-rw-r--r-- | src/lib/ndpi_main.c | 132 | ||||
-rw-r--r-- | src/lib/protocols/ntp.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 13 | ||||
-rw-r--r-- | tests/result/1kxun.pcap.out | 4 | ||||
-rw-r--r-- | tests/result/anyconnect-vpn.pcap.out | 6 | ||||
-rw-r--r-- | tests/result/nest_log_sink.pcap.out | 17 | ||||
-rw-r--r-- | tests/result/nintendo.pcap.out | 6 | ||||
-rw-r--r-- | tests/result/skype.pcap.out | 8 | ||||
-rw-r--r-- | tests/result/skype_no_unknown.pcap.out | 5 | ||||
-rw-r--r-- | tests/result/whatsapp_login_call.pcap.out | 5 | ||||
-rw-r--r-- | tests/result/whatsapp_login_chat.pcap.out | 5 | ||||
-rw-r--r-- | tests/result/zoom.pcap.out | 6 |
12 files changed, 105 insertions, 104 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 7138ab9c1..270c8ae36 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1766,7 +1766,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp 1 /* no subprotocol */, no_master, no_master, "Bloomberg", NDPI_PROTOCOL_CATEGORY_NETWORK, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_CAPWAP, 1 /* no subprotocol */, no_master, no_master, "CAPWAP", NDPI_PROTOCOL_CATEGORY_NETWORK, @@ -1950,7 +1950,7 @@ static patricia_node_t* add_to_ptree(patricia_tree_t *tree, int family, /* ******************************************* */ /* - Load a file containing IPv4 addresses in CIDR format as 'protocol_id' + Load a file containing IPv4 addresses in CIDR format as 'protocol_id' Return: the number of entries loaded or -1 in case of error */ @@ -1960,7 +1960,7 @@ int ndpi_load_ipv4_ptree(struct ndpi_detection_module_struct *ndpi_str, FILE *fd; int len; u_int num_loaded = 0; - + fd = fopen(path, "r"); if(fd == NULL) { @@ -1985,9 +1985,9 @@ int ndpi_load_ipv4_ptree(struct ndpi_detection_module_struct *ndpi_str, if(addr) { struct in_addr pin; patricia_node_t *node; - + cidr = strtok_r(NULL, "\n", &saveptr); - + pin.s_addr = inet_addr(addr); if((node = add_to_ptree(ndpi_str->protocols_ptree, AF_INET, &pin, cidr ? atoi(cidr) : 32 /* bits */)) != NULL) @@ -2013,7 +2013,7 @@ static void ndpi_init_ptree_ipv4(struct ndpi_detection_module_struct *ndpi_str, if(skip_tor_hosts && (host_list[i].value == NDPI_PROTOCOL_TOR)) continue; - + pin.s_addr = htonl(host_list[i].network); if((node = add_to_ptree(ptree, AF_INET, &pin, host_list[i].cidr /* bits */)) != NULL) 
@@ -2307,7 +2307,7 @@ void ndpi_finalize_initalization(struct ndpi_detection_module_struct *ndpi_str) automa = &ndpi_str->impossible_bigrams_automa; break; } - + ac_automata_finalize((AC_AUTOMATA_t*)automa->ac_automa); automa->ac_automa_finalized = 1; } @@ -3509,7 +3509,7 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n #ifdef CUSTOM_NDPI_PROTOCOLS #include "../../../nDPI-custom/custom_ndpi_main_init.c" #endif - + /* ----------------------------------------------------------------- */ ndpi_str->callback_buffer_size = a; 
@@ -4055,22 +4055,24 @@ void check_ndpi_udp_flow_func(struct ndpi_detection_module_struct *ndpi_str, func = ndpi_str->proto_defaults[flow->guessed_protocol_id].func; } - for(a = 0; a < ndpi_str->callback_buffer_size_udp; a++) { - if((func != ndpi_str->callback_buffer_udp[a].func) - && (ndpi_str->callback_buffer_udp[a].ndpi_selection_bitmask & *ndpi_selection_packet) == - ndpi_str->callback_buffer_udp[a].ndpi_selection_bitmask - && NDPI_BITMASK_COMPARE(flow->excluded_protocol_bitmask, - ndpi_str->callback_buffer_udp[a].excluded_protocol_bitmask) == 0 - && NDPI_BITMASK_COMPARE(ndpi_str->callback_buffer_udp[a].detection_bitmask, - detection_bitmask) != 0) { - ndpi_str->callback_buffer_udp[a].func(ndpi_str, flow); - - // NDPI_LOG_DBG(ndpi_str, "[UDP,CALL] dissector of protocol as callback_buffer idx = %d\n",a); - if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) - break; /* Stop after detecting the first protocol */ - } else - if(_ndpi_debug_callbacks) NDPI_LOG_DBG2(ndpi_str, - "[UDP,SKIP] dissector of protocol as callback_buffer idx = %d\n",a); + if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { + for(a = 0; a < ndpi_str->callback_buffer_size_udp; a++) { + if((func != ndpi_str->callback_buffer_udp[a].func) + && (ndpi_str->callback_buffer_udp[a].ndpi_selection_bitmask & *ndpi_selection_packet) == + ndpi_str->callback_buffer_udp[a].ndpi_selection_bitmask + && NDPI_BITMASK_COMPARE(flow->excluded_protocol_bitmask, + ndpi_str->callback_buffer_udp[a].excluded_protocol_bitmask) == 0 + && NDPI_BITMASK_COMPARE(ndpi_str->callback_buffer_udp[a].detection_bitmask, + detection_bitmask) != 0) { + ndpi_str->callback_buffer_udp[a].func(ndpi_str, flow); + + // NDPI_LOG_DBG(ndpi_str, "[UDP,CALL] dissector of protocol as callback_buffer idx = %d\n",a); + if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) + break; /* Stop after detecting the first protocol */ + } else + if(_ndpi_debug_callbacks) NDPI_LOG_DBG2(ndpi_str, + "[UDP,SKIP] dissector of 
protocol as callback_buffer idx = %d\n",a); + } } } @@ -4191,7 +4193,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st ndpi_protocol ret = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED }; *protocol_was_guessed = 0; - + if(flow == NULL) return(ret); @@ -4298,10 +4300,10 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st ret.app_protocol = NDPI_PROTOCOL_HANGOUT_DUO; } } - + if(ret.app_protocol != NDPI_PROTOCOL_UNKNOWN) - ndpi_fill_protocol_category(ndpi_str, flow, &ret); - + ndpi_fill_protocol_category(ndpi_str, flow, &ret); + return(ret); } @@ -4796,7 +4798,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct if(flow->packet.iph) { if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) { u_int8_t protocol_was_guessed; - + /* ret.master_protocol = flow->guessed_protocol_id , ret.app_protocol = flow->guessed_host_protocol_id; /\* ****** *\/ */ ret = ndpi_detection_giveup(ndpi_str, flow, 0, &protocol_was_guessed); } 
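Review bot: The new outer test `if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)` in check_ndpi_udp_flow_func has no comment, and it does more than the existing `break`: once a protocol is recorded on the flow, later calls bypass the whole UDP callback loop, so whichever dissector sets the stack first fixes the label. For a classifier that feeds monitoring or policy this is worth stating above the test, for example `/* protocol already set on this flow: do not run the remaining UDP dissectors */`. The trailing `else` followed by an unbraced `if(_ndpi_debug_callbacks)` now sits one level deeper and would read better with braces. The function starts before the hunk, so how the stack gets set ahead of the loop is not visible here.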
@@ -4816,34 +4818,33 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct addr.s_addr = flow->packet.iph->daddr; flow->guessed_host_protocol_id = ndpi_network_ptree_match(ndpi_str, &addr); } + + /* + We could implement a shortcut here skipping dissectors for + protocols we have identified by other means such as with the IP + + However we do NOT stop here and skip invoking the dissectors + because we want to dissect the flow (e.g. dissect the TLS) + and extract metadata. + */ +#if SKIP_INVOKING_THE_DISSECTORS + if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) { + /* + We have identified a protocol using the IP address so + it is not worth to dissect the traffic as we already have + the solution + */ + ret.master_protocol = flow->guessed_protocol_id, + ret.app_protocol = flow->guessed_host_protocol_id; + } +#endif } } } if(flow->guessed_host_protocol_id > NDPI_MAX_SUPPORTED_PROTOCOLS) { /* This is a custom protocol and it has priority over everything else */ - ret.master_protocol = NDPI_PROTOCOL_UNKNOWN, ret.app_protocol = flow->guessed_host_protocol_id; - - if(flow->packet.tcp && (ret.master_protocol == NDPI_PROTOCOL_UNKNOWN)) { - /* Minimal guess for HTTP/SSL-based protocols */ - int i; - - for(i=0; i<2; i++) { - u_int16_t port = (i == 0) ? ntohs(flow->packet.tcp->dest) : ntohs(flow->packet.tcp->source); - - switch(port) { - case 80: - ret.master_protocol = NDPI_PROTOCOL_HTTP; - break; - case 443: - ret.master_protocol = NDPI_PROTOCOL_TLS; /* QUIC could also match */ - break; - } - - if(ret.master_protocol != NDPI_PROTOCOL_UNKNOWN) - break; - } - } + ret.master_protocol = flow->guessed_protocol_id, ret.app_protocol = flow->guessed_host_protocol_id; ndpi_check_flow_func(ndpi_str, flow, &ndpi_selection_packet); ndpi_fill_protocol_category(ndpi_str, flow, &ret); 
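Review bot: The block guarded by `#if SKIP_INVOKING_THE_DISSECTORS` depends on a macro that no line in this diff defines, so the preprocessor treats it as 0 and the code is compiled out silently (builds using `-Wundef` will warn). As written the block only assigns `ret.master_protocol` and `ret.app_protocol`, with no return or jump. Defining the macro would therefore apparently not skip the dissectors the comment describes, although the rest of ndpi_detection_process_packet lies outside the hunk. I would either drop the dead block and keep the explanatory comment, or switch to `#ifdef SKIP_INVOKING_THE_DISSECTORS` and document the macro alongside the other build options. The assignments joined with a comma operator, here and in the custom-protocol branch below, would also be clearer as separate statements.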
@@ -4893,7 +4894,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct && (flow->guessed_protocol_id == 0) ) { u_int8_t protocol_was_guessed; - + /* This is a TCP flow - whose first packet is NOT a SYN @@ -4905,6 +4906,13 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct ret = ndpi_detection_giveup(ndpi_str, flow, 0, &protocol_was_guessed); } + if((ret.master_protocol == NDPI_PROTOCOL_UNKNOWN) + && (ret.app_protocol != NDPI_PROTOCOL_UNKNOWN) + && (flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN)) { + ret.master_protocol = ret.app_protocol; + ret.app_protocol = flow->guessed_host_protocol_id; + } + invalidate_ptr: /* Invalidate packet memory to avoid accessing the pointers below @@ -5169,7 +5177,7 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, while((packet->content_line.len > 0) && (packet->content_line.ptr[0] == ' ')) packet->content_line.len--, packet->content_line.ptr++; - + packet->http_num_headers++; } /* "Content-Type:" header line in HTTP AGAIN. Probably a bogus response without space after ":" */ @@ -5186,14 +5194,14 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, char separator[] = { ';', '\r', '\0' }; int i; - for(i=0; separator[i] != '\0'; i++) { + for(i=0; separator[i] != '\0'; i++) { char *c = memchr((char*)packet->content_line.ptr, separator[i], packet->content_line.len); - + if(c != NULL) packet->content_line.len = c - (char*)packet->content_line.ptr; } } - + /* "Accept:" header line in HTTP request. */ if(packet->line[packet->parsed_lines].len > 8 && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Accept: ", 8) == 0) { 
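Review bot: The swap added before `invalidate_ptr:` does not check that `ret.app_protocol` differs from `flow->guessed_host_protocol_id`, so a result whose application protocol already came from the address match would carry the same id in both fields; adding `&& (ret.app_protocol != flow->guessed_host_protocol_id)` to the condition avoids that. Whether that state is reachable depends on code outside the hunk. No call to `ndpi_fill_protocol_category()` follows the swap in the hunk, so the category appears to remain that of the dissected protocol (the updated expectations show `9.140/NTP.Apple` still under `cat: System/18`) while per-protocol totals move to the address owner, e.g. the `NTP` row disappears from tests/result/1kxun.pcap.out. A short comment stating that the address-derived id deliberately becomes the application protocol would help consumers that key alerts or policy on `app_protocol`.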
@@ -6202,7 +6210,7 @@ static u_int8_t ndpi_is_more_generic_protocol(u_int16_t previous_proto, u_int16_ if((previous_proto == NDPI_PROTOCOL_UNKNOWN) || (previous_proto == new_proto)) return(0); - + switch(previous_proto) { case NDPI_PROTOCOL_WHATSAPP_CALL: case NDPI_PROTOCOL_WHATSAPP_FILES: @@ -6307,7 +6315,7 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_ flow, string_to_match, string_to_match_len, master_protocol_id, ret_match, 1); unsigned long id = ret_match->protocol_category; - + if(ndpi_get_custom_category_match(ndpi_str, string_to_match, string_to_match_len, &id) != -1) { if(id != -1) { flow->category = ret_match->protocol_category = id; @@ -6593,15 +6601,15 @@ const char* ndpi_get_l4_proto_name(ndpi_l4_proto_info proto) { case ndpi_l4_proto_unknown: return(""); break; - + case ndpi_l4_proto_tcp_only: return("TCP"); break; - + case ndpi_l4_proto_udp_only: return("UDP"); break; - + case ndpi_l4_proto_tcp_and_udp: return("TCP/UDP"); break; @@ -6613,7 +6621,7 @@ const char* ndpi_get_l4_proto_name(ndpi_l4_proto_info proto) { /* ******************************************************************** */ ndpi_l4_proto_info ndpi_get_l4_proto_info(struct ndpi_detection_module_struct *ndpi_struct, - u_int16_t ndpi_proto_id) { + u_int16_t ndpi_proto_id) { if(ndpi_proto_id < ndpi_struct->ndpi_num_supported_protocols) { u_int16_t idx = ndpi_struct->proto_defaults[ndpi_proto_id].protoIdx; NDPI_SELECTION_BITMASK_PROTOCOL_SIZE bm = ndpi_struct->callback_buffer[idx].ndpi_selection_bitmask; diff --git a/src/lib/protocols/ntp.c b/src/lib/protocols/ntp.c index a03ed3b43..126dadc4c 100644 --- a/src/lib/protocols/ntp.c +++ b/src/lib/protocols/ntp.c @@ -58,8 +58,8 @@ void ndpi_search_ntp_udp(struct ndpi_detection_module_struct *ndpi_struct, struc return; } } - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 9d22a66db..23c47d7cd 100644 
--- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -1400,19 +1400,16 @@ void ndpi_search_tls_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, u_int8_t ret, skip_cert_processing = 0; #ifdef DEBUG_TLS - printf("%s()\n", __FUNCTION__); + printf("==>> %u [len: %u][version: %u]\n", + flow->guessed_host_protocol_id, + packet->payload_packet_len, + flow->protos.stun_ssl.ssl.ssl_version); #endif if(packet->udp != NULL) { /* DTLS dissector */ int rc = sslTryAndRetrieveServerCertificate(ndpi_struct, flow); - -#ifdef DEBUG_TLS - printf("==>> %u [rc: %d][len: %u][%s][version: %u]\n", - flow->guessed_host_protocol_id, rc, packet->payload_packet_len, flow->protos.stun_ssl.ssl.ja3_server, - flow->protos.stun_ssl.ssl.ssl_version); -#endif - + if((rc == 0) && (flow->protos.stun_ssl.ssl.ssl_version != 0)) { flow->guessed_protocol_id = NDPI_PROTOCOL_TLS; diff --git a/tests/result/1kxun.pcap.out b/tests/result/1kxun.pcap.out index e2d5cea15..b21b10984 100644 --- a/tests/result/1kxun.pcap.out +++ b/tests/result/1kxun.pcap.out @@ -2,7 +2,6 @@ Unknown 24 6428 14 DNS 5 638 2 HTTP 945 530967 19 MDNS 1 82 1 -NTP 1 90 1 NetBIOS 31 3589 8 SSDP 143 36951 13 DHCP 24 8208 5 @@ -12,6 +11,7 @@ TLS 105 21914 7 DHCPV6 10 980 3 Facebook 19 6840 2 Google 12 991 4 +Apple 1 90 1 LLMNR 89 6799 47 JA3 Host Stats: 
@@ -127,7 +127,7 @@ JA3 Host Stats: 106 UDP 192.168.5.45:59789 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 53.8/0.0][< 1 sec][Host: sanji-lifebook-][PLAIN TEXT ( FDEBEOEKEJ)] 107 UDP [fe80::e034:7be:d8f9:6197]:57143 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Goodput ratio: 31.5/0.0][< 1 sec][Host: charming-pc][PLAIN TEXT (charming)] 108 UDP [fe80::e034:7be:d8f9:6197]:62756 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Goodput ratio: 31.5/0.0][< 1 sec][Host: charming-pc][PLAIN TEXT (charming)] - 109 UDP 192.168.5.16:123 -> 17.253.26.125:123 [proto: 9/NTP][cat: System/18][1 pkts/90 bytes -> 0 pkts/0 bytes][Goodput ratio: 52.7/0.0][< 1 sec] + 109 UDP 192.168.5.16:123 -> 17.253.26.125:123 [proto: 9.140/NTP.Apple][cat: System/18][1 pkts/90 bytes -> 0 pkts/0 bytes][Goodput ratio: 52.7/0.0][< 1 sec] 110 UDP 192.168.5.64:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/82 bytes -> 0 pkts/0 bytes][Goodput ratio: 48.2/0.0][< 1 sec][PLAIN TEXT (googlecast)] 111 UDP 192.168.5.50:49766 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/71 bytes -> 0 pkts/0 bytes][Goodput ratio: 40.3/0.0][< 1 sec][Host: charming-pc][PLAIN TEXT (charming)] 112 UDP 192.168.5.50:50030 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/71 bytes -> 0 pkts/0 bytes][Goodput ratio: 40.3/0.0][< 1 sec][Host: charming-pc][PLAIN TEXT (charming)] diff --git a/tests/result/anyconnect-vpn.pcap.out b/tests/result/anyconnect-vpn.pcap.out index d521cbec5..e4841247f 100644 --- a/tests/result/anyconnect-vpn.pcap.out +++ b/tests/result/anyconnect-vpn.pcap.out @@ -11,10 +11,10 @@ ICMPV6 18 2964 2 Slack 29 4979 2 Google 2 132 1 AJP 5 390 1 -Apple 2 297 1 +Apple 7 656 2 CiscoVPN 33 4378 2 Amazon 36 3540 3 -ApplePush 11 1325 4 +ApplePush 6 966 3 JA3 Host Stats: IP Address # JA3C 
@@ -51,7 +51,7 @@ JA3 Host Stats: 28 UDP 10.0.0.227:59582 <-> 75.75.75.75:53 [proto: 5.238/DNS.ApplePush][cat: Cloud/13][1 pkts/92 bytes <-> 1 pkts/323 bytes][Goodput ratio: 53.8/86.7][0.02 sec][Host: 1-courier.sandbox.push.apple.com][PLAIN TEXT (courier)] 29 TCP 10.0.0.227:56871 <-> 8.37.103.196:443 [proto: 91/TLS][cat: Web/5][1 pkts/66 bytes <-> 5 pkts/330 bytes][Goodput ratio: 0.0/0.0][20.32 sec][bytes ratio: -0.667 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0.0/0.0 0/0 0.0/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 66.0/66.0 66/66 0.0/0.0] 30 TCP 10.0.0.227:56916 -> 10.0.0.151:8009 [proto: 139/AJP][cat: Web/5][5 pkts/390 bytes -> 0 pkts/0 bytes][Goodput ratio: 0.0/0.0][5.03 sec] - 31 TCP 10.0.0.227:56886 <-> 17.57.144.116:5223 [proto: 238/ApplePush][cat: Cloud/13][3 pkts/174 bytes <-> 2 pkts/185 bytes][Goodput ratio: 0.0/28.5][0.02 sec] + 31 TCP 10.0.0.227:56886 <-> 17.57.144.116:5223 [proto: 238.140/ApplePush.Apple][cat: Cloud/13][3 pkts/174 bytes <-> 2 pkts/185 bytes][Goodput ratio: 0.0/28.5][0.02 sec] 32 UDP 10.0.0.151:1900 -> 10.0.0.227:61328 [proto: 12/SSDP][cat: System/18][1 pkts/353 bytes -> 0 pkts/0 bytes][Goodput ratio: 87.9/0.0][< 1 sec][PLAIN TEXT (HTTP/1.1 200 OK)] 33 TCP 10.0.0.227:56910 <-> 35.201.124.9:443 [proto: 91/TLS][cat: Web/5][2 pkts/170 bytes <-> 2 pkts/164 bytes][Goodput ratio: 22.2/19.4][0.05 sec] 34 UDP 10.0.0.227:62427 <-> 75.75.75.75:53 [proto: 5/DNS][cat: Network/14][1 pkts/84 bytes <-> 1 pkts/242 bytes][Goodput ratio: 49.4/82.3][0.02 sec][Host: detectportal.firefox.com][PLAIN TEXT (detectportal)] diff --git a/tests/result/nest_log_sink.pcap.out b/tests/result/nest_log_sink.pcap.out index c8cbf739e..5db8503ec 100644 --- a/tests/result/nest_log_sink.pcap.out +++ b/tests/result/nest_log_sink.pcap.out 
@@ -1,17 +1,18 @@ DNS 15 1612 1 -NestLogSink 759 116848 13 +NestLogSink 457 44483 6 +Google 302 72365 7 - 1 TCP 192.168.242.15:63342 <-> 35.188.154.186:11095 [proto: 43/NestLogSink][cat: Cloud/13][37 pkts/14650 bytes <-> 35 pkts/4115 bytes][Goodput ratio: 86.1/54.0][4.71 sec][bytes ratio: 0.561 (Upload)][IAT c2s/s2c min/avg/max/stddev: 4/0 142.2/150.2 1347/1490 250.6/289.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 395.9/117.6 585/733 191.9/107.5][PLAIN TEXT (05CA02AC4414028)] - 2 TCP 192.168.242.15:63345 <-> 35.188.154.186:11095 [proto: 43/NestLogSink][cat: Cloud/13][36 pkts/14613 bytes <-> 35 pkts/4114 bytes][Goodput ratio: 86.4/53.9][4.14 sec][bytes ratio: 0.561 (Upload)][IAT c2s/s2c min/avg/max/stddev: 11/0 131.6/134.1 1166/1477 228.8/290.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 405.9/117.5 584/732 185.3/107.3][PLAIN TEXT (05CA02AC4414028)] - 3 TCP 192.168.242.15:63351 <-> 35.188.154.186:11095 [proto: 43/NestLogSink][cat: Cloud/13][25 pkts/9229 bytes <-> 24 pkts/2916 bytes][Goodput ratio: 85.0/55.4][3.56 sec][bytes ratio: 0.520 (Upload)][IAT c2s/s2c min/avg/max/stddev: 5/0 163.8/174.5 1319/1484 293.5/350.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 369.2/121.5 584/733 204.4/129.6][PLAIN TEXT (05CA02AC4414028)] - 4 TCP 192.168.242.15:63348 <-> 35.188.154.186:11095 [proto: 43/NestLogSink][cat: Cloud/13][25 pkts/9114 bytes <-> 24 pkts/2915 bytes][Goodput ratio: 84.8/55.4][3.42 sec][bytes ratio: 0.515 (Upload)][IAT c2s/s2c min/avg/max/stddev: 10/0 157.7/169.4 1167/1475 265.8/349.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 364.6/121.5 584/732 204.5/129.4][PLAIN TEXT (05CA02AC4414028)] + 1 TCP 192.168.242.15:63342 <-> 35.188.154.186:11095 [proto: 43.126/NestLogSink.Google][cat: Cloud/13][37 pkts/14650 bytes <-> 35 pkts/4115 bytes][Goodput ratio: 86.1/54.0][4.71 sec][bytes ratio: 0.561 (Upload)][IAT c2s/s2c min/avg/max/stddev: 4/0 142.2/150.2 1347/1490 250.6/289.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 395.9/117.6 585/733 191.9/107.5][PLAIN TEXT 
(05CA02AC4414028)] + 2 TCP 192.168.242.15:63345 <-> 35.188.154.186:11095 [proto: 43.126/NestLogSink.Google][cat: Cloud/13][36 pkts/14613 bytes <-> 35 pkts/4114 bytes][Goodput ratio: 86.4/53.9][4.14 sec][bytes ratio: 0.561 (Upload)][IAT c2s/s2c min/avg/max/stddev: 11/0 131.6/134.1 1166/1477 228.8/290.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 405.9/117.5 584/732 185.3/107.3][PLAIN TEXT (05CA02AC4414028)] + 3 TCP 192.168.242.15:63351 <-> 35.188.154.186:11095 [proto: 43.126/NestLogSink.Google][cat: Cloud/13][25 pkts/9229 bytes <-> 24 pkts/2916 bytes][Goodput ratio: 85.0/55.4][3.56 sec][bytes ratio: 0.520 (Upload)][IAT c2s/s2c min/avg/max/stddev: 5/0 163.8/174.5 1319/1484 293.5/350.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 369.2/121.5 584/733 204.4/129.6][PLAIN TEXT (05CA02AC4414028)] + 4 TCP 192.168.242.15:63348 <-> 35.188.154.186:11095 [proto: 43.126/NestLogSink.Google][cat: Cloud/13][25 pkts/9114 bytes <-> 24 pkts/2915 bytes][Goodput ratio: 84.8/55.4][3.42 sec][bytes ratio: 0.515 (Upload)][IAT c2s/s2c min/avg/max/stddev: 10/0 157.7/169.4 1167/1475 265.8/349.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 364.6/121.5 584/732 204.5/129.4][PLAIN TEXT (05CA02AC4414028)] 5 TCP 192.168.242.15:63343 <-> 35.174.82.237:11095 [proto: 43/NestLogSink][cat: Cloud/13][60 pkts/5549 bytes <-> 56 pkts/5094 bytes][Goodput ratio: 36.1/40.5][1799.54 sec][bytes ratio: 0.043 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/16 33934.9/28186.7 60073/60075 29484.2/29644.5][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 92.5/91.0 585/731 96.8/125.8][PLAIN TEXT (05CA02AC4414028)] 6 TCP 192.168.242.15:63352 <-> 35.174.82.237:11095 [proto: 43/NestLogSink][cat: Cloud/13][50 pkts/4894 bytes <-> 46 pkts/4392 bytes][Goodput ratio: 39.7/43.3][1508.66 sec][bytes ratio: 0.054 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 4/17 33170.0/30242.3 60184/60262 29629.6/29816.1][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 97.9/95.5 586/730 105.0/136.5][PLAIN TEXT (05CA02AC4414028)] 7 TCP 192.168.242.15:63346 <-> 
35.174.82.237:11095 [proto: 43/NestLogSink][cat: Cloud/13][41 pkts/4409 bytes <-> 37 pkts/3907 bytes][Goodput ratio: 45.4/48.7][1042.88 sec][bytes ratio: 0.060 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/15 27923.8/26021.8 60088/60136 29300.8/29455.1][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 107.5/105.6 585/731 114.0/150.6][PLAIN TEXT (05CA02AC4414028)] 8 TCP 192.168.242.15:63349 <-> 35.174.82.237:11095 [proto: 43/NestLogSink][cat: Cloud/13][28 pkts/3254 bytes <-> 24 pkts/3040 bytes][Goodput ratio: 49.8/57.2][602.97 sec][bytes ratio: 0.034 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 4/14 24649.0/24894.2 60122/60151 29303.3/29368.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 116.2/126.7 584/732 117.5/180.8][PLAIN TEXT (05CA02AC4414028)] 9 TCP 192.168.242.15:63350 <-> 35.174.82.237:11095 [proto: 43/NestLogSink][cat: Cloud/13][18 pkts/2655 bytes <-> 14 pkts/2499 bytes][Goodput ratio: 61.1/69.6][153.64 sec][bytes ratio: 0.030 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 7/15 10959.9/13629.3 60124/60155 21488.4/24847.0][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 147.5/178.5 585/731 137.0/222.5][PLAIN TEXT (05CA02AC4414028)] 10 TCP 192.168.242.15:63340 <-> 35.174.82.237:11095 [proto: 43/NestLogSink][cat: Cloud/13][42 pkts/2576 bytes <-> 41 pkts/2214 bytes][Goodput ratio: 2.4/0.0][1615.16 sec][bytes ratio: 0.076 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/143 39827.0/40755.2 60071/60122 27934.1/27879.7][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 61.3/54.0 116/54 8.5/0.0] - 11 TCP 192.168.242.15:63344 <-> 35.188.154.186:11095 [proto: 43/NestLogSink][cat: Cloud/13][11 pkts/2565 bytes <-> 10 pkts/1389 bytes][Goodput ratio: 75.6/60.8][5.29 sec][bytes ratio: 0.297 (Upload)][IAT c2s/s2c min/avg/max/stddev: 61/0 640.5/729.1 2711/3410 865.2/1201.7][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 233.2/138.9 584/732 216.6/199.2][PLAIN TEXT (05CA02AC4414028)] - 12 TCP 192.168.242.15:63347 <-> 35.188.154.186:11095 [proto: 43/NestLogSink][cat: Cloud/13][10 pkts/1983 bytes <-> 10 pkts/1390 
bytes][Goodput ratio: 71.2/60.8][2.81 sec][bytes ratio: 0.176 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 63/0 341.6/348.9 1182/1489 362.6/517.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 198.3/139.0 586/733 195.5/199.5][PLAIN TEXT (05CA02AC4414028)] - 13 TCP 192.168.242.15:63353 <-> 35.188.154.186:11095 [proto: 43/NestLogSink][cat: Cloud/13][10 pkts/1983 bytes <-> 10 pkts/1389 bytes][Goodput ratio: 71.2/60.8][2.65 sec][bytes ratio: 0.176 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 70/0 321.0/347.6 1162/1502 365.5/527.2][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 198.3/138.9 586/732 195.5/199.2][PLAIN TEXT (05CA02AC4414028)] + 11 TCP 192.168.242.15:63344 <-> 35.188.154.186:11095 [proto: 43.126/NestLogSink.Google][cat: Cloud/13][11 pkts/2565 bytes <-> 10 pkts/1389 bytes][Goodput ratio: 75.6/60.8][5.29 sec][bytes ratio: 0.297 (Upload)][IAT c2s/s2c min/avg/max/stddev: 61/0 640.5/729.1 2711/3410 865.2/1201.7][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 233.2/138.9 584/732 216.6/199.2][PLAIN TEXT (05CA02AC4414028)] + 12 TCP 192.168.242.15:63347 <-> 35.188.154.186:11095 [proto: 43.126/NestLogSink.Google][cat: Cloud/13][10 pkts/1983 bytes <-> 10 pkts/1390 bytes][Goodput ratio: 71.2/60.8][2.81 sec][bytes ratio: 0.176 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 63/0 341.6/348.9 1182/1489 362.6/517.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 198.3/139.0 586/733 195.5/199.5][PLAIN TEXT (05CA02AC4414028)] + 13 TCP 192.168.242.15:63353 <-> 35.188.154.186:11095 [proto: 43.126/NestLogSink.Google][cat: Cloud/13][10 pkts/1983 bytes <-> 10 pkts/1389 bytes][Goodput ratio: 71.2/60.8][2.65 sec][bytes ratio: 0.176 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 70/0 321.0/347.6 1162/1502 365.5/527.2][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 198.3/138.9 586/732 195.5/199.2][PLAIN TEXT (05CA02AC4414028)] 14 UDP 192.168.242.15:52849 <-> 192.168.242.1:53 [proto: 5/DNS][cat: Network/14][8 pkts/713 bytes <-> 7 pkts/899 bytes][Goodput ratio: 52.8/67.2][3600.37 sec][Host: weave-logsink.nest.com][bytes ratio: 
-0.115 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 22/4311 596403.3/515880.4 1795476/1795277 670695.5/701384.1][Pkt Len c2s/s2c min/avg/max/stddev: 82/98 89.1/128.4 101/169 9.2/35.1][PLAIN TEXT (logsink)] diff --git a/tests/result/nintendo.pcap.out b/tests/result/nintendo.pcap.out index 98bd3f2e8..34143be84 100644 --- a/tests/result/nintendo.pcap.out +++ b/tests/result/nintendo.pcap.out @@ -1,6 +1,6 @@ ICMP 30 2100 2 -Nintendo 890 320242 12 -Amazon 76 10811 7 +Nintendo 887 319888 11 +Amazon 79 11165 8 JA3 Host Stats: IP Address # JA3C 
@@ -23,7 +23,7 @@ JA3 Host Stats: 14 UDP 192.168.12.114:55915 <-> 35.158.74.61:10025 [proto: 178/Amazon][cat: Web/5][5 pkts/290 bytes <-> 5 pkts/290 bytes][Goodput ratio: 27.5/27.5][0.06 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1.0/0.8 4/3 1.7/1.3][Pkt Len c2s/s2c min/avg/max/stddev: 58/58 58.0/58.0 58/58 0.0/0.0] 15 UDP 192.168.12.114:18874 <-> 192.168.12.1:53 [proto: 5.173/DNS.Nintendo][cat: Game/8][1 pkts/110 bytes <-> 1 pkts/281 bytes][Goodput ratio: 61.3/84.8][0.03 sec][Host: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com][PLAIN TEXT (fb203858ebc)] 16 UDP 192.168.12.114:51035 <-> 192.168.12.1:53 [proto: 5.173/DNS.Nintendo][cat: Game/8][1 pkts/110 bytes <-> 1 pkts/281 bytes][Goodput ratio: 61.3/84.8][< 1 sec][Host: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com][PLAIN TEXT (fb203858ebc)] - 17 UDP 192.168.12.114:52119 -> 35.158.74.61:33335 [proto: 173/Nintendo][cat: Game/8][3 pkts/354 bytes -> 0 pkts/0 bytes][Goodput ratio: 64.2/0.0][0.00 sec] + 17 UDP 192.168.12.114:52119 -> 35.158.74.61:33335 [proto: 173.178/Nintendo.Amazon][cat: Game/8][3 pkts/354 bytes -> 0 pkts/0 bytes][Goodput ratio: 64.2/0.0][0.00 sec] 18 UDP 192.168.12.114:55915 -> 35.158.74.61:33335 [proto: 178/Amazon][cat: Web/5][3 pkts/318 bytes -> 0 pkts/0 bytes][Goodput ratio: 60.2/0.0][0.00 sec][PLAIN TEXT (NATTestId)] 19 UDP 192.168.12.114:55915 -> 52.10.205.177:34343 [proto: 178/Amazon][cat: Web/5][1 pkts/298 bytes -> 0 pkts/0 bytes][Goodput ratio: 85.6/0.0][< 1 sec] 20 UDP 192.168.12.114:55915 -> 35.158.74.61:33334 [proto: 178/Amazon][cat: Web/5][5 pkts/290 bytes -> 0 pkts/0 bytes][Goodput ratio: 27.5/0.0][0.00 sec] diff --git a/tests/result/skype.pcap.out b/tests/result/skype.pcap.out index 45d402e2a..db6d78183 100644 --- a/tests/result/skype.pcap.out +++ b/tests/result/skype.pcap.out @@ -1,7 +1,6 @@ Unknown 753 81587 37 DNS 2 267 1 MDNS 8 1736 2 -NTP 2 180 1 SSDP 101 38156 6 SkypeCall 152 10704 144 ICMP 8 656 1 
@@ -9,10 +8,9 @@ IGMP 5 258 4 TLS 96 8876 7 Dropbox 38 17948 5 Skype 1796 451121 80 -Apple 3 168 1 +Apple 17 2225 3 AppleiCloud 88 20520 2 Spotify 5 430 1 -ApplePush 12 1877 1 JA3 Host Stats: IP Address # JA3C 
@@ -33,7 +31,7 @@ JA3 Host Stats: 12 UDP 192.168.1.92:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][5 pkts/2720 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][120.16 sec][PLAIN TEXT ( 3375359593)] 13 UDP 192.168.1.92:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][cat: Cloud/13][5 pkts/2720 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][120.15 sec][PLAIN TEXT ( 3375359593)] 14 TCP 192.168.1.34:50090 <-> 23.206.33.166:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][12 pkts/2140 bytes <-> 3 pkts/200 bytes][Goodput ratio: 62.4/0.0][20.12 sec][bytes ratio: 0.829 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1686.5/0.0 6249/0 2226.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 178.3/66.7 233/74 77.4/5.7][TLSv1][Client: apps.skype.com] - 15 TCP 17.143.160.22:5223 <-> 192.168.1.34:49447 [proto: 238/ApplePush][cat: Cloud/13][6 pkts/1211 bytes <-> 6 pkts/666 bytes][Goodput ratio: 67.2/40.5][66.95 sec][bytes ratio: 0.290 (Upload)][IAT c2s/s2c min/avg/max/stddev: 228/1 16680.0/16680.0 43974/44201 18098.6/18356.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 201.8/111.0 471/156 151.4/45.0] + 15 TCP 17.143.160.22:5223 <-> 192.168.1.34:49447 [proto: 238.140/ApplePush.Apple][cat: Cloud/13][6 pkts/1211 bytes <-> 6 pkts/666 bytes][Goodput ratio: 67.2/40.5][66.95 sec][bytes ratio: 0.290 (Upload)][IAT c2s/s2c min/avg/max/stddev: 228/1 16680.0/16680.0 43974/44201 18098.6/18356.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 201.8/111.0 471/156 151.4/45.0] 16 TCP 192.168.1.34:50091 <-> 157.55.235.146:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][13 pkts/1554 bytes <-> 3 pkts/200 bytes][Goodput ratio: 44.0/0.0][29.28 sec][bytes ratio: 0.772 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/73 2359.7/73.0 8785/73 2805.7/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 119.5/66.7 138/74 27.3/5.7] 17 TCP 192.168.1.34:50039 <-> 213.199.179.175:443 [proto: 91/TLS][cat: Web/5][13 pkts/1392 bytes <-> 3 pkts/200 bytes][Goodput ratio: 37.5/0.0][25.19 sec][bytes ratio: 0.749 
(Upload)][IAT c2s/s2c min/avg/max/stddev: 0/66 2027.6/66.0 7535/66 2315.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 107.1/66.7 138/74 21.3/5.7] 18 TCP 192.168.1.34:50101 <-> 157.55.235.176:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][12 pkts/1305 bytes <-> 3 pkts/285 bytes][Goodput ratio: 39.3/27.6][17.34 sec][bytes ratio: 0.642 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/77 1416.3/77.0 5596/77 1925.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 108.8/95.0 138/145 30.7/35.5] 
@@ -124,7 +122,7 @@ JA3 Host Stats: 103 UDP 192.168.1.34:13021 -> 176.26.55.167:63773 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][5 pkts/300 bytes -> 0 pkts/0 bytes][Goodput ratio: 29.9/0.0][20.13 sec] 104 UDP 192.168.1.34:58681 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/101 bytes <-> 1 pkts/166 bytes][Goodput ratio: 57.8/74.3][0.07 sec][Host: db3msgr5011709.gateway.messenger.live.com][PLAIN TEXT (MSGR5011709)] 105 UDP 192.168.1.34:62454 <-> 192.168.1.1:53 [proto: 5.143/DNS.AppleiCloud][cat: Web/5][1 pkts/101 bytes <-> 1 pkts/133 bytes][Goodput ratio: 57.8/67.9][0.05 sec][Host: p05-keyvalueservice.icloud.com.akadns.net][PLAIN TEXT (valueservice)] - 106 UDP 192.168.1.34:123 <-> 17.253.48.245:123 [proto: 9/NTP][cat: System/18][1 pkts/90 bytes <-> 1 pkts/90 bytes][Goodput ratio: 52.7/52.7][0.05 sec] + 106 UDP 192.168.1.34:123 <-> 17.253.48.245:123 [proto: 9.140/NTP.Apple][cat: System/18][1 pkts/90 bytes <-> 1 pkts/90 bytes][Goodput ratio: 52.7/52.7][0.05 sec] 107 UDP 192.168.1.34:51879 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][1 pkts/82 bytes <-> 1 pkts/98 bytes][Goodput ratio: 48.2/56.6][0.05 sec][Host: e4593.g.akamaiedge.net][PLAIN TEXT (akamaiedge)] 108 UDP 192.168.1.34:63321 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][1 pkts/82 bytes <-> 1 pkts/98 bytes][Goodput ratio: 48.2/56.6][0.05 sec][Host: e4593.g.akamaiedge.net][PLAIN TEXT (akamaiedge)] 109 UDP 192.168.1.34:64085 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][1 pkts/82 bytes <-> 1 pkts/98 bytes][Goodput ratio: 48.2/56.6][0.06 sec][Host: e7768.b.akamaiedge.net][PLAIN TEXT (akamaiedge)] diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out index 962935d87..01e22efd3 100644 --- a/tests/result/skype_no_unknown.pcap.out +++ b/tests/result/skype_no_unknown.pcap.out 
@@ -9,8 +9,7 @@ IGMP 4 226 4 TLS 79 7742 6 Dropbox 16 7342 5 Skype 1185 331827 60 -Apple 76 19581 1 -ApplePush 8 1118 1 +Apple 84 20699 2 JA3 Host Stats: IP Address # JA3C 
@@ -57,7 +56,7 @@ JA3 Host Stats: 38 TCP 192.168.1.34:51267 <-> 111.221.74.18:40025 [proto: 125/Skype][cat: VoIP/10][10 pkts/785 bytes <-> 4 pkts/378 bytes][Goodput ratio: 15.9/28.0][17.94 sec][bytes ratio: 0.350 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 1703.2/147.5 4607/294 1700.3/146.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 78.5/94.5 159/164 27.6/40.3] 39 TCP 192.168.1.34:51232 <-> 157.56.52.28:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][10 pkts/872 bytes <-> 3 pkts/285 bytes][Goodput ratio: 24.3/27.6][18.79 sec][bytes ratio: 0.507 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/199 2007.5/199.0 5293/199 1964.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 87.2/95.0 138/145 22.1/35.5] 40 UDP 192.168.1.1:137 <-> 192.168.1.34:137 [proto: 10/NetBIOS][cat: System/18][6 pkts/958 bytes <-> 2 pkts/184 bytes][Goodput ratio: 73.6/54.1][1.27 sec][Host: __msbrowse__][bytes ratio: 0.678 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1258 253.0/1258.0 1243/1258 495.0/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 104/92 159.7/92.0 271/92 78.7/0.0][PLAIN TEXT (FPFPENFDECFCEPFHFDEFFPFPACAB)] - 41 TCP 17.143.160.149:5223 <-> 192.168.1.34:50407 [proto: 238/ApplePush][cat: Cloud/13][4 pkts/674 bytes <-> 4 pkts/444 bytes][Goodput ratio: 60.7/40.4][10.70 sec][bytes ratio: 0.206 (Upload)][IAT c2s/s2c min/avg/max/stddev: 215/1 3565.3/3493.7 10265/10480 4737.4/4940.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 168.5/111.0 279/156 102.7/45.0] + 41 TCP 17.143.160.149:5223 <-> 192.168.1.34:50407 [proto: 238.140/ApplePush.Apple][cat: Cloud/13][4 pkts/674 bytes <-> 4 pkts/444 bytes][Goodput ratio: 60.7/40.4][10.70 sec][bytes ratio: 0.206 (Upload)][IAT c2s/s2c min/avg/max/stddev: 215/1 3565.3/3493.7 10265/10480 4737.4/4940.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 168.5/111.0 279/156 102.7/45.0] 42 UDP 192.168.1.34:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][2 pkts/1088 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][30.07 sec][PLAIN TEXT ( 1573195445)] 43 UDP 
192.168.1.34:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][cat: Cloud/13][2 pkts/1088 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][30.07 sec][PLAIN TEXT ( 1573195445)] 44 UDP 192.168.1.92:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][2 pkts/1088 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][30.05 sec][PLAIN TEXT ( 3375359593)] diff --git a/tests/result/whatsapp_login_call.pcap.out b/tests/result/whatsapp_login_call.pcap.out index 2da823c1b..e3aceafa2 100644 --- a/tests/result/whatsapp_login_call.pcap.out +++ b/tests/result/whatsapp_login_call.pcap.out @@ -5,10 +5,9 @@ WhatsAppCall 803 102942 20 ICMP 10 700 1 TLS 8 589 2 Dropbox 4 2176 1 -Apple 190 50263 21 +Apple 212 56189 22 WhatsApp 182 25154 2 Spotify 3 258 1 -ApplePush 22 5926 1 JA3 Host Stats: IP Address # JA3C 
@@ -21,7 +20,7 @@ JA3 Host Stats:
 4 TCP 192.168.2.4:49204 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][29 pkts/11770 bytes <-> 24 pkts/6612 bytes][Goodput ratio: 86.5/80.2][34.28 sec][bytes ratio: 0.281 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 121.7/107.9 1665/1391 339.6/319.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 405.9/275.5 1494/1002 488.5/347.9][TLSv1.2][Client: p53-buy.itunes.apple.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
 5 TCP 192.168.2.4:49201 <-> 17.178.104.12:443 [proto: 91.140/TLS.Apple][cat: Web/5][21 pkts/7644 bytes <-> 17 pkts/9576 bytes][Goodput ratio: 84.8/90.3][32.84 sec][bytes ratio: -0.112 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1908.9/36.8 30435/294 7133.2/81.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 364.0/563.3 1494/1494 552.5/634.4][TLSv1.2][Client: query.ess.apple.com][JA3C: 799135475da362592a4be9199d258726][Server: *.ess.apple.com][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Organization: Apple Inc.][Certificate SHA-1: BD:E0:62:C3:F2:9D:09:5D:52:D4:AA:60:11:1B:36:1B:03:24:F1:9B][Validity: 2014-03-08 01:53:04 - 2029-03-08 01:53:04][Cipher: TLS_RSA_WITH_RC4_128_MD5]
 6 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][17 pkts/6166 bytes <-> 15 pkts/3539 bytes][Goodput ratio: 84.7/76.8][0.94 sec][bytes ratio: 0.271 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 35.8/42.0 225/228 76.0/80.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 362.7/235.9 1494/1002 464.1/321.5][TLSv1.2][Client: p53-buy.itunes.apple.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
- 7 TCP 192.168.2.4:49193 <-> 17.110.229.14:5223 [proto: 238/ApplePush][cat: Cloud/13][11 pkts/4732 bytes <-> 11 pkts/1194 bytes][Goodput ratio: 84.6/39.2][125.45 sec][bytes ratio: 0.597 (Upload)][IAT c2s/s2c min/avg/max/stddev: 53/0 12859.6/12856.5 101116/101113 33358.6/33358.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430.2/108.5 1506/300 466.8/82.6][PLAIN TEXT (yfV.nY)]
+ 7 TCP 192.168.2.4:49193 <-> 17.110.229.14:5223 [proto: 238.140/ApplePush.Apple][cat: Cloud/13][11 pkts/4732 bytes <-> 11 pkts/1194 bytes][Goodput ratio: 84.6/39.2][125.45 sec][bytes ratio: 0.597 (Upload)][IAT c2s/s2c min/avg/max/stddev: 53/0 12859.6/12856.5 101116/101113 33358.6/33358.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430.2/108.5 1506/300 466.8/82.6][PLAIN TEXT (yfV.nY)]
 8 UDP 192.168.2.4:51518 <-> 31.13.93.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][12 pkts/2341 bytes <-> 12 pkts/2484 bytes][Goodput ratio: 78.4/79.7][29.18 sec][bytes ratio: -0.030 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2192.2/2121.8 18656/18299 5822.2/5720.0][Pkt Len c2s/s2c min/avg/max/stddev: 64/68 195.1/207.0 331/358 97.6/107.5]
 9 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][10 pkts/3420 bytes -> 0 pkts/0 bytes][Goodput ratio: 87.7/0.0][59.94 sec][Host: lucas-imac][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1255/0 6659.6/0.0 9061/0 2879.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 342/0 342.0/0.0 342/0 0.0/0.0][DHCP Fingerprint: 1,3,6,15,119,95,252,44,46]
 10 UDP 192.168.2.4:52794 <-> 31.13.84.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][9 pkts/1842 bytes <-> 11 pkts/1151 bytes][Goodput ratio: 79.4/59.8][14.33 sec][bytes ratio: 0.231 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 1922.9/792.0 6986/6468 2906.0/2008.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/64 204.7/104.6 331/128 81.8/22.8]
diff --git a/tests/result/whatsapp_login_chat.pcap.out b/tests/result/whatsapp_login_chat.pcap.out
index 6d642ec2b..59a9dce17 100644
--- a/tests/result/whatsapp_login_chat.pcap.out
+++ b/tests/result/whatsapp_login_chat.pcap.out
@@ -1,14 +1,13 @@ MDNS 2 202 2 DHCP 6 2052 1 Dropbox 2 1088 1 -Apple 44 21371 1 +Apple 50 23466 2 WhatsApp 32 3243 2 Spotify 1 86 1 -ApplePush 6 2095 1 1 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][24 pkts/15117 bytes <-> 20 pkts/6254 bytes][Goodput ratio: 91.4/82.7][3.89 sec][bytes ratio: 0.415 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 179.5/27.0 2803/212 622.4/56.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 629.9/312.7 1494/1002 544.4/369.6][PLAIN TEXT (BjmkLnl)] 2 TCP 192.168.2.4:49206 <-> 158.85.58.15:5222 [proto: 142/WhatsApp][cat: Chat/9][17 pkts/1794 bytes <-> 13 pkts/1169 bytes][Goodput ratio: 36.8/25.9][19.72 sec][bytes ratio: 0.211 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/10 1370.8/2065.9 10513/10479 2987.9/3556.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 105.5/89.9 267/144 67.5/22.2][PLAIN TEXT (iPhone)] - 3 TCP 17.110.229.14:5223 -> 192.168.2.4:49193 [proto: 238/ApplePush][cat: Cloud/13][6 pkts/2095 bytes -> 0 pkts/0 bytes][Goodput ratio: 81.1/0.0][20.00 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 659/0 4000.2/0.0 10199/0 3475.6/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 220/0 349.2/0.0 375/0 57.8/0.0] + 3 TCP 17.110.229.14:5223 -> 192.168.2.4:49193 [proto: 238.140/ApplePush.Apple][cat: Cloud/13][6 pkts/2095 bytes -> 0 pkts/0 bytes][Goodput ratio: 81.1/0.0][20.00 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 659/0 4000.2/0.0 10199/0 3475.6/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 220/0 349.2/0.0 375/0 57.8/0.0] 4 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][6 pkts/2052 bytes -> 0 pkts/0 bytes][Goodput ratio: 87.7/0.0][25.29 sec][Host: lucas-imac][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1983/0 5058.0/0.0 8569/0 2765.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 342/0 342.0/0.0 342/0 0.0/0.0][DHCP Fingerprint: 1,3,6,15,119,95,252,44,46] 5 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][cat: Cloud/13][2 
pkts/1088 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][30.04 sec][PLAIN TEXT ( 3375359593)] 6 UDP 192.168.2.4:61697 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][cat: Chat/9][1 pkts/76 bytes <-> 1 pkts/204 bytes][Goodput ratio: 44.2/79.0][0.03 sec][Host: e12.whatsapp.net][PLAIN TEXT (whatsapp)] diff --git a/tests/result/zoom.pcap.out b/tests/result/zoom.pcap.out index df91995f4..a006ae7a6 100644 --- a/tests/result/zoom.pcap.out +++ b/tests/result/zoom.pcap.out @@ -5,11 +5,11 @@ SSDP 1 168 1 DHCP 1 321 1 ntop 20 4265 1 IMAPS 2 226 1 -ICMP 3 210 2 +ICMP 1 70 1 TLS 2 114 1 Google 26 8851 3 Spotify 1 86 1 -Zoom 635 354005 19 +Zoom 637 354145 20 JA3 Host Stats: IP Address # JA3C 
@@ -44,7 +44,7 @@ JA3 Host Stats:
 26 UDP 192.168.1.117:57025 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][1 pkts/168 bytes -> 0 pkts/0 bytes][Goodput ratio: 74.6/0.0][< 1 sec][PLAIN TEXT (SEARCH )]
 27 UDP 192.168.1.117:62988 <-> 192.168.1.1:53 [proto: 5.189/DNS.Zoom][cat: Video/26][1 pkts/72 bytes <-> 1 pkts/88 bytes][Goodput ratio: 41.1/51.7][0.04 sec][Host: www3.zoom.us]
 28 UDP 192.168.1.117:64352 <-> 192.168.1.1:53 [proto: 5.189/DNS.Zoom][cat: Video/26][1 pkts/71 bytes <-> 1 pkts/87 bytes][Goodput ratio: 40.3/51.1][0.04 sec][Host: log.zoom.us]
- 29 ICMP 192.168.1.117:0 -> 162.255.38.14:0 [proto: 81/ICMP][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Goodput ratio: 39.7/0.0][0.01 sec]
+ 29 ICMP 192.168.1.117:0 -> 162.255.38.14:0 [proto: 81.189/ICMP.Zoom][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Goodput ratio: 39.7/0.0][0.01 sec]
 30 TCP 192.168.1.117:54798 <-> 13.225.84.182:443 [proto: 91/TLS][cat: Web/5][1 pkts/54 bytes <-> 1 pkts/60 bytes][Goodput ratio: 0.0/0.0][0.04 sec]
 31 UDP 192.168.1.117:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/87 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.1/0.0][< 1 sec][PLAIN TEXT (spotify)]
 32 UDP 192.168.1.117:57621 -> 192.168.1.255:57621 [proto: 156/Spotify][cat: Music/25][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 50.6/0.0][< 1 sec][PLAIN TEXT (SpotUdp)] |