diff options
| -rw-r--r-- | example/ndpiReader.c | 26 | ||||
| -rw-r--r-- | example/reader_util.c | 6 | ||||
| -rw-r--r-- | example/reader_util.h | 5 | ||||
| -rw-r--r-- | src/include/ndpi_typedefs.h | 11 | ||||
| -rw-r--r-- | src/lib/protocols/rtp.c | 73 | ||||
| -rw-r--r-- | tests/result/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out | 2 | ||||
| -rw-r--r-- | tests/result/fuzz-2006-06-26-2594.pcap.out | 8 | ||||
| -rw-r--r-- | tests/result/sip.pcap.out | 2 | ||||
| -rw-r--r-- | tests/result/skinny.pcap.out | 10 | ||||
| -rw-r--r-- | tests/result/zoom2.pcap.out | 19 |
10 files changed, 128 insertions, 34 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 326197ee3..b384e4b5a 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -1527,6 +1527,32 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa } } break; + + case INFO_RTP: + if(flow->rtp.stream_type != rtp_unknown) { + const char *what; + + switch(flow->rtp.stream_type) { + case rtp_audio: + what = "audio"; + break; + + case rtp_video: + what = "video"; + break; + + case rtp_audio_video: + what = "audio/video"; + break; + + default: + what = NULL; + break; + } + + if(what) + fprintf(out, "[RTP Stream Type: %s]", what); + } } if(flow->ssh_tls.advertised_alpns) diff --git a/example/reader_util.c b/example/reader_util.c index 276215eff..5b85c4784 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -1228,8 +1228,12 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl ndpi_snprintf(flow->http.request_content_type, sizeof(flow->http.request_content_type), "%s", flow->ndpi_flow->http.request_content_type ? flow->ndpi_flow->http.request_content_type : ""); } } + /* RTP */ + else if(is_ndpi_proto(flow, NDPI_PROTOCOL_RTP)) { + flow->info_type = INFO_RTP; + flow->rtp.stream_type = flow->ndpi_flow->protos.rtp.stream_type; /* COLLECTD */ - else if(is_ndpi_proto(flow, NDPI_PROTOCOL_COLLECTD)) { + } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_COLLECTD)) { flow->info_type = INFO_GENERIC; if(flow->ndpi_flow->protos.collectd.client_username[0] != '\0') ndpi_snprintf(flow->info, sizeof(flow->info), "Username: %s", diff --git a/example/reader_util.h b/example/reader_util.h index 675b00bdf..3140a71bf 100644 --- a/example/reader_util.h +++ b/example/reader_util.h @@ -166,6 +166,7 @@ enum info_type { INFO_TIVOCONNECT, INFO_FTP_IMAP_POP_SMTP, INFO_NATPMP, + INFO_RTP }; // flow tracking @@ -275,6 +276,10 @@ typedef struct ndpi_flow_info { } ssh_tls; struct { + enum ndpi_rtp_stream_type stream_type; + } rtp; + + struct { char url[256], request_content_type[64], content_type[64], user_agent[256], server[128]; u_int response_status_code; } http; diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index fb996f9a5..8c73723b2 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1278,6 +1278,13 @@ struct ndpi_risk_information { char *info; }; +enum ndpi_rtp_stream_type { + rtp_unknown = 0, + rtp_audio, + rtp_video, + rtp_audio_video, +}; + struct ndpi_flow_struct { u_int16_t detected_protocol_stack[NDPI_PROTOCOL_SIZE]; @@ -1388,6 +1395,10 @@ struct ndpi_flow_struct { } dns; struct { + enum ndpi_rtp_stream_type stream_type; + } rtp; + + struct { u_int8_t request_code; u_int8_t version; } ntp; diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c index db7a90936..1c48af7a4 100644 --- a/src/lib/protocols/rtp.c +++ b/src/lib/protocols/rtp.c @@ -31,7 +31,7 @@ /* http://www.myskypelab.com/2014/05/microsoft-lync-wireshark-plugin.html */ -static u_int8_t isValidMSRTPType(u_int8_t payloadType) { +static u_int8_t isValidMSRTPType(u_int8_t payloadType, enum ndpi_rtp_stream_type *s_type) { switch(payloadType) { case 0: /* G.711 u-Law */ case 3: /* GSM 6.10 */ @@ -52,11 +52,16 @@ static u_int8_t isValidMSRTPType(u_int8_t payloadType) { case 116: /* G.726 */ case 117: /* G.722 */ case 118: /* Comfort Noise Wideband */ + *s_type = rtp_audio; + return(1 /* RTP */); + break; + case 34: /* H.263 [MS-H26XPF] */ case 121: /* RT Video */ case 122: /* H.264 [MS-H264PF] */ case 123: /* H.264 FEC [MS-H264PF] */ case 127: /* x-data */ + *s_type = rtp_video; return(1 /* RTP */); break; @@ -64,6 +69,7 @@ static u_int8_t isValidMSRTPType(u_int8_t payloadType) { case 201: /* RTCP PACKET RECEIVER */ case 202: /* RTCP Source Description */ case 203: /* RTCP Bye */ + *s_type = rtp_unknown; return(2 /* RTCP */); break; @@ -119,10 +125,29 @@ static u_int8_t isZoom(u_int16_t sport, u_int16_t dport, if((enc->sfu_type >= 3) && (enc->sfu_type <= 5)) { struct zoom_media_encapsulation *enc = (struct zoom_media_encapsulation*)(&payload[sizeof(struct zoom_sfu_encapsulation)]); - *is_rtp = ((enc->enc_type == 15) || (enc->enc_type == 16)) ? 1 : 0, *zoom_stream_type = enc->enc_type; - - *payload_offset = (enc->enc_type == 16) ? 32 /* video streams have a long zoom_media_encapsulation header */ - : ((enc->enc_type == 15) ? 27 : header_offset); + *zoom_stream_type = enc->enc_type; + + switch(enc->enc_type) { + case 15: /* Audio */ + *is_rtp = 0; + *payload_offset = 27; + break; + + case 16: /* Video */ + *is_rtp = 1; + *payload_offset = 32; + break; + + case 34: /* RTCP */ + *is_rtp = 1; + *payload_offset = 36; + break; + + default: + *is_rtp = 0; + break; + } + return(1); } } @@ -137,7 +162,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, u_int8_t * payload, u_int16_t payload_len) { u_int8_t payloadType, payload_type; u_int16_t s_port = ntohs(ndpi_struct->packet.udp->source), d_port = ntohs(ndpi_struct->packet.udp->dest), payload_offset; - u_int8_t is_rtp, zoom_stream_type, is_zoom = 0; + u_int8_t is_rtp, zoom_stream_type; NDPI_LOG_DBG(ndpi_struct, "search RTP\n"); @@ -153,9 +178,32 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, if(isZoom(s_port, d_port, payload, payload_len, &is_rtp, &zoom_stream_type, &payload_offset)) { if(payload_offset < payload_len) { - payload_len -= payload_offset; - payload = &payload[payload_offset]; - is_zoom = 1; + /* + payload_len -= payload_offset; + payload = &payload[payload_offset]; + */ + + switch(zoom_stream_type) { + case 15: /* Audio */ + flow->protos.rtp.stream_type = rtp_audio; + break; + + case 16: /* Video */ + flow->protos.rtp.stream_type = rtp_video; + break; + + default: + flow->protos.rtp.stream_type = rtp_unknown; + break; + } + + /* printf("->>> %u\n", zoom_stream_type); */ + + ndpi_set_detected_protocol(ndpi_struct, flow, + NDPI_PROTOCOL_ZOOM, + NDPI_PROTOCOL_RTP, + NDPI_CONFIDENCE_DPI); + return; } } @@ -175,9 +223,10 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, return; } else { NDPI_LOG_INFO(ndpi_struct, "Found RTP\n"); + + isValidMSRTPType(payload_type, &flow->protos.rtp.stream_type); ndpi_set_detected_protocol(ndpi_struct, flow, - is_zoom ? NDPI_PROTOCOL_ZOOM : NDPI_PROTOCOL_UNKNOWN, - NDPI_PROTOCOL_RTP, + NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_RTP, NDPI_CONFIDENCE_DPI); return; } @@ -186,7 +235,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, || ((payload[0] & 0xFF) == 0xA0) || ((payload[0] & 0xFF) == 0x90) ) /* RTP magic byte[1] */ - && (payloadType = isValidMSRTPType(payload[1] & 0xFF))) { + && (payloadType = isValidMSRTPType(payload[1] & 0xFF, &flow->protos.rtp.stream_type))) { if(payloadType == 1 /* RTP */) { NDPI_LOG_INFO(ndpi_struct, "Found Skype for Business (former MS Lync)\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_TEAMS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); diff --git a/tests/result/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out b/tests/result/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out index 5ab06aa66..d375bff49 100644 --- a/tests/result/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out +++ b/tests/result/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out @@ -23,7 +23,7 @@ RTP 6995 1395012 1 SIP 92 52851 3 Megaco 130 23570 1 - 1 UDP 10.35.60.100:15580 <-> 10.23.1.52:16756 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][3848 pkts/823318 bytes <-> 3147 pkts/571694 bytes][Goodput ratio: 80/77][76.99 sec][bytes ratio: 0.180 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 19/17 173/179 4/15][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 214/182 214/214 2/46][PLAIN TEXT (UUUUUU)][Plen Bins: 0,0,38,0,0,61,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 10.35.60.100:15580 <-> 10.23.1.52:16756 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][3848 pkts/823318 bytes <-> 3147 pkts/571694 bytes][Goodput ratio: 80/77][76.99 sec][RTP Stream Type: audio][bytes ratio: 0.180 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 19/17 173/179 4/15][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 214/182 214/214 2/46][PLAIN TEXT (UUUUUU)][Plen Bins: 0,0,38,0,0,61,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 2 UDP 10.35.40.25:5060 <-> 10.35.40.200:5060 [proto: 100/SIP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: VoIP/10][22 pkts/13254 bytes <-> 24 pkts/13218 bytes][Goodput ratio: 93/92][83.79 sec][bytes ratio: 0.001 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 3385/1643 27628/17187 8177/4202][Pkt Len c2s/s2c min/avg/max/stddev: 425/304 602/551 923/894 205/186][PLAIN TEXT (INVITE sip)][Plen Bins: 0,0,0,0,0,0,0,0,4,0,8,4,22,18,4,0,8,0,0,0,0,0,0,4,8,4,4,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 3 UDP 10.35.40.22:2944 <-> 10.23.1.42:2944 [proto: 181/Megaco][IP: 0/Unknown][ClearText][Confidence: DPI][cat: VoIP/10][65 pkts/7788 bytes <-> 65 pkts/15782 bytes][Goodput ratio: 65/83][109.25 sec][bytes ratio: -0.339 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1409/1356 4370/4370 1953/1909][Pkt Len c2s/s2c min/avg/max/stddev: 77/101 120/243 583/561 107/94][PLAIN TEXT (555282713)][Plen Bins: 0,48,0,23,0,1,1,21,0,0,1,0,0,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 UDP 10.35.60.72:5060 <-> 10.35.60.100:5060 [proto: 100/SIP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: VoIP/10][11 pkts/6627 bytes <-> 12 pkts/6609 bytes][Goodput ratio: 93/92][83.79 sec][bytes ratio: 0.001 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/19 7451/3699 27579/17188 10544/5458][Pkt Len c2s/s2c min/avg/max/stddev: 425/304 602/551 923/894 205/186][PLAIN TEXT (INVITE sip)][Plen Bins: 0,0,0,0,0,0,0,0,4,0,8,4,22,18,4,0,8,0,0,0,0,0,0,4,8,4,4,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/fuzz-2006-06-26-2594.pcap.out b/tests/result/fuzz-2006-06-26-2594.pcap.out index d19efa006..21a4f8156 100644 --- a/tests/result/fuzz-2006-06-26-2594.pcap.out +++ b/tests/result/fuzz-2006-06-26-2594.pcap.out @@ -97,10 +97,10 @@ SIP 85 39540 15 62 UDP 192.168.1.2:138 -> 192.168.1.251:138 [proto: 10.16/NetBIOS.SMBv1][IP: 0/Unknown][ClearText][Confidence: DPI][cat: System/18][1 pkts/243 bytes -> 0 pkts/0 bytes][Goodput ratio: 82/0][< 1 sec][Risk: ** Unsafe Protocol **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 63 UDP 192.168.1.2:2719 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/75 bytes <-> 1 pkts/168 bytes][Goodput ratio: 43/75][1.01 sec][147.234.1.253][Risk: ** Malformed Packet **][Risk Score: 10][Risk Info: Invalid DNS Query Lenght][PLAIN TEXT (ecitele)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 64 UDP 192.168.1.41:138 -> 192.168.1.255:394 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: Match by port][cat: System/18][1 pkts/243 bytes -> 0 pkts/0 bytes][Goodput ratio: 82/0][< 1 sec][PLAIN TEXT (MEBECDBDBDBCACACACACACACACACACA)][Plen Bins: 0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 65 UDP 81.168.1.2:30000 -> 212.242.33.36:40392 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][1 pkts/214 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][< 1 sec][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 66 UDP 192.168.1.2:30000 -> 37.115.0.36:40392 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][1 pkts/214 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][< 1 sec][PLAIN TEXT (njlndlj)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 67 UDP 192.168.1.2:30000 -> 214.242.33.36:40392 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][1 pkts/214 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][< 1 sec][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 68 UDP 192.168.1.3:30000 -> 212.242.33.36:40392 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][1 pkts/214 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][< 1 sec][PLAIN TEXT (VRUDKBu)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 65 UDP 81.168.1.2:30000 -> 212.242.33.36:40392 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][1 pkts/214 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][< 1 sec][RTP Stream Type: audio][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 66 UDP 192.168.1.2:30000 -> 37.115.0.36:40392 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][1 pkts/214 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][< 1 sec][RTP Stream Type: audio][PLAIN TEXT (njlndlj)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 67 UDP 192.168.1.2:30000 -> 214.242.33.36:40392 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][1 pkts/214 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][< 1 sec][RTP Stream Type: audio][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 68 UDP 192.168.1.3:30000 -> 212.242.33.36:40392 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][1 pkts/214 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][< 1 sec][RTP Stream Type: audio][PLAIN TEXT (VRUDKBu)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 69 UDP 192.168.1.1:53 -> 192.168.1.2:2733 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][2 pkts/210 bytes -> 0 pkts/0 bytes][Goodput ratio: 60/0][218.53 sec][Hostname/SNI: 1.0.0.127.in-addr.arpa][::][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 70 UDP 192.168.1.2:2714 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/82 bytes <-> 1 pkts/105 bytes][Goodput ratio: 48/59][0.00 sec][Hostname/SNI: 1.0.0.127.in-addr.arpa][::][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 71 UDP 192.168.1.2:2725 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/82 bytes <-> 1 pkts/105 bytes][Goodput ratio: 48/59][0.00 sec][Hostname/SNI: 1.0.0.127.in-addr.arpa][::][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/sip.pcap.out b/tests/result/sip.pcap.out index 1184f3b18..32fd4839c 100644 --- a/tests/result/sip.pcap.out +++ b/tests/result/sip.pcap.out @@ -25,5 +25,5 @@ RTCP 1 146 1 1 UDP 192.168.1.2:5060 <-> 212.242.33.35:5060 [proto: 100/SIP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: VoIP/10][53 pkts/21940 bytes <-> 31 pkts/15635 bytes][Goodput ratio: 90/92][1521.57 sec][bytes ratio: 0.168 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 158/13 25541/22026 150200/89874 25265/23489][Pkt Len c2s/s2c min/avg/max/stddev: 47/342 414/504 1118/711 343/85][PLAIN TEXT (REGISTER sip)][Plen Bins: 26,0,0,0,0,0,0,0,0,4,8,0,2,4,13,17,0,0,3,0,1,10,0,0,0,5,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 2 UDP 192.168.1.2:5060 <-> 200.68.120.81:5060 [proto: 100/SIP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: VoIP/10][15 pkts/7568 bytes <-> 3 pkts/1944 bytes][Goodput ratio: 92/93][67.09 sec][bytes ratio: 0.591 (Upload)][IAT c2s/s2c min/avg/max/stddev: 507/34556 4746/34556 32608/34556 8188/0][Pkt Len c2s/s2c min/avg/max/stddev: 389/637 505/648 864/656 180/8][PLAIN TEXT (INVITE sip)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,5,62,0,0,0,0,0,0,5,11,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 UDP 192.168.1.2:30000 -> 212.242.33.36:40392 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][9 pkts/1926 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][0.16 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 20/0 69/0 23/0][Pkt Len c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][PLAIN TEXT (VRUDKBuYs)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 UDP 192.168.1.2:30000 -> 212.242.33.36:40392 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][9 pkts/1926 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][0.16 sec][RTP Stream Type: audio][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 20/0 69/0 23/0][Pkt Len c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][PLAIN TEXT (VRUDKBuYs)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 UDP 192.168.1.2:30001 -> 212.242.33.36:40393 [proto: 165/RTCP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: VoIP/10][1 pkts/146 bytes -> 0 pkts/0 bytes][Goodput ratio: 71/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][PLAIN TEXT (11894297)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/skinny.pcap.out b/tests/result/skinny.pcap.out index d06856c8c..a8e62d593 100644 --- a/tests/result/skinny.pcap.out +++ b/tests/result/skinny.pcap.out @@ -25,11 +25,11 @@ ICMP 2 140 1 RTP 2871 614394 5 CiscoSkinny 94 10114 3 - 1 UDP 192.168.195.58:32144 <-> 192.168.195.50:17718 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][730 pkts/156220 bytes <-> 712 pkts/152368 bytes][Goodput ratio: 80/80][7.28 sec][bytes ratio: 0.012 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/7 20/20 9/9][Pkt Len c2s/s2c min/avg/max/stddev: 214/214 214/214 214/214 0/0][PLAIN TEXT (zwwtvutz)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 UDP 192.168.195.58:32150 -> 192.168.193.24:9395 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][365 pkts/78110 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][7.28 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 20/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][PLAIN TEXT (zwwtvutz)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 UDP 192.168.195.58:32152 -> 192.168.193.24:9396 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][356 pkts/76184 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][7.10 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 20/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][PLAIN TEXT (wskptvv)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 4 UDP 192.168.195.50:17726 -> 192.168.193.24:9399 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][355 pkts/75970 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][7.08 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 20/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][PLAIN TEXT (wskptvv)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 5 UDP 192.168.195.50:17732 -> 192.168.193.24:9400 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][353 pkts/75542 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][7.04 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 20/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][PLAIN TEXT (xwwsvyux)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 192.168.195.58:32144 <-> 192.168.195.50:17718 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][730 pkts/156220 bytes <-> 712 pkts/152368 bytes][Goodput ratio: 80/80][7.28 sec][RTP Stream Type: audio][bytes ratio: 0.012 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/7 20/20 9/9][Pkt Len c2s/s2c min/avg/max/stddev: 214/214 214/214 214/214 0/0][PLAIN TEXT (zwwtvutz)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 192.168.195.58:32150 -> 192.168.193.24:9395 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][365 pkts/78110 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][7.28 sec][RTP Stream Type: audio][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 20/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][PLAIN TEXT (zwwtvutz)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 UDP 192.168.195.58:32152 -> 192.168.193.24:9396 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][356 pkts/76184 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][7.10 sec][RTP Stream Type: audio][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 20/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][PLAIN TEXT (wskptvv)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 UDP 192.168.195.50:17726 -> 192.168.193.24:9399 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][355 pkts/75970 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][7.08 sec][RTP Stream Type: audio][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 20/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][PLAIN TEXT (wskptvv)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 UDP 192.168.195.50:17732 -> 192.168.193.24:9400 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][353 pkts/75542 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][7.04 sec][RTP Stream Type: audio][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 20/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][PLAIN TEXT (xwwsvyux)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 6 TCP 192.168.195.58:49399 <-> 192.168.193.12:2000 [proto: 164/CiscoSkinny][IP: 0/Unknown][ClearText][Confidence: DPI][cat: VoIP/10][20 pkts/1628 bytes <-> 28 pkts/3570 bytes][Goodput ratio: 30/56][11.13 sec][bytes ratio: -0.374 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/0 734/479 5931/5892 1663/1376][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 81/128 242/378 41/88][PLAIN TEXT (RIX Meeting Room)][Plen Bins: 45,22,0,0,16,6,3,0,0,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 7 TCP 192.168.193.12:2000 <-> 192.168.195.50:51532 [proto: 164/CiscoSkinny][IP: 0/Unknown][ClearText][Confidence: DPI][cat: VoIP/10][24 pkts/3166 bytes <-> 20 pkts/1624 bytes][Goodput ratio: 58/30][22.92 sec][bytes ratio: 0.322 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/5 699/417 6999/3582 1749/1018][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 132/81 546/242 116/41][PLAIN TEXT (RIX Meeting Room)][Plen Bins: 50,22,0,0,14,3,3,0,0,3,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 8 ICMP 192.168.195.50:0 -> 192.168.195.58:0 [proto: 81/ICMP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/zoom2.pcap.out b/tests/result/zoom2.pcap.out index 2bbc3522b..da7c2f333 100644 --- a/tests/result/zoom2.pcap.out +++ b/tests/result/zoom2.pcap.out @@ -1,17 +1,16 @@ -Guessed flow protos: 2 +Guessed flow protos: 0 DPI Packets (TCP): 8 (8.00 pkts/flow) -DPI Packets (UDP): 62 (20.67 pkts/flow) +DPI Packets (UDP): 15 (5.00 pkts/flow) DPI Packets (other): 1 (1.00 pkts/flow) -Confidence DPI (partial cache): 2 (flows) -Confidence DPI : 3 (flows) -Num dissector calls: 806 (161.20 diss/flow) +Confidence DPI : 5 (flows) +Num dissector calls: 485 (97.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) -LRU cache bittorrent: 0/9/0 (insert/search/found) -LRU cache zoom: 1/2/2 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache zoom: 1/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) -LRU cache mining: 0/2/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) Automa host: 1/1 (search/found) Automa domain: 1/0 (search/found) @@ -30,8 +29,8 @@ JA3 Host Stats: 1 192.168.1.178 1 - 1 UDP 192.168.1.178:60653 <-> 144.195.73.154:8801 [proto: 189/Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI (partial cache)][cat: Video/26][3824 pkts/4162390 bytes <-> 4907 pkts/4203451 bytes][Goodput ratio: 96/95][40.59 sec][bytes ratio: -0.005 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 6/6 101/100 10/10][Pkt Len c2s/s2c min/avg/max/stddev: 94/60 1088/857 1339/1339 242/271][PLAIN TEXT (replace)][Plen Bins: 0,2,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,1,1,74,3,1,0,1,9,1,0,0,0,0,0,0,0,0,0] + 1 UDP 192.168.1.178:60653 <-> 144.195.73.154:8801 [proto: 87.189/RTP.Zoom][IP: 189/Zoom][ClearText][Confidence: DPI][cat: Video/26][3824 pkts/4162390 bytes <-> 4907 pkts/4203451 bytes][Goodput ratio: 96/95][40.59 sec][bytes ratio: -0.005 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 6/6 101/100 10/10][Pkt Len c2s/s2c min/avg/max/stddev: 94/60 1088/857 1339/1339 242/271][PLAIN TEXT (replace)][Plen Bins: 0,2,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,1,1,74,3,1,0,1,9,1,0,0,0,0,0,0,0,0,0] 2 UDP 192.168.1.178:58117 <-> 144.195.73.154:8801 [proto: 87.189/RTP.Zoom][IP: 189/Zoom][ClearText][Confidence: DPI][cat: Video/26][1283 pkts/302584 bytes <-> 947 pkts/159626 bytes][Goodput ratio: 82/75][39.98 sec][bytes ratio: 0.309 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 28/36 141/131 26/34][Pkt Len c2s/s2c min/avg/max/stddev: 106/60 236/169 376/369 87/64][PLAIN TEXT (replace)][Plen Bins: 0,1,64,18,7,0,0,4,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 3 TCP 192.168.1.178:50076 <-> 144.195.73.154:443 [proto: 91.189/TLS.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][cat: Video/26][491 pkts/108525 bytes <-> 411 pkts/58625 bytes][Goodput ratio: 70/54][44.41 sec][Hostname/SNI: zoomsjccv154mmr.sjc.zoom.us][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.299 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 75/109 1466/1467 185/193][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 221/143 1506/1506 285/210][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 832952db10f1453442636675bed2702b][ServerNames: *.sjc.zoom.us][JA3S: 8aca82d60194883e764ab2743e60c380][Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1][Subject: C=US, ST=California, L=San Jose, O=Zoom Video Communications, Inc., CN=*.sjc.zoom.us][Certificate SHA-1: 43:42:0A:34:FD:F6:7A:FC:E9:C1:95:D8:E0:79:7E:17:B9:65:B0:A7][Firefox][Validity: 2021-04-13 00:00:00 - 2022-04-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,15,17,13,5,3,8,2,1,0,1,0,1,1,3,1,2,4,2,0,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,10,0,0] - 4 UDP 192.168.1.178:57953 <-> 144.195.73.154:8801 [proto: 189/Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI (partial cache)][cat: Video/26][43 pkts/5229 bytes <-> 44 pkts/4520 bytes][Goodput ratio: 65/59][39.68 sec][bytes ratio: 0.073 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 941/849 3580/3749 1440/1522][Pkt Len c2s/s2c min/avg/max/stddev: 69/60 122/103 185/133 41/28][PLAIN TEXT (replace)][Plen Bins: 35,2,43,13,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 UDP 192.168.1.178:57953 <-> 144.195.73.154:8801 [proto: 87.189/RTP.Zoom][IP: 189/Zoom][ClearText][Confidence: DPI][cat: Video/26][43 pkts/5229 bytes <-> 44 pkts/4520 bytes][Goodput ratio: 65/59][39.68 sec][bytes ratio: 0.073 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 941/849 3580/3749 1440/1522][Pkt Len c2s/s2c min/avg/max/stddev: 69/60 122/103 185/133 41/28][PLAIN TEXT (replace)][Plen Bins: 35,2,43,13,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 ICMP 192.168.1.178:0 -> 144.195.73.154:0 [proto: 81/ICMP][IP: 189/Zoom][ClearText][Confidence: DPI][cat: Network/14][27 pkts/1890 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][0.15 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 6/0 20/0 6/0][Pkt Len c2s/s2c min/avg/max/stddev: 70/0 70/0 70/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |