-rw-r--r--src/lib/protocols/ssh.c9
-rw-r--r--src/lib/protocols/stun.c4
-rw-r--r--src/lib/protocols/tls.c13
-rw-r--r--tests/pcap/netflowv9.pcapbin0 -> 14072 bytes
-rw-r--r--tests/result/netflowv9.pcap.out3
5 files changed, 26 insertions, 3 deletions
diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c
index de3b93bc2..5dd6fb0e5 100644
--- a/src/lib/protocols/ssh.c
+++ b/src/lib/protocols/ssh.c
@@ -39,14 +39,19 @@
seastc = packet.ssh.encryption_algorithms_server_to_client
smastc = packet.ssh.mac_algorithms_server_to_client
scastc = packet.ssh.compression_algorithms_server_to_client
- hasshs_str = ';'.join([skex, seastc, smastc, scastc])
+ hasshs_str = ';'.join([skex, seastc, smastc, scastc])
[client]
ckex = packet.ssh.kex_algorithms
ceacts = packet.ssh.encryption_algorithms_client_to_server
cmacts = packet.ssh.mac_algorithms_client_to_server
ccacts = packet.ssh.compression_algorithms_client_to_server
- hassh_str = ';'.join([ckex, ceacts, cmacts, ccacts])
+ hassh_str = ';'.join([ckex, ceacts, cmacts, ccacts])
+
+ NOTE
+ THe ECDSA key fingerprint is SHA256 -> ssh.kex.h_sig (wireshark)
+ is in the Message Code: Diffie-Hellman Key Exchange Reply (31)
+ that usually is packet 14
*/
/* #define SSH_DEBUG 1 */
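Review bot: The added NOTE misattributes the fingerprint: in KEXDH_REPLY (message code 31) the `ssh.kex.h_sig` field is the server's signature over the exchange hash H (RFC 4253 §8), whereas the `ECDSA key fingerprint is SHA256:...` an ssh client prints is the SHA-256 of the server host key blob K_S, which Wireshark exposes as the `ssh.host_key.*` fields of that same message. "that usually is packet 14" depends on the capture and is not a reliable locator, and `THe` is a typo. Suggest rewording the NOTE to: `The host-key fingerprint is SHA256 over the host key blob (K_S, Wireshark ssh.host_key.*) carried in KEXDH_REPLY (message code 31); ssh.kex.h_sig in the same message is the signature over the exchange hash, not the key.` The hunk sits entirely inside a comment block, so no code is affected.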
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index f8e360c3f..0ab3ed805 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -140,7 +140,9 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
*is_whatsapp = 0, *is_messenger = 0, *is_duo = 0;
- if(payload_length < sizeof(struct stun_packet_header)) {
+ if(payload_length >= 512) {
+ return(NDPI_IS_NOT_STUN);
+ } else if(payload_length < sizeof(struct stun_packet_header)) {
/* This looks like an invalid packet */
if(flow->protos.stun_ssl.stun.num_udp_pkts > 0) {
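Review bot: The new `payload_length >= 512` early return is a magic number with no stated rationale, and it is stricter than the protocol: RFC 5389 §7.1 only asks that UDP STUN messages stay under the path MTU (576 bytes for IPv4, i.e. 548 bytes of UDP payload), and TURN Send/Data indications (RFC 5766) can carry full-MTU application data, so such packets would now be dismissed as non-STUN before any header check. If the cutoff is a deliberate detection heuristic, name it and document the trade-off so the false-negative is visible, e.g. `#define STUN_MAX_UDP_PAYLOAD_LEN 512 /* heuristic: RFC 5389 keeps STUN under path MTU; larger TURN data indications are knowingly skipped */` and `if(payload_length >= STUN_MAX_UDP_PAYLOAD_LEN)`. The enclosing ndpi_int_check_stun starts before the hunk (per the @@ header) and continues past it.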
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 3e0e295c5..5c8e2b18b 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -30,6 +30,19 @@
// #define DEBUG_TLS 1
+/*
+ NOTE
+
+ How to view the certificate fingerprint
+ 1. Using wireshark save the certificate on certificate.bin file as explained
+ in https://security.stackexchange.com/questions/123851/how-can-i-extract-the-certificate-from-this-pcap-file
+
+ 2. openssl x509 -inform der -in certificate.bin -text > certificate.der
+ 3. openssl x509 -noout -fingerprint -sha1 -inform pem -in certificate.der
+ SHA1 Fingerprint=15:9A:76....
+
+ */
+
#define NDPI_MAX_TLS_REQUEST_SIZE 10000
/* skype.c */
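Review bot: The NOTE's step 2 writes PEM text (plus the `-text` dump) into a file named `certificate.der`, which is misleading and unnecessary — OpenSSL can fingerprint the DER blob directly, so steps 2 and 3 collapse to `openssl x509 -inform der -in certificate.bin -noout -fingerprint -sha1`. It is also worth stating why SHA-1 is used here: it is fine as an identifier to match against whatever fingerprint this dissector extracts (presumably SHA-1, not visible in the hunk), but it is not collision resistant, so a caveat such as `/* SHA-1 only for matching nDPI's fingerprint field; use -sha256 for any trust/blocklist decision */` would keep readers from reusing it as a security control. Comment-only hunk, no code affected.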
diff --git a/tests/pcap/netflowv9.pcap b/tests/pcap/netflowv9.pcap
new file mode 100644
index 000000000..e9f34db42
--- /dev/null
+++ b/tests/pcap/netflowv9.pcap
Binary files differ
diff --git a/tests/result/netflowv9.pcap.out b/tests/result/netflowv9.pcap.out
new file mode 100644
index 000000000..9f6f3080a
--- /dev/null
+++ b/tests/result/netflowv9.pcap.out
@@ -0,0 +1,3 @@
+NetFlow 10 13888 1
+
+ 1 UDP 192.168.2.134:48629 -> 192.168.2.222:2057 [proto: 128/NetFlow][cat: Network/14][10 pkts/13888 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 0.0/0.0 0/0 0.0/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 1362/0 1388.8/0.0 1418/0 23.1/0.0]