohs(*((u_int16_t *)&payload[0])); + msg_len = ntohs(*((u_int16_t *)&payload[2])); + magic_cookie = ntohl(*((u_int32_t *)&payload[4])); + + /* No magic_cookie on classic-stun */ + /* Let's hope that we don't have anymore classic-stun over TCP */ + if(packet->tcp && magic_cookie != 0x2112A442) { + return 0; + } + + NDPI_LOG_DBG2(ndpi_struct, "msg_type = %04X msg_len = %d\n", msg_type, msg_len); + + /* With tcp, we might have multiple msg in the same TCP pkt. + Parse only the first one. TODO */ + if(packet->tcp) { + if(msg_len + STUN_HDR_LEN > payload_length) + return 0; + payload_length = msg_len + STUN_HDR_LEN; + } + + if(msg_type == 0 || (msg_len + STUN_HDR_LEN != payload_length)) { + NDPI_LOG_DBG(ndpi_struct, "Invalid msg_type = %04X or len %d %d\n", + msg_type, msg_len, payload_length); + return 0; + } + + /* https://www.iana.org/assignments/stun-parameters/stun-parameters.xhtml */ + if(((msg_type & 0x3EEF) > 0x000B) && + msg_type != 0x0800 && msg_type != 0x0801 && msg_type != 0x0802) { + NDPI_LOG_DBG(ndpi_struct, "Invalid msg_type = %04X\n", msg_type); + return 0; + } + + if(magic_cookie != 0x2112A442) { + /* Some heuristic to detect classic-stun: let's see if attributes list seems ok */ + off = STUN_HDR_LEN; + while(off + 4 < payload_length) { + u_int16_t len = ntohs(*((u_int16_t *)&payload[off + 2])); + u_int16_t real_len = (len + 3) & 0xFFFFFFFC; + + off += 4 + real_len; + } + if(off != payload_length) { + NDPI_LOG_DBG(ndpi_struct, "No classic-stun %d/%d\n", off, payload_length); + return 0; + } + } + + /* STUN */ + + if(msg_type == 0x0800 || msg_type == 0x0801 || msg_type == 0x0802) { + *app_proto = NDPI_PROTOCOL_WHATSAPP_CALL; + return 1; + } + + off = STUN_HDR_LEN; + while(off + 4 < payload_length) { + u_int16_t attribute = ntohs(*((u_int16_t *)&payload[off])); + u_int16_t len = ntohs(*((u_int16_t *)&payload[off + 2])); + u_int16_t real_len = (len + 3) & 0xFFFFFFFC; + + NDPI_LOG_DBG(ndpi_struct, "Attribute 0x%x (%d/%d)\n", attribute, len, real_len); + + switch(attribute) { + case 0x0012: /* XOR-PEER-ADDRESS */ + if(off + 12 < payload_length && + len == 8 && payload[off + 5] == 0x01) { /* TODO: ipv6 */ + u_int16_t port; + u_int32_t ip; +#ifdef NDPI_ENABLE_DEBUG_MESSAGES + char buf[128]; +#endif + + port = ntohs(*((u_int16_t *)&payload[off + 6])) ^ (magic_cookie >> 16); + ip = *((u_int32_t *)&payload[off + 8]) ^ htonl(magic_cookie); + + NDPI_LOG_DBG(ndpi_struct, "Peer %s:%d [proto %d]\n", + inet_ntop(AF_INET, &ip, buf, sizeof(buf)), port, + flow->detected_protocol_stack[0]); + + if(1 /* TODO: enable/disable */ && + ndpi_struct->stun_cache) { + u_int32_t key = get_stun_lru_key_raw4(ip, port); + + ndpi_lru_add_to_cache(ndpi_struct->stun_cache, key, + flow->detected_protocol_stack[0], + ndpi_get_current_time(flow)); +#ifdef DEBUG_LRU + printf("[LRU] Add peer %u %d\n", key, flow->detected_protocol_stack[0]); +#endif + } + } + break; + + case 0x0101: + case 0x0103: + *app_proto = NDPI_PROTOCOL_ZOOM; + return 1; + + case 0x4000: + case 0x4001: + case 0x4002: + case 0x4003: + case 0x4004: + case 0x4007: + /* These are the only messages apparently whatsapp voice can use */ + *app_proto = NDPI_PROTOCOL_WHATSAPP_CALL; + return 1; + + case 0x0014: /* Realm */ + if(flow->host_server_name[0] == '\0') { + ndpi_hostname_sni_set(flow, payload + off + 4, ndpi_min(len, payload_length - off - 4)); + NDPI_LOG_DBG(ndpi_struct, "Realm [%s]\n", flow->host_server_name); + + if(strstr(flow->host_server_name, "google.com") != NULL) { + *app_proto = NDPI_PROTOCOL_HANGOUT_DUO; + return 1; + } else if(strstr(flow->host_server_name, "whispersystems.org") != NULL || + strstr(flow->host_server_name, "signal.org") != NULL) { + *app_proto = NDPI_PROTOCOL_SIGNAL_VOIP; + return 1; + } else if(strstr(flow->host_server_name, "facebook") != NULL) { + *app_proto = NDPI_PROTOCOL_FACEBOOK_VOIP; + return 1; + } else if(strstr(flow->host_server_name, "stripcdn.com") != NULL) { + *app_proto = NDPI_PROTOCOL_ADULT_CONTENT; + return 1; + } else if(strstr(flow->host_server_name, "telegram") != NULL) { + *app_proto = NDPI_PROTOCOL_TELEGRAM_VOIP; + return 1; + } + } + break; + + /* Proprietary fields found on skype calls */ + case 0x8054: /* Candidate Identifier: Either skype for business or "normal" skype with multiparty call */ + case 0x24DF: + case 0x3802: + case 0x8036: + case 0x8095: /* MS-Multiplexed-TURN-Session-ID */ + case 0x0800: + case 0x8006: + case 0x8070: /* MS Implementation Version */ + case 0x8055: /* MS Service Quality */ + *app_proto = NDPI_PROTOCOL_SKYPE_TEAMS_CALL; + return 1; + + case 0xFF03: + *app_proto = NDPI_PROTOCOL_HANGOUT_DUO; + return 1; + + default: + NDPI_LOG_DBG2(ndpi_struct, "Unknown attribute %04X\n", attribute); + break; + } + + off += 4 + real_len; + } + + return 1; +} + +static int keep_extra_dissection(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) +{ + if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN /* No subclassification */) + return 1; + + /* We have a sub-classification */ + + if((ndpi_struct->monitoring_stun_flags & NDPI_MONITORING_STUN_SUBCLASSIFIED) && + flow->detected_protocol_stack[1] != NDPI_PROTOCOL_RTP) + return 1; + + /* Looking for XOR-PEER-ADDRESS metadata; TODO: other protocols? */ + if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM_VOIP) + return 1; + return 0; +} + +static int stun_search_again(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; int rtp_rtcp; u_int8_t first_byte; + u_int16_t app_proto = NDPI_PROTOCOL_UNKNOWN; + u_int32_t unused; -#ifdef DEBUG_MONITORING - printf("[STUN-MON] Packet counter %d protos %d/%d\n", flow->packet_counter, - flow->detected_protocol_stack[0], flow->detected_protocol_stack[1]); -#endif + NDPI_LOG_DBG2(ndpi_struct, "Packet counter %d protos %d/%d\n", flow->packet_counter, + flow->detected_protocol_stack[0], flow->detected_protocol_stack[1]); + + /* TODO: check TCP support. We need to pay some attention because: + * multiple msg in the same TCP segment + * same msg split across multiple segments */ if(packet->payload_packet_len == 0) return 1; @@ -62,33 +364,45 @@ static int stun_monitoring(struct ndpi_detection_module_struct *ndpi_struct, /* draft-ietf-avtcore-rfc7983bis */ if(first_byte <= 3) { -#ifdef DEBUG_MONITORING - printf("[STUN-MON] Still STUN\n"); -#endif - return 1; + NDPI_LOG_DBG(ndpi_struct, "Still STUN\n"); + if(is_stun(ndpi_struct, flow, &app_proto) /* To extract other metadata */ && + flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN /* No previous subclassification */) { + ndpi_int_stun_add_connection(ndpi_struct, flow, app_proto); + /* TODO */ + ndpi_protocol ret = { NDPI_PROTOCOL_STUN, app_proto, NDPI_PROTOCOL_UNKNOWN /* unused */, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL}; + flow->category = ndpi_get_proto_category(ndpi_struct, ret); + } } else if(first_byte <= 19) { -#ifdef DEBUG_MONITORING - printf("[STUN-MON] DROP or ZRTP range. Unexpected but keep looking\n"); -#endif - return 1; + NDPI_LOG_DBG(ndpi_struct, "DROP or ZRTP range. Unexpected\n"); } else if(first_byte <= 63) { -#ifdef DEBUG_MONITORING - printf("[STUN-MON] DTLS\n"); -#endif - /* TODO */ - return 1; + NDPI_LOG_DBG(ndpi_struct, "DTLS\n"); + if(is_dtls(packet->payload, packet->payload_packet_len, &unused) && + flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN /* No previous subclassification */) { + /* Switching to TLS dissector is tricky, because we are calling one dissector + from another one, and that is not a common operation... + Additionally: + * at that point protocol stack is already set to STUN + * we have room for only two protocols in flow->detected_protocol_stack[] so + we can't have something like STUN/DTLS/SNAPCHAT_CALL + * the easiest (!?) solution is to remove STUN, and let TLS dissector to set both + master (i.e. DTLS) and subprotocol (if any) */ + if(ndpi_struct->opportunistic_tls_stun_enabled) { + /* TODO: right way? It is a bit scary... do we need to reset something else too? */ + ndpi_reset_detected_protocol(ndpi_struct, flow); + ndpi_int_change_category(ndpi_struct, flow, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED); + + flow->stun.maybe_dtls = 1; + NDPI_LOG_DBG(ndpi_struct, "Switch to TLS\n"); + switch_to_tls(ndpi_struct, flow); + } + } } else if(first_byte <= 127) { -#ifdef DEBUG_MONITORING - printf("[STUN-MON] QUIC or TURN range. Unexpected but keep looking\n"); -#endif - return 1; + NDPI_LOG_DBG(ndpi_struct, "QUIC or TURN range. Unexpected\n"); } else if(first_byte <= 191) { rtp_rtcp = is_rtp_or_rtcp(ndpi_struct, flow); if(rtp_rtcp == IS_RTP) { -#ifdef DEBUG_MONITORING - printf("[STUN-MON] RTP (dir %d)\n", packet->packet_direction); -#endif + NDPI_LOG_DBG(ndpi_struct, "RTP (dir %d)\n", packet->packet_direction); NDPI_LOG_INFO(ndpi_struct, "Found RTP over STUN\n"); rtp_get_stream_type(packet->payload[1] & 0x7F, &flow->flow_multimedia_type); @@ -106,27 +420,19 @@ static int stun_monitoring(struct ndpi_detection_module_struct *ndpi_struct, } return 0; /* Stop */ } else if(rtp_rtcp == IS_RTCP) { -#ifdef DEBUG_MONITORING - printf("[STUN-MON] RTCP\n"); -#endif - return 1; + NDPI_LOG_DBG(ndpi_struct, "RTCP\n"); } else { -#ifdef DEBUG_MONITORING - printf("[STUN-MON] Unexpected\n"); -#endif - return 1; + NDPI_LOG_DBG(ndpi_struct, "Unexpected\n"); } } else { -#ifdef DEBUG_MONITORING - printf("[STUN-MON] QUIC range. Unexpected but keep looking\n"); -#endif - return 1; + NDPI_LOG_DBG(ndpi_struct, "QUIC range. Unexpected\n"); } + return keep_extra_dissection(ndpi_struct, flow); } /* ************************************************************ */ -u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev) { +static u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev) { if(rev) { if(flow->is_ipv6) return ndpi_quick_hash(flow->s_address.v6, 16) + ntohs(flow->s_port); @@ -142,6 +448,12 @@ u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev) { /* ************************************************************ */ +static u_int32_t get_stun_lru_key_raw4(u_int32_t ip, u_int16_t port_host_order) { + return ntohl(ip) + port_host_order; +} + +/* ************************************************************ */ + int stun_search_into_zoom_cache(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { @@ -205,387 +517,52 @@ static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *nd } } - if(ndpi_struct->stun_cache - && (app_proto != NDPI_PROTOCOL_UNKNOWN) - ) /* Cache flow sender info */ { - u_int32_t key = get_stun_lru_key(flow, 0); - u_int16_t cached_proto; + if(app_proto == NDPI_PROTOCOL_UNKNOWN) { + app_proto = search_into_cache(ndpi_struct, flow); + if(app_proto != NDPI_PROTOCOL_UNKNOWN) + confidence = NDPI_CONFIDENCE_DPI_CACHE; + } + if(app_proto != NDPI_PROTOCOL_UNKNOWN) + add_to_caches(ndpi_struct, flow, app_proto); - if(ndpi_lru_find_cache(ndpi_struct->stun_cache, key, - &cached_proto, 0 /* Don't remove it as it can be used for other connections */, - ndpi_get_current_time(flow))) { -#ifdef DEBUG_LRU - printf("[LRU] FOUND %u / %u: no need to cache %u.%u\n", key, cached_proto, proto, app_proto); -#endif - if(app_proto != cached_proto) { - app_proto = cached_proto; - confidence = NDPI_CONFIDENCE_DPI_CACHE; - } - } else { - u_int32_t key_rev = get_stun_lru_key(flow, 1); + if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN || + app_proto != NDPI_PROTOCOL_UNKNOWN) { + NDPI_LOG_DBG(ndpi_struct, "Setting %d\n", app_proto); + ndpi_set_detected_protocol(ndpi_struct, flow, app_proto, NDPI_PROTOCOL_STUN, confidence); + } - if(ndpi_lru_find_cache(ndpi_struct->stun_cache, key_rev, - &cached_proto, 0 /* Don't remove it as it can be used for other connections */, - ndpi_get_current_time(flow))) { -#ifdef DEBUG_LRU - printf("[LRU] FOUND %u / %u: no need to cache %u.%u\n", key_rev, cached_proto, proto, app_proto); -#endif - if(app_proto != cached_proto) { - app_proto = cached_proto; - confidence = NDPI_CONFIDENCE_DPI_CACHE; - } + /* This is quite complex. We want extra dissection for: + * sub-classification + * metadata extraction in general + * Telegram: we need more packets to find all XOR-PEER-ADDRESS attributes + * monitoring, i.e. looking for RTP + And all these cases might overlap... + */ + if(!flow->extra_packets_func) { + if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN /* No-subclassification */ || + flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM_VOIP /* Metadata. TODO: other protocols? */ || + (ndpi_struct->monitoring_stun_pkts_to_process > 0 && + (ndpi_struct->monitoring_stun_flags & NDPI_MONITORING_STUN_SUBCLASSIFIED))) { + NDPI_LOG_DBG(ndpi_struct, "Enabling extra dissection\n"); + + if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM_VOIP) { + flow->max_extra_packets_to_check = 10; /* Looking for metadata. There are no really RTP packets + in Telegram flows, so no need to enable monitoring for them */ } else { - if(app_proto != NDPI_PROTOCOL_STUN) { - /* No sense to add STUN, but only subprotocols */ - -#ifdef DEBUG_LRU - printf("[LRU] ADDING %u / %u.%u [%u -> %u]\n", key, proto, app_proto, - ntohs(packet->udp->source), ntohs(packet->udp->dest)); -#endif - - ndpi_lru_add_to_cache(ndpi_struct->stun_cache, key, app_proto, ndpi_get_current_time(flow)); - ndpi_lru_add_to_cache(ndpi_struct->stun_cache, key_rev, app_proto, ndpi_get_current_time(flow)); - } + flow->max_extra_packets_to_check = ndpi_max(4, ndpi_struct->monitoring_stun_pkts_to_process); + flow->extra_packets_func = stun_search_again; } } - } - - /* TODO: extend to other protocols? */ - if(ndpi_struct->stun_zoom_cache && - app_proto == NDPI_PROTOCOL_ZOOM && - flow->l4_proto == IPPROTO_UDP) { - u_int32_t key = get_stun_lru_key(flow, 0); /* Src */ -#ifdef DEBUG_ZOOM_LRU - printf("[LRU ZOOM] ADDING %u [src_port %u]\n", key, ntohs(flow->c_port)); -#endif - ndpi_lru_add_to_cache(ndpi_struct->stun_zoom_cache, key, - 0 /* dummy */, ndpi_get_current_time(flow)); - } - - -#ifdef DEBUG_STUN - printf("[STUN] Setting %d\n", app_proto); -#endif - ndpi_set_detected_protocol(ndpi_struct, flow, app_proto, NDPI_PROTOCOL_STUN, confidence); - - if(ndpi_struct->monitoring_stun_pkts_to_process > 0 && - flow->l4_proto == IPPROTO_UDP /* TODO: support TCP. We need to pay some attention because: - * multiple msg in the same TCP segment - * same msg split across multiple segments */) { - if((ndpi_struct->monitoring_stun_flags & NDPI_MONITORING_STUN_SUBCLASSIFIED) || - flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN /* No-subclassification */) { - flow->max_extra_packets_to_check = ndpi_struct->monitoring_stun_pkts_to_process; - flow->extra_packets_func = stun_monitoring; + } else { + /* Already in extra dissection, but we just sub-classied */ + if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM_VOIP) { + flow->max_extra_packets_to_check = 10; } } } -typedef enum { - NDPI_IS_STUN, - NDPI_IS_NOT_STUN -} ndpi_int_stun_t; - /* ************************************************************ */ -static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - const u_int8_t * payload, - u_int16_t payload_length, - u_int16_t *app_proto) { - struct ndpi_packet_struct *packet = &ndpi_struct->packet; - u_int16_t msg_type, msg_len; - u_int32_t unused; - int rc; - - if(packet->iph && - ((packet->iph->daddr == 0xFFFFFFFF /* 255.255.255.255 */) || - ((ntohl(packet->iph->daddr) & 0xF0000000) == 0xE0000000 /* A multicast address */))) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return(NDPI_IS_NOT_STUN); - } - - /* If we're here it's because this does not look like STUN anymore - as this was a flow that started as STUN and turned into something - else. Let's investigate what is that about */ - if(flow->stun.num_pkts > 0 && is_dtls(payload, payload_length, &unused)) { -#ifdef DEBUG_STUN - printf("[STUN] DTLS?\n"); -#endif - /* Switching to TLS dissector is tricky, because we are calling one dissector - from another one, and that is not a common operation... - Additionally: - * at that point protocol stack is still empty - * we have room for only two protocols in flow->detected_protocol_stack[] so - we can't have something like STUN/DTLS/SNAPCHAT_CALL - * the easiest solution is skipping STUN, and let TLS dissector to set both - master (i.e. DTLS) and subprotocol (if any) */ - if(ndpi_struct->opportunistic_tls_stun_enabled) { - flow->stun.maybe_dtls = 1; - switch_to_tls(ndpi_struct, flow); - } - /* We don't want to mess up with TLS classification/results but we don't want to - exclude STUN right away to keep trying it in the case that this packet is - not a real DTLS one */ - return(NDPI_IS_NOT_STUN); - } - - if(payload_length < STUN_HDR_LEN) { - /* This looks like an invalid packet */ - - if(flow->stun.num_pkts > 0) { - return(NDPI_IS_STUN); - } else - return(NDPI_IS_NOT_STUN); - } - - if((strncmp((const char*)payload, (const char*)"RSP/", 4) == 0) - && (strncmp((const char*)&payload[7], (const char*)" STUN_", 6) == 0)) { - NDPI_LOG_INFO(ndpi_struct, "found stun\n"); - goto stun_found; - } - - msg_type = ntohs(*((u_int16_t*)payload)); - msg_len = ntohs(*((u_int16_t*)&payload[2])); - - /* With tcp, we might have multiple msg in the same TCP pkt. - Parse only the first one. TODO */ - if(packet->tcp) { - if(msg_len + 20 > payload_length) - return(NDPI_IS_NOT_STUN); - /* Let's hope that classic-stun is no more used over TCP */ - if(ntohl(*((u_int32_t *)&payload[4])) != 0x2112A442) - return(NDPI_IS_NOT_STUN); - - payload_length = msg_len + 20; - } - - if((msg_type == 0) || ((msg_len+20) != payload_length)) - return(NDPI_IS_NOT_STUN); - - /* https://www.iana.org/assignments/stun-parameters/stun-parameters.xhtml */ - if(((msg_type & 0x3EEF) > 0x000B) && - (msg_type != 0x0800 && msg_type != 0x0801 && msg_type != 0x0802)) { -#ifdef DEBUG_STUN - printf("[STUN] msg_type = %04X\n", msg_type); -#endif - return(NDPI_IS_NOT_STUN); - } - - if(ndpi_struct->stun_cache) { - u_int16_t proto; - u_int32_t key = get_stun_lru_key(flow, 0); - int rc = ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &proto, - 0 /* Don't remove it as it can be used for other connections */, - ndpi_get_current_time(flow)); - -#ifdef DEBUG_LRU - printf("[LRU] Searching %u\n", key); -#endif - - if(!rc) { - key = get_stun_lru_key(flow, 1); - rc = ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &proto, - 0 /* Don't remove it as it can be used for other connections */, - ndpi_get_current_time(flow)); - -#ifdef DEBUG_LRU - printf("[LRU] Searching %u\n", key); -#endif - } - - if(rc) { -#ifdef DEBUG_LRU - printf("[LRU] Cache FOUND %u / %u\n", key, proto); -#endif - - *app_proto = proto; - return(NDPI_IS_STUN); - } else { -#ifdef DEBUG_LRU - printf("[LRU] NOT FOUND %u\n", key); -#endif - } - } else { -#ifdef DEBUG_LRU - printf("[LRU] NO/EMPTY CACHE\n"); -#endif - } - - if(msg_type == 0x01 /* Binding Request */) { - flow->stun.num_binding_requests++; - - flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; - - if(!msg_len) { - /* flow->stun.num_pkts++; */ - return(NDPI_IS_NOT_STUN); /* This to keep analyzing STUN instead of giving up */ - } - } - - flow->stun.num_pkts++; - - flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; - - if(payload_length == (msg_len+20)) { - if((msg_type & 0x3EEF) <= 0x000B) /* http://www.3cx.com/blog/voip-howto/stun-details/ */ { - u_int offset = 20; - - /* - This can either be the standard RTCP or Ms Lync RTCP that - later will become Ms Lync RTP. In this case we need to - be careful before deciding about the protocol before dissecting the packet - - MS Lync = Skype - https://en.wikipedia.org/wiki/Skype_for_Business - */ - - while((offset+4) < payload_length) { - u_int16_t attribute = ntohs(*((u_int16_t*)&payload[offset])); - u_int16_t len = ntohs(*((u_int16_t*)&payload[offset+2])); - u_int16_t x = (len + 4) % 4; - - if(x) - len += 4-x; - -#ifdef DEBUG_STUN - printf("==> Attribute: %04X\n", attribute); -#endif - - switch(attribute) { - case 0x0101: - case 0x0103: - *app_proto = NDPI_PROTOCOL_ZOOM; - return(NDPI_IS_STUN); - - case 0x4000: - case 0x4001: - case 0x4002: - case 0x4003: - case 0x4004: - case 0x4007: - /* These are the only messages apparently whatsapp voice can use */ - *app_proto = NDPI_PROTOCOL_WHATSAPP_CALL; - return(NDPI_IS_STUN); - - case 0x0014: /* Realm */ - { - u_int16_t realm_len = ntohs(*((u_int16_t*)&payload[offset+2])); - - if(flow->host_server_name[0] == '\0') { - u_int k = offset+4; - - ndpi_hostname_sni_set(flow, payload + k, ndpi_min(realm_len, payload_length - k)); - -#ifdef DEBUG_STUN - printf("==> [%s]\n", flow->host_server_name); -#endif - - if(strstr(flow->host_server_name, "google.com") != NULL) { - *app_proto = NDPI_PROTOCOL_HANGOUT_DUO; - return(NDPI_IS_STUN); - } else if(strstr(flow->host_server_name, "whispersystems.org") != NULL || - (strstr(flow->host_server_name, "signal.org") != NULL)) { - *app_proto = NDPI_PROTOCOL_SIGNAL_VOIP; - return(NDPI_IS_STUN); - } else if(strstr(flow->host_server_name, "facebook") != NULL) { - *app_proto = NDPI_PROTOCOL_FACEBOOK_VOIP; - return(NDPI_IS_STUN); - } else if(strstr(flow->host_server_name, "stripcdn.com") != NULL) { - *app_proto = NDPI_PROTOCOL_ADULT_CONTENT; - return(NDPI_IS_STUN); - } - } - } - break; - - case 0x8054: /* Candidate Identifier */ - if((len == 4) - && ((offset+7) < payload_length) - && (payload[offset+5] == 0x00) - && (payload[offset+6] == 0x00) - && (payload[offset+7] == 0x00)) { - /* Either skype for business or "normal" skype with multiparty call */ -#ifdef DEBUG_STUN - printf("==> Skype found\n"); -#endif - *app_proto = NDPI_PROTOCOL_SKYPE_TEAMS_CALL; - return(NDPI_IS_STUN); - } - - break; - - case 0x8055: /* MS Service Quality (skype?) */ - break; - - /* Proprietary fields found on skype calls */ - case 0x24DF: - case 0x3802: - case 0x8036: - case 0x8095: - case 0x0800: - case 0x8006: /* This is found on skype calls) */ - /* printf("====>>>> %04X\n", attribute); */ -#ifdef DEBUG_STUN - printf("==> Skype (2) found\n"); -#endif - - *app_proto = NDPI_PROTOCOL_SKYPE_TEAMS_CALL; - return(NDPI_IS_STUN); - - case 0x8070: /* Implementation Version */ - if(len == 4 && ((offset+7) < payload_length) - && (payload[offset+4] == 0x00) && (payload[offset+5] == 0x00) && (payload[offset+6] == 0x00) && - ((payload[offset+7] == 0x02) || (payload[offset+7] == 0x03))) { -#ifdef DEBUG_STUN - printf("==> Skype (3) found\n"); -#endif - - *app_proto = NDPI_PROTOCOL_SKYPE_TEAMS_CALL; - return(NDPI_IS_STUN); - } - break; - - case 0xFF03: - *app_proto = NDPI_PROTOCOL_HANGOUT_DUO; - return(NDPI_IS_STUN); - - default: -#ifdef DEBUG_STUN - printf("==> %04X\n", attribute); -#endif - break; - } - - offset += len + 4; - } - - goto stun_found; - } else if(msg_type == 0x0800 || - msg_type == 0x0801 || - msg_type == 0x0802) { - *app_proto = NDPI_PROTOCOL_WHATSAPP_CALL; - return(NDPI_IS_STUN); - } - } - - if((flow->stun.num_pkts > 0) && (msg_type <= 0x00FF)) { - *app_proto = NDPI_PROTOCOL_WHATSAPP_CALL; - return(NDPI_IS_STUN); - } else - return(NDPI_IS_NOT_STUN); - -stun_found: - flow->stun.num_processed_pkts++; - - rc = (flow->stun.num_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN; - -#ifdef DEBUG_STUN - printf("stun.num_pkts %d, stun.num_processed_pkts %d, rc: %d\n", - flow->stun.num_pkts, flow->stun.num_processed_pkts, rc); -#endif - - return rc; -} static void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { @@ -596,28 +573,20 @@ static void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, s app_proto = NDPI_PROTOCOL_UNKNOWN; - /* STUN may be encapsulated in TCP packets with a special TCP framing described in RFC 4571 */ - if(packet->tcp && - packet->payload_packet_len >= 22 && - ((ntohs(get_u_int16_t(packet->payload, 0)) + 2) == packet->payload_packet_len)) { - /* TODO there could be several STUN packets in a single TCP packet so maybe the detection could be - * improved by checking only the STUN packet of given length */ + if(packet->iph && + ((packet->iph->daddr == 0xFFFFFFFF /* 255.255.255.255 */) || + ((ntohl(packet->iph->daddr) & 0xF0000000) == 0xE0000000 /* A multicast address */))) { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; + } - if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload + 2, - packet->payload_packet_len - 2, &app_proto) == NDPI_IS_STUN) { - ndpi_int_stun_add_connection(ndpi_struct, flow, app_proto); - return; - } - } else { /* UDP or TCP without framing */ - if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload, - packet->payload_packet_len, &app_proto) == NDPI_IS_STUN) { - ndpi_int_stun_add_connection(ndpi_struct, flow, app_proto); - return; - } + if(is_stun(ndpi_struct, flow, &app_proto)) { + ndpi_int_stun_add_connection(ndpi_struct, flow, app_proto); + return; } - if(flow->stun.num_pkts >= MAX_NUM_STUN_PKTS || - flow->packet_counter > 10) + /* TODO: can we stop earlier? */ + if(flow->packet_counter > 10) NDPI_EXCLUDE_PROTO(ndpi_struct, flow); if(flow->packet_counter > 0) { @@ -628,7 +597,6 @@ static void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, s } } - void init_stun_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id) { ndpi_set_bitmask_protocol_detection("STUN", ndpi_struct, *id, NDPI_PROTOCOL_STUN, diff --git a/tests/cfgs/caches_cfg/result/teams.pcap.out b/tests/cfgs/caches_cfg/result/teams.pcap.out index 18992670c..d1d7b9dad 100644 --- a/tests/cfgs/caches_cfg/result/teams.pcap.out +++ b/tests/cfgs/caches_cfg/result/teams.pcap.out @@ -4,18 +4,17 @@ DPI Packets (TCP): 337 (8.02 pkts/flow) DPI Packets (UDP): 74 (1.85 pkts/flow) DPI Packets (other): 1 (1.00 pkts/flow) Confidence Unknown : 1 (flows) -Confidence Match by port : 1 (flows) -Confidence DPI (partial) : 1 (flows) +Confidence Match by port : 2 (flows) Confidence DPI : 80 (flows) Num dissector calls: 504 (6.07 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/9/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 6/42/18 (insert/search/found) +LRU cache stun: 24/0/0 (insert/search/found) LRU cache tls_cert: 0/4/0 (insert/search/found) -LRU cache mining: 0/2/0 (insert/search/found) +LRU cache mining: 0/3/0 (insert/search/found) LRU cache msteams: 25/19/9 (insert/search/found) -LRU cache stun_zoom: 0/0/0 (insert/search/found) +LRU cache stun_zoom: 0/1/0 (insert/search/found) Automa host: 85/71 (search/found) Automa domain: 85/0 (search/found) Automa tls cert: 0/0 (search/found) @@ -62,7 +61,7 @@ JA3 Host Stats: 11 TCP 192.168.1.6:60540 <-> 52.114.75.70:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][14 pkts/5711 bytes <-> 10 pkts/8093 bytes][Goodput ratio: 83/92][0.13 sec][Hostname/SNI: eu-prod.asyncgw.teams.microsoft.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.173 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/9 32/32 13/14][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 408/809 1494/1506 517/688][TLSv1.2][JA3C: 74d5fa154a7fc0a7c655d8eaa34b89bf][Plen Bins: 0,7,0,7,0,0,0,15,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,15,31,0,0] 12 TCP 192.168.1.6:60537 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 8][cat: Cloud/13][16 pkts/8418 bytes <-> 10 pkts/5367 bytes][Goodput ratio: 87/88][0.27 sec][Hostname/SNI: mobile.pipe.aria.microsoft.com][bytes ratio: 0.221 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 14/27 46/46 20/20][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 526/537 1494/1506 639/623][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: a1674500365bdd882188db63730e69a2][ServerNames: *.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com][JA3S: ae4edc6faf64d08308082ad26be60767][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=*.events.data.microsoft.com][Certificate SHA-1: 33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB][Safari][Validity: 2019-10-10 21:55:38 - 2021-10-10 21:55:38][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 7,7,7,0,0,0,7,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,7,0,0,31,15,0,0] 13 TCP 192.168.1.6:60555 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 11][cat: Cloud/13][18 pkts/5861 bytes <-> 13 pkts/7901 bytes][Goodput ratio: 80/89][2.79 sec][Hostname/SNI: mobile.pipe.aria.microsoft.com][bytes ratio: -0.148 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 192/269 2443/2490 625/741][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 326/608 1494/1506 448/617][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][ServerNames: *.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com][JA3S: 986571066668055ae9481cb84fda634a][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=*.events.data.microsoft.com][Certificate SHA-1: 33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB][Firefox][Validity: 2019-10-10 21:55:38 - 2021-10-10 21:55:38][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,16,11,0,0,5,0,0,0,5,5,0,0,11,0,5,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,22,0,0] - 14 UDP 192.168.1.6:51681 <-> 52.114.77.136:3478 [proto: 125/Skype_Teams][IP: 276/Azure][Encrypted][Confidence: DPI (partial)][DPI packets: 12][cat: VoIP/10][14 pkts/5838 bytes <-> 17 pkts/7907 bytes][Goodput ratio: 90/91][4.57 sec][bytes ratio: -0.151 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 347/256 2336/2336 693/595][Pkt Len c2s/s2c min/avg/max/stddev: 79/79 417/465 1243/1227 434/401][PLAIN TEXT (TBHSWF)][Plen Bins: 0,36,0,0,0,12,6,0,3,6,0,0,0,3,0,0,0,0,0,0,0,0,0,6,6,0,0,0,0,0,3,0,3,3,0,0,0,9,0,0,0,0,0,0,0,0,0,0] + 14 UDP 192.168.1.6:51681 <-> 52.114.77.136:3478 [proto: 125/Skype_Teams][IP: 276/Azure][Encrypted][Confidence: Match by port][DPI packets: 12][cat: VoIP/10][14 pkts/5838 bytes <-> 17 pkts/7907 bytes][Goodput ratio: 90/91][4.57 sec][bytes ratio: -0.151 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 347/256 2336/2336 693/595][Pkt Len c2s/s2c min/avg/max/stddev: 79/79 417/465 1243/1227 434/401][PLAIN TEXT (TBHSWF)][Plen Bins: 0,36,0,0,0,12,6,0,3,6,0,0,0,3,0,0,0,0,0,0,0,0,0,6,6,0,0,0,0,0,3,0,3,3,0,0,0,9,0,0,0,0,0,0,0,0,0,0] 15 TCP 192.168.1.6:60547 <-> 52.114.88.59:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 14][cat: Collaborative/15][20 pkts/3926 bytes <-> 15 pkts/8828 bytes][Goodput ratio: 66/89][0.32 sec][Hostname/SNI: chatsvcagg.teams.microsoft.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.384 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 13/25 91/80 23/31][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 196/589 1494/1506 320/612][TLSv1.2][JA3C: ebf5e0e525258d7a8dcb54aa1564ecbd][Plen Bins: 0,21,10,5,0,5,10,5,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,5,21,0,0] 16 TCP 192.168.1.6:60565 <-> 52.114.108.8:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][19 pkts/3306 bytes <-> 14 pkts/9053 bytes][Goodput ratio: 61/90][0.43 sec][Hostname/SNI: emea.ng.msg.teams.microsoft.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.465 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27/12 276/54 68/17][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 174/647 1060/1506 238/633][TLSv1.2][JA3C: ebf5e0e525258d7a8dcb54aa1564ecbd][Plen Bins: 0,22,16,5,0,0,5,0,0,0,0,0,0,5,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,5,0,0,0,0,22,0,0] 17 TCP 192.168.1.6:60541 <-> 52.114.75.69:443 [proto: 91.125/TLS.Skype_Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 10][cat: VoIP/10][13 pkts/4051 bytes <-> 9 pkts/7973 bytes][Goodput ratio: 79/92][0.14 sec][Hostname/SNI: eu-api.asm.skype.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.326 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/11 31/36 14/16][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 312/886 1494/1506 422/676][TLSv1.2][JA3C: 74d5fa154a7fc0a7c655d8eaa34b89bf][ServerNames: *.asm.skype.com][JA3S: 986571066668055ae9481cb84fda634a][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1][Subject: CN=*.asm.skype.com][Certificate SHA-1: B9:41:1D:AE:56:09:68:D2:07:D0:69:E1:68:00:08:2B:EF:63:1E:48][Validity: 2019-05-07 12:50:03 - 2021-05-07 12:50:03][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,8,0,8,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,8,34,0,0] diff --git a/tests/cfgs/default/pcap/stun_dtls_unidirectional_client.pcap b/tests/cfgs/default/pcap/stun_dtls_unidirectional_client.pcap Binary files differnew file mode 100644 index 000000000..108b7c469 --- /dev/null +++ b/tests/cfgs/default/pcap/stun_dtls_unidirectional_client.pcap diff --git a/tests/cfgs/default/pcap/stun_dtls_unidirectional_server.pcap b/tests/cfgs/default/pcap/stun_dtls_unidirectional_server.pcap Binary files differnew file mode 100644 index 000000000..9d33cd726 --- /dev/null +++ b/tests/cfgs/default/pcap/stun_dtls_unidirectional_server.pcap diff --git a/tests/cfgs/default/pcap/stun_tcp_multiple_msgs_same_pkt.pcap b/tests/cfgs/default/pcap/stun_tcp_multiple_msgs_same_pkt.pcap Binary files differnew file mode 100644 index 000000000..6fd842126 --- /dev/null +++ b/tests/cfgs/default/pcap/stun_tcp_multiple_msgs_same_pkt.pcap diff --git a/tests/cfgs/default/pcap/stun_zoom.pcapng b/tests/cfgs/default/pcap/stun_zoom.pcapng Binary files differnew file mode 100644 index 000000000..9ef90002b --- /dev/null +++ b/tests/cfgs/default/pcap/stun_zoom.pcapng diff --git a/tests/cfgs/default/pcap/telegram_videocall.pcapng b/tests/cfgs/default/pcap/telegram_videocall.pcapng Binary files differnew file mode 100644 index 000000000..9829fbffe --- /dev/null +++ b/tests/cfgs/default/pcap/telegram_videocall.pcapng diff --git a/tests/cfgs/default/result/adult_content.pcap.out b/tests/cfgs/default/result/adult_content.pcap.out index 09b2b41bc..feb469bd3 100644 --- a/tests/cfgs/default/result/adult_content.pcap.out +++ b/tests/cfgs/default/result/adult_content.pcap.out @@ -2,11 +2,11 @@ Guessed flow protos: 0 DPI Packets (UDP): 4 (4.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 149 (149.00 diss/flow) +Num dissector calls: 6 (6.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) -LRU cache bittorrent: 0/3/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 2/10/0 (insert/search/found) +LRU cache stun: 2/6/0 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) @@ -14,9 +14,9 @@ LRU cache stun_zoom: 0/0/0 (insert/search/found) Automa host: 0/0 (search/found) Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) -Automa risk mask: 0/0 (search/found) +Automa risk mask: 1/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 0/0 (search/found) +Patricia risk mask: 2/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) diff --git a/tests/cfgs/default/result/custom_rules_ipv6.pcapng.out b/tests/cfgs/default/result/custom_rules_ipv6.pcapng.out index 79f079bed..a7f7365d0 100644 --- a/tests/cfgs/default/result/custom_rules_ipv6.pcapng.out +++ b/tests/cfgs/default/result/custom_rules_ipv6.pcapng.out @@ -29,8 +29,8 @@ CustomProtocolF 1 1287 1 CustomProtocolG 1 318 1 CustomProtocolH 1 318 1 - 1 UDP [247f:855b:5e16:3caf:3f2c:4134:9592:661b]:100 -> [21bc:b273:7f68:88d7:77a8:585:3990:927b]:1991 [proto: 365/CustomProtocolE][IP: 365/CustomProtocolE][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/1287 bytes -> 0 pkts/0 bytes][Goodput ratio: 95/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0] - 2 UDP [247f:855b:5e16:3caf:3f2c:4134:9592:661b]:36098 -> [21bc:b273:7f68:88d7:77a8:585:3990:927b]:50621 [proto: 366/CustomProtocolF][IP: 366/CustomProtocolF][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/1287 bytes -> 0 pkts/0 bytes][Goodput ratio: 95/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0] - 3 UDP [3ffe:507::1:200:86ff:fe05:80da]:21554 <-> [3ffe:501:4819::42]:5333 [proto: 364/CustomProtocolD][IP: 364/CustomProtocolD][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/90 bytes <-> 1 pkts/510 bytes][Goodput ratio: 31/88][0.07 sec][PLAIN TEXT (itojun)][Plen Bins: 50,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 4 UDP [fe80::76ac:b9ff:fe6c:c124]:12717 -> [ff02::1]:64315 [proto: 367/CustomProtocolG][IP: 367/CustomProtocolG][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/318 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][< 1 sec][PLAIN TEXT (BZ.qca956)][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 5 UDP [fe80::76ac:b9ff:fe6c:c124]:12718 -> [ff02::1]:26993 [proto: 368/CustomProtocolH][IP: 368/CustomProtocolH][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/318 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][< 1 sec][PLAIN TEXT (BZ.qca956)][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP [247f:855b:5e16:3caf:3f2c:4134:9592:661b]:100 -> [21bc:b273:7f68:88d7:77a8:585:3990:927b]:1991 [proto: 366/CustomProtocolE][IP: 366/CustomProtocolE][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/1287 bytes -> 0 pkts/0 bytes][Goodput ratio: 95/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0] + 2 UDP [247f:855b:5e16:3caf:3f2c:4134:9592:661b]:36098 -> [21bc:b273:7f68:88d7:77a8:585:3990:927b]:50621 [proto: 367/CustomProtocolF][IP: 367/CustomProtocolF][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/1287 bytes -> 0 pkts/0 bytes][Goodput ratio: 95/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0] + 3 UDP [3ffe:507::1:200:86ff:fe05:80da]:21554 <-> [3ffe:501:4819::42]:5333 [proto: 365/CustomProtocolD][IP: 365/CustomProtocolD][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/90 bytes <-> 1 pkts/510 bytes][Goodput ratio: 31/88][0.07 sec][PLAIN TEXT (itojun)][Plen Bins: 50,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 UDP [fe80::76ac:b9ff:fe6c:c124]:12717 -> [ff02::1]:64315 [proto: 368/CustomProtocolG][IP: 368/CustomProtocolG][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/318 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][< 1 sec][PLAIN TEXT (BZ.qca956)][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 UDP [fe80::76ac:b9ff:fe6c:c124]:12718 -> [ff02::1]:26993 [proto: 369/CustomProtocolH][IP: 369/CustomProtocolH][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/318 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][< 1 sec][PLAIN TEXT (BZ.qca956)][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/custom_rules_same-ip_multiple_ports.pcapng.out b/tests/cfgs/default/result/custom_rules_same-ip_multiple_ports.pcapng.out index 3f5c107a0..62814bf17 100644 --- a/tests/cfgs/default/result/custom_rules_same-ip_multiple_ports.pcapng.out +++ b/tests/cfgs/default/result/custom_rules_same-ip_multiple_ports.pcapng.out @@ -27,6 +27,6 @@ CustomProtocolA 3 222 1 CustomProtocolB 2 148 1 Unknown 3 222 1 - 1 TCP 192.168.1.245:56866 -> 3.3.3.3:443 [proto: 91.361/TLS.CustomProtocolA][IP: 361/CustomProtocolA][Encrypted][Confidence: Unknown][DPI packets: 1][cat: Web/5][3 pkts/222 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][3.05 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 TCP 192.168.1.245:58288 -> 3.3.3.3:446 [proto: 400/CustomProtocolC][IP: 363/Unknown][Encrypted][Confidence: Unknown][DPI packets: 1][3 pkts/222 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][3.04 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 TCP 192.168.1.245:59682 -> 3.3.3.3:444 [proto: 362/CustomProtocolB][IP: 362/CustomProtocolB][ClearText][Confidence: Unknown][DPI packets: 1][2 pkts/148 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][1.02 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 TCP 192.168.1.245:56866 -> 3.3.3.3:443 [proto: 91.362/TLS.CustomProtocolA][IP: 362/CustomProtocolA][Encrypted][Confidence: Unknown][DPI packets: 1][cat: Web/5][3 pkts/222 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][3.05 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 TCP 192.168.1.245:58288 -> 3.3.3.3:446 [proto: 400/CustomProtocolC][IP: 364/Unknown][Encrypted][Confidence: Unknown][DPI packets: 1][3 pkts/222 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][3.04 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 TCP 192.168.1.245:59682 -> 3.3.3.3:444 [proto: 363/CustomProtocolB][IP: 363/CustomProtocolB][ClearText][Confidence: Unknown][DPI packets: 1][2 pkts/148 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][1.02 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/geforcenow.pcapng.out b/tests/cfgs/default/result/geforcenow.pcapng.out index 0d2033944..3c76f4fbd 100644 --- a/tests/cfgs/default/result/geforcenow.pcapng.out +++ b/tests/cfgs/default/result/geforcenow.pcapng.out @@ -1,20 +1,20 @@ Guessed flow protos: 0 DPI Packets (TCP): 7 (7.00 pkts/flow) -DPI Packets (UDP): 7 (7.00 pkts/flow) +DPI Packets (UDP): 9 (9.00 pkts/flow) Confidence DPI : 2 (flows) -Num dissector calls: 136 (68.00 diss/flow) +Num dissector calls: 9 (4.50 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 0/6/0 (insert/search/found) -LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache stun: 0/8/0 (insert/search/found) +LRU cache tls_cert: 1/5/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) LRU cache stun_zoom: 0/0/0 (insert/search/found) Automa host: 1/1 (search/found) Automa domain: 1/0 (search/found) -Automa tls cert: 0/0 (search/found) +Automa tls cert: 1/1 (search/found) Automa risk mask: 0/0 (search/found) Automa common alpns: 1/1 (search/found) Patricia risk mask: 2/0 (search/found) @@ -24,13 +24,12 @@ Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/2 (search/found) Patricia protocols IPv6: 0/0 (search/found) -STUN 54 20349 1 -GeForceNow 54 48651 1 +GeForceNow 108 69000 2 JA3 Host Stats: IP Address # JA3C - 1 192.168.1.245 1 + 1 192.168.1.245 2 1 TCP 192.168.1.245:57490 <-> 80.84.167.206:49100 [proto: 91.341/TLS.GeForceNow][IP: 342/Nvidia][Encrypted][Confidence: DPI][DPI packets: 7][cat: Game/8][27 pkts/8759 bytes <-> 27 pkts/39892 bytes][Goodput ratio: 80/96][1.34 sec][Hostname/SNI: 80-84-167-206.cloudmatchbeta.nvidiagrid.net][(Advertised) ALPNs: http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2][bytes ratio: -0.640 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 56/12 946/84 200/21][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 324/1477 2962/2962 631/1355][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.2][JA3C: 021c7413ddeb0d58973451b0e3b19eca][ServerNames: prod.cloudmatchbeta.nvidiagrid.net,*.cloudmatchbeta.nvidiagrid.net][JA3S: 098e26e2609212ac1bfac552fbe04127][Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1][Subject: C=US, ST=California, L=Santa Clara, O=NVIDIA Corporation, CN=prod.cloudmatchbeta.nvidiagrid.net][Certificate SHA-1: 8C:24:BC:2B:01:63:B9:AC:83:90:F3:A9:F9:EA:72:5E:F4:47:A2:77][Chrome][Validity: 2022-08-09 00:00:00 - 2023-08-09 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,23,2,0,0,5,0,0,14,0,2,0,0,0,0,0,5,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,42] - 2 UDP 192.168.1.245:52441 <-> 80.84.167.206:18452 [proto: 78/STUN][IP: 342/Nvidia][ClearText][Confidence: DPI][DPI packets: 7][cat: Network/14][21 pkts/3455 bytes <-> 33 pkts/16894 bytes][Goodput ratio: 74/92][1.03 sec][bytes ratio: -0.660 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 51/30 360/689 91/130][Pkt Len c2s/s2c min/avg/max/stddev: 87/67 165/512 582/1222 101/514][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (BffATDg/Gz0)][Plen Bins: 1,17,33,9,12,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 192.168.1.245:52441 <-> 80.84.167.206:18452 [proto: 30.341/DTLS.GeForceNow][IP: 342/Nvidia][Encrypted][Confidence: DPI][DPI packets: 9][cat: Game/8][21 pkts/3455 bytes <-> 33 pkts/16894 bytes][Goodput ratio: 74/92][1.03 sec][bytes ratio: -0.660 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 51/30 360/689 91/130][Pkt Len c2s/s2c min/avg/max/stddev: 87/67 165/512 582/1222 101/514][Risk: ** Known Proto on Non Std Port **** Self-signed Cert **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** TLS Cert Validity Too Long **][Risk Score: 260][Risk Info: No ALPN / TLS Cert lasts 730 days / CN=NVIDIA GameStream][DTLSv1.2][JA3C: c14667d7da3e6f7a7ab5519ef78c2452][JA3S: a9e0318114bb46bdbeef6d54e42c915f][Issuer: CN=NVIDIA GameStream][Subject: CN=NVIDIA GameStream][Certificate SHA-1: D1:FC:74:AD:A0:6F:11:C1:F4:4D:F9:4C:2B:25:88:A6:2B:6E:65:1E][Validity: 2022-05-21 12:24:31 - 2024-05-20 12:24:31][Cipher: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256][PLAIN TEXT (BffATDg/Gz0)][Plen Bins: 1,17,33,9,12,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/lru_ipv6_caches.pcapng.out b/tests/cfgs/default/result/lru_ipv6_caches.pcapng.out index a66423899..8f1612b07 100644 --- a/tests/cfgs/default/result/lru_ipv6_caches.pcapng.out +++ b/tests/cfgs/default/result/lru_ipv6_caches.pcapng.out @@ -1,14 +1,14 @@ Guessed flow protos: 3 DPI Packets (TCP): 9 (3.00 pkts/flow) -DPI Packets (UDP): 39 (4.33 pkts/flow) +DPI Packets (UDP): 36 (4.00 pkts/flow) Confidence DPI (cache) : 6 (flows) Confidence DPI : 6 (flows) -Num dissector calls: 765 (63.75 diss/flow) +Num dissector calls: 755 (62.92 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 25/12/4 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 2/18/4 (insert/search/found) +LRU cache stun: 6/8/0 (insert/search/found) LRU cache tls_cert: 1/3/2 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) @@ -34,7 +34,7 @@ JA3 Host Stats: IP Address # JA3C - 1 UDP [32fb:f967:681e:e96b:face:b00c::74fd]:3478 <-> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080]:45658 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 15][cat: Network/14][14 pkts/1612 bytes <-> 16 pkts/1838 bytes][Goodput ratio: 46/46][2.71 sec][bytes ratio: -0.066 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 12/1 188/155 778/396 231/147][Pkt Len c2s/s2c min/avg/max/stddev: 84/84 115/115 214/206 44/39][PLAIN TEXT (4/WtFTidwfa)][Plen Bins: 46,23,16,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP [32fb:f967:681e:e96b:face:b00c::74fd]:3478 <-> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080]:45658 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 12][cat: Network/14][14 pkts/1612 bytes <-> 16 pkts/1838 bytes][Goodput ratio: 46/46][2.71 sec][bytes ratio: -0.066 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 12/1 188/155 778/396 231/147][Pkt Len c2s/s2c min/avg/max/stddev: 84/84 115/115 214/206 44/39][PLAIN TEXT (4/WtFTidwfa)][Plen Bins: 46,23,16,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 2 TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44144 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.16 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] 3 TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44150 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI (cache)][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.15 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] 4 TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44192 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI (cache)][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.15 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] diff --git a/tests/cfgs/default/result/skype-conference-call.pcap.out b/tests/cfgs/default/result/skype-conference-call.pcap.out index b8805504a..8e4ff578e 100644 --- a/tests/cfgs/default/result/skype-conference-call.pcap.out +++ b/tests/cfgs/default/result/skype-conference-call.pcap.out @@ -6,7 +6,7 @@ Num dissector calls: 6 (6.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 2/4/0 (insert/search/found) +LRU cache stun: 2/0/0 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/1/0 (insert/search/found) diff --git a/tests/cfgs/default/result/stun.pcap.out b/tests/cfgs/default/result/stun.pcap.out index 14b8b5614..a396239ff 100644 --- a/tests/cfgs/default/result/stun.pcap.out +++ b/tests/cfgs/default/result/stun.pcap.out @@ -1,24 +1,24 @@ Guessed flow protos: 0 -DPI Packets (TCP): 7 (3.50 pkts/flow) -DPI Packets (UDP): 18 (6.00 pkts/flow) +DPI Packets (TCP): 9 (4.50 pkts/flow) +DPI Packets (UDP): 8 (2.67 pkts/flow) Confidence DPI : 5 (flows) -Num dissector calls: 589 (117.80 diss/flow) +Num dissector calls: 20 (4.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) -LRU cache bittorrent: 0/3/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 4/34/0 (insert/search/found) -LRU cache tls_cert: 1/2/0 (insert/search/found) +LRU cache stun: 6/22/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) LRU cache stun_zoom: 0/0/0 (insert/search/found) Automa host: 0/0 (search/found) Automa domain: 0/0 (search/found) -Automa tls cert: 1/1 (search/found) -Automa risk mask: 0/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 1/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 2/0 (search/found) -Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk mask: 4/0 (search/found) +Patricia risk mask IPv6: 2/0 (search/found) Patricia risk: 1/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 6/2 (search/found) @@ -29,13 +29,8 @@ STUN 62 7620 2 GoogleHangoutDuo 33 6292 1 FacebookVoip 75 10554 1 -JA3 Host Stats: - IP Address # JA3C - 1 192.168.12.169 1 - - 1 UDP 192.168.12.169:38123 <-> 31.13.86.54:40003 [proto: 78.268/STUN.FacebookVoip][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 2][cat: VoIP/10][40 pkts/6134 bytes <-> 35 pkts/4420 bytes][Goodput ratio: 73/67][10.09 sec][Hostname/SNI: turner.facebook][bytes ratio: 0.162 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 260/331 6004/5997 1040/1126][Pkt Len c2s/s2c min/avg/max/stddev: 70/68 153/126 190/174 31/39][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (unauthorized)][Plen Bins: 8,14,9,28,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 UDP 192.168.12.169:49153 <-> 142.250.82.99:3478 [proto: 30.201/DTLS.GoogleHangoutDuo][IP: 126/Google][Encrypted][Confidence: DPI][DPI packets: 5][cat: VoIP/10][18 pkts/2856 bytes <-> 15 pkts/3436 bytes][Goodput ratio: 74/82][2.12 sec][bytes ratio: -0.092 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 8/0 88/153 699/625 177/222][Pkt Len c2s/s2c min/avg/max/stddev: 107/76 159/229 588/1240 107/297][Risk: ** Self-signed Cert **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **][Risk Score: 160][Risk Info: No ALPN / CN=hangouts][DTLSv1.2][JA3C: c14667d7da3e6f7a7ab5519ef78c2452][JA3S: 1f5d6a6d0bc5d514dd84d13e6283d309][Issuer: CN=hangouts][Subject: CN=hangouts][Certificate SHA-1: 6C:D0:9A:70:A1:F1:9E:BF:8E:EF:FE:B6:F1:37:A3:E8:8A:3B:F7:C8][Validity: 2022-03-17 02:11:17 - 2023-03-18 02:11:17][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (BwlkYDtFJ)][Plen Bins: 0,6,57,21,6,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0] - 3 UDP [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603]:56880 <-> [2a38:e156:8167:a333:face:b00c::24d9]:3478 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 11][cat: Network/14][21 pkts/1722 bytes <-> 21 pkts/2226 bytes][Goodput ratio: 24/41][191.49 sec][bytes ratio: -0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/2 9451/9451 10358/10358 2441/2441][Pkt Len c2s/s2c min/avg/max/stddev: 82/106 82/106 82/106 0/0][PLAIN TEXT (WOBTrOXR)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 4 TCP 87.47.100.17:3478 <-> 54.1.57.155:37257 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][9 pkts/1494 bytes <-> 11 pkts/2178 bytes][Goodput ratio: 60/67][0.95 sec][Hostname/SNI: apps-host.com][bytes ratio: -0.186 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 104/96 267/252 102/93][Pkt Len c2s/s2c min/avg/max/stddev: 74/94 166/198 234/354 41/65][PLAIN TEXT (Unauthorized)][Plen Bins: 10,0,15,21,42,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 192.168.12.169:49153 <-> 142.250.82.99:3478 [proto: 78.201/STUN.GoogleHangoutDuo][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][18 pkts/2856 bytes <-> 15 pkts/3436 bytes][Goodput ratio: 74/82][2.12 sec][bytes ratio: -0.092 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 8/0 88/153 699/625 177/222][Pkt Len c2s/s2c min/avg/max/stddev: 107/76 159/229 588/1240 107/297][PLAIN TEXT (BwlkYDtFJ)][Plen Bins: 0,6,57,21,6,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0] + 3 UDP [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603]:56880 <-> [2a38:e156:8167:a333:face:b00c::24d9]:3478 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 5][cat: Network/14][21 pkts/1722 bytes <-> 21 pkts/2226 bytes][Goodput ratio: 24/41][191.49 sec][bytes ratio: -0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/2 9451/9451 10358/10358 2441/2441][Pkt Len c2s/s2c min/avg/max/stddev: 82/106 82/106 82/106 0/0][PLAIN TEXT (WOBTrOXR)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 TCP 87.47.100.17:3478 <-> 54.1.57.155:37257 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Network/14][9 pkts/1494 bytes <-> 11 pkts/2178 bytes][Goodput ratio: 60/67][0.95 sec][Hostname/SNI: apps-host.com][bytes ratio: -0.186 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 104/96 267/252 102/93][Pkt Len c2s/s2c min/avg/max/stddev: 74/94 166/198 234/354 41/65][PLAIN TEXT (Unauthorized)][Plen Bins: 10,0,15,21,42,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 TCP 10.77.110.51:41588 <-> 10.206.50.239:42000 [VLAN: 1611][proto: 78.38/STUN.Skype_TeamsCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 3][cat: VoIP/10][7 pkts/1006 bytes <-> 8 pkts/1118 bytes][Goodput ratio: 58/57][1.05 sec][bytes ratio: -0.053 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 189/134 369/399 144/153][Pkt Len c2s/s2c min/avg/max/stddev: 70/64 144/140 164/172 31/43][Plen Bins: 0,0,25,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/stun_classic.pcap.out b/tests/cfgs/default/result/stun_classic.pcap.out index 69e95ad29..734f2e98d 100644 --- a/tests/cfgs/default/result/stun_classic.pcap.out +++ b/tests/cfgs/default/result/stun_classic.pcap.out @@ -1,8 +1,8 @@ Guessed flow protos: 0 -DPI Packets (UDP): 5 (5.00 pkts/flow) +DPI Packets (UDP): 3 (3.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 171 (171.00 diss/flow) +Num dissector calls: 6 (6.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) @@ -16,7 +16,7 @@ Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 0/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 0/0 (search/found) +Patricia risk mask: 2/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) @@ -25,4 +25,4 @@ Patricia protocols IPv6: 0/0 (search/found) RTP 22 1624 1 - 1 UDP 172.16.63.224:55050 <-> 172.16.63.21:13958 [proto: 78.87/STUN.RTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 5][cat: Media/1][9 pkts/662 bytes <-> 13 pkts/962 bytes][Goodput ratio: 43/43][0.23 sec][bytes ratio: -0.185 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 4/0 32/17 101/42 32/11][Pkt Len c2s/s2c min/avg/max/stddev: 70/74 74/74 74/74 1/0][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Plen Bins: 4,95,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 172.16.63.224:55050 <-> 172.16.63.21:13958 [proto: 78.87/STUN.RTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 3][cat: Network/14][9 pkts/662 bytes <-> 13 pkts/962 bytes][Goodput ratio: 43/43][0.23 sec][bytes ratio: -0.185 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 4/0 32/17 101/42 32/11][Pkt Len c2s/s2c min/avg/max/stddev: 70/74 74/74 74/74 1/0][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Plen Bins: 4,95,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/stun_dtls_unidirectional_client.pcap.out b/tests/cfgs/default/result/stun_dtls_unidirectional_client.pcap.out new file mode 100644 index 000000000..9edd39028 --- /dev/null +++ b/tests/cfgs/default/result/stun_dtls_unidirectional_client.pcap.out @@ -0,0 +1,33 @@ +Guessed flow protos: 0 + +DPI Packets (UDP): 4 (4.00 pkts/flow) +Confidence DPI : 1 (flows) +Num dissector calls: 6 (6.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache zoom: 0/0/0 (insert/search/found) +LRU cache stun: 0/4/0 (insert/search/found) +LRU cache tls_cert: 0/1/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache stun_zoom: 0/0/0 (insert/search/found) +Automa host: 0/0 (search/found) +Automa domain: 0/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 2/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 1/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 2/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +DTLS 6 1708 1 + +JA3 Host Stats: + IP Address # JA3C + 1 26.83.9.81 1 + + + 1 UDP 26.83.9.81:57567 -> 33.35.223.103:540 [proto: 30/DTLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 4][6 pkts/1708 bytes -> 0 pkts/0 bytes][Goodput ratio: 85/0][1.16 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 232/0 299/0 116/0][Pkt Len c2s/s2c min/avg/max/stddev: 106/0 285/0 873/0 267/0][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Unidirectional Traffic **][Risk Score: 120][Risk Info: No server to client traffic / No ALPN][DTLSv1.0][JA3C: f5eee7bc59657db39e2b9cdd401d78b7][PLAIN TEXT (ugPnBzE)][Plen Bins: 0,0,16,51,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/stun_dtls_unidirectional_server.pcap.out b/tests/cfgs/default/result/stun_dtls_unidirectional_server.pcap.out new file mode 100644 index 000000000..82f672fc4 --- /dev/null +++ b/tests/cfgs/default/result/stun_dtls_unidirectional_server.pcap.out @@ -0,0 +1,32 @@ +Guessed flow protos: 0 + +DPI Packets (UDP): 3 (3.00 pkts/flow) +Confidence DPI : 1 (flows) +Num dissector calls: 6 (6.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache zoom: 0/0/0 (insert/search/found) +LRU cache stun: 0/4/0 (insert/search/found) +LRU cache tls_cert: 0/1/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache stun_zoom: 0/0/0 (insert/search/found) +Automa host: 0/0 (search/found) +Automa domain: 0/0 (search/found) +Automa tls cert: 1/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 2/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 1/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 2/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +DTLS 6 1563 1 + +JA3 Host Stats: + IP Address # JA3C + + + 1 UDP 33.35.223.103:540 -> 26.83.9.81:57567 [proto: 30/DTLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 3][6 pkts/1563 bytes -> 0 pkts/0 bytes][Goodput ratio: 84/0][1.16 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 232/0 299/0 116/0][Pkt Len c2s/s2c min/avg/max/stddev: 106/0 260/0 958/0 312/0][Risk: ** Known Proto on Non Std Port **** Self-signed Cert **** Unidirectional Traffic **][Risk Score: 160][Risk Info: No client to server traffic / CN=LiveFoundry Inc.][DTLSv1.0][JA3S: 1974c5c625e99dc22d0477079a54aed3][Issuer: CN=LiveFoundry Inc.][Subject: CN=LiveFoundry Inc.][Certificate SHA-1: 23:F4:E7:42:93:22:91:BB:A3:54:70:97:94:2A:DE:AF:26:61:18:98][Validity: 2015-08-27 09:07:05 - 2016-08-27 09:07:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA][PLAIN TEXT (LiveFoundry Inc.0)][Plen Bins: 0,0,67,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/stun_google_meet.pcapng.out b/tests/cfgs/default/result/stun_google_meet.pcapng.out index 4a675be82..b93a2ed49 100644 --- a/tests/cfgs/default/result/stun_google_meet.pcapng.out +++ b/tests/cfgs/default/result/stun_google_meet.pcapng.out @@ -1,12 +1,13 @@ Guessed flow protos: 0 -DPI Packets (UDP): 15 (2.50 pkts/flow) -Confidence DPI : 6 (flows) -Num dissector calls: 650 (108.33 diss/flow) +DPI Packets (UDP): 10 (1.67 pkts/flow) +Confidence DPI (cache) : 2 (flows) +Confidence DPI : 4 (flows) +Num dissector calls: 26 (4.33 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 4/36/8 (insert/search/found) +LRU cache stun: 12/10/2 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) @@ -16,7 +17,7 @@ Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 0/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 2/0 (search/found) +Patricia risk mask: 12/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) @@ -25,9 +26,9 @@ Patricia protocols IPv6: 0/0 (search/found) GoogleHangoutDuo 214 33707 6 - 1 UDP 192.168.12.156:38152 <-> 142.250.82.76:19305 [proto: 78.201/STUN.GoogleHangoutDuo][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 3][cat: VoIP/10][28 pkts/4034 bytes <-> 46 pkts/12188 bytes][Goodput ratio: 71/84][0.87 sec][bytes ratio: -0.503 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 30/10 205/154 50/29][Pkt Len c2s/s2c min/avg/max/stddev: 87/79 144/265 587/1245 89/180][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (HrRgpad)][Plen Bins: 0,8,37,9,4,0,0,0,38,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0] + 1 UDP 192.168.12.156:38152 <-> 142.250.82.76:19305 [proto: 78.201/STUN.GoogleHangoutDuo][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][28 pkts/4034 bytes <-> 46 pkts/12188 bytes][Goodput ratio: 71/84][0.87 sec][bytes ratio: -0.503 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 30/10 205/154 50/29][Pkt Len c2s/s2c min/avg/max/stddev: 87/79 144/265 587/1245 89/180][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (HrRgpad)][Plen Bins: 0,8,37,9,4,0,0,0,38,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0] 2 UDP 192.168.12.156:38152 <-> 142.250.82.76:3478 [proto: 78.201/STUN.GoogleHangoutDuo][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][55 pkts/7402 bytes <-> 24 pkts/3525 bytes][Goodput ratio: 69/71][6.63 sec][bytes ratio: 0.355 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/2 109/184 402/761 143/224][Pkt Len c2s/s2c min/avg/max/stddev: 87/82 135/147 423/579 69/115][PLAIN TEXT (HrRgpad)][Plen Bins: 0,39,34,15,0,1,0,0,5,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 UDP 192.168.12.156:45400 <-> 142.250.82.76:3478 [proto: 78.201/STUN.GoogleHangoutDuo][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 3][cat: VoIP/10][17 pkts/2694 bytes <-> 16 pkts/1696 bytes][Goodput ratio: 73/60][54.70 sec][bytes ratio: 0.227 (Upload)][IAT c2s/s2c min/avg/max/stddev: 90/78 3250/2028 17905/6554 4698/2127][Pkt Len c2s/s2c min/avg/max/stddev: 158/106 158/106 166/106 2/0][PLAIN TEXT (HrRgpad)][Plen Bins: 0,0,48,51,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 4 UDP 192.168.12.156:38152 <-> 74.125.128.127:19302 [proto: 78.201/STUN.GoogleHangoutDuo][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 3][cat: VoIP/10][6 pkts/372 bytes <-> 6 pkts/444 bytes][Goodput ratio: 32/43][50.12 sec][bytes ratio: -0.088 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 10019/10019 10022/10021 10026/10025 3/3][Pkt Len c2s/s2c min/avg/max/stddev: 62/74 62/74 62/74 0/0][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (kAGNNzv)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 5 UDP 192.168.12.156:45400 <-> 74.125.128.127:19302 [proto: 78.201/STUN.GoogleHangoutDuo][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 3][cat: VoIP/10][6 pkts/372 bytes <-> 6 pkts/444 bytes][Goodput ratio: 32/43][50.12 sec][bytes ratio: -0.088 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 10020/10019 10022/10021 10026/10025 3/3][Pkt Len c2s/s2c min/avg/max/stddev: 62/74 62/74 62/74 0/0][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (tcEcaq476)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 6 UDP 192.168.12.156:45400 <-> 142.250.82.76:19305 [proto: 78.201/STUN.GoogleHangoutDuo][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 2][cat: VoIP/10][2 pkts/324 bytes <-> 2 pkts/212 bytes][Goodput ratio: 74/60][0.63 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (ByyD/CC)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 UDP 192.168.12.156:45400 <-> 142.250.82.76:3478 [proto: 78.201/STUN.GoogleHangoutDuo][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][17 pkts/2694 bytes <-> 16 pkts/1696 bytes][Goodput ratio: 73/60][54.70 sec][bytes ratio: 0.227 (Upload)][IAT c2s/s2c min/avg/max/stddev: 90/78 3250/2028 17905/6554 4698/2127][Pkt Len c2s/s2c min/avg/max/stddev: 158/106 158/106 166/106 2/0][PLAIN TEXT (HrRgpad)][Plen Bins: 0,0,48,51,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 UDP 192.168.12.156:38152 <-> 74.125.128.127:19302 [proto: 78.201/STUN.GoogleHangoutDuo][IP: 126/Google][ClearText][Confidence: DPI (cache)][DPI packets: 3][cat: Network/14][6 pkts/372 bytes <-> 6 pkts/444 bytes][Goodput ratio: 32/43][50.12 sec][bytes ratio: -0.088 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 10019/10019 10022/10021 10026/10025 3/3][Pkt Len c2s/s2c min/avg/max/stddev: 62/74 62/74 62/74 0/0][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (kAGNNzv)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 UDP 192.168.12.156:45400 <-> 74.125.128.127:19302 [proto: 78.201/STUN.GoogleHangoutDuo][IP: 126/Google][ClearText][Confidence: DPI (cache)][DPI packets: 3][cat: Network/14][6 pkts/372 bytes <-> 6 pkts/444 bytes][Goodput ratio: 32/43][50.12 sec][bytes ratio: -0.088 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 10020/10019 10022/10021 10026/10025 3/3][Pkt Len c2s/s2c min/avg/max/stddev: 62/74 62/74 62/74 0/0][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (tcEcaq476)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 UDP 192.168.12.156:45400 <-> 142.250.82.76:19305 [proto: 78.201/STUN.GoogleHangoutDuo][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][2 pkts/324 bytes <-> 2 pkts/212 bytes][Goodput ratio: 74/60][0.63 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (ByyD/CC)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/stun_msteams_unidir.pcapng.out b/tests/cfgs/default/result/stun_msteams_unidir.pcapng.out index ccc9348b6..293039798 100644 --- a/tests/cfgs/default/result/stun_msteams_unidir.pcapng.out +++ b/tests/cfgs/default/result/stun_msteams_unidir.pcapng.out @@ -1,15 +1,15 @@ Guessed flow protos: 0 -DPI Packets (UDP): 7 (7.00 pkts/flow) +DPI Packets (UDP): 1 (1.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 193 (193.00 diss/flow) +Num dissector calls: 6 (6.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) -LRU cache bittorrent: 0/3/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 0/6/0 (insert/search/found) +LRU cache stun: 2/0/0 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) -LRU cache msteams: 1/0/0 (insert/search/found) +LRU cache msteams: 0/1/0 (insert/search/found) LRU cache stun_zoom: 0/0/0 (insert/search/found) Automa host: 0/0 (search/found) Automa domain: 0/0 (search/found) @@ -23,6 +23,6 @@ Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Skype_Teams 12 5944 1 +Skype_TeamsCall 12 5944 1 - 1 UDP 52.115.136.55:3479 -> 10.0.0.1:50006 [proto: 78.125/STUN.Skype_Teams][IP: 276/Azure][ClearText][Confidence: DPI][DPI packets: 7][cat: VoIP/10][12 pkts/5944 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][4.53 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 453/0 1210/0 379/0][Pkt Len c2s/s2c min/avg/max/stddev: 81/0 495/0 1257/0 539/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,16,33,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0] + 1 UDP 52.115.136.55:3479 -> 10.0.0.1:50006 [proto: 78.38/STUN.Skype_TeamsCall][IP: 276/Azure][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][12 pkts/5944 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][4.53 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 453/0 1210/0 379/0][Pkt Len c2s/s2c min/avg/max/stddev: 81/0 495/0 1257/0 539/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,16,33,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/stun_signal.pcapng.out b/tests/cfgs/default/result/stun_signal.pcapng.out index 177184f49..6a52312cf 100644 --- a/tests/cfgs/default/result/stun_signal.pcapng.out +++ b/tests/cfgs/default/result/stun_signal.pcapng.out @@ -1,14 +1,14 @@ -Guessed flow protos: 1 +Guessed flow protos: 0 -DPI Packets (UDP): 111 (5.29 pkts/flow) +DPI Packets (UDP): 36 (1.71 pkts/flow) DPI Packets (other): 2 (1.00 pkts/flow) -Confidence DPI (partial) : 1 (flows) -Confidence DPI : 22 (flows) -Num dissector calls: 2656 (115.48 diss/flow) +Confidence DPI (cache) : 19 (flows) +Confidence DPI : 4 (flows) +Num dissector calls: 104 (4.52 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) -LRU cache bittorrent: 0/27/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 4/170/20 (insert/search/found) +LRU cache stun: 40/56/19 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) @@ -18,37 +18,37 @@ Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 0/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 28/0 (search/found) +Patricia risk mask: 46/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 25/23 (search/found) Patricia protocols IPv6: 0/0 (search/found) -STUN 202 18738 9 +STUN 106 12322 1 ICMP 53 5186 2 -SignalVoip 205 24572 12 +SignalVoip 301 30988 20 - 1 UDP 192.168.12.169:43068 <-> 18.195.131.143:61156 [proto: 78/STUN][IP: 265/AmazonAWS][ClearText][Confidence: DPI][DPI packets: 7][cat: Network/14][48 pkts/4692 bytes <-> 58 pkts/7630 bytes][Goodput ratio: 57/68][12.11 sec][bytes ratio: -0.238 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 224/234 1055/1059 250/294][Pkt Len c2s/s2c min/avg/max/stddev: 70/70 98/132 146/306 23/72][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (BrDwrhkDr//9e)][Plen Bins: 26,31,15,15,5,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 UDP 192.168.12.169:47767 <-> 18.195.131.143:61498 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][18 pkts/1900 bytes <-> 35 pkts/6496 bytes][Goodput ratio: 60/77][2.67 sec][bytes ratio: -0.547 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 173/74 665/630 186/150][Pkt Len c2s/s2c min/avg/max/stddev: 70/70 106/186 146/306 26/92][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (80JiLM)][Plen Bins: 13,16,18,18,9,0,0,0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 192.168.12.169:43068 <-> 18.195.131.143:61156 [proto: 78/STUN][IP: 265/AmazonAWS][ClearText][Confidence: DPI][DPI packets: 5][cat: Network/14][48 pkts/4692 bytes <-> 58 pkts/7630 bytes][Goodput ratio: 57/68][12.11 sec][bytes ratio: -0.238 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 224/234 1055/1059 250/294][Pkt Len c2s/s2c min/avg/max/stddev: 70/70 98/132 146/306 23/72][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (BrDwrhkDr//9e)][Plen Bins: 26,31,15,15,5,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 192.168.12.169:47767 <-> 18.195.131.143:61498 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][18 pkts/1900 bytes <-> 35 pkts/6496 bytes][Goodput ratio: 60/77][2.67 sec][bytes ratio: -0.547 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 173/74 665/630 186/150][Pkt Len c2s/s2c min/avg/max/stddev: 70/70 106/186 146/306 26/92][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (80JiLM)][Plen Bins: 13,16,18,18,9,0,0,0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 3 ICMP 35.158.183.167:0 <-> 192.168.12.169:0 [proto: 81/ICMP][IP: 265/AmazonAWS][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][30 pkts/2780 bytes <-> 4 pkts/552 bytes][Goodput ratio: 55/69][51.83 sec][bytes ratio: 0.669 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 906/1 7931/1 2120/0][Pkt Len c2s/s2c min/avg/max/stddev: 90/138 93/138 98/138 4/0][PLAIN TEXT (BJKHNYBG4)][Plen Bins: 0,88,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 4 UDP 192.168.12.169:43068 <-> 35.158.183.167:3478 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][13 pkts/1598 bytes <-> 13 pkts/1638 bytes][Goodput ratio: 66/67][31.02 sec][bytes ratio: -0.012 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 2090/2098 10035/10033 3616/3611][Pkt Len c2s/s2c min/avg/max/stddev: 62/102 123/126 174/190 47/25][PLAIN TEXT (xYXlLJQ)][Plen Bins: 19,15,26,30,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 5 UDP 192.168.12.169:47767 <-> 35.158.122.211:3478 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI][DPI packets: 3][cat: VoIP/10][11 pkts/1338 bytes <-> 11 pkts/1354 bytes][Goodput ratio: 65/66][22.74 sec][Hostname/SNI: signal.org][bytes ratio: -0.006 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 2483/2337 10020/10020 3944/4010][Pkt Len c2s/s2c min/avg/max/stddev: 62/102 122/123 158/190 44/25][PLAIN TEXT (rMfcsrHE)][Plen Bins: 18,18,27,31,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 6 UDP 192.168.12.169:39950 <-> 35.158.183.167:3478 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][11 pkts/1282 bytes <-> 11 pkts/1290 bytes][Goodput ratio: 64/64][30.98 sec][bytes ratio: -0.003 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 3757/3735 10023/10021 4493/4510][Pkt Len c2s/s2c min/avg/max/stddev: 62/102 117/117 162/134 48/13][PLAIN TEXT (ovaKDk)][Plen Bins: 22,18,31,27,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 7 UDP 192.168.12.169:37970 <-> 35.158.122.211:3478 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI][DPI packets: 3][cat: VoIP/10][10 pkts/1196 bytes <-> 10 pkts/1164 bytes][Goodput ratio: 65/64][22.74 sec][bytes ratio: 0.014 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 1760/2672 10017/10018 3250/3952][Pkt Len c2s/s2c min/avg/max/stddev: 62/102 120/116 158/134 45/13][PLAIN TEXT (BSFWxqj)][Plen Bins: 20,20,30,30,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 UDP 192.168.12.169:43068 <-> 35.158.183.167:3478 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][13 pkts/1598 bytes <-> 13 pkts/1638 bytes][Goodput ratio: 66/67][31.02 sec][bytes ratio: -0.012 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 2090/2098 10035/10033 3616/3611][Pkt Len c2s/s2c min/avg/max/stddev: 62/102 123/126 174/190 47/25][PLAIN TEXT (xYXlLJQ)][Plen Bins: 19,15,26,30,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 UDP 192.168.12.169:47767 <-> 35.158.122.211:3478 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][11 pkts/1338 bytes <-> 11 pkts/1354 bytes][Goodput ratio: 65/66][22.74 sec][bytes ratio: -0.006 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 2483/2337 10020/10020 3944/4010][Pkt Len c2s/s2c min/avg/max/stddev: 62/102 122/123 158/190 44/25][PLAIN TEXT (rMfcsrHE)][Plen Bins: 18,18,27,31,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 UDP 192.168.12.169:39950 <-> 35.158.183.167:3478 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][11 pkts/1282 bytes <-> 11 pkts/1290 bytes][Goodput ratio: 64/64][30.98 sec][bytes ratio: -0.003 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 3757/3735 10023/10021 4493/4510][Pkt Len c2s/s2c min/avg/max/stddev: 62/102 117/117 162/134 48/13][PLAIN TEXT (ovaKDk)][Plen Bins: 22,18,31,27,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 UDP 192.168.12.169:37970 <-> 35.158.122.211:3478 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][10 pkts/1196 bytes <-> 10 pkts/1164 bytes][Goodput ratio: 65/64][22.74 sec][bytes ratio: 0.014 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 1760/2672 10017/10018 3250/3952][Pkt Len c2s/s2c min/avg/max/stddev: 62/102 120/116 158/134 45/13][PLAIN TEXT (BSFWxqj)][Plen Bins: 20,20,30,30,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 8 ICMP 35.158.122.211:0 <-> 192.168.12.169:0 [proto: 81/ICMP][IP: 265/AmazonAWS][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][17 pkts/1578 bytes <-> 2 pkts/276 bytes][Goodput ratio: 55/69][22.73 sec][bytes ratio: 0.702 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1052/0 7992/0 2154/0][Pkt Len c2s/s2c min/avg/max/stddev: 90/138 93/138 98/138 4/0][PLAIN TEXT (braaHWB)][Plen Bins: 0,89,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 9 UDP 192.168.12.169:39950 -> 35.158.183.167:443 [proto: 78/STUN][IP: 265/AmazonAWS][ClearText][Confidence: DPI][DPI packets: 10][cat: Network/14][16 pkts/1056 bytes -> 0 pkts/0 bytes][Goodput ratio: 36/0][23.80 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 37/0 1416/0 7961/0 2721/0][Pkt Len c2s/s2c min/avg/max/stddev: 62/0 66/0 70/0 4/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic / Expected on port 3478][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 10 UDP 192.168.12.169:43068 -> 35.158.183.167:443 [proto: 78/STUN][IP: 265/AmazonAWS][ClearText][Confidence: DPI][DPI packets: 10][cat: Network/14][16 pkts/1056 bytes -> 0 pkts/0 bytes][Goodput ratio: 36/0][23.82 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 60/0 1419/0 7937/0 2708/0][Pkt Len c2s/s2c min/avg/max/stddev: 62/0 66/0 70/0 4/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic / Expected on port 3478][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 UDP 192.168.12.169:39950 -> 35.158.183.167:443 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][16 pkts/1056 bytes -> 0 pkts/0 bytes][Goodput ratio: 36/0][23.80 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 37/0 1416/0 7961/0 2721/0][Pkt Len c2s/s2c min/avg/max/stddev: 62/0 66/0 70/0 4/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic / Expected on port 3478][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 10 UDP 192.168.12.169:43068 -> 35.158.183.167:443 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][16 pkts/1056 bytes -> 0 pkts/0 bytes][Goodput ratio: 36/0][23.82 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 60/0 1419/0 7937/0 2708/0][Pkt Len c2s/s2c min/avg/max/stddev: 62/0 66/0 70/0 4/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic / Expected on port 3478][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 11 UDP 192.168.12.169:39518 <-> 35.158.183.167:3478 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI][DPI packets: 4][cat: VoIP/10][4 pkts/448 bytes <-> 4 pkts/504 bytes][Goodput ratio: 62/67][4.85 sec][Hostname/SNI: signal.org][bytes ratio: -0.059 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 23/30 1612/1611 4762/4754 2228/2222][Pkt Len c2s/s2c min/avg/max/stddev: 62/110 112/126 158/134 46/10][PLAIN TEXT (GBLsrHn)][Plen Bins: 25,0,50,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 12 UDP 192.168.12.169:47204 <-> 35.158.183.167:3478 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI][DPI packets: 3][cat: VoIP/10][4 pkts/448 bytes <-> 4 pkts/504 bytes][Goodput ratio: 62/67][4.85 sec][bytes ratio: -0.059 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 41/42 1612/1612 4721/4721 2198/2199][Pkt Len c2s/s2c min/avg/max/stddev: 62/110 112/126 158/134 46/10][PLAIN TEXT (nYAy610)][Plen Bins: 25,0,50,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 13 UDP 192.168.12.169:37970 -> 35.158.122.211:443 [proto: 78/STUN][IP: 265/AmazonAWS][ClearText][Confidence: DPI][DPI packets: 10][cat: Network/14][14 pkts/924 bytes -> 0 pkts/0 bytes][Goodput ratio: 36/0][15.78 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 984/0 7992/0 2186/0][Pkt Len c2s/s2c min/avg/max/stddev: 62/0 66/0 70/0 4/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic / Expected on port 3478][PLAIN TEXT (braaHWB)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 14 UDP 192.168.12.169:47767 -> 35.158.122.211:443 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI][DPI packets: 3][cat: VoIP/10][14 pkts/924 bytes -> 0 pkts/0 bytes][Goodput ratio: 36/0][15.78 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 982/0 8022/0 2200/0][Pkt Len c2s/s2c min/avg/max/stddev: 62/0 66/0 70/0 4/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic / Expected on port 3478][PLAIN TEXT (BtotYst)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 15 UDP 192.168.12.169:37970 <-> 172.253.121.127:19302 [proto: 78/STUN][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 11][cat: Network/14][6 pkts/372 bytes <-> 6 pkts/444 bytes][Goodput ratio: 32/43][21.39 sec][bytes ratio: -0.088 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 250/250 4201/2720 10126/10103 4828/4263][Pkt Len c2s/s2c min/avg/max/stddev: 62/74 62/74 62/74 0/0][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (BNEmtWH)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 16 UDP 192.168.12.169:39950 <-> 172.253.121.127:19302 [proto: 78/STUN][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 11][cat: Network/14][6 pkts/372 bytes <-> 6 pkts/444 bytes][Goodput ratio: 32/43][21.40 sec][bytes ratio: -0.088 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 248/248 4203/2720 10135/10132 4842/4279][Pkt Len c2s/s2c min/avg/max/stddev: 62/74 62/74 62/74 0/0][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (quISgYTP)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 17 UDP 192.168.12.169:43068 <-> 172.253.121.127:19302 [proto: 78/STUN][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 11][cat: Network/14][6 pkts/372 bytes <-> 6 pkts/444 bytes][Goodput ratio: 32/43][21.38 sec][bytes ratio: -0.088 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 250/249 4201/2720 10128/10128 4837/4277][Pkt Len c2s/s2c min/avg/max/stddev: 62/74 62/74 62/74 0/0][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (BnDbEJB)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 18 UDP 192.168.12.169:47767 <-> 172.253.121.127:19302 [proto: 78.269/STUN.SignalVoip][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 2][cat: VoIP/10][6 pkts/372 bytes <-> 6 pkts/444 bytes][Goodput ratio: 32/43][21.39 sec][bytes ratio: -0.088 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 249/250 4202/2720 10130/10105 4830/4264][Pkt Len c2s/s2c min/avg/max/stddev: 62/74 62/74 62/74 0/0][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (lbMRpRo)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 19 UDP 192.168.12.169:47767 <-> 18.195.131.143:54054 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][3 pkts/390 bytes <-> 3 pkts/350 bytes][Goodput ratio: 68/64][0.18 sec][bytes ratio: 0.054 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 6/4 48/52 90/101 42/48][Pkt Len c2s/s2c min/avg/max/stddev: 106/106 130/117 146/138 17/15][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (JUrAzE1)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 20 UDP 192.168.12.169:39518 -> 35.158.183.167:443 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI][DPI packets: 3][cat: VoIP/10][10 pkts/660 bytes -> 0 pkts/0 bytes][Goodput ratio: 36/0][3.82 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 64/0 424/0 1928/0 598/0][Pkt Len c2s/s2c min/avg/max/stddev: 62/0 66/0 70/0 4/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic / Expected on port 3478][PLAIN TEXT (BJKHNYBG4)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 21 UDP 192.168.12.169:47204 -> 35.158.183.167:443 [proto: 78/STUN][IP: 265/AmazonAWS][ClearText][Confidence: DPI][DPI packets: 10][cat: Network/14][10 pkts/660 bytes -> 0 pkts/0 bytes][Goodput ratio: 36/0][3.82 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 63/0 424/0 1928/0 597/0][Pkt Len c2s/s2c min/avg/max/stddev: 62/0 66/0 70/0 4/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic / Expected on port 3478][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 22 UDP 192.168.12.169:39518 <-> 172.253.121.127:19302 [proto: 78.269/STUN.SignalVoip][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 2][cat: VoIP/10][2 pkts/124 bytes <-> 2 pkts/148 bytes][Goodput ratio: 32/43][0.62 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 23 UDP 192.168.12.169:47204 <-> 172.253.121.127:19302 [proto: 78/STUN][IP: 126/Google][ClearText][Confidence: DPI (partial)][DPI packets: 4][cat: Network/14][2 pkts/124 bytes <-> 2 pkts/148 bytes][Goodput ratio: 32/43][0.63 sec][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 12 UDP 192.168.12.169:47204 <-> 35.158.183.167:3478 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI (cache)][DPI packets: 3][cat: Network/14][4 pkts/448 bytes <-> 4 pkts/504 bytes][Goodput ratio: 62/67][4.85 sec][bytes ratio: -0.059 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 41/42 1612/1612 4721/4721 2198/2199][Pkt Len c2s/s2c min/avg/max/stddev: 62/110 112/126 158/134 46/10][PLAIN TEXT (nYAy610)][Plen Bins: 25,0,50,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 13 UDP 192.168.12.169:37970 -> 35.158.122.211:443 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][14 pkts/924 bytes -> 0 pkts/0 bytes][Goodput ratio: 36/0][15.78 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 984/0 7992/0 2186/0][Pkt Len c2s/s2c min/avg/max/stddev: 62/0 66/0 70/0 4/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic / Expected on port 3478][PLAIN TEXT (braaHWB)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 14 UDP 192.168.12.169:47767 -> 35.158.122.211:443 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][14 pkts/924 bytes -> 0 pkts/0 bytes][Goodput ratio: 36/0][15.78 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 982/0 8022/0 2200/0][Pkt Len c2s/s2c min/avg/max/stddev: 62/0 66/0 70/0 4/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic / Expected on port 3478][PLAIN TEXT (BtotYst)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 15 UDP 192.168.12.169:37970 <-> 172.253.121.127:19302 [proto: 78.269/STUN.SignalVoip][IP: 126/Google][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][6 pkts/372 bytes <-> 6 pkts/444 bytes][Goodput ratio: 32/43][21.39 sec][bytes ratio: -0.088 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 250/250 4201/2720 10126/10103 4828/4263][Pkt Len c2s/s2c min/avg/max/stddev: 62/74 62/74 62/74 0/0][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (BNEmtWH)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 16 UDP 192.168.12.169:39950 <-> 172.253.121.127:19302 [proto: 78.269/STUN.SignalVoip][IP: 126/Google][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][6 pkts/372 bytes <-> 6 pkts/444 bytes][Goodput ratio: 32/43][21.40 sec][bytes ratio: -0.088 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 248/248 4203/2720 10135/10132 4842/4279][Pkt Len c2s/s2c min/avg/max/stddev: 62/74 62/74 62/74 0/0][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (quISgYTP)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 17 UDP 192.168.12.169:43068 <-> 172.253.121.127:19302 [proto: 78.269/STUN.SignalVoip][IP: 126/Google][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][6 pkts/372 bytes <-> 6 pkts/444 bytes][Goodput ratio: 32/43][21.38 sec][bytes ratio: -0.088 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 250/249 4201/2720 10128/10128 4837/4277][Pkt Len c2s/s2c min/avg/max/stddev: 62/74 62/74 62/74 0/0][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (BnDbEJB)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 18 UDP 192.168.12.169:47767 <-> 172.253.121.127:19302 [proto: 78.269/STUN.SignalVoip][IP: 126/Google][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][6 pkts/372 bytes <-> 6 pkts/444 bytes][Goodput ratio: 32/43][21.39 sec][bytes ratio: -0.088 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 249/250 4202/2720 10130/10105 4830/4264][Pkt Len c2s/s2c min/avg/max/stddev: 62/74 62/74 62/74 0/0][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (lbMRpRo)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 19 UDP 192.168.12.169:47767 <-> 18.195.131.143:54054 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][3 pkts/390 bytes <-> 3 pkts/350 bytes][Goodput ratio: 68/64][0.18 sec][bytes ratio: 0.054 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 6/4 48/52 90/101 42/48][Pkt Len c2s/s2c min/avg/max/stddev: 106/106 130/117 146/138 17/15][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (JUrAzE1)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 20 UDP 192.168.12.169:39518 -> 35.158.183.167:443 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI (cache)][DPI packets: 3][cat: Network/14][10 pkts/660 bytes -> 0 pkts/0 bytes][Goodput ratio: 36/0][3.82 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 64/0 424/0 1928/0 598/0][Pkt Len c2s/s2c min/avg/max/stddev: 62/0 66/0 70/0 4/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic / Expected on port 3478][PLAIN TEXT (BJKHNYBG4)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 21 UDP 192.168.12.169:47204 -> 35.158.183.167:443 [proto: 78.269/STUN.SignalVoip][IP: 265/AmazonAWS][ClearText][Confidence: DPI (cache)][DPI packets: 3][cat: Network/14][10 pkts/660 bytes -> 0 pkts/0 bytes][Goodput ratio: 36/0][3.82 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 63/0 424/0 1928/0 597/0][Pkt Len c2s/s2c min/avg/max/stddev: 62/0 66/0 70/0 4/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic / Expected on port 3478][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 22 UDP 192.168.12.169:39518 <-> 172.253.121.127:19302 [proto: 78.269/STUN.SignalVoip][IP: 126/Google][ClearText][Confidence: DPI (cache)][DPI packets: 2][cat: Network/14][2 pkts/124 bytes <-> 2 pkts/148 bytes][Goodput ratio: 32/43][0.62 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 23 UDP 192.168.12.169:47204 <-> 172.253.121.127:19302 [proto: 78.269/STUN.SignalVoip][IP: 126/Google][ClearText][Confidence: DPI (cache)][DPI packets: 2][cat: Network/14][2 pkts/124 bytes <-> 2 pkts/148 bytes][Goodput ratio: 32/43][0.63 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/stun_tcp_multiple_msgs_same_pkt.pcap.out b/tests/cfgs/default/result/stun_tcp_multiple_msgs_same_pkt.pcap.out new file mode 100644 index 000000000..29624e089 --- /dev/null +++ b/tests/cfgs/default/result/stun_tcp_multiple_msgs_same_pkt.pcap.out @@ -0,0 +1,28 @@ +Guessed flow protos: 1 + +DPI Packets (TCP): 5 (5.00 pkts/flow) +Confidence DPI : 1 (flows) +Num dissector calls: 6 (6.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache zoom: 0/0/0 (insert/search/found) +LRU cache stun: 0/8/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache stun_zoom: 0/0/0 (insert/search/found) +Automa host: 0/0 (search/found) +Automa domain: 0/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 0/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 1/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 2/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +STUN 5 506 1 + + 1 TCP 166.172.142.131:3479 <-> 23.183.197.71:42849 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 5][cat: Network/14][1 pkts/74 bytes <-> 4 pkts/432 bytes][Goodput ratio: 0/39][10.93 sec][PLAIN TEXT (RXgFYlY)][Plen Bins: 75,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/stun_wa_call.pcapng.out b/tests/cfgs/default/result/stun_wa_call.pcapng.out index bb446425c..120ce561f 100644 --- a/tests/cfgs/default/result/stun_wa_call.pcapng.out +++ b/tests/cfgs/default/result/stun_wa_call.pcapng.out @@ -2,12 +2,13 @@ Guessed flow protos: 0 DPI Packets (UDP): 12 (1.00 pkts/flow) DPI Packets (other): 1 (1.00 pkts/flow) -Confidence DPI : 13 (flows) +Confidence DPI (cache) : 2 (flows) +Confidence DPI : 11 (flows) Num dissector calls: 23 (1.77 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 4/28/20 (insert/search/found) +LRU cache stun: 24/2/2 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) @@ -29,12 +30,12 @@ ICMP 1 110 1 1 UDP 192.168.12.156:46652 <-> 93.57.123.227:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][171 pkts/28371 bytes <-> 206 pkts/29803 bytes][Goodput ratio: 75/71][31.78 sec][bytes ratio: -0.025 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 178/151 2505/2463 255/222][Pkt Len c2s/s2c min/avg/max/stddev: 62/62 166/145 434/446 100/85][Plen Bins: 14,41,11,8,2,2,3,2,5,4,1,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 2 UDP 192.168.12.156:49526 <-> 157.240.203.62:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][48 pkts/12953 bytes <-> 73 pkts/40083 bytes][Goodput ratio: 84/92][14.68 sec][bytes ratio: -0.512 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 191/164 3009/3009 684/623][Pkt Len c2s/s2c min/avg/max/stddev: 62/62 270/549 542/1155 203/421][PLAIN TEXT (dsUmpy)][Plen Bins: 8,18,19,1,0,0,0,0,3,0,0,0,0,0,0,14,14,0,0,0,0,0,0,0,0,0,0,0,2,4,2,1,2,3,4,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 UDP 192.168.12.156:49526 <-> 93.33.118.87:41107 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][8 pkts/3465 bytes <-> 8 pkts/5392 bytes][Goodput ratio: 90/94][0.38 sec][bytes ratio: -0.218 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 53/35 124/160 55/59][Pkt Len c2s/s2c min/avg/max/stddev: 75/86 433/674 997/876 437/340][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][Plen Bins: 0,38,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,18,0,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 UDP 192.168.12.156:49526 <-> 93.33.118.87:41107 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][8 pkts/3465 bytes <-> 8 pkts/5392 bytes][Goodput ratio: 90/94][0.38 sec][bytes ratio: -0.218 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 53/35 124/160 55/59][Pkt Len c2s/s2c min/avg/max/stddev: 75/86 433/674 997/876 437/340][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][Plen Bins: 0,38,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,18,0,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 UDP 192.168.12.156:46652 <-> 157.240.21.51:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][5 pkts/1398 bytes <-> 4 pkts/440 bytes][Goodput ratio: 85/62][31.77 sec][bytes ratio: 0.521 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 7942/831 29269/2494 12355/1176][Pkt Len c2s/s2c min/avg/max/stddev: 254/110 280/110 314/110 28/0][Plen Bins: 0,0,44,0,0,0,33,0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 UDP 192.168.12.156:46652 <-> 157.240.195.48:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][5 pkts/1398 bytes <-> 4 pkts/440 bytes][Goodput ratio: 85/62][31.77 sec][bytes ratio: 0.521 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 7942/832 29268/2497 12355/1177][Pkt Len c2s/s2c min/avg/max/stddev: 254/110 280/110 314/110 28/0][Plen Bins: 0,0,44,0,0,0,33,0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 6 UDP 192.168.12.156:46652 <-> 157.240.203.62:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][5 pkts/1398 bytes <-> 4 pkts/440 bytes][Goodput ratio: 85/62][31.77 sec][bytes ratio: 0.521 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 7942/832 29269/2496 12355/1177][Pkt Len c2s/s2c min/avg/max/stddev: 254/110 280/110 314/110 28/0][Plen Bins: 0,0,44,0,0,0,33,0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 7 UDP 192.168.12.156:46652 <-> 157.240.231.62:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][5 pkts/1398 bytes <-> 4 pkts/440 bytes][Goodput ratio: 85/62][31.77 sec][bytes ratio: 0.521 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 7942/833 29269/2497 12355/1177][Pkt Len c2s/s2c min/avg/max/stddev: 254/110 280/110 314/110 28/0][Plen Bins: 0,0,44,0,0,0,33,0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 8 UDP 192.168.12.156:49526 -> 10.82.40.241:40436 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][20 pkts/1720 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][10.68 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 548/0 562/0 602/0 20/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 UDP 192.168.12.156:49526 -> 10.82.40.241:40436 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][20 pkts/1720 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][10.68 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 548/0 562/0 602/0 20/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 9 UDP 192.168.12.156:49526 <-> 157.240.196.62:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][3 pkts/890 bytes <-> 2 pkts/220 bytes][Goodput ratio: 86/62][14.68 sec][Plen Bins: 0,0,40,0,0,0,20,0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 10 UDP 192.168.12.156:49526 <-> 157.240.231.62:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][3 pkts/890 bytes <-> 2 pkts/220 bytes][Goodput ratio: 86/62][14.68 sec][Plen Bins: 0,0,40,0,0,0,20,0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 11 UDP 192.168.12.156:49526 <-> 179.60.192.48:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][3 pkts/890 bytes <-> 2 pkts/220 bytes][Goodput ratio: 86/62][14.68 sec][Plen Bins: 0,0,40,0,0,0,20,0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/stun_zoom.pcapng.out b/tests/cfgs/default/result/stun_zoom.pcapng.out new file mode 100644 index 000000000..33d4614a9 --- /dev/null +++ b/tests/cfgs/default/result/stun_zoom.pcapng.out @@ -0,0 +1,35 @@ +Guessed flow protos: 0 + +DPI Packets (UDP): 19 (9.50 pkts/flow) +Confidence DPI : 2 (flows) +Num dissector calls: 12 (6.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache zoom: 0/0/0 (insert/search/found) +LRU cache stun: 0/18/0 (insert/search/found) +LRU cache tls_cert: 0/4/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache stun_zoom: 0/0/0 (insert/search/found) +Automa host: 1/1 (search/found) +Automa domain: 1/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 2/2 (search/found) +Patricia risk mask: 4/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 2/2 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +STUN 40 9877 1 +Zoom 30 8381 1 + +JA3 Host Stats: + IP Address # JA3C + 1 192.168.43.169 1 + + + 1 UDP 192.168.43.169:53065 <-> 134.224.90.111:8801 [proto: 78/STUN][IP: 189/Zoom][ClearText][Confidence: DPI][DPI packets: 5][cat: Network/14][19 pkts/3524 bytes <-> 21 pkts/6353 bytes][Goodput ratio: 77/86][1.19 sec][bytes ratio: -0.286 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 64/45 153/178 50/56][Pkt Len c2s/s2c min/avg/max/stddev: 91/56 185/303 231/1094 42/390][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (webrtc)][Plen Bins: 5,15,27,2,27,10,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 192.168.43.169:48854 <-> 134.224.90.111:8801 [proto: 30.189/DTLS.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 14][cat: Video/26][13 pkts/2491 bytes <-> 17 pkts/5890 bytes][Goodput ratio: 78/88][0.76 sec][(Advertised) ALPNs: webrtc;c-webrtc][bytes ratio: -0.406 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 73/43 200/286 59/80][Pkt Len c2s/s2c min/avg/max/stddev: 91/56 192/346 231/1094 40/422][Risk: ** Known Proto on Non Std Port **** Missing SNI TLS Extn **][Risk Score: 100][DTLSv1.2][JA3C: 3e12a43c7535bb32beac3928f8fe905d][ServerNames: *.cloud.zoom.us][JA3S: 323ab23be4a686962b978f9ca6735add][Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1][Subject: C=US, ST=California, L=San Jose, O=Zoom Video Communications, Inc., CN=*.cloud.zoom.us][Certificate SHA-1: FD:F2:22:45:64:31:28:BD:2D:56:D6:F4:56:01:71:88:E3:4C:2C:D9][Firefox][Validity: 2022-01-22 00:00:00 - 2023-01-24 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256][PLAIN TEXT (DCBD09778680)][Plen Bins: 10,13,23,0,26,10,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/synscan.pcap.out b/tests/cfgs/default/result/synscan.pcap.out index 3bde66cce..a720489b3 100644 --- a/tests/cfgs/default/result/synscan.pcap.out +++ b/tests/cfgs/default/result/synscan.pcap.out @@ -129,7 +129,7 @@ iSCSI 2 116 2 45 TCP 172.16.0.8:36050 -> 64.13.134.52:2605 [proto: 13/BGP][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 46 TCP 172.16.0.8:36050 -> 64.13.134.52:3000 [proto: 26/ntop][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 47 TCP 172.16.0.8:36050 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 48 TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 355/iSCSI][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 48 TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 356/iSCSI][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 49 TCP 172.16.0.8:36050 -> 64.13.134.52:3306 [proto: 20/MySQL][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 50 TCP 172.16.0.8:36050 -> 64.13.134.52:3389 [proto: 88/RDP][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Found RDP][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 51 TCP 172.16.0.8:36050 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] @@ -194,7 +194,7 @@ iSCSI 2 116 2 110 TCP 172.16.0.8:36051 -> 64.13.134.52:2605 [proto: 13/BGP][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 111 TCP 172.16.0.8:36051 -> 64.13.134.52:3000 [proto: 26/ntop][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 112 TCP 172.16.0.8:36051 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 113 TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 355/iSCSI][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 113 TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 356/iSCSI][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 114 TCP 172.16.0.8:36051 -> 64.13.134.52:3306 [proto: 20/MySQL][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 115 TCP 172.16.0.8:36051 -> 64.13.134.52:3389 [proto: 88/RDP][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Found RDP][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 116 TCP 172.16.0.8:36051 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/teams.pcap.out b/tests/cfgs/default/result/teams.pcap.out index 54dd15848..3753b57bf 100644 --- a/tests/cfgs/default/result/teams.pcap.out +++ b/tests/cfgs/default/result/teams.pcap.out @@ -4,18 +4,18 @@ DPI Packets (TCP): 337 (8.02 pkts/flow) DPI Packets (UDP): 74 (1.85 pkts/flow) DPI Packets (other): 1 (1.00 pkts/flow) Confidence Unknown : 1 (flows) -Confidence Match by port : 1 (flows) -Confidence DPI (partial) : 5 (flows) +Confidence Match by port : 2 (flows) +Confidence DPI (partial) : 4 (flows) Confidence DPI : 76 (flows) Num dissector calls: 504 (6.07 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/9/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 6/42/18 (insert/search/found) +LRU cache stun: 24/0/0 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) -LRU cache mining: 0/2/0 (insert/search/found) +LRU cache mining: 0/3/0 (insert/search/found) LRU cache msteams: 27/19/15 (insert/search/found) -LRU cache stun_zoom: 0/0/0 (insert/search/found) +LRU cache stun_zoom: 0/1/0 (insert/search/found) Automa host: 85/71 (search/found) Automa domain: 85/0 (search/found) Automa tls cert: 0/0 (search/found) @@ -62,7 +62,7 @@ JA3 Host Stats: 11 TCP 192.168.1.6:60540 <-> 52.114.75.70:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][14 pkts/5711 bytes <-> 10 pkts/8093 bytes][Goodput ratio: 83/92][0.13 sec][Hostname/SNI: eu-prod.asyncgw.teams.microsoft.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.173 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/9 32/32 13/14][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 408/809 1494/1506 517/688][TLSv1.2][JA3C: 74d5fa154a7fc0a7c655d8eaa34b89bf][Plen Bins: 0,7,0,7,0,0,0,15,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,15,31,0,0] 12 TCP 192.168.1.6:60537 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 8][cat: Cloud/13][16 pkts/8418 bytes <-> 10 pkts/5367 bytes][Goodput ratio: 87/88][0.27 sec][Hostname/SNI: mobile.pipe.aria.microsoft.com][bytes ratio: 0.221 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 14/27 46/46 20/20][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 526/537 1494/1506 639/623][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: a1674500365bdd882188db63730e69a2][ServerNames: *.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com][JA3S: ae4edc6faf64d08308082ad26be60767][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=*.events.data.microsoft.com][Certificate SHA-1: 33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB][Safari][Validity: 2019-10-10 21:55:38 - 2021-10-10 21:55:38][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 7,7,7,0,0,0,7,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,7,0,0,31,15,0,0] 13 TCP 192.168.1.6:60555 <-> 52.114.77.33:443 [proto: 91.212/TLS.Microsoft][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 11][cat: Cloud/13][18 pkts/5861 bytes <-> 13 pkts/7901 bytes][Goodput ratio: 80/89][2.79 sec][Hostname/SNI: mobile.pipe.aria.microsoft.com][bytes ratio: -0.148 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 192/269 2443/2490 625/741][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 326/608 1494/1506 448/617][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][ServerNames: *.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com][JA3S: 986571066668055ae9481cb84fda634a][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4][Subject: CN=*.events.data.microsoft.com][Certificate SHA-1: 33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB][Firefox][Validity: 2019-10-10 21:55:38 - 2021-10-10 21:55:38][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,16,11,0,0,5,0,0,0,5,5,0,0,11,0,5,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,22,0,0] - 14 UDP 192.168.1.6:51681 <-> 52.114.77.136:3478 [proto: 125/Skype_Teams][IP: 276/Azure][Encrypted][Confidence: DPI (partial)][DPI packets: 12][cat: VoIP/10][14 pkts/5838 bytes <-> 17 pkts/7907 bytes][Goodput ratio: 90/91][4.57 sec][bytes ratio: -0.151 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 347/256 2336/2336 693/595][Pkt Len c2s/s2c min/avg/max/stddev: 79/79 417/465 1243/1227 434/401][PLAIN TEXT (TBHSWF)][Plen Bins: 0,36,0,0,0,12,6,0,3,6,0,0,0,3,0,0,0,0,0,0,0,0,0,6,6,0,0,0,0,0,3,0,3,3,0,0,0,9,0,0,0,0,0,0,0,0,0,0] + 14 UDP 192.168.1.6:51681 <-> 52.114.77.136:3478 [proto: 125/Skype_Teams][IP: 276/Azure][Encrypted][Confidence: Match by port][DPI packets: 12][cat: VoIP/10][14 pkts/5838 bytes <-> 17 pkts/7907 bytes][Goodput ratio: 90/91][4.57 sec][bytes ratio: -0.151 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 347/256 2336/2336 693/595][Pkt Len c2s/s2c min/avg/max/stddev: 79/79 417/465 1243/1227 434/401][PLAIN TEXT (TBHSWF)][Plen Bins: 0,36,0,0,0,12,6,0,3,6,0,0,0,3,0,0,0,0,0,0,0,0,0,6,6,0,0,0,0,0,3,0,3,3,0,0,0,9,0,0,0,0,0,0,0,0,0,0] 15 TCP 192.168.1.6:60547 <-> 52.114.88.59:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 14][cat: Collaborative/15][20 pkts/3926 bytes <-> 15 pkts/8828 bytes][Goodput ratio: 66/89][0.32 sec][Hostname/SNI: chatsvcagg.teams.microsoft.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.384 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 13/25 91/80 23/31][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 196/589 1494/1506 320/612][TLSv1.2][JA3C: ebf5e0e525258d7a8dcb54aa1564ecbd][Plen Bins: 0,21,10,5,0,5,10,5,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,5,21,0,0] 16 TCP 192.168.1.6:60565 <-> 52.114.108.8:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][19 pkts/3306 bytes <-> 14 pkts/9053 bytes][Goodput ratio: 61/90][0.43 sec][Hostname/SNI: emea.ng.msg.teams.microsoft.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.465 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27/12 276/54 68/17][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 174/647 1060/1506 238/633][TLSv1.2][JA3C: ebf5e0e525258d7a8dcb54aa1564ecbd][Plen Bins: 0,22,16,5,0,0,5,0,0,0,0,0,0,5,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,5,0,0,0,0,22,0,0] 17 TCP 192.168.1.6:60541 <-> 52.114.75.69:443 [proto: 91.125/TLS.Skype_Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 10][cat: VoIP/10][13 pkts/4051 bytes <-> 9 pkts/7973 bytes][Goodput ratio: 79/92][0.14 sec][Hostname/SNI: eu-api.asm.skype.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.326 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/11 31/36 14/16][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 312/886 1494/1506 422/676][TLSv1.2][JA3C: 74d5fa154a7fc0a7c655d8eaa34b89bf][ServerNames: *.asm.skype.com][JA3S: 986571066668055ae9481cb84fda634a][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1][Subject: CN=*.asm.skype.com][Certificate SHA-1: B9:41:1D:AE:56:09:68:D2:07:D0:69:E1:68:00:08:2B:EF:63:1E:48][Validity: 2019-05-07 12:50:03 - 2021-05-07 12:50:03][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,8,0,8,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,8,34,0,0] diff --git a/tests/cfgs/default/result/telegram_videocall.pcapng.out b/tests/cfgs/default/result/telegram_videocall.pcapng.out new file mode 100644 index 000000000..184afe386 --- /dev/null +++ b/tests/cfgs/default/result/telegram_videocall.pcapng.out @@ -0,0 +1,72 @@ +Guessed flow protos: 20 + +DPI Packets (TCP): 113 (11.30 pkts/flow) +DPI Packets (UDP): 82 (4.32 pkts/flow) +DPI Packets (other): 5 (1.00 pkts/flow) +Confidence Match by port : 8 (flows) +Confidence DPI (cache) : 10 (flows) +Confidence DPI : 15 (flows) +Confidence Match by IP : 1 (flows) +Num dissector calls: 1867 (54.91 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/27/0 (insert/search/found) +LRU cache zoom: 0/0/0 (insert/search/found) +LRU cache stun: 43/49/10 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/9/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache stun_zoom: 0/0/0 (insert/search/found) +Automa host: 2/0 (search/found) +Automa domain: 2/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 6/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 56/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 3/0 (search/found) +Patricia protocols: 37/25 (search/found) +Patricia protocols IPv6: 6/0 (search/found) + +MDNS 2 194 2 +ICMP 6 828 3 +TLS 640 339548 9 +ICMPV6 5 350 2 +Dropbox 2 348 1 +AmazonAWS 4 288 1 +TelegramVoip 228 41561 16 + + 1 TCP 192.168.12.169:37950 <-> 149.154.167.91:443 [proto: 91/TLS][IP: 185/Telegram][Encrypted][Confidence: Match by port][DPI packets: 18][cat: Web/5][156 pkts/40749 bytes <-> 214 pkts/142865 bytes][Goodput ratio: 75/90][41.14 sec][bytes ratio: -0.556 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 246/152 12847/5983 1291/707][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 261/668 1090/1294 224/564][Risk: ** Fully encrypted flow **][Risk Score: 50][Plen Bins: 0,0,2,2,4,5,6,4,4,3,0,1,0,0,1,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,60,0,0,0,0,0,0,0,0,0] + 2 TCP 192.168.12.169:40830 <-> 149.154.167.222:443 [proto: 91/TLS][IP: 185/Telegram][Encrypted][Confidence: Match by port][DPI packets: 18][cat: Web/5][80 pkts/7287 bytes <-> 100 pkts/120708 bytes][Goodput ratio: 27/95][28.19 sec][bytes ratio: -0.886 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 437/1 25008/31 3114/5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 91/1207 644/1294 95/289][Risk: ** Fully encrypted flow **][Risk Score: 50][Plen Bins: 0,0,0,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,94,0,0,0,0,0,0,0,0,0] + 3 UDP 192.168.12.169:42405 <-> 93.36.13.115:35393 [proto: 78.355/STUN.TelegramVoip][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][59 pkts/17987 bytes <-> 55 pkts/9102 bytes][Goodput ratio: 86/75][2.02 sec][bytes ratio: 0.328 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/28 306/117 48/28][Pkt Len c2s/s2c min/avg/max/stddev: 65/63 305/165 1154/435 330/102][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (BPEmhF0)][Plen Bins: 8,28,25,7,0,0,0,15,0,1,1,0,2,1,0,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 TCP 192.168.12.169:40832 <-> 149.154.167.222:443 [proto: 91/TLS][IP: 185/Telegram][Encrypted][Confidence: Match by port][DPI packets: 19][cat: Web/5][18 pkts/2256 bytes <-> 15 pkts/13705 bytes][Goodput ratio: 47/93][28.20 sec][bytes ratio: -0.717 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 218/280 2909/2997 746/859][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 125/914 644/1294 150/495][Risk: ** Fully encrypted flow **][Risk Score: 50][Plen Bins: 0,0,0,0,6,6,6,0,0,0,6,0,0,0,0,0,0,0,6,6,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,57,0,0,0,0,0,0,0,0,0] + 5 TCP 192.168.12.169:46862 <-> 149.154.167.51:443 [proto: 91/TLS][IP: 185/Telegram][Encrypted][Confidence: Match by port][DPI packets: 19][cat: Web/5][11 pkts/1963 bytes <-> 8 pkts/2558 bytes][Goodput ratio: 63/79][10.13 sec][bytes ratio: -0.132 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1124/32 9909/87 3106/31][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 178/320 452/670 155/261][Risk: ** Fully encrypted flow **][Risk Score: 50][Plen Bins: 0,0,0,11,0,22,0,0,0,0,22,0,11,0,0,0,11,0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 TCP 192.168.12.169:46866 <-> 149.154.167.51:443 [proto: 91/TLS][IP: 185/Telegram][Encrypted][Confidence: Match by port][DPI packets: 15][cat: Web/5][9 pkts/1879 bytes <-> 6 pkts/1822 bytes][Goodput ratio: 68/78][10.11 sec][bytes ratio: 0.015 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/30 1440/34 9925/41 3464/5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 209/304 436/839 161/306][Risk: ** Fully encrypted flow **][Risk Score: 50][Plen Bins: 0,0,0,14,0,0,0,14,0,14,0,28,0,0,0,0,14,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 UDP 192.168.12.169:40643 <-> 91.108.9.35:1400 [proto: 78.355/STUN.TelegramVoip][IP: 185/Telegram][ClearText][Confidence: DPI][DPI packets: 11][cat: VoIP/10][8 pkts/1224 bytes <-> 10 pkts/1236 bytes][Goodput ratio: 72/66][14.20 sec][Hostname/SNI: telegram.org][bytes ratio: -0.005 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 35/0 2360/1766 13458/13458 4964/4420][Pkt Len c2s/s2c min/avg/max/stddev: 70/102 153/124 170/190 33/25][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (Unauthorized)][Plen Bins: 5,16,34,16,27,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 UDP 192.168.12.169:40906 -> 10.46.103.200:42554 [proto: 78.355/STUN.TelegramVoip][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][13 pkts/1846 bytes -> 0 pkts/0 bytes][Goodput ratio: 70/0][13.47 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 98/0 1088/0 1553/0 481/0][Pkt Len c2s/s2c min/avg/max/stddev: 142/0 142/0 142/0 0/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (BBEvpfJJpa)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 UDP 192.168.12.169:42405 -> 10.46.103.200:42554 [proto: 78.355/STUN.TelegramVoip][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][13 pkts/1846 bytes -> 0 pkts/0 bytes][Goodput ratio: 70/0][13.02 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 97/0 1047/0 2004/0 541/0][Pkt Len c2s/s2c min/avg/max/stddev: 142/0 142/0 142/0 0/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (bfyeXPVa97N)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 10 TCP 192.168.12.169:40834 <-> 149.154.167.222:443 [proto: 91/TLS][IP: 185/Telegram][Encrypted][Confidence: Match by port][DPI packets: 8][cat: Web/5][5 pkts/788 bytes <-> 3 pkts/890 bytes][Goodput ratio: 57/77][0.17 sec][bytes ratio: -0.061 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 6/47 24/68 42/90 14/22][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 158/297 315/750 110/321][Risk: ** Fully encrypted flow **][Risk Score: 50][Plen Bins: 0,0,0,0,0,0,33,33,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 11 UDP 192.168.12.169:49667 <-> 91.108.13.23:1400 [proto: 78.355/STUN.TelegramVoip][IP: 185/Telegram][ClearText][Confidence: DPI][DPI packets: 11][cat: VoIP/10][6 pkts/912 bytes <-> 6 pkts/704 bytes][Goodput ratio: 72/64][14.30 sec][Hostname/SNI: telegram.org][bytes ratio: 0.129 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 82/81 176/176 283/284 76/77][Pkt Len c2s/s2c min/avg/max/stddev: 70/102 152/117 170/134 37/14][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (ehscoNGDW)][Plen Bins: 8,16,33,16,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 12 UDP 192.168.12.169:49780 <-> 91.108.17.2:1400 [proto: 78.355/STUN.TelegramVoip][IP: 185/Telegram][ClearText][Confidence: DPI][DPI packets: 11][cat: VoIP/10][6 pkts/912 bytes <-> 6 pkts/704 bytes][Goodput ratio: 72/64][14.31 sec][Hostname/SNI: telegram.org][bytes ratio: 0.129 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 83/84 174/175 253/252 62/61][Pkt Len c2s/s2c min/avg/max/stddev: 70/102 152/117 170/134 37/14][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (Unauthorized)][Plen Bins: 8,16,33,16,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 13 TCP 192.168.12.169:37966 <-> 149.154.167.91:443 [proto: 91/TLS][IP: 185/Telegram][Encrypted][Confidence: Match by port][DPI packets: 8][cat: Web/5][5 pkts/1117 bytes <-> 3 pkts/464 bytes][Goodput ratio: 70/55][0.15 sec][bytes ratio: 0.413 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/32 20/62 33/91 13/30][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 223/155 532/324 196/120][Risk: ** Fully encrypted flow **][Risk Score: 50][Plen Bins: 0,0,0,0,0,0,0,0,33,33,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 14 UDP 192.168.12.169:37444 <-> 91.108.17.2:1400 [proto: 78.355/STUN.TelegramVoip][IP: 185/Telegram][ClearText][Confidence: DPI][DPI packets: 6][cat: VoIP/10][3 pkts/402 bytes <-> 3 pkts/378 bytes][Goodput ratio: 68/66][14.31 sec][Hostname/SNI: telegram.org][bytes ratio: 0.031 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 159/159 7082/7082 14005/14005 6923/6923][Pkt Len c2s/s2c min/avg/max/stddev: 70/110 134/126 166/134 45/11][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (Unauthorized)][Plen Bins: 16,0,50,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 15 UDP 192.168.12.169:37530 <-> 91.108.13.23:1400 [proto: 78.355/STUN.TelegramVoip][IP: 185/Telegram][ClearText][Confidence: DPI][DPI packets: 6][cat: VoIP/10][3 pkts/402 bytes <-> 3 pkts/378 bytes][Goodput ratio: 68/66][14.30 sec][Hostname/SNI: telegram.org][bytes ratio: 0.031 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 133/132 7082/7082 14032/14032 6950/6950][Pkt Len c2s/s2c min/avg/max/stddev: 70/110 134/126 166/134 45/11][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (Unauthorized)][Plen Bins: 16,0,50,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 16 UDP 192.168.12.169:37849 <-> 91.108.9.35:1400 [proto: 78.355/STUN.TelegramVoip][IP: 185/Telegram][ClearText][Confidence: DPI][DPI packets: 6][cat: VoIP/10][3 pkts/402 bytes <-> 3 pkts/378 bytes][Goodput ratio: 68/66][14.20 sec][Hostname/SNI: telegram.org][bytes ratio: 0.031 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 30/45 7084/7084 14138/14124 7054/7040][Pkt Len c2s/s2c min/avg/max/stddev: 70/110 134/126 166/134 45/11][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (Bs/cdOs)][Plen Bins: 16,0,50,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 17 UDP 192.168.12.169:40906 <-> 93.36.13.115:35393 [proto: 78.355/STUN.TelegramVoip][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][2 pkts/248 bytes <-> 2 pkts/244 bytes][Goodput ratio: 66/65][0.13 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 18 UDP 192.168.12.169:40906 <-> 91.108.9.35:1400 [proto: 78.355/STUN.TelegramVoip][IP: 185/Telegram][ClearText][Confidence: DPI (cache)][DPI packets: 4][cat: Network/14][2 pkts/124 bytes <-> 2 pkts/252 bytes][Goodput ratio: 32/66][10.06 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Plen Bins: 50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 19 UDP 192.168.12.169:40906 <-> 91.108.13.23:1400 [proto: 78.355/STUN.TelegramVoip][IP: 185/Telegram][ClearText][Confidence: DPI (cache)][DPI packets: 4][cat: Network/14][2 pkts/124 bytes <-> 2 pkts/252 bytes][Goodput ratio: 32/66][10.28 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (RBkPSgr)][Plen Bins: 50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 20 UDP 192.168.12.169:40906 <-> 91.108.17.2:1400 [proto: 78.355/STUN.TelegramVoip][IP: 185/Telegram][ClearText][Confidence: DPI (cache)][DPI packets: 4][cat: Network/14][2 pkts/124 bytes <-> 2 pkts/252 bytes][Goodput ratio: 32/66][10.30 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Plen Bins: 50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 21 UDP 192.168.12.169:42197 <-> 91.108.9.35:1400 [proto: 78.355/STUN.TelegramVoip][IP: 185/Telegram][ClearText][Confidence: DPI (cache)][DPI packets: 4][cat: Network/14][2 pkts/124 bytes <-> 2 pkts/252 bytes][Goodput ratio: 32/66][10.06 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (BZOyNeHQUCZIf)][Plen Bins: 50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 22 UDP 192.168.12.169:42197 <-> 91.108.13.23:1400 [proto: 78.355/STUN.TelegramVoip][IP: 185/Telegram][ClearText][Confidence: DPI (cache)][DPI packets: 4][cat: Network/14][2 pkts/124 bytes <-> 2 pkts/252 bytes][Goodput ratio: 32/66][10.27 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (BrHWdEqa2)][Plen Bins: 50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 23 UDP 192.168.12.169:42197 <-> 91.108.17.2:1400 [proto: 78.355/STUN.TelegramVoip][IP: 185/Telegram][ClearText][Confidence: DPI (cache)][DPI packets: 4][cat: Network/14][2 pkts/124 bytes <-> 2 pkts/252 bytes][Goodput ratio: 32/66][10.30 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (BYyA/MmBER1)][Plen Bins: 50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 24 UDP 192.168.12.1:17500 -> 192.168.12.255:17500 [proto: 121/Dropbox][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Cloud/13][2 pkts/348 bytes -> 0 pkts/0 bytes][Goodput ratio: 76/0][30.01 sec][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 25 TCP 18.195.162.93:443 <-> 192.168.12.169:38956 [proto: 91/TLS][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][DPI packets: 1][cat: Web/5][2 pkts/163 bytes <-> 2 pkts/132 bytes][Goodput ratio: 19/0][5.09 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 26 TCP 192.168.12.169:40710 <-> 52.58.18.25:5222 [proto: 265/AmazonAWS][IP: 265/AmazonAWS][Encrypted][Confidence: Match by IP][DPI packets: 4][cat: Cloud/13][2 pkts/144 bytes <-> 2 pkts/144 bytes][Goodput ratio: 8/8][0.02 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 27 ICMPV6 [fe80::98df:58ff:fefa:ebdc]:0 -> [ff02::2]:0 [proto: 102/ICMPV6][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][4 pkts/280 bytes -> 0 pkts/0 bytes][Goodput ratio: 11/0][32.62 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 28 ICMP 192.168.12.169:0 -> 91.108.9.35:0 [proto: 81/ICMP][IP: 185/Telegram][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][2 pkts/276 bytes -> 0 pkts/0 bytes][Goodput ratio: 69/0][0.00 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (ORtRLoo/fpi)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 29 ICMP 192.168.12.169:0 -> 91.108.13.23:0 [proto: 81/ICMP][IP: 185/Telegram][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][2 pkts/276 bytes -> 0 pkts/0 bytes][Goodput ratio: 69/0][0.00 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (BuBNffVSd)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 30 ICMP 192.168.12.169:0 -> 91.108.17.2:0 [proto: 81/ICMP][IP: 185/Telegram][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][2 pkts/276 bytes -> 0 pkts/0 bytes][Goodput ratio: 69/0][0.01 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (KHOirrFTCqEz)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 31 TCP 192.168.12.169:37948 <-> 149.154.167.91:443 [proto: 91/TLS][IP: 185/Telegram][Encrypted][Confidence: Match by port][DPI packets: 3][cat: Web/5][2 pkts/128 bytes <-> 1 pkts/74 bytes][Goodput ratio: 0/0][0.03 sec][Risk: ** TCP Connection Issues **][Risk Score: 50][Risk Info: Connection refused (client)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 32 UDP [fe80::abe:acff:fe0b:176e]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/107 bytes -> 0 pkts/0 bytes][Goodput ratio: 42/0][< 1 sec][Hostname/SNI: _ipps._tcp.local][_ipps._tcp.local][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 33 UDP 192.168.12.1:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/87 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][Hostname/SNI: _ipps._tcp.local][_ipps._tcp.local][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 34 ICMPV6 [fe80::abe:acff:fe0b:176e]:0 -> [ff02::2]:0 [proto: 102/ICMPV6][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/70 bytes -> 0 pkts/0 bytes][Goodput ratio: 11/0][< 1 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/wa_video.pcap.out b/tests/cfgs/default/result/wa_video.pcap.out index 815c5a091..b7f4bfc77 100644 --- a/tests/cfgs/default/result/wa_video.pcap.out +++ b/tests/cfgs/default/result/wa_video.pcap.out @@ -2,13 +2,14 @@ Guessed flow protos: 1 DPI Packets (TCP): 22 (22.00 pkts/flow) DPI Packets (UDP): 13 (1.00 pkts/flow) -Confidence DPI : 13 (flows) +Confidence DPI (cache) : 2 (flows) +Confidence DPI : 11 (flows) Confidence Match by IP : 1 (flows) Num dissector calls: 390 (27.86 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/3/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 2/16/12 (insert/search/found) +LRU cache stun: 14/2/2 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/1/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) @@ -33,9 +34,9 @@ WhatsApp 133 20568 1 Spotify 1 86 1 1 UDP 192.168.2.12:53688 <-> 31.13.86.48:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][347 pkts/223797 bytes <-> 146 pkts/24878 bytes][Goodput ratio: 93/75][22.48 sec][bytes ratio: 0.800 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 44/77 2891/3013 278/400][Pkt Len c2s/s2c min/avg/max/stddev: 48/44 645/170 1181/1095 402/174][PLAIN TEXT (hw3@PydH)][Plen Bins: 11,29,10,5,5,0,0,0,0,0,0,0,0,0,14,0,3,0,0,0,0,0,0,0,0,1,1,0,1,3,2,0,2,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 UDP 192.168.2.12:53688 <-> 91.252.56.51:32641 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][72 pkts/48848 bytes <-> 35 pkts/22821 bytes][Goodput ratio: 94/94][3.05 sec][bytes ratio: 0.363 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 47/19 707/132 139/32][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 678/652 1160/1140 376/376][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (dBXAnF)][Plen Bins: 1,8,0,8,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,8,1,5,5,14,2,5,1,8,4,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 192.168.2.12:53688 <-> 91.252.56.51:32641 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][72 pkts/48848 bytes <-> 35 pkts/22821 bytes][Goodput ratio: 94/94][3.05 sec][bytes ratio: 0.363 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 47/19 707/132 139/32][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 678/652 1160/1140 376/376][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (dBXAnF)][Plen Bins: 1,8,0,8,2,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,8,1,5,5,14,2,5,1,8,4,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0] 3 TCP 192.168.2.12:49355 <-> 157.240.20.53:5222 [proto: 142/WhatsApp][IP: 142/WhatsApp][Encrypted][Confidence: Match by IP][DPI packets: 22][cat: Chat/9][66 pkts/8810 bytes <-> 67 pkts/11758 bytes][Goodput ratio: 50/62][27.94 sec][bytes ratio: -0.143 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 365/429 6456/7033 1181/1216][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 133/175 1454/1454 183/248][PLAIN TEXT (AaPKuGR)][Plen Bins: 2,50,0,5,13,17,0,0,2,0,0,1,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0] - 4 UDP 192.168.2.12:53688 -> 1.60.78.64:59491 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][18 pkts/1548 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][10.75 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 618/0 631/0 695/0 17/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 UDP 192.168.2.12:53688 -> 1.60.78.64:59491 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][18 pkts/1548 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][10.75 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 618/0 631/0 695/0 17/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Cloud/13][2 pkts/764 bytes -> 0 pkts/0 bytes][Goodput ratio: 89/0][< 1 sec][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 6 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][2 pkts/684 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][8.20 sec][Hostname/SNI: lucas-imac][DHCP Fingerprint: 1,121,3,6,15,119,252,95,44,46][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 7 UDP 192.168.2.12:53688 <-> 157.240.196.62:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 75/51][22.48 sec][Plen Bins: 0,40,0,60,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/wa_voice.pcap.out b/tests/cfgs/default/result/wa_voice.pcap.out index 309ab9fbf..3d665945e 100644 --- a/tests/cfgs/default/result/wa_voice.pcap.out +++ b/tests/cfgs/default/result/wa_voice.pcap.out @@ -4,12 +4,13 @@ DPI Packets (TCP): 20 (3.33 pkts/flow) DPI Packets (UDP): 33 (1.57 pkts/flow) DPI Packets (other): 1 (1.00 pkts/flow) Confidence Unknown : 1 (flows) -Confidence DPI : 27 (flows) +Confidence DPI (cache) : 2 (flows) +Confidence DPI : 25 (flows) Num dissector calls: 387 (13.82 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/3/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 2/18/12 (insert/search/found) +LRU cache stun: 14/3/2 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/1/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) @@ -47,13 +48,13 @@ JA3 Host Stats: 1 TCP 192.168.2.12:50504 <-> 157.240.20.52:443 [proto: 91.142/TLS.WhatsApp][IP: 142/WhatsApp][Encrypted][Confidence: DPI][DPI packets: 6][cat: Chat/9][41 pkts/3669 bytes <-> 44 pkts/43871 bytes][Goodput ratio: 27/93][0.41 sec][Hostname/SNI: pps.whatsapp.net][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.846 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/8 129/77 24/19][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 89/997 583/1454 85/624][TLSv1.3][JA3C: 7a7a639628f0fe5c7e057628a5bbec5a][JA3S: 475c9302dc42b2751db9edcac3b74891][Safari][Cipher: TLS_CHACHA20_POLY1305_SHA256][Plen Bins: 8,11,4,0,0,2,2,0,2,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,61,0,0,0,0] 2 TCP 192.168.2.12:49355 <-> 157.240.20.53:5222 [proto: 142/WhatsApp][IP: 142/WhatsApp][Encrypted][Confidence: DPI][DPI packets: 4][cat: Chat/9][132 pkts/14116 bytes <-> 131 pkts/24439 bytes][Goodput ratio: 38/65][54.73 sec][bytes ratio: -0.268 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 342/421 9349/9387 1279/1420][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 107/187 393/1454 62/283][PLAIN TEXT (fd.9LTIP9)][Plen Bins: 1,63,2,3,10,10,0,0,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0] - 3 UDP 91.252.56.51:32704 <-> 192.168.2.12:56328 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][87 pkts/14598 bytes <-> 77 pkts/17336 bytes][Goodput ratio: 75/81][11.91 sec][bytes ratio: -0.086 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 136/121 921/265 137/64][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 168/225 318/331 61/68][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (KEXQD/)][Plen Bins: 6,4,7,27,16,4,11,12,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 UDP 91.252.56.51:32704 <-> 192.168.2.12:56328 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][87 pkts/14598 bytes <-> 77 pkts/17336 bytes][Goodput ratio: 75/81][11.91 sec][bytes ratio: -0.086 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 136/121 921/265 137/64][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 168/225 318/331 61/68][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (KEXQD/)][Plen Bins: 6,4,7,27,16,4,11,12,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 TCP 192.168.2.12:50503 <-> 31.13.86.51:443 [proto: 91.242/TLS.WhatsAppFiles][IP: 142/WhatsApp][Encrypted][Confidence: DPI][DPI packets: 6][cat: Download/7][25 pkts/2993 bytes <-> 25 pkts/21759 bytes][Goodput ratio: 44/92][0.39 sec][Hostname/SNI: media-mxp1-1.cdn.whatsapp.net][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.758 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/10 127/126 28/30][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 120/870 583/1454 124/639][TLSv1.3][JA3C: b92a79ed03c3ff5611abb2305370d3e3][JA3S: 475c9302dc42b2751db9edcac3b74891][Safari][Cipher: TLS_CHACHA20_POLY1305_SHA256][Plen Bins: 7,14,7,0,0,3,0,0,7,0,3,0,0,3,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,47,0,0,0,0] 5 TCP 192.168.2.12:49354 <-> 17.242.60.84:5223 [proto: 238/ApplePush][IP: 140/Apple][Encrypted][Confidence: DPI][DPI packets: 1][cat: Cloud/13][14 pkts/6933 bytes <-> 10 pkts/1074 bytes][Goodput ratio: 87/39][54.11 sec][bytes ratio: 0.732 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 4462/757 43773/5113 12515/1779][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 495/107 1506/215 607/44][Plen Bins: 0,42,14,0,7,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,21,0,0] 6 UDP 192.168.2.12:56328 <-> 31.13.86.48:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][21 pkts/2349 bytes <-> 28 pkts/3668 bytes][Goodput ratio: 62/68][34.51 sec][bytes ratio: -0.219 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1959/1447 12194/12196 2978/2626][Pkt Len c2s/s2c min/avg/max/stddev: 48/44 112/131 249/326 64/101][Plen Bins: 40,20,0,20,0,0,8,4,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 7 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][5 pkts/1710 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][17.30 sec][Hostname/SNI: lucas-imac][DHCP Fingerprint: 1,121,3,6,15,119,252,95,44,46][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 8 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Cloud/13][4 pkts/1528 bytes -> 0 pkts/0 bytes][Goodput ratio: 89/0][30.05 sec][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 9 UDP 192.168.2.12:56328 -> 1.60.78.64:64282 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][16 pkts/1376 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][9.38 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 614/0 625/0 643/0 8/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 UDP 192.168.2.12:56328 -> 1.60.78.64:64282 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][16 pkts/1376 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][9.38 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 614/0 625/0 643/0 8/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 10 UDP 192.168.2.12:56328 <-> 157.240.193.48:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][5 pkts/840 bytes <-> 3 pkts/258 bytes][Goodput ratio: 75/51][34.51 sec][bytes ratio: 0.530 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8626/6151 22207/12302 9311/6151][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168/86 168/86 0/0][Plen Bins: 0,37,0,62,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 11 UDP 192.168.2.12:56328 <-> 157.240.196.62:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][5 pkts/840 bytes <-> 3 pkts/258 bytes][Goodput ratio: 75/51][34.51 sec][bytes ratio: 0.530 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8626/6148 22207/12297 9311/6148][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168/86 168/86 0/0][Plen Bins: 0,37,0,62,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 12 UDP 192.168.2.12:56328 <-> 179.60.192.48:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][5 pkts/840 bytes <-> 3 pkts/258 bytes][Goodput ratio: 75/51][34.51 sec][bytes ratio: 0.530 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8626/6149 22207/12298 9311/6149][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168/86 168/86 0/0][Plen Bins: 0,37,0,62,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/whatsapp_login_call.pcap.out b/tests/cfgs/default/result/whatsapp_login_call.pcap.out index dc4f34941..7ef12d152 100644 --- a/tests/cfgs/default/result/whatsapp_login_call.pcap.out +++ b/tests/cfgs/default/result/whatsapp_login_call.pcap.out @@ -4,12 +4,13 @@ DPI Packets (TCP): 95 (3.52 pkts/flow) DPI Packets (UDP): 35 (1.21 pkts/flow) DPI Packets (other): 1 (1.00 pkts/flow) Confidence Match by port : 20 (flows) -Confidence DPI : 37 (flows) +Confidence DPI (cache) : 4 (flows) +Confidence DPI : 33 (flows) Num dissector calls: 295 (5.18 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/60/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 4/44/36 (insert/search/found) +LRU cache stun: 40/4/4 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/20/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) @@ -45,8 +46,8 @@ JA3 Host Stats: 1 192.168.2.4 1 - 1 UDP 192.168.2.4:51518 <-> 91.253.176.65:9344 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][186 pkts/27025 bytes <-> 278 pkts/25895 bytes][Goodput ratio: 71/55][9.73 sec][bytes ratio: 0.021 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 40/33 198/347 51/47][Pkt Len c2s/s2c min/avg/max/stddev: 68/64 145/93 525/488 100/64][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (zTdFPOk)][Plen Bins: 24,37,19,5,0,1,1,0,3,3,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 UDP 192.168.2.4:52794 <-> 91.253.176.65:9665 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][141 pkts/17530 bytes <-> 57 pkts/12888 bytes][Goodput ratio: 66/81][7.74 sec][bytes ratio: 0.153 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 48/124 307/539 63/96][Pkt Len c2s/s2c min/avg/max/stddev: 65/68 124/226 484/552 75/128][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][Plen Bins: 9,34,26,10,4,1,2,3,1,1,1,2,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 192.168.2.4:51518 <-> 91.253.176.65:9344 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][186 pkts/27025 bytes <-> 278 pkts/25895 bytes][Goodput ratio: 71/55][9.73 sec][bytes ratio: 0.021 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 40/33 198/347 51/47][Pkt Len c2s/s2c min/avg/max/stddev: 68/64 145/93 525/488 100/64][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (zTdFPOk)][Plen Bins: 24,37,19,5,0,1,1,0,3,3,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 192.168.2.4:52794 <-> 91.253.176.65:9665 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][141 pkts/17530 bytes <-> 57 pkts/12888 bytes][Goodput ratio: 66/81][7.74 sec][bytes ratio: 0.153 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 48/124 307/539 63/96][Pkt Len c2s/s2c min/avg/max/stddev: 65/68 124/226 484/552 75/128][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][Plen Bins: 9,34,26,10,4,1,2,3,1,1,1,2,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 3 TCP 192.168.2.4:49202 <-> 184.173.179.37:5222 [proto: 142/WhatsApp][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 5][cat: Chat/9][100 pkts/14711 bytes <-> 80 pkts/10163 bytes][Goodput ratio: 55/48][134.29 sec][bytes ratio: 0.183 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1385/1866 28162/28146 4416/5105][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 147/127 1506/754 238/99][PLAIN TEXT (iPhone)][Plen Bins: 19,48,10,14,1,1,1,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] 4 TCP 192.168.2.4:49204 <-> 17.173.66.102:443 [proto: 91.224/TLS.AppleStore][IP: 140/Apple][Encrypted][Confidence: DPI][DPI packets: 7][cat: SoftwareUpdate/19][29 pkts/11770 bytes <-> 24 pkts/6612 bytes][Goodput ratio: 86/80][34.28 sec][Hostname/SNI: p53-buy.itunes.apple.com][bytes ratio: 0.281 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 122/108 1665/1391 340/319][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 406/276 1494/1002 489/348][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5][Plen Bins: 4,8,4,0,0,0,0,4,0,0,16,0,0,0,8,8,0,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0] 5 TCP 192.168.2.4:49201 <-> 17.178.104.12:443 [proto: 91.140/TLS.Apple][IP: 140/Apple][Encrypted][Confidence: DPI][DPI packets: 7][cat: Web/5][21 pkts/7644 bytes <-> 17 pkts/9576 bytes][Goodput ratio: 85/90][32.84 sec][Hostname/SNI: query.ess.apple.com][bytes ratio: -0.112 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1909/37 30435/294 7133/82][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 364/563 1494/1494 553/634][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][ServerNames: *.ess.apple.com][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Issuer: CN=Apple Server Authentication CA, OU=Certification Authority, O=Apple Inc., C=US][Subject: CN=*.ess.apple.com, OU=ISG Delivery Ops, O=Apple Inc., C=US][Certificate SHA-1: BD:E0:62:C3:F2:9D:09:5D:52:D4:AA:60:11:1B:36:1B:03:24:F1:9B][Validity: 2015-05-06 01:09:47 - 2016-06-04 01:09:47][Cipher: TLS_RSA_WITH_RC4_128_MD5][Plen Bins: 5,11,0,11,0,5,0,0,5,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,45,0,0] @@ -57,8 +58,8 @@ JA3 Host Stats: 10 UDP 192.168.2.4:52794 <-> 31.13.84.48:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][9 pkts/1842 bytes <-> 11 pkts/1151 bytes][Goodput ratio: 79/60][14.33 sec][bytes ratio: 0.231 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 1923/792 6986/6468 2906/2008][Pkt Len c2s/s2c min/avg/max/stddev: 68/64 205/105 331/128 82/23][Plen Bins: 15,10,40,15,0,0,10,0,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 11 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Cloud/13][4 pkts/2176 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][90.14 sec][PLAIN TEXT ( 3375359593)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 12 TCP 192.168.2.4:49199 <-> 17.172.100.70:993 [proto: 51/IMAPS][IP: 140/Apple][Encrypted][Confidence: DPI][DPI packets: 4][cat: Email/3][9 pkts/1130 bytes <-> 8 pkts/868 bytes][Goodput ratio: 47/39][0.94 sec][bytes ratio: 0.131 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 9/53 105/100 275/162 108/47][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 126/108 236/151 68/42][Plen Bins: 0,0,50,25,12,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 13 UDP 192.168.2.4:51518 -> 1.194.90.191:60312 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][15 pkts/1290 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][8.85 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 614/0 632/0 667/0 13/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 14 UDP 192.168.2.4:52794 -> 1.194.90.191:51727 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][12 pkts/1032 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][6.95 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 625/0 631/0 644/0 6/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 13 UDP 192.168.2.4:51518 -> 1.194.90.191:60312 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][15 pkts/1290 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][8.85 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 614/0 632/0 667/0 13/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 14 UDP 192.168.2.4:52794 -> 1.194.90.191:51727 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: VoIP/10][12 pkts/1032 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][6.95 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 625/0 631/0 644/0 6/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 15 ICMP 192.168.2.4:0 -> 91.253.176.65:0 [proto: 81/ICMP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][10 pkts/700 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][43.15 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 4795/0 42598/0 13366/0][Pkt Len c2s/s2c min/avg/max/stddev: 70/0 70/0 70/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 16 UDP 192.168.2.4:51518 <-> 31.13.64.48:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 75/51][29.18 sec][Plen Bins: 0,40,0,60,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 17 UDP 192.168.2.4:51518 <-> 31.13.70.48:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 75/51][29.18 sec][Plen Bins: 0,40,0,60,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/whatsapp_voice_and_message.pcap.out b/tests/cfgs/default/result/whatsapp_voice_and_message.pcap.out index 764e0a04c..1aa179b6d 100644 --- a/tests/cfgs/default/result/whatsapp_voice_and_message.pcap.out +++ b/tests/cfgs/default/result/whatsapp_voice_and_message.pcap.out @@ -7,7 +7,7 @@ Num dissector calls: 423 (32.54 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 2/18/14 (insert/search/found) +LRU cache stun: 16/0/0 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/zoom.pcap.out b/tests/cfgs/default/result/zoom.pcap.out index 18b4c90a4..d8d853932 100644 --- a/tests/cfgs/default/result/zoom.pcap.out +++ b/tests/cfgs/default/result/zoom.pcap.out @@ -9,7 +9,7 @@ Num dissector calls: 650 (19.70 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/6/0 (insert/search/found) LRU cache zoom: 7/0/0 (insert/search/found) -LRU cache stun: 2/8/4 (insert/search/found) +LRU cache stun: 6/0/0 (insert/search/found) LRU cache tls_cert: 0/2/0 (insert/search/found) LRU cache mining: 0/2/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/default/result/zoom_p2p.pcapng.out b/tests/cfgs/default/result/zoom_p2p.pcapng.out index f04fb6ff0..69a34b40d 100644 --- a/tests/cfgs/default/result/zoom_p2p.pcapng.out +++ b/tests/cfgs/default/result/zoom_p2p.pcapng.out @@ -8,7 +8,7 @@ Num dissector calls: 812 (67.67 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/12/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 4/16/4 (insert/search/found) +LRU cache stun: 8/0/0 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/4/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) diff --git a/tests/cfgs/disable_stun_monitoring/result/lru_ipv6_caches.pcapng.out b/tests/cfgs/disable_stun_monitoring/result/lru_ipv6_caches.pcapng.out index 9bbdd474e..8f1612b07 100644 --- a/tests/cfgs/disable_stun_monitoring/result/lru_ipv6_caches.pcapng.out +++ b/tests/cfgs/disable_stun_monitoring/result/lru_ipv6_caches.pcapng.out @@ -1,14 +1,14 @@ Guessed flow protos: 3 DPI Packets (TCP): 9 (3.00 pkts/flow) -DPI Packets (UDP): 35 (3.89 pkts/flow) +DPI Packets (UDP): 36 (4.00 pkts/flow) Confidence DPI (cache) : 6 (flows) Confidence DPI : 6 (flows) -Num dissector calls: 765 (63.75 diss/flow) +Num dissector calls: 755 (62.92 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 25/12/4 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 2/18/4 (insert/search/found) +LRU cache stun: 6/8/0 (insert/search/found) LRU cache tls_cert: 1/3/2 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) @@ -34,7 +34,7 @@ JA3 Host Stats: IP Address # JA3C - 1 UDP [32fb:f967:681e:e96b:face:b00c::74fd]:3478 <-> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080]:45658 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 11][cat: Network/14][14 pkts/1612 bytes <-> 16 pkts/1838 bytes][Goodput ratio: 46/46][2.71 sec][bytes ratio: -0.066 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 12/1 188/155 778/396 231/147][Pkt Len c2s/s2c min/avg/max/stddev: 84/84 115/115 214/206 44/39][PLAIN TEXT (4/WtFTidwfa)][Plen Bins: 46,23,16,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP [32fb:f967:681e:e96b:face:b00c::74fd]:3478 <-> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080]:45658 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 12][cat: Network/14][14 pkts/1612 bytes <-> 16 pkts/1838 bytes][Goodput ratio: 46/46][2.71 sec][bytes ratio: -0.066 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 12/1 188/155 778/396 231/147][Pkt Len c2s/s2c min/avg/max/stddev: 84/84 115/115 214/206 44/39][PLAIN TEXT (4/WtFTidwfa)][Plen Bins: 46,23,16,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 2 TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44144 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.16 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] 3 TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44150 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI (cache)][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.15 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] 4 TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44192 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI (cache)][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.15 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] diff --git a/tests/cfgs/enable_stun_monitoring_with_subproto/result/wa_voice.pcap.out b/tests/cfgs/enable_stun_monitoring_with_subproto/result/wa_voice.pcap.out index 9dda33537..ee7f07b15 100644 --- a/tests/cfgs/enable_stun_monitoring_with_subproto/result/wa_voice.pcap.out +++ b/tests/cfgs/enable_stun_monitoring_with_subproto/result/wa_voice.pcap.out @@ -4,12 +4,13 @@ DPI Packets (TCP): 20 (3.33 pkts/flow) DPI Packets (UDP): 102 (4.86 pkts/flow) DPI Packets (other): 1 (1.00 pkts/flow) Confidence Unknown : 1 (flows) -Confidence DPI : 27 (flows) +Confidence DPI (cache) : 1 (flows) +Confidence DPI : 26 (flows) Num dissector calls: 387 (13.82 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/3/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 2/18/12 (insert/search/found) +LRU cache stun: 14/3/2 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/1/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) @@ -54,7 +55,7 @@ JA3 Host Stats: 6 UDP 192.168.2.12:56328 <-> 31.13.86.48:3478 [proto: 45.87/WhatsAppCall.RTP][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 21][cat: VoIP/10][21 pkts/2349 bytes <-> 28 pkts/3668 bytes][Goodput ratio: 62/68][34.51 sec][bytes ratio: -0.219 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1959/1447 12194/12196 2978/2626][Pkt Len c2s/s2c min/avg/max/stddev: 48/44 112/131 249/326 64/101][Plen Bins: 40,20,0,20,0,0,8,4,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 7 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][5 pkts/1710 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][17.30 sec][Hostname/SNI: lucas-imac][DHCP Fingerprint: 1,121,3,6,15,119,252,95,44,46][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 8 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Cloud/13][4 pkts/1528 bytes -> 0 pkts/0 bytes][Goodput ratio: 89/0][30.05 sec][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 9 UDP 192.168.2.12:56328 -> 1.60.78.64:64282 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 16][cat: VoIP/10][16 pkts/1376 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][9.38 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 614/0 625/0 643/0 8/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 UDP 192.168.2.12:56328 -> 1.60.78.64:64282 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 16][cat: VoIP/10][16 pkts/1376 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][9.38 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 614/0 625/0 643/0 8/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 10 UDP 192.168.2.12:56328 <-> 157.240.193.48:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 8][cat: VoIP/10][5 pkts/840 bytes <-> 3 pkts/258 bytes][Goodput ratio: 75/51][34.51 sec][bytes ratio: 0.530 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8626/6151 22207/12302 9311/6151][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168/86 168/86 0/0][Plen Bins: 0,37,0,62,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 11 UDP 192.168.2.12:56328 <-> 157.240.196.62:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 8][cat: VoIP/10][5 pkts/840 bytes <-> 3 pkts/258 bytes][Goodput ratio: 75/51][34.51 sec][bytes ratio: 0.530 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8626/6148 22207/12297 9311/6148][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168/86 168/86 0/0][Plen Bins: 0,37,0,62,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 12 UDP 192.168.2.12:56328 <-> 179.60.192.48:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 8][cat: VoIP/10][5 pkts/840 bytes <-> 3 pkts/258 bytes][Goodput ratio: 75/51][34.51 sec][bytes ratio: 0.530 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8626/6149 22207/12298 9311/6149][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168/86 168/86 0/0][Plen Bins: 0,37,0,62,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |